The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the United States legislation that provides data privacy and security provisions for safeguarding protected health information, while the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 was created to encourage the adoption of electronic health records (EHR) and supporting technology in the United States. The HITECH Act broadened the privacy and confidentiality protections provided under HIPAA by increasing the potential legal liability for non-compliance and providing for stricter enforcement.
Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). VWO customers that are subject to HIPAA and plan to use the VWO Experience Optimization Platform with PHI must sign a Business Associate Agreement (BAA) with Wingify.
Wingify helps its customers address their HIPAA obligations by offering appropriate security configuration options in the VWO Experience Optimization Platform. Configuring your VWO account for HIPAA compliance provides sufficient administrative, physical, and technical safeguards to ensure the continued security and privacy of your Protected Health Information (PHI) or Electronic Protected Health Information (ePHI).
NOTE: As of now, there is no official certification for HIPAA or HITECH Act compliance. However, the VWO Services covered under the BAA have undergone audits by accredited independent auditors for Wingify's ISO/IEC 27001 and BS 10012 certifications and for PCI DSS.
To learn more about Wingify's commitment to comply with HIPAA, refer to HIPAA and HITECH Act.
How to make your VWO account HIPAA compliant?
To ensure that the data collected in your VWO account, and access to it, are secured to HIPAA standards, an admin or owner user needs to do the following:
- Go to SETTINGS > ACCOUNTS > SECURITY, and under the Login and access section, enable:
  - Expire user's password in 90 days
  - Log user out of VWO after 15 minutes of inactivity
- Go to SETTINGS > ACCOUNTS > PRIVACY CENTER, and under the Data security section, enable:
  - Collect only TLS 1.2 data

NOTE:
- If you enable the setting that logs users out after 15 minutes of inactivity, it overrides their Remember me preference on the login page.
- Password expiry does not apply if logins are governed by SSO.
With these options enabled in VWO, the data in your account and the methods used to access it will comply with HIPAA requirements.