Twilio Business Associate Agreement

12 Oct

Twilio offers a BAA for some of its products to covered entities. Customers who are subject to HIPAA and intend to use Twilio to build communication flows that carry PHI must execute a “Business Associate Addendum” (i.e., BAA) to Twilio's Terms of Service. Please note that some Twilio customers have separate agreements with us that govern the collection, use and transmission of their data. Where such separate agreements and this communication conflict, the separate agreements apply.

The Health Insurance Portability and Accountability Act (HIPAA) came into effect in 1996 as part of a major reform of the health care system in the United States. Part of the legislation aims to ensure data security and protection in the areas of access, use and disclosure of protected health information (PHI). HIPAA covers all organizations that meet the definition of “covered entities” or “business associates”. Under HIPAA, covered entities that use a service provider to process PHI on their behalf must enter into a business associate agreement with that provider. Accordingly, customers who are subject to HIPAA and intend to use Twilio's products and services to build communication flows containing PHI must execute a Business Associate Addendum (BAA) to Twilio's Terms of Service. Twilio's BAA has been developed with the specific products and services Twilio offers in mind, and treats HIPAA compliance as a shared responsibility between the customer and Twilio.

For more information about building a HIPAA-compliant workflow with Twilio offerings, see Architecting for HIPAA on Twilio.

Even if a software platform is secure, it is not considered HIPAA compliant if the software provider is unwilling or unable to sign a Business Associate Agreement (BAA). Until recently, Twilio was not HIPAA compliant for this reason. Since then, they have changed their position and are now ready to sign a BAA with their healthcare clients, which they call the “Business Associate Addendum”. Even if you send data via TLS or any other encrypted protocol, the provider and the healthcare organization must enter into an agreement to protect patient data and limit what can be done with the transferred PHI. If you add a new party to this equation, such as: Twilio is just one part of a larger solution, like a pharmacy app for an HMO or a contact tracing app for a public health agency.

For this larger solution to be HIPAA compliant, Twilio must be established as a business associate of the covered entity that created it. You don't need to trust Twilio (or any intermediary). You can transfer encrypted information end-to-end without the intermediary being able to access it. This is the solution we created with our API; you can see the full documentation here. Even if you encrypt the data at Twilio, and Twilio “promises” not to store the data and promises to encrypt the data when it is sent on, those promises are not good enough in the eyes of HIPAA/HITECH. You need an agreement, such as a business associate agreement, in which all parties agree to protect PHI. ...