How Kameleoon supports HIPAA compliance

1 ​What is HIPAA?

The United States Health Insurance Portability and Accountability Act (HIPAA) safeguards patient information by setting data privacy and security standards. It stipulates who can access health information (and when), protecting this data to ensure it remains confidential.

HIPAA IN A NUTSHELL

Originally passed in 1996, HIPAA’s range was widened through the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was incorporated into law in 2013. Amongst other points, the HITECH Act extends the penalties for non-compliance, with violations potentially resulting in fines up to $1.5 million. It also expands who the legislation covers to include subcontractors, such as providers of SaaS-based software handling Protected Health Information (PHI).

​

Therefore every company handling PHI as part of its operations (called a Covered Entity) needs to ensure compliance - and make sure that its subcontractors (classed as Business Associates) are also meeting legislative requirements. 

Here are some definitions you need to know before discussing how Kameleoon helps achieve HIPAA compliance:

 HIPAA

• Health Insurance Portability and Accountability Act, passed in 1996

 PHI (or ePHI) - (electronic) Protected Health Information

• Data that can be used to identify an individual, their medical history or payment history. This includes name, address, social security numbers and biometric data.

OCR - the Office for Civil Rights of the Department of Health and Human Services

• This is the body responsible for enforcing HIPAA’s provisions.

 Covered Entity

• This is any organization that handles or transmits PHI electronically, such as a medical facility/practice, health insurer, HMO or health care clearing house.

 Business Associate

• A company hired by a Covered Entity to help it carry out its health care activities and functions. There must be a written Business Associate Agreement or other arrangement in place to ensure compliance. 

2 ​How Kameleoon is HIPAA compliant

As an organization Kameleoon enables straightforward HIPAA compliance. At a technical level our platform is designed to meet the Act’s requirements, while we will quickly sign Business Associate agreements to ensure compliance before our systems are used with your PHI or ePHI. 

Our compliance focuses on these four areas:

PASSWORD EXPIRY RULES

HIPAA mandates that passwords have to be changed every 60 or 90 days. Within Kameleoon you can easily create rules to ensure users change their passwords at specified intervals.

​

SECURE DATA TRANSFER

To be compliant, all systems need to have the TLS 1.2 data security protocol in place. This is already the default within Kameleoon, meaning no changes need to be made to the solution to ensure compliance.

AUTOMATIC LOGOUT

To further protect ePHI, organizations must automatically log out users if they have been inactive for 15 minutes. This option is available within Kameleoon. 

BUSINESS ASSOCIATE AGREEMENT

As a trusted, compliant supplier to organizations across multiple industries Kameleoon follows clear, transparent processes in how we handle and protect data. We are happy to sign Business Associate Agreements (BAA) as part of any agreement with clients.

Thanks to these provisions, companies that need to be HIPAA compliant can use Kameleoon for both A/B testing and personalization projects.

To find out more about our support for HIPAA compliance please contact us at [email protected] or get in touch with your Customer Success Manager.