[marcinzm]

As a note, HIPAA does not require end-to-end encryption as long as you have a BAA with the provider. Zoom has an option for a BAA starting at $200/month.

edit: Server-client communication does need to be encrypted which zoom does.

[lvh]

The Security Rule and Transmission Control Standard mention encryption, but as Addressable, not Required, if memory serves. That means you have to do it if it's "reasonable and appropriate", and in this context they just mean transport encryption like TLS, not Signal-style actual E2E.

Not that you shouldn't, of course. And you better have an excuse for not doing it (e.g. we don't re-encrypt after the load balancer terminates TLS is a common one). But doctor's offices fax stuff to each other all the time, and that certainly is not encrypted. Perhaps you're thinking of a HITRUST control?

(Minor nit: HIPAA, not HIPPA.)

[SkyPuncher]

It's a bit more nuanced. Hipaa (two a's) does not require the type end-to-end encryption that most devs come to think of.

Generally, Hipaa does require transport encryption from the client to the server processing the request. The importance here is SSL/TLS should be terminated at the app server.

[lonelappde]

HIPAA (all caps)

[biggc]

What is a BAA?

[lvh]

A BAA is a Business Associate Agreement. It's a standard HIPAA document where an entity with PHI (typically a Covered Entity, which is an entity specifically mentioned by HIPAA, such as e.g. a healthcare facility) effectively puts a vendor on notice: we may stuff PHI in your service, you agree to abide by this set of rules and regulations. A big one is that the vendor agrees to disclose when they've been breached, and the timeline on which that happens.

Even though a lot of online sources suggest BAAs are only for Covered Entities, that's not strictly speaking true. The standard form document doesn't require the buyer to certify they're a CE. It makes tons of sense for vendors of CEs, themselves bound by BAAs, to bind _their_ vendors to BAAs! If there's a decent chance your customers put PHI in your service, there's a decent chance they put PHI in your support system, and they don't really care if your support system is something in-house or Zendesk when that happens. There's also a good chance that PHI might end up in your logging system, and from there in your Slack instance, and... before you know it everyone's signed a BAA with everyone.

The life-hack consequence for that is that you can just collect BAAs from anyone who will sign them and now you have disclosure timeline guarantees.

[jonny_eh]

PHI: Protected Health Information.

I figured someone asking what BAA stands for doesn't necessarily know all the other acronyms.

Edit: Fixed definition!

[closeparen]

Protected, not Personal.

[jonny_eh]

Fixed, thanks!

[jiveturkey]

> disclosure timeline guarantees.

depends on your definition of "guarantee".

what you really have is externalisation of risk.

[marcinzm]

Business Associate Agreement.

A contract which defined how protected health information will be dealt with by the provider and how HIPAA provisions will be followed (ie: provider will do X but you need to do Y to be compliant).

https://www.hhs.gov/hipaa/for-professionals/covered-entities...

[chasb]

I wrote this a while back for our customers: https://www.aptible.com/hipaa/what-is-a-baa/

[schwank]

Business Associate Agreement, which defines the legal requirements between two parties sharing HIPAA data.