Which popular dev tools do and do not require a BAA?

Has anyone come across a resource which lists BAA requirements for the top 100 or so dev tools? Interested in (i) whether or not a BAA is required and (ii) the process for getting one signed with each vendor where it is required.

I’m thinking about working on a couple of health care projects and wondering how much I’m going to have to build myself even though it exists elsewhere.

Hi, good question! Instead of going through them all, I’ll start with a framework you can use to get to the correct answer most of the time.

If a vendor processes PHI on your behalf, you will need a BAA with them. In other words, you need a BAA with any vendor that is going to create, receive, maintain, or transmit identifiable health data for you.

We explain this in more detail in this resource: What is a HIPAA BAA?

Some takeaways:

  • With hosting/compute environments (Aptible Enclave app layer, AWS EC2) and data storage (Enclave database layer, AWS RDS, S3), it’s pretty easy to tell that a BAA is required for use with PHI.

  • For dev tools that interact with code and not prod data (text editors, linters/static analysis, etc.), a BAA is usually not required because there is no PHI being processed by a third party.

  • In cases where a third party might receive data (CI, source code version control, analytics, logging, error reporting, etc.) you have to be aware of what data the vendor is processing, both for normal use and in edge cases (e.g. a stack trace).

  • Finally, the same analysis applies to productivity tools (Gmail, Zendesk, etc.).
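The stack-trace edge case in the third takeaway above, worked through as an added example (this is not code from the original post or from Aptible). It uses only the standard library: the `traceback` module with `capture_locals=True` stands in for what an error-reporting SDK typically captures, and no vendor SDK is called. The patient record is constructed and fictional, and the PHI field names (`PHI_KEYS`) and identifier format (`MRN_RE`) are assumptions about an application's own data model, to be adjusted for the system being assessed.

```python
"""Added example: how PHI reaches a third-party error reporter through a
stack trace, and a scrubbing hook applied before the report leaves your
environment. Not from the original post; record and field names constructed."""
import re
import traceback

# Constructed sample record (fictional values), standing in for a real PHI row.
PATIENT = {"mrn": "MRN-0012345", "name": "Jane Q. Sample", "dob": "1970-01-01"}

# Assumptions about your own data model: which dict keys hold PHI, and what
# your identifiers look like. Adjust these to the application being assessed.
PHI_KEYS = ("mrn", "name", "dob", "ssn")
MRN_RE = re.compile(r"\bMRN-\d+\b")
# Matches repr()'d dict items such as 'name': 'Jane Q. Sample' in captured locals.
KV_RE = re.compile(r"'(%s)': '[^']*'" % "|".join(PHI_KEYS))


def lookup_coverage_leaky(patient):
    """Common mistake: PHI interpolated into the exception message itself."""
    raise LookupError(f"no coverage record for {patient['mrn']} ({patient['name']})")


def lookup_coverage_safe(patient):
    """Message carries no PHI; the record is only reachable through locals."""
    raise LookupError("no coverage record for patient")


def capture_report(fn, patient):
    """Stand-in for an error-reporting SDK: the formatted traceback including
    local variables, which several SDKs collect by default."""
    try:
        fn(patient)
    except Exception as exc:
        te = traceback.TracebackException.from_exception(exc, capture_locals=True)
        return "".join(te.format())
    return ""


def scrub(report):
    """before_send-style hook: redact PHI-keyed dict items and identifier
    patterns from the report text before it is handed to the vendor."""
    report = KV_RE.sub(r"'\1': '[REDACTED]'", report)
    return MRN_RE.sub("[REDACTED-MRN]", report)


def leaked_values(report, record):
    """Which PHI values from the record still appear verbatim in the report."""
    return sorted(v for k, v in record.items() if k in PHI_KEYS and str(v) in report)


if __name__ == "__main__":
    for fn in (lookup_coverage_leaky, lookup_coverage_safe):
        raw = capture_report(fn, PATIENT)
        print(f"--- {fn.__name__}: raw report leaks {leaked_values(raw, PATIENT)}")
        clean = scrub(raw)
        print(f"--- {fn.__name__}: scrubbed report leaks {leaked_values(clean, PATIENT)}")
        print(clean)
```

Both versions leak every PHI field in the raw report, because the record sits in the captured locals even when the message is clean. The scrubber catches the structured locals and the identifier pattern, but the patient name interpolated into the leaky message survives, since free text has no key to match on. That is the practical point behind the takeaway: either keep PHI out of messages and scrub what the SDK captures, or treat the error-reporting vendor as one that receives PHI and needs a BAA.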