Sisense and HIPAA Compliance

At Sisense we understand that our healthcare customers need to ensure they stay compliant with HIPAA requirements as they manage, process or archive Protected Health Information (PHI). The Sisense platform is a HIPAA-ready solution that provides the high level of data security, integrity and encryption needed to maintain HIPAA compliance.

Is Sisense HIPAA compliant?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals’ protected health information (PHI). The Sisense platform is a HIPAA-ready solution that provides the high level of data security needed to maintain HIPAA compliance. In provisioning and operating the Sisense platform and services, Sisense complies with the provisions of the HIPAA Security Rule, Breach Notification Rule, and Privacy Rule that are required of and applicable to it in its capacity as a business associate. As such, Sisense has experience partnering with its healthcare customers to ensure that each party meets its respective HIPAA obligations.

Sisense Security Controls & Compliance

We understand the importance of data security to our healthcare customers, and Sisense continuously implements security protocols and industry-leading practices to achieve top-level certifications such as ISO and SOC 2.

Sisense provides several key security features to its customers that enable HIPAA compliance.

Protection of Data in Transit. Sisense leverages Transport Layer Security (TLS) 1.2+ to secure data in transit.

Protection of Data at Rest. Sisense helps customers implement the proper encryption methods for any data stored on the Sisense platform.

Data Access Controls. Sisense account administrators have secured access to manage permissions at the individual, group, or organization level. You can find out more on our Security and Trust page. Additionally, Sisense can configure customer-specific data access controls to help secure your data. You can learn more here:

Customer’s Security Controls & Compliance

You, as the customer, are responsible for ensuring that the environment and applications you rely on when using Sisense services are properly configured and secured according to HIPAA requirements. Since Sisense itself is not a database but a reporting and query tool, Sisense’s HIPAA compliance is contingent on your compliance with HIPAA requirements. This is often referred to as the shared security model.

Sisense offers a number of ways to help you manage your data security and governance and to maintain your HIPAA compliance. However, you are ultimately responsible for securing the following areas and Sisense takes no responsibility for any breach or violations that result from:

  • Your environment.
  • Your databases.
  • Your configuration of access permissions and security controls for internal users and third parties you authorize to use your databases.

The Business Associate Agreement (BAA) covers Sisense’s services as described in the applicable services agreement to which the BAA is attached, except that the following are not covered by the BAA:

  • Any third-party services or tools provided by an entity other than Sisense or its affiliate.
  • Any custom code, API integration or services developed by the customer.
  • Any plug-ins or add-ons that have not been certified by Sisense (even if created specifically for you at your request). See the Sisense Marketplace for additional information.
  • Any services that are not generally available (such as beta features and previews).

Sisense recommends the following technical best practices when configuring the Sisense platform to maintain HIPAA compliance:

Auditing Access to PHI. Depending on the level of access that your users will have to PHI, Sisense can help you implement row-level monitoring of access to sensitive data. You can learn more here:

Secure Configuration. Implement industry-standard methods of authenticating users, such as two-factor authentication or a SAML-based SSO IdP, and, to the extent users rely on SSO, restrict the “login_special_email” permission to a maximum of 2 users.

Database Security. Configure database access so that Sisense does not have any write or administrative access to your databases.

Encryption. Ensure that all connections to the database are encrypted in transit and, if an SSH tunnel connection is used, that a dedicated tunnel server is employed.

Implementation. When implementing Sisense in a complex data environment involving PHI, we recommend you get help from partners and service providers with HIPAA expertise to determine your compliance needs and requirements. Sisense Sales Engineers and Support staff will provide support along the way to assist in meeting your goals or guiding you to an appropriate deployment model.