Regulatory sands are shifting under the feet of the Healthcare industry in the United States. The FTC and HHS recently issued a joint letter to 130 major hospitals, warning them about the “serious privacy and security risks” relating to the use of third-party user data and ad tech like Google Analytics and Facebook/Meta pixels. The letter comes on the heels of the FTC’s prior guidance and major enforcement actions against GoodRx and BetterHelp. So, if third-party platforms like those are out, what about analytics in general?
At Mixpanel, we know that you’re doing everything you can to provide your patients with the best care, while respecting their privacy rights. This means constantly analyzing and updating your digital offerings to improve their healthcare experience. Unlike other third-party tools that collect and use information that may include patient health information (PHI) for their own purposes, Mixpanel focuses exclusively on providing the best event analytics in the industry. Mixpanel allows you to make better decisions about your websites and apps, without the worry of potential disclosure of PHI to user data platforms that are not HIPAA compliant. This should allow you to focus on improving your digital products to provide your patients with the best care, without worry of violating their privacy rights.
Contracts, configurations, and compliance
Mixpanel has built a robust analytics platform that can be configured in a way that’s compliant with HIPAA, the US legal protection of sensitive patient health information from being disclosed without the patient’s consent or knowledge. Customers who purchase a Mixpanel subscription and are considered Covered Entities under HIPAA can execute a Business Associate Agreement (BAA) with us by contacting our sales team. We also enter into Data Protection Agreements (DPA) with customers to ensure that we will continue to honor the privacy rights of data subjects not covered by HIPAA.
In addition to contractual measures, we have built data governance right into our services. This allows account administrators an additional level of control to classify PHI and other sensitive data in order to limit its disclosure using permissions as they see fit within their own organization and ensures visibility when new categories of information are added. Patient data can be exported or changed using Mixpanel’s export API in response to patient requests to access or amend information. And while we offer the ability to interface with some ad platforms, such as Facebook and Google, these features are turned off by default. These are just a few of the ways we provide administrators an unmatched level of control over their data, while still allowing them to make smart decisions about their digital offerings.
To satisfy HIPAA compliance and beyond, Mixpanel offers Business Associate Agreements (BAA), Data Protection Agreements (DPA), and robust user ID and data transit security.
Mixpanel also maintains a robust data security program that meets or exceeds industry standards for compliance in the healthcare industry. This includes product configurations like Single Sign-On (SSO) and Two-Factor Authentication (2FA) that ensure your users are who they say they are. We utilize TLS 1.2 to ensure that data in transit is encrypted, and strong encryption when data is at rest. We also maintain compliance with ISO and SOC 2 type II standards on an annual basis, with documentation available under NDA.
The patient benefits of user analytics
The largest reason these privacy measures are important is because they allow us to offer healthtech companies uncompromised user analytics they can use to help improve the patient experience.
Mixpanel customer Winona, for example, has written about using product analytics to redesign its app’s long onboarding flow and address a problem where too many doctor messages were going unread. These improvements helped the company’s patients get health advice sooner.
