GoTo can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate signs GoTo’s HIPAA Business Associate Agreement for the specific GoTo service offerings in scope, and then configures and operates those services to meet the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule for electronic protected health information.
HIPAA requires a HIPAA Business Associate Agreement when a vendor creates, receives, maintains, or transmits protected health information on behalf of a regulated healthcare organization. GoTo makes a HIPAA Business Associate Agreement available for U.S. healthcare customers for applicable service offerings and incorporates the agreement into its standard terms through its data processing addendum framework. GoTo states, “Available to our U.S. healthcare industry customers, our BAA is designed to support customer HIPAA compliance obligations for applicable service offerings.”
HIPAA alignment for GoTo is service-specific and configuration-dependent. GoTo offers products used for communications, meetings, webinars, remote support, and device access, and each workflow can introduce different protected health information exposure points through chat, screen sharing, file transfer, session recordings, meeting artifacts, support logs, and user access pathways. A signed HIPAA Business Associate Agreement is a prerequisite, but it does not remove the need for administrative safeguards such as workforce access management, role-based permissions, and documented procedures for permitted uses and disclosures.
Technical safeguards under the HIPAA Security Rule should be addressed through account governance and platform configuration. Examples include restricting administrative access, enforcing strong authentication, controlling meeting entry and session access, limiting the collection and retention of content that contains protected health information, and managing integration pathways that replicate data into other systems. Operational controls also include disabling or restricting features that can create uncontrolled copies of protected health information, such as local recording or unmanaged exports, unless those functions are governed under the organization’s security program.
GoTo can support regulated healthcare use cases when the organization limits protected health information to the GoTo services covered by the signed HIPAA Business Associate Agreement and maintains documented safeguards across user provisioning, feature configuration, retention practices, and incident response.
