Alta is not HIPAA compliant for HIPAA Covered Entities or Business Associates: Alta does not offer a HIPAA Business Associate Agreement, and the service is not represented as supporting the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic protected health information.
HIPAA requires a HIPAA Business Associate Agreement when a vendor creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity or another Business Associate. The agreement must define permitted uses and disclosures, require safeguards for electronic protected health information, address reporting of breaches of unsecured protected health information, and impose equivalent restrictions on subcontractors. Based on its published contracting position, Alta is not willing to sign a HIPAA Business Associate Agreement, which prevents regulated organizations from using Alta for workflows involving protected health information.
Customer engagement and automation platforms can process identifiers, contact records, behavioral data, message content, and workflow metadata. Those data elements become protected health information when they identify an individual and relate to treatment, payment, or healthcare operations. Protected health information can be introduced through intake and registration forms, segmentation attributes, tags, campaign content, appointment reminders, care program enrollment status, billing context, and support conversations. Even limited message content can disclose protected health information when it connects an identifiable person to a provider, department, service line, or visit type.
HIPAA operational safeguards also limit how staff can use automation tools. The HIPAA Minimum Necessary Rule restricts access and disclosure to the minimum needed to perform a permitted function. Transmission security and access controls are required under the HIPAA Security Rule when electronic protected health information is stored or exchanged through third-party systems. Without a HIPAA Business Associate Agreement and defined platform controls for regulated data, a Covered Entity or Business Associate cannot validate that these requirements are met for Alta-based workflows.
Alta may be used by healthcare organizations only for activities that exclude protected health information and do not link identifiable individuals to healthcare services or payment. When a workflow requires protected health information, use a vendor that will execute a HIPAA Business Associate Agreement for the services in scope and that supports access controls, audit controls, transmission security, retention controls, and incident response procedures aligned with HIPAA obligations.
