HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services designed to protect the privacy and security of an individual’s Protected Health Information (PHI).

You can use Condens as your UX Research Repository in a HIPAA-compliant way and Condens will enter into a Business Associate Agreement (BAA) with your organization based on the criteria below.

Privacy and security protection

Condens provides comprehensive privacy and security protections that enable you to operate our software in compliance with HIPAA. These include:

  • assigned security team responsible for maintaining compliance with HIPAA requirements

  • security measures to protect PHI - more on this on our Security page

  • security audits performed by independent third-parties

  • policies that govern the appropriate handling of PHI and cases relating to HIPAA including a Breach Notification Policy, a Business Associate Policy and a Privacy, Use, and Disclosure Policy all of which are reviewed annually

  • an internal control system to ensure the proper implementation and monitoring of legal specifications and policies

  • regular risk assessments of systems to ensure that safeguards remain relevant and effective

  • annual security awareness training and HIPAA training for employees who come into contact with customer PHI

Signing a Business Associate Agreement (BAA)

Before you enter PHI to Condens you need to sign a BAA with us. Here is how to do that.

Step 1: Decide for a plan
You can sign a BAA with Condens if you go with our Company or Enterprise plan (see details on plans here). If you go with our Company plan, our standard BAA to which we can't make any changes. If you go with our Enterprise plan, we can consider changes to our standard BAA or use your BAA as a basis.

Step 2: Request our BAA or send your BAA

Reach out to hello@condens.io to request our BAA or - only if you go with the Enterprise plan - send your BAA for us to review.

Step 3: Follow usage requirements
Make sure everyone at your organization using Condens knows and follows the usage requirements listed below.

Usage requirements

Condens has defined HIPAA usage requirements that each customer needs to follow in order to use Condens in a HIPAA compliant way. We want to stress that it's your responsibility to ensure you’re using Condens in a HIPAA-compliant way. We can't take responsibility for any unauthorized access to your PHI, that results from your failure to comply with these usage requirements.

It’s also your obligation to ensure all third party applications integrated with Condens are operated in a HIPAA-compliant way. The BAA that you sign with us only covers Condens and the subcontractors used by us.

You need to use Condens in line with the following requirements:

  • Do not share data containing PHI via a public link (more on this here). Instead, invite stakeholders to your account to make data accessible.

  • Do not enter PHI via the Give Feedback button

  • Do not enter PHI in comments or replies to comments

  • Do not send PHI to Condens via email or share PHI in a (video) call with a Condens employee

  • If you download data to your computer, please ensure that those downloaded files are handled appropriately since they may contain PHI. We suggest that you secure those files by encrypting them and only transfer using an encrypted connection.

Due to the changes in law or regulation or changes in Condens Software, we may update or revise this page from time to time. If you signed a BAA with us we will update you of relevant changes to this page. This page does not constitute an exhaustive template for all controls over PHI nor does it constitute legal advice.

Didn't find what you're looking for? Send us a message and we'll get back to you.