What is a BAA?
- The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a U.S. law that controls the flow, protection, and disclosure of protected health information (“PHI”).
- A business associate agreement (“BAA”) is a legally binding document between a HIPAA-covered entity and a contractor or vendor that outlines how PHI will be safeguarded in accordance with HIPAA guidelines.
Does my company need a BAA in place with FullStory?
- While FullStory continues to prohibit customers from using FullStory’s services to collect health data, we like to have BAAs in place with customers that consider themselves a covered entity under HIPAA or a contractor to a HIPAA-covered company, or whose business interacts with health data, even if that data is anonymous or not sensitive.
- A BAA protects both FullStory and you, the Customer, in the event that FullStory inadvertently processes or interacts with health data due to a Customer’s configuration of the FullStory services.
Does FullStory support signing BAAs for HIPAA compliance?
Yes, FullStory provides our BAA to support our Customers’ respective HIPAA obligations when using our services.
If we have a BAA in place, does this mean we can then share health data or PHI data with FullStory?
It depends. It is FullStory's policy to prohibit Customers from sending us any sensitive data, as defined in our standard subscription agreement or in the applicable agreement we have already mutually executed with you. Health data is a type of “Sensitive Data,” which includes but is not limited to medical records, diagnostic data, medical identification numbers, an individual’s mental or physical condition, unique identifiers used by a health insurer or provider to identify an individual, and genetic information.
With that said, we understand that PHI can include names, email addresses, and IP addresses, all of which are okay for FullStory Customers to share with the FullStory services. Please reach out to FullStory’s Legal team at firstname.lastname@example.org if you have any questions regarding what type of data you can share with FullStory.
If your organization has inadvertently shared health data with FullStory, this help article gives further guidance on what to do if sensitive data has been captured in your account.
How do I request a business associate agreement (BAA)?
If you are an existing customer, please reach out to your Account Manager to discuss putting a BAA in place. If you’re not sure who to contact, please reach out to our support team at email@example.com.
Useful links for reference:
- Terms & Conditions: refer to the references to “Sensitive Data”
- Acceptable Use Policy: refer to Prohibited Activities, Prohibited Uses
- How do I protect my users' privacy in FullStory?
- Private by Default at FullStory
- What to do if sensitive data has been captured