Data Collection and HIPAA Compliance

Enterprise Support Team

Overview

This article covers the data collection practices of CHEQ Control, as well as relevant implications with respect to HIPAA compliance. CHEQ Control consists of Manage (client and server-side tagging), Enforce (privacy compliance enforcement) and One (profile storage). 

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA), enacted as a U.S. federal law in 1996, sets national standards for safeguarding individuals' sensitive health information. Originally focused on healthcare providers and insurance companies, its scope has since expanded to encompass a broad range of entities that handle Protected Health Information (PHI).

Compliance with HIPAA ensures organizations securely manage PHI, protect patient privacy, and implement proper data collection and management practices.

Who is HIPAA Compliance Relevant For?

The scope of HIPAA includes any entity that handles PHI. This group includes not only healthcare providers, health plans, and healthcare clearinghouses (collectively known as Covered Entities) but also their partners and any entity that processes, manages, or handles PHI on their behalf (referred to as Business Associates).

Data Collection and CHEQ

CHEQ Manage

Client-side Tag Manager

The client-side portion of CHEQ Manage does not store any user data. The client-side Tag Manager parses client-side information (e.g., the data layer), formats it, and sends it to the vendors you specify. CHEQ does not store any of this information; the vendors set up to receive it might. IP addresses are pseudonymized rather than logged in the clear: only a one-way hash of the address is retained in our log data. Note that a hashed IP address is pseudonymous rather than anonymous data, and HIPAA's Safe Harbor de-identification method lists IP addresses among the identifiers that must be removed, so treat the hashed value as a pseudonym and not as de-identified data.

Tag Manager HIPAA Status: Compliant

  • CHEQ Tag Manager does not directly collect PHI, but it can be used to deploy other services that do (analytics, advertising, etc.). CHEQ Tag Manager itself is therefore HIPAA-compliant, provided that the tags it deploys are themselves HIPAA-compliant. We advise customers not to pass PHI to the platform, including via the data layer or via URL parameters that deployed tags read.

Server-side Tagging (SST) and Pulse

Instead of communicating with vendors directly from the customer's browser, CHEQ SST uses a simple data collection pixel (Pulse) to capture the data that would otherwise be needed to run the tags on the client side. Stored data is encrypted. By default the pixel captures the client IP address and the pixel payload, but customers can adjust these settings to match their compliance posture: IP logging can be enabled or disabled under the Security section of Pulse Settings.

SST HIPAA Status: Compliance can be enforced

  • As needed, relevant Business Associate Agreements (BAAs) can be executed or revisited. As a further measure, customers can disable storage of the IP address and payload for their data collection pixel, as described above.

CHEQ Enforce

CHEQ Enforce, the tool that manages user consent to enforce privacy compliance, stores the signals needed to record how users opt in to or out of particular tracking technologies. The platform can be configured not to store any data until a user has opted in, as required by the GDPR in the EU and the LGPD in Brazil. Enforce stores some aggregated consent-signal data for reporting purposes; any IP addresses are anonymized in this process. Additionally, the Data Governance feature can be used to stop PII or PHI from reaching vendors.

Enforce HIPAA Status: Compliant in most cases

  • CHEQ Enforce does not store any PHI and is generally HIPAA-compliant. If a customer chooses to support cross-device consent storage using CHEQ One, the following section applies.
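To make the two Enforce controls above concrete (forwarding nothing until consent is granted, and stopping PII or PHI from reaching vendors), here is an added example of a data-governance filter a site could run before a tag manager dispatches a data-layer event. It is not CHEQ's code and does not describe how the Data Governance feature is implemented; the vendor names, allow-lists, identifier patterns and the sample event are all constructed for the demonstration.

```javascript
// Added example, not CHEQ code: a data-governance filter applied before a tag
// manager forwards a data-layer event to a vendor. Vendor names, allow-lists,
// patterns and the sample event are constructed for the demonstration.

// Per-vendor allow-list: any key not named here is dropped. Vendors without a
// policy fail closed (see filterForVendor).
const VENDOR_ALLOWLIST = {
  analytics: ['event', 'page_path', 'page_title', 'consent_state'],
  ads: ['event', 'page_path', 'consent_state'],
};

// Value-level backstop for direct identifiers that arrive under an allowed key.
// The allow-list is the primary control; these patterns only catch obvious cases.
const DIRECT_ID_PATTERNS = [
  /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i, // e-mail address
  /\b\d{3}-\d{2}-\d{4}\b/,                  // US SSN layout
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,      // US phone number layout
];

function looksLikeDirectIdentifier(value) {
  return typeof value === 'string' && DIRECT_ID_PATTERNS.some((re) => re.test(value));
}

// Query strings and fragments are a common leak channel (search terms, record
// numbers, e-mail addresses in confirmation links), so only the path is kept.
function stripQueryAndFragment(url) {
  return String(url).split(/[?#]/)[0];
}

// Returns { send, payload, dropped }. send === false means nothing should
// leave the browser for this vendor.
function filterForVendor(event, vendor) {
  const allowed = VENDOR_ALLOWLIST[vendor];
  if (!allowed) throw new Error(`no governance policy for vendor "${vendor}"`);

  // Consent gate: forward nothing until the user has opted in.
  if (event.consent_state !== 'granted') {
    return { send: false, payload: null, dropped: Object.keys(event) };
  }

  const payload = {};
  const dropped = [];
  for (const [key, raw] of Object.entries(event)) {
    if (!allowed.includes(key)) { dropped.push(key); continue; }
    const value = key === 'page_path' ? stripQueryAndFragment(raw) : raw;
    if (looksLikeDirectIdentifier(value)) { dropped.push(key); continue; }
    payload[key] = value;
  }
  return { send: true, payload, dropped };
}

// Constructed sample push, as a booking site might emit after a form submit.
const SAMPLE_EVENT = {
  event: 'form_submit',
  page_path: '/appointments/confirm?patient=jane.doe@example.com&mrn=123456',
  page_title: 'Appointment confirmed',
  consent_state: 'granted',
  patient_email: 'jane.doe@example.com',
  diagnosis: 'type 2 diabetes',
};

console.log(filterForVendor(SAMPLE_EVENT, 'analytics'));
// send: true, payload.page_path: '/appointments/confirm',
// dropped: ['patient_email', 'diagnosis']
```

Two design points matter here. The allow-list, not the pattern matching, is the real control: patterns will miss identifiers in free text such as a diagnosis, which is why `diagnosis` is dropped by key rather than by content. And the filter throws for an unknown vendor instead of passing the event through, so a misconfigured tag fails closed rather than leaking.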

CHEQ One 

CHEQ One, an API-driven profile store, associates a user ID (e.g., an email address) with specified data (target group, consent signals, purchase history, etc.). One example application of One, Cloud Consent, carries an authenticated user's consent across devices, across different sites, and across deleted cookies.

One HIPAA Status: Compliance can be enforced

  • In order to support HIPAA compliance, we advise customers not to pass PHI to the platform or to associate it with data stored by the platform. Bear in mind that the user ID itself (e.g., an email address) is a direct identifier, so associating it with any health-related attribute would make the stored record PHI.
