
Braze became HIPAA compliant to better support health and fitness brands and any other company working with Protected Health Information (PHI). Let’s take a look at why that matters and how we made it happen.

Today’s consumers demand relevant brand experiences. To build strong relationships, brands need to ensure that they’re communicating in ways that speak to each customer as an individual—and that’s true whether that brand is a retailer or in the healthcare space. But there’s a catch: While data is an essential part of these personalized experiences, it’s also a subject that can be very sensitive for consumers and regulators alike. You can’t avoid the need for data as a marketer today, but you also can’t afford to treat it lightly, or fail to protect and safeguard the information that’s been entrusted to your brand.

All of that is especially true when it comes to health-related data. As the digital services offered by health and fitness brands continue to expand, the need to find ways to both leverage and protect sensitive health-related data has become increasingly clear. While the ability to deliver value and convenience quickly through brand experiences can concretely improve people’s lives—especially in a space known for its long wait times—it’s important to protect the data that informs those experiences without compromise.

To make that possible for health-related brands, Braze prioritized achieving and maintaining HIPAA compliance for our platform. Let’s take a look at why that matters, how we made it happen, and what it means for marketers.

What is HIPAA?

The U.S. government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to establish rules ensuring that organizations with digital access to customers’ health information protect that highly confidential information. This data, known as Protected Health Information (PHI), includes traditional medical data, such as health records and test results, as well as individually identifying data points tied to someone’s health records, like a patient’s name, account number, images, demographic information, and more.

HIPAA is mandated only for “Covered Entities,” which include:

  • Health insurance companies (HMOs, company health plans, Medicare, Medicaid)
  • Health care providers (doctors, clinics, specialists, pharmacies)
  • Health data companies

However, these organizations don’t operate in a vacuum. HIPAA allows Covered Entities to disclose PHI to other organizations (known as “Business Associates”) when doing so is necessary to carry out healthcare-related activities. To be HIPAA compliant, these Business Associates must in turn safeguard the PHI in question and use it only for the purposes it was shared to support, among other requirements.

What Does HIPAA Compliance Look Like?

In general, all brands that transmit protected health information electronically must institute and follow certain physical, network, and process security measures to meet HIPAA compliance. Furthermore, for a company to be HIPAA compliant, its sub-processors (any third party that may handle PHI on behalf of the Covered Entity) generally also need to be HIPAA compliant. This means the sub-processor must adhere to strict requirements including, but not limited to, the following:

  • Sign a Business Associate Agreement (BAA) that states they adhere to the security and privacy rules required by HIPAA
  • Perform a risk analysis
  • Audit and track activity on hardware and software that processes PHI
  • Implement a data backup plan
  • Install physical safeguards to protect electronic information systems
  • Implement policies and procedures to ensure compliance

Becoming HIPAA compliant isn’t easy—and it isn’t a one-time deal. It requires ongoing support, maintenance, and focus, especially as the law is updated over time.

HIPAA Compliance and Braze

Today, data privacy and security are integral for brands and consumers alike. To ensure that Braze customers (and their customers) can handle PHI in a safe, secure manner to support meaningful, relevant experiences, we’ve made HIPAA compliance—and data privacy and security in general—a major priority for our company and our product.

At Braze, the work we did to become HIPAA compliant formed the foundation of our current data security approach.

“The first big formal risk analysis we did was for HIPAA,” notes Jon Hyman, Braze Cofounder and CTO. “We hired a lawyer who studies HIPAA and we worked with him to ensure that we were doing things according to what’s required…[and] literally built a risk analysis where we had a risk register of potential threats and vulnerabilities, the controls we have in place, the likelihood of issues, the potential impact, what remediation looks like, and how our incident response team will address things.”

Braze also completed significant infrastructure-related work. For one, we created a separate, HIPAA-focused cluster of the Braze platform for brands working with PHI. With the Braze HIPAA cluster, “You log into a different URL, and if you're not in the non-HIPAA environment, your SDKs hit a totally different URL and different set of servers,” Hyman says. “Your databases are separate. Everything is completely separate. It has different firewall rules. It has its own virtual network. It's completely separate from the other environments within Braze, which is nice from an isolation standpoint.”

Braze is proud to be HIPAA compliant, but we haven’t stopped there. We’ve continued to iterate on these measures, going above and beyond what the law requires. For example, we’ve added further safeguards: two-factor authentication, IP whitelisting for the dashboard and our APIs, password expiration policies, and password complexity rules.

HIPAA Compliance Means Strict Information Security For All Braze Customers

HIPAA compliance was a major undertaking for Braze, but it paved the way for everything that came after. In 2018, we also successfully completed our SOC 2 Type 2 audit and ISO 27001 certification, and we completed a second audit and certification in the past year.

The SOC 2 standard, which is overseen by the American Institute of Certified Public Accountants (AICPA), sets down compliance requirements for a company’s security controls. This audit confirmed that Braze had already established strict information security policies and procedures. Additionally, our ISO 27001 certification affirms that Braze has performed a comprehensive assessment of security risks and operates an Information Security Management System (ISMS) that complies with the International Organization for Standardization (ISO) global standard for information security management.

“The way that HIPAA requires Braze to operate for brands using PHI is the way we now operate across the board,” explains Hyman. “For example, administrative safeguards in HIPAA required us to do a risk analysis, which we did. But that’s also a requirement for ISO 27001, where you have to make sure your information security management system conforms to high standards. And everything follows from that; making sure that we have proper controls, effective processes for things like terminating access to employees who depart, and a process for handling sensitive data across the board.”

Next Steps

Data privacy and security matter—now more than ever. With a platform committed to HIPAA compliance, health and fitness brands can deliver memorable, relevant experiences to their customers while still respecting their privacy.

To discover how a personalized, HIPAA-compliant communication strategy increases the value of your brand, check out how HelpAround boosts app user retention with Braze.