Integrating marketing and analytical tools with HIPAA is no small feat. With regulations around audits, remediation plans, staff training, documentation, formal Business Associate Agreements (BAAs), and even incident plans, HIPAA is one of the most stringent regulations in effect. 

    Any organization managing protected health information (PHI)—or performing services for a covered entity handling PHI—can’t use the typical SaaS tools for marketing and analytics unless those tools are also HIPAA compliant, which is almost never the case.

    Simply put, sharing customer data in a high-compliance world is sometimes impossible and always risky.

    The Challenge with HIPAA 

    One of our partners, Effin Amazing, provides marketing stack and automation, funnel optimization, and analytics and metrics for big-name brands like Kissmetrics, Forks over Knives, Funding Circle, and more. One of their clients in the healthcare industry needed data routing but was unable to find an integration vendor that met their compliance needs.

    So Effin Amazing brought them to us. 

    Specifically, their client wanted to stream customer data—which contained PHI—to tools like Google Analytics and Amplitude, while also storing a copy in Amazon Simple Storage Service (S3) for internal use. This required a HIPAA-compliant data routing platform willing to sign a BAA.

    They couldn’t find one. 

    Of course, even asking for a signed BAA is somewhat risky: at the end of the day, an organization is still putting compliance in the hands of a third party and losing control. What our client really wanted was easy, reliable, and compliant integration.

    That’s where MetaRouter came in. 

    The MetaRouter Solution

    When a client is HIPAA-compliant, MetaRouter is HIPAA-compliant. Although MetaRouter offers a SaaS and iPaaS data routing option, the entire platform is designed to be deployed on any private cloud, with MetaRouter's own direct data access removed, placing governance completely in the hands of the organization.

    Our insurer could, then, deploy MetaRouter on their private Amazon Web Services (AWS) instance and leverage MetaRouter’s proprietary server-side integration library, keeping all the data processing and transportation secure from collection to delivery. They could even redact or encrypt parts of the data payload in transit, for some or all of the destinations, right from the platform. 

    This approach eliminated the risk of a HIPAA breach so completely that they didn’t even require MetaRouter to sign a BAA. And because MetaRouter is cloud- and message queue-agnostic, it fits neatly into their existing system and vendor preferences. 

    Thanks to MetaRouter’s secure-by-design approach, this HIPAA-compliant health organization knows that their PHI is in good hands: their own. 

    Written by Laurel Brunk