Is Mixpanel HIPAA-Compliant?

As a healthcare marketing agency, we are often asked about the HIPAA compliance of certain marketing tools. To address this need, we have created a blog series that examines common marketing tools and software to determine whether or not they pose a HIPAA concern.

This week, we’re taking a closer look at Mixpanel.

What Is Mixpanel?

Mixpanel is a popular analytics platform, similar to Google Analytics. It is widely used by marketers who want an alternative to Google Analytics, or an upgrade from GA’s free version without the steep price hike to Analytics 360, as well as by product teams wanting to improve their users’ experience. Mixpanel can also offer a more customized analytics or reporting system without the workarounds you sometimes need in Google Analytics (Google Analytics was designed to provide very basic insights out of the box for just about any user willing to complete a simple setup guide).

Mixpanel, however, is not intended for beginners, and instead focuses on marketers & product team members who are looking for a highly customizable product that exists outside of the Google ecosystem. Mixpanel’s popularity has grown further since the release of Mixpanel Marketing Analytics.

Healthcare marketers use Mixpanel to do the following:

  • Analyze patient journeys: Mixpanel can be used to understand the journeys that patients take when seeking care, from initial research to booking appointments.
  • Segmentation: Marketers can divide audiences into specific segments based on behavior, demographics, pages viewed, or any other number of trackable metrics.
  • A/B testing: Mixpanel allows for robust testing features, allowing marketers to test campaigns, webpages, and more in order to boost conversion rates.
  • Retention: Mixpanel can be used to measure user retention, which can help teams determine how sticky their content is.
  • Flexible and complex attribution: Mixpanel allows for highly customized attribution models, which can be tailored to specific user journeys.

What Data Does Mixpanel Collect?

Mixpanel is a first-party data platform that, much like GA4, operates on an event-based framework. What the platform collects is entirely dependent on the tool’s setup, but the following are almost always collected:

  • Site actions: The primary points of data collection, site actions are the events that users take on your website. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
  • Event properties: The additional information attached to events, such as transaction prices, categories, & other information, which can be defined during setup.
  • Device information: This can include the model of the device the user is using, the operating system, and the browser.
  • Location data: This includes the user’s approximate location, derived from their IP address.
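Because what Mixpanel receives depends entirely on how events and their properties are set up, the following browser-side wrapper is an added illustration (not code from Mixpanel or from this post) of keeping only an allow-list of event properties and dropping any value that looks like an e-mail address, phone number or SSN before the analytics call is made. The property names, the patterns and the `send` callback standing in for the SDK’s track function are assumptions.

```javascript
// Added example, not Mixpanel's code. Only these event property keys are
// allowed to leave the browser (assumed names for a healthcare marketing site).
const ALLOWED_PROPERTIES = new Set([
  'page_category', 'cta_id', 'appointment_type', 'plan_tier',
]);

// Constructed, non-exhaustive patterns for values that look like direct
// identifiers: e-mail addresses, US phone numbers, SSN-shaped strings.
const SENSITIVE_VALUE_PATTERNS = [
  /[^\s@]+@[^\s@]+\.[^\s@]+/,
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,
  /\b\d{3}-\d{2}-\d{4}\b/,
];

// Returns the properties that may be sent and the keys that were dropped,
// either because the key is not on the allow-list or because the value
// matches a sensitive pattern (an allow-listed key can still carry PHI).
function sanitizeEventProperties(properties) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(properties)) {
    const looksSensitive =
      typeof value === 'string' &&
      SENSITIVE_VALUE_PATTERNS.some((pattern) => pattern.test(value));
    if (!ALLOWED_PROPERTIES.has(key) || looksSensitive) {
      dropped.push(key);
      continue;
    }
    kept[key] = value;
  }
  return { kept, dropped };
}

// Wraps a tracking call. `send(eventName, properties)` stands in for the
// analytics SDK's track function (an assumption); the list of dropped keys
// is returned so it can be logged or surfaced during an audit.
function trackSafely(eventName, properties, send) {
  const { kept, dropped } = sanitizeEventProperties(properties);
  if (dropped.length > 0) {
    console.warn(`${eventName}: dropped properties ${dropped.join(', ')}`);
  }
  send(eventName, kept);
  return dropped;
}
```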

Is Mixpanel HIPAA-Compliant?

Every organization’s definition of HIPAA compliance depends on its legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Mixpanel falls fairly low on the risk scale, largely because Mixpanel is willing to enter into Business Associate Agreements (BAAs) with its customers.

Risk Mitigation

Mixpanel is a data-forward, privacy-focused product whose risk mitigation options go beyond entering into a BAA. Mixpanel is built on Google Cloud Platform, which is subject to regular, independent verification of its security, privacy, and compliance controls against HIPAA. That being said, it is a good idea to have the following in place in order to catch some common missteps:

  • Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
  • Consider any other tools that may be integrated with Mixpanel – is your configuration sending data to another third-party tool? If so, do you have a BAA in place with that vendor? Stay aware of every step of your data processing, storage, and transmission, and be judicious about integrations that are unnecessary, redundant, or obsolete.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. If you’re looking to make sure your marketing practices are compliant, let’s talk – we’d love to help!

About the Author

The Hedy & Hopp analytics team is the cornerstone of patient-centered activation. This team is responsible for building measurement plans and data visualizations that provide useful and action-oriented insights for all of our marketing campaigns. Insightful and curious, for this team of lovable geniuses, decision science is their marketing happy.
