VWO HIPAA & HITECH Compliance
At VWO, we recognize that organizations in the healthcare sector must comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). While VWO does not require or store Protected Health Information (PHI) or electronic PHI (ePHI) for its functioning, we maintain industry-leading security, privacy, and data protection practices that support our customers’ compliance obligations.
No PHI/ePHI Storage by default
VWO is a self-service experimentation and optimization platform that does not require any patient-specific personal data, PHI, or ePHI.
- All website visitor data collected by VWO is de-identified before storage.
- By default, VWO does not target, receive, or store any PHI/ePHI from customers or their website visitors.
- VWO processes only aggregate, anonymous website visitor behavior data for analytics, A/B testing, website optimization, etc.
Because VWO does not store or collect PHI/ePHI by default, we do not meet the definition of a Business Associate or Business Associate Subcontractor under HIPAA.
Business Associate Agreement (BAA)
A BAA is required when a vendor handles PHI/ePHI. Since VWO does not require, request, or store any PHI/ePHI, a BAA is not applicable, and VWO is not categorized as a Business Associate.
If you believe your specific use case requires a BAA, please contact your VWO Account Executive or reach out to our Data Protection Officer in writing via email to privacy@vwo.com for escalation.
IP Address Processing and HIPAA Context
VWO processes the IP addresses of its customers’ website visitors strictly for operational and analytics purposes. When a visitor accesses a website that uses VWO, the IP address is first received by our Content Delivery Network (CDN) servers. From there, it is forwarded to VWO’s privacy-focused backend servers only after anonymization.
(a) How VWO Handles and Anonymizes IP Addresses
- The last octet of every visitor IP address is automatically stripped and replaced with “0” before it is stored.
- Example: ‘203.115.87.142’ becomes ‘203.115.87.0’
- Customers may choose to mask additional octets, depending on their internal compliance or privacy requirements.
- At no point does VWO store a full, non-anonymized IP address in its systems.
This ensures that the IP address cannot be tied back to an individual and aligns with industry-standard privacy practices.
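The masking rule above, written out as an added example (not VWO’s own implementation): the default strips the last octet, and the optional octet count models the additional masking a customer may choose. Only dotted-quad IPv4 is handled, as in the page’s example; anything else is rejected before storage rather than guessed at.

```python
import ipaddress

def anonymize_ipv4(ip: str, octets_to_mask: int = 1) -> str:
    """Replace the trailing octets of an IPv4 address with 0.

    octets_to_mask=1 reproduces the default described on the page;
    2 or 3 mask further octets. Constructed example, not VWO's code.
    Malformed or non-IPv4 input raises ValueError so it never reaches storage.
    """
    if not 1 <= octets_to_mask <= 3:
        raise ValueError("octets_to_mask must be between 1 and 3")
    # IPv4Address validates the input; IPv6 or garbage raises AddressValueError
    parts = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(parts[:4 - octets_to_mask] + ["0"] * octets_to_mask)

def is_anonymized(ip: str, octets_to_mask: int = 1) -> bool:
    """True when the trailing octets are already zero (safe to persist)."""
    parts = str(ipaddress.IPv4Address(ip)).split(".")
    return all(p == "0" for p in parts[4 - octets_to_mask:])

def stage_for_storage(ip: str, octets_to_mask: int = 1) -> str:
    """Gate in front of the datastore: the value written is always masked."""
    masked = anonymize_ipv4(ip, octets_to_mask)
    if not is_anonymized(masked, octets_to_mask):
        raise RuntimeError("anonymization invariant violated")
    return masked

if __name__ == "__main__":
    # Constructed sample values, matching the page's example
    print(stage_for_storage("203.115.87.142"))      # 203.115.87.0
    print(stage_for_storage("203.115.87.142", 2))   # 203.115.0.0
```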
(b) Is an IP Address ePHI Under HIPAA?
Under HIPAA:
- An IP address is recognized as one of the 18 personal identifiers that can make data “PHI.”
- However, an IP address by itself is not PHI or ePHI.
For an IP address to be considered ePHI, all three conditions must be met:
- It identifies or can reasonably identify an individual.
- It is handled by a HIPAA-covered entity or its Business Associate.
- It is linked to information about an individual’s health status, healthcare services, or payment for healthcare.
An IP address only becomes ePHI when it is connected to health information in a HIPAA-regulated environment.
(c) Why VWO’s Processing of Visitor IP Addresses Does Not Create ePHI
- VWO does not collect, process, or store any health-related information or medical context.
- VWO does not require, target, or process PHI/ePHI for any of its features.
- The visitor IP address is anonymized before storage, removing any potential for direct identification.
- Without any link to an individual’s health information, an anonymized IP address cannot be classified as ePHI.
Therefore, the IP addresses of customers’ website visitors that VWO processes, which are stored only in anonymized form, do not constitute PHI or ePHI under HIPAA.
VWO’s HIPAA-Aligned Security & Privacy Practices
Even though VWO does not store PHI/ePHI, we maintain robust administrative, technical, and physical safeguards aligned with HIPAA and HITECH principles.
(a) Governance & Oversight
- A dedicated Data Protection Officer (DPO) oversees HIPAA-aligned policies on privacy, security, and incident response.
- Annual third-party audits against ISO 27001 (Information Security) and ISO 27701 (Privacy).
- Formal risk assessments and continuous monitoring of security controls.
(b) Technical & Security Measures
- End-to-end encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
- Strict access controls, privileged access monitoring, and secure development lifecycle.
- Incident response and breach notification procedures aligned with 45 CFR § 164.410. Internal containment within 48 hours.
These safeguards ensure confidentiality, integrity, and security of all data processed by VWO.
Customer Responsibilities for HIPAA-Aligned Use of VWO
Healthcare customers using VWO must ensure they configure the platform in a compliant manner. Key areas include:
(a) Cookie Consent Compliance
VWO uses certain cookies depending on the product(s) activated.
Please review all cookies listed here: Cookies Stored by VWO
Include relevant VWO cookies in your cookie banner.
For implementing consent-based loading of SmartCode, refer to: Configuring VWO SmartCode for Cookie Consent
(b) User Access Management
Complete access management for your VWO account lies with the customer.
Resources:
(c) Proper and Compliant Configurations
VWO is a self-service SaaS experimentation and optimization platform, which means customers have full control over how they create campaigns, configure experiments, and collect insights. As part of HIPAA-aligned usage, customers must ensure that no configurations expose or transmit any PHI, ePHI, or other sensitive health-related information through VWO.
While VWO provides strong privacy and security controls, the proper and compliant use of the platform lies with the customer. This includes ensuring that:
- Campaigns and experiment settings do not capture or display any PHI/ePHI, such as patient identifiers, medical record numbers, appointment details, or clinical data.
- Elements such as non-input fields, URL parameters, etc. are anonymized or blacklisted by the customer when creating campaigns if they carry any PHI or sensitive medical information.
(d) VWO Insights & Session Replays (If enabled)
Customers using VWO Insights (including Session Recordings) must ensure no PII/PHI/ePHI is captured.
Please refer to: VWO Data Privacy Compliance Guide for VWO Insights Customers: Navigating Data Protection Laws w.r.t Session Recordings and Safeguarding
The guide includes configuration steps for masking, blocking, and avoiding sensitive data exposure.
VWO Certifications and Industry Standards
VWO maintains a strong and continuously improving compliance posture backed by globally recognized security, privacy, and cloud certifications. These certifications demonstrate our commitment to protecting customer data, ensuring secure operations, and maintaining adherence to international regulatory requirements.
- ISO 27001:2022 Information Security Management Systems
- ISO 27701:2019 Privacy Information Management Systems
- ISO 27017:2015 Cloud Security
- ISO 27018:2019 Cloud Privacy
- SOC 2 Type II
- PCI DSS v4.0.2
For more details, please visit VWO Compliance Page and VWO Trust Center.
Contact and Escalations
If you have questions about HIPAA, HITECH, or our compliance practices, or if you believe your use case requires additional assessment, please contact your VWO Account Executive / Account Manager. For escalations, please write to our Data Protection Officer, Keshav Kumar, at privacy@vwo.com.