Is impact.com HIPAA compliant? (Update 2024)

Impact.com is a partnership management platform that streamlines workflows and provides access to performance metrics and actionable insights. Many healthcare organizations use such solutions to better connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with companies that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Impact.com still does not mention a BAA on its website and may not be HIPAA compliant.

What is impact.com?

Impact.com considers itself a world leader in partnership management platforms, transforming the way organizations manage and optimize their associations. The company helps organizations build ‘authentic’ relationships with affiliates, influencers, commerce content publishers, and business-to-business (B2B) enterprises. Impact.com allows users to automate communication tasks and expand rapidly, tracking and analyzing customer interactions across the Internet and various apps.

With this platform, organizations can centralize and standardize customer information to improve and enrich their customers’ journeys.

SEE ALSO: Understanding the patient journey

Is impact.com a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

• Permitted uses and disclosures of PHI
• Safeguards for protecting PHI
• Reporting and mitigation of security incidents
• Compliance with HIPAA regulations
• Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to impact.com and its ability to be HIPAA compliant. Impact.com is a business associate of a healthcare organization if it is storing, processing, or transmitting PHI on or through its platform.

RELATED: How to know if you're a business associate

Impact.com and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We checked impact.com’s website in 2022 for reference to an agreement but found no mention of a BAA or HIPAA. Currently, there is still no mention of either at impact.com.

Impact.com and data security

Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. To accurately provide analytics, management platforms must have access to personal information to facilitate communication. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations. Many management platforms are available, but not all meet HIPAA requirements for encryption, data backup, and access controls.

Information on the company’s disclosure of personally identifiable information (PII) and cybersecurity was not easy to find. According to Impact.com’s privacy policy, customer’s personal information is used for legitimate business purposes only; it does not rent or sell PII. As for end users, impact.com states that it might process “clients’ visitors and customers, and visitors to our Clients’ websites” as a service provider or data processor.

Within its privacy policy, impact.com adds that it “strive[s] to implement and maintain reasonable, commercially acceptable security procedures” though it is “unable to guarantee the absolute security of the Personal Information [it has] collected from you.”

Is impact.com HIPAA compliant?

The BAA is a necessary component of HIPAA compliance and impact.com does not appear to sign a BAA for its healthcare customers. Moreover, impact.com does not provide much information about its cybersecurity procedures.

Conclusion: impact.com may not be HIPAA compliant.

Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

• Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
• Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
• Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
• Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.