How Mixpanel provides HIPAA-compliant analytics for healthtech
Regulatory sands are shifting under the feet of the Healthcare industry in the United States. The FTC and HHS recently issued a joint letter to 130 major hospitals, warning them about the “serious privacy and security risks” relating to the use of third-party user data and ad tech like Google Analytics and Facebook/Meta pixels. The letter comes on the heels of the FTC’s prior guidance and major enforcement actions against GoodRx and BetterHelp. So, if third-party platforms like those are out, what about analytics in general?
At Mixpanel, we know that you’re doing everything you can to provide your patients with the best care, while respecting their privacy rights. This means constantly analyzing and updating your digital offerings to improve their healthcare experience. Unlike other third-party tools that collect and use information that may include patient health information (PHI) for their own purposes, Mixpanel focuses exclusively on providing the best event analytics in the industry. Mixpanel allows you to make better decisions about your websites and apps, without the worry of potential disclosure of PHI to user data platforms that are not HIPAA compliant. This should allow you to focus on improving your digital products to provide your patients with the best care, without worry of violating their privacy rights.
Contracts, configurations, and compliance
Mixpanel has built a robust analytics platform that can be configured in a way that’s compliant with HIPAA, the US law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. Customers who purchase a Mixpanel subscription and are considered Covered Entities under HIPAA can execute a Business Associate Agreement (BAA) with us by contacting our sales team. We also enter into Data Protection Agreements (DPA) with customers to ensure that we will continue to honor the privacy rights of data subjects not covered by HIPAA.
In addition to contractual measures, we have built data governance right into our services. This allows account administrators an additional level of control to classify PHI and other sensitive data in order to limit its disclosure using permissions as they see fit within their own organization and ensures visibility when new categories of information are added. Patient data can be exported or changed using Mixpanel’s export API in response to patient requests to access or amend information. And while we offer the ability to interface with some ad platforms, such as Facebook and Google, these features are turned off by default. These are just a few of the ways we provide administrators an unmatched level of control over their data, while still allowing them to make smart decisions about their digital offerings.
To satisfy HIPAA compliance and beyond, Mixpanel offers Business Associate Agreements (BAA), Data Protection Agreements (DPA), and robust user ID and data transit security.
Mixpanel also maintains a robust data security program that meets or exceeds industry standards for compliance in the healthcare industry. This includes product configurations like Single Sign-On (SSO) and Two-Factor Authentication (2FA) that ensure your users are who they say they are. We use TLS 1.2 to encrypt data in transit, and strong encryption for data at rest. We also maintain compliance with ISO and SOC 2 Type II standards on an annual basis, with documentation available under NDA.
The patient benefits of user analytics
The most important reason these privacy measures matter is that they allow us to offer healthtech companies uncompromised user analytics they can use to help improve the patient experience.
Mixpanel customer Winona, for example, has written about using product analytics to redesign its app’s long onboarding flow and address a problem where too many doctor messages were going unread. These improvements helped the company’s patients get health advice sooner.
Part of a compliant healthtech optimization stack
Mixpanel analytics is just one part of the tech stack healthtech companies need to optimize their products and business. Collin Crowell, VP of the North American region for our experimentation partner Kameleoon, adds:
“While using PHI isn’t required to build great digital experiences, protecting patient trust is paramount. Kameleoon and Mixpanel are not only HIPAA compliant, we both can enter into business associate agreements that protect PHI usage. Our native integrations make it easy for healthcare marketers, product managers and engineers to build better patient experiences and stay fully HIPAA compliant.”
Brooklyn Data, a Mixpanel solutions partner, is an expert in modernizing healthcare companies. Founder and CEO Scott Breitenother echoes the impact that bringing together the best technology can have on the patient experience:
“In the world of ever-evolving patient expectations, forward-thinking healthcare organizations realize that harnessing technology for better patient experiences is not only possible, it’s table stakes. We’re excited to be a premier solutions partner for Mixpanel, a company that shares our commitment to implementing secure, HIPAA-compliant solutions.”
To find out more about how Mixpanel might be able to help you, and your patients, with a compliant analytics solution, contact our sales team today.
Legal Disclaimer: The information in this blog post is provided for general information purposes only. Nothing in this blog post should be considered legal advice. HIPAA is complex. We recommend that customers regulated by HIPAA seek experienced legal expertise when configuring our products.