HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
HIPAA compliance has become increasingly complicated as more healthcare providers embrace the use of digital tools to improve their operations. This includes leveraging analytics platforms to gather valuable insights about website visitors.
While these solutions may help boost patient engagement, they can also open a new pathway to potential HIPAA violations.
In addition to choosing a HIPAA compliant web host, it’s important for covered entities to go one step further and ensure that their analytics setup meets compliance obligations.
Let’s find out if Looker is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
About Looker
Equipped with a user-friendly dashboard that promotes seamless collaboration, Looker is a business intelligence and big data analytics platform that allows users to explore, evaluate, and share advanced insights in real-time.
With access to one unified source of reliable and up-to-date information, companies are able to receive the answers they need to streamline workflows, gain a better understanding of customer interactions, and provide smarter data-driven experiences.
Looker and business associate agreements
Any third-party vendor that stores, accesses, or sends PHI is considered a business associate. In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that outlines the responsibilities of the business associate to keep PHI secure.
According to Looker’s website, the company “supports HIPAA compliance within the scope of a business associate agreement” and will sign a BAA for all “services and professional services under a Looker-hosted deployment.” This excludes third-party services, non-secure API integration tools, and features that are not generally available such as previews.
Looker affirms that customers are ultimately responsible for evaluating their own HIPAA compliance when using the services and “must manage access in a way that complies with the BAA.”
Looker and data security
Beyond the BAA, data security is another critical component of maintaining HIPAA compliance. Therefore, covered entities should evaluate the measures that a vendor is taking to protect PHI.
Looker offers a secure infrastructure with a variety of protective features including a built-in robust permissioning layer to ensure that real-time data access is only available to authorized individuals.
The company also makes queries directly against customer databases to protect sensitive information and uses AES 256 bit encryption to secure credentials and data at rest.
Customers can take further steps to secure PHI with additional controls such as enabling two-factor authentication, limiting users’ ability to download reports, restricting permissions for creating public links, and reducing the amount of time that query results are cached. However, it is up to the customer to make the necessary configurations.
Looker explicitly states that the company “takes no responsibility for any breach that results from customers’ environment and configuration of the services, access permissions, and security controls.”
Is Looker HIPAA compliant?
Yes, Looker can be made HIPAA compliant with a signed BAA.
However, covered entities must ensure that all settings are appropriately configured to minimize risks and maintain the necessary security standards.
