Gainsight Inc.

Gainsight [PX] Workflow and Configuration Guidelines for Maintaining HIPAA Privacy and Security

Overview

For Gainsight customers that may process electronic Protected Health Information (ePHI) or encounter incidental ePHI in the course of their business, we strongly recommend implementation of the following Workflows and Configurations within the Gainsight Platform to adhere to HIPAA privacy and security requirements. 

If you have any questions regarding these Guidelines, please contact your Engagement Manager or Client Outcomes Manager. 

Last Updated: September 1, 2020

Workflow & Configuration Guidance for PX Features

Features Workflow & Configuration Guidance 
PX User Tracking
  • Recommend using only non-PII user attributes to identify users. 

  • Recommend using a hashcode for the user ID.

PX Data Transmission

  • Recommend removing support for anything except strong encryption if there is a chance that ePHI could be transmitted. Do so by configuring PX to disable support for any encryption capabilities that aren’t deemed strong, including unencrypted transport, TLS 1.0, and TLS 1.1.  

PX SDK Configuration

  • Require that specific application URLs be masked or excluded through configuration. 

  • Recommend that IP tracking be disabled through configuration.

  • Recommend limiting tracking of DOM data elements that contain ePHI to the minimum necessary to meet the need. Note, by default PX does not track DOM data elements.

  • Recommend deleting the user record, if ePHI is tracked via a URL, IP address, or DOM element and must be deleted. 

PX Custom Events Tracking
  • Recommend limiting custom event tracking that may contain ePHI to the minimum necessary to meet the need.

  • Recommend deleting the user record, if ePHI in a custom event must be deleted. 

PX URL Mapping
  • Recommend using the SDK configuration to mask or exclude any URLs that are tracked or included in Product Mapper or Guides and that may contain ePHI.

PX Knowledge Center (KC) Bot
  • Recommend not configuring or utilizing the KC Bot feedback module, which allows free-text input, if a customer's end user may enter ePHI into the KC Bot for feedback or may search for ePHI in the KC Bot.

PX Engagements
  • Recommend limiting any engagements triggered based on ePHI to the minimum necessary to complete the task.

  • Recommend limiting the use of Surveys to collect ePHI to the minimum necessary to complete the task. 

PX Integrations with other systems, including Gainsight CS
  • Recommend only sending aggregated user or account level data to a system integrated with PX to limit transmission of ePHI.

  • Recommend only sending aggregated user or account level data using a REST API to limit transmission of ePHI.

  • If ePHI must be transmitted, recommend limiting data transmission from PX to the minimum necessary to complete CS tasks.

  • If you are concerned about incidental ePHI being transmitted from PX to CS, you may choose to not enable the integration and only import account level data with a custom integration.

PX Product Mapper & Guide Mapper
  • Recommend limiting tracking of the particular element that contains ePHI to the minimum necessary to meet the need. 

  • If you need to track an element with ePHI, we recommend that you use a numeric naming convention for the element.
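
The PX User Tracking guidance above (non-PII attributes, a hashcode for the user ID), shown as an added example that is not Gainsight's code or part of the original guidelines. It assumes the ID is derived on the server with a keyed HMAC-SHA256 rather than a bare hash, since a bare hash of a guessable value such as an email address can be matched by hashing candidates; the key, the attribute allowlist and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed key for this example only. Assumption: the real key lives in a
# server-side secrets store and is never sent to the browser.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Hypothetical allowlist of attributes reviewed and judged non-PII.
ALLOWED_ATTRIBUTES = frozenset({"role", "plan", "locale", "signUpMonth"})


def pseudonymous_user_id(internal_id, key=PSEUDONYM_KEY):
    """Return a stable hex ID derived from the internal user identifier.

    The input is trimmed and lower-cased so the same person always maps to
    the same ID. The key prevents anyone who holds only the analytics data
    from confirming a guessed identifier by hashing it themselves.
    """
    normalized = internal_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def build_identity(internal_id, attributes, key=PSEUDONYM_KEY):
    """Return (payload, dropped).

    payload holds the hashed ID plus allowlisted attributes and is what gets
    handed to the tracking snippet; dropped names the attributes withheld,
    so they can be logged and reviewed.
    """
    kept = {k: v for k, v in attributes.items() if k in ALLOWED_ATTRIBUTES}
    dropped = sorted(set(attributes) - ALLOWED_ATTRIBUTES)
    payload = {"id": pseudonymous_user_id(internal_id, key), "attributes": kept}
    return payload, dropped


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {
        "role": "nurse",
        "plan": "enterprise",
        "email": "pat@example.org",
        "dateOfBirth": "1980-01-01",
    }
    payload, dropped = build_identity("Pat@Example.org", record)
    print(payload)
    print("withheld:", dropped)
```

Rotating the key changes every derived ID, so plan rotation together with how historical analytics records are handled.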