New Surveys feature now available! Learn more →

HIPAA Deployment Guide

[Last update: July 10th, 2026]
Download as PDF

Purpose

Air360 is designed to collect behavioral analytics rather than patient information.

Healthcare customers should configure Air360 so that Protected Health Information (PHI) is never transmitted to the platform.

Session Replay

For customers with an executed Business Associate Agreement (BAA), Air360 enables full text obfuscation by default, which prevents any text on the page, not just form inputs, from ever being captured in session replays. Customers without a BAA can contact Air360 to enable this option.

  • Mask all user-entered text.
  • Exclude password fields.
  • Exclude medical record forms.
  • Exclude patient portals.
  • Exclude billing forms.
  • Exclude authentication pages.

Events

Do not send:

  • patient names;
  • dates of birth;
  • medical record numbers;
  • insurance identifiers;
  • diagnosis information;
  • treatment information;
  • laboratory results;
  • prescription information.

Events should instead use anonymous identifiers or internal application identifiers that cannot identify an individual.

URLs

Applications should not include PHI within:

  • URL paths;
  • query parameters;
  • fragments.

For example:

Incorrect: /patient/JohnSmith

Correct: /patient/a91f4e2c (an opaque internal identifier, not a medical record number or other identifier from the patient’s records)

Custom Properties

Custom properties should never contain PHI.

Avoid:

  • names;
  • email addresses;
  • phone numbers;
  • addresses;
  • patient IDs;
  • diagnoses;
  • free-text notes.

Data Layer

If using a JavaScript data layer, ensure that objects transmitted to Air360 exclude PHI.

Testing

Before production deployment:

  • verify that session replays contain no readable text;
  • verify that custom events contain no PHI;
  • verify that URLs contain no PHI;
  • review captured payloads using browser developer tools.

Customer Responsibility

Customer is responsible for ensuring that PHI is not transmitted to Air360.

If PHI is inadvertently captured, Customer should immediately notify Air360 and remove the affected implementation until corrective measures have been applied.