Comply with HIPAA by masking or blocking PHI from going to destinations
Freshpaint provides several features to restrict and manage Protected Health Information (PHI) in your customer data.
A destination is in HIPAA Mode if its connection mode is "Server-side" and HIPAA features are enabled.
Only destinations that support a server-side connection can be used in HIPAA mode.
You can change these options on the destination's configuration page. When handling PHI, you should always enable HIPAA mode unless you've signed a Business Associate Agreement (BAA) with the destination.
Because HIPAA Mode features are applied to events on Freshpaint's servers, client-side destinations do not support HIPAA mode. As a result, destinations where HIPAA features are enabled and the connection mode is "Client-side" are invalid.
Destinations configured to restrict PHI that are set to the Client-Side connection mode are invalid
When your account is configured for HIPAA, PHI is restricted from your destinations by default. To change this behavior, click the Configure button for HIPAA Settings and you'll see a modal pop up, like this:
Check the box to disable HIPAA restrictions for a destination
Check the box next to Disable ID Masking and Enforced Allowlists only if you want to allow PHI to be sent to a destination.
Once you have HIPAA mode turned on and a destination configured to restrict PHI, you can use allowlists to manage what you can send. Click the HIPAA Allow List and you'll see a screen which looks like this:
Choose which kind of properties to allow
You'll see three lists you can configure:
Click the edit icon to configure any one of these sets of properties, and you'll see an interface which looks like this:
Configure the properties you can send
You can add the properties that you'll allow to a destination. Once you do, only those properties will be sent. You can see that we've decided to use ID masking for the
user_id property will be sent unmasked, meaning it will be clearly recognizable in the destination to which it goes.
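The rules on this page (server-side plus HIPAA features means HIPAA mode, client-side plus HIPAA features is invalid, and only allowlisted properties are sent) can be modeled as below. This is an added example, not Freshpaint's code or API: the field names, the sample event, and the use of a keyed HMAC for ID masking are assumptions, since the page does not say how masking is implemented.

```python
import hashlib
import hmac

# Hypothetical model: field names and the HMAC masking scheme are assumptions.
MASK_KEY = b"constructed-demo-key"
ID_FIELDS = {"user_id"}  # identifier property used in the page's example


def destination_state(dest):
    """Classify a destination using the rules stated on this page."""
    if not dest["hipaa_features_enabled"]:
        return "unrestricted"   # PHI flows through; the page expects a signed BAA
    if dest["connection_mode"] == "server-side":
        return "hipaa"
    return "invalid"            # client-side cannot apply server-side restrictions


def mask(value):
    """Assumed masking: keyed hash, stable per value but not recognizable."""
    return hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def outbound_properties(dest, props):
    """Return the properties that would reach the destination."""
    state = destination_state(dest)
    if state == "invalid":
        raise ValueError(f"{dest['name']}: HIPAA features require server-side mode")
    if state == "unrestricted":
        return dict(props)
    out = {}
    for key, value in props.items():
        if key in dest["allowlist"]:
            out[key] = value        # allowlisted: sent as-is, unmasked
        elif key in ID_FIELDS:
            out[key] = mask(value)  # identifier not allowlisted: masked (assumed)
        # every other property is dropped (deny by default)
    return out


# Constructed sample event and destinations.
EVENT = {"user_id": "u-1842", "plan": "basic", "diagnosis": "asthma"}
ADS = {"name": "ads", "connection_mode": "server-side",
       "hipaa_features_enabled": True, "allowlist": {"plan"}}
CRM = dict(ADS, name="crm", allowlist={"plan", "user_id"})
BAD = dict(ADS, name="pixel", connection_mode="client-side")

if __name__ == "__main__":
    print(outbound_properties(ADS, EVENT))  # user_id masked, diagnosis dropped
    print(outbound_properties(CRM, EVENT))  # user_id allowlisted, sent unmasked
```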