Monday 18 December 2017

Can I use Mixpanel and be HIPAA Compliant?


Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Mixpanel is a popular business analytics service that tracks user interactions with web and mobile applications.

We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if Mixpanel offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Mixpanel

Mixpanel is a popular web analytics company that’s based a few blocks away in San Francisco. It tracks user interactions with web and mobile applications and provides tools for targeted communication with them. Its toolset also contains the ability to perform A/B tests and user survey forms.

Mixpanel and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Mixpanel’s site and were unable to find any information on their ability to sign a BAA.


The Mixpanel Terms of Use page, however, does make a reference to protected health information (PHI):

“4.3 Customer agrees to comply with all applicable privacy and data protection regulations. Further, Customer agrees to not use the Application Services to send Mixpanel Sensitive Information. “Sensitive Information” shall mean information the unauthorized disclosure of which could cause material, severe, or catastrophic harm or impact to Mixpanel, any data subjects or third parties, including but not limited to … genetic, bio-metric, or health data, personally identifiable information”


We also found the Mixpanel Infrastructure page, which states:


Customer data is hosted with providers compliant with:

  • SOC 2
  • ISO 27001
  • EU Privacy Shield
  • HIPAA

It should be noted, however, that Mixpanel is not directly claiming to be HIPAA compliant, but rather that the hosting vendors it does business with are.


As a last check, we reviewed the Mixpanel Privacy Policy.

We were unable to find any reference to HIPAA, Protected Health Information, or a Business Associate Agreement.


Does Mixpanel Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Mixpanel’s Terms of Use page yielded the information we were looking for.

Mixpanel explicitly states that its customers are not allowed to send it sensitive information, and it classifies “health data” (i.e., PHI) as sensitive information.

Conclusion

Mixpanel is not HIPAA compliant.
