
Staffbase is your partner to protect employee and patient privacy

Staffbase is one of the fastest growing and most experienced employee communications platform providers. Companies in all industries — including more than 250 healthcare organizations — trust Staffbase to solve their unique challenges in a secure, scalable way.

Security is of utmost importance to our platform and vision. If you are a US healthcare provider, we want to address your unique concerns and share more about how we support you.

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a US law that regulates the collection and handling of protected health information (“PHI”). HIPAA applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle PHI in a way that meets defined security standards.

When healthcare providers, known as covered entities, use third-party service providers who might process PHI, these service providers, known as business associates, must also adhere to the HIPAA standards. Under the HIPAA rules, covered entities and business associates must enter into a Business Associate Agreement (“BAA”) that covers the ways PHI must be handled.
Does Staffbase offer a BAA?
Yes, Staffbase has created a BAA that is tailored to our services and meets the HIPAA requirements.

We want to clarify that Staffbase provides a service for employee communications. We do not sell patient management systems or any other software where you’d expect to store and process PHI. For this reason, our BAA is limited to specific Staffbase Services and we require our customers to take the necessary technical and/or organizational measures to protect any PHI that might end up in the Staffbase platform.
How does Staffbase secure PHI?
At Staffbase, we are committed to ensuring that all of your data is always protected. Staffbase is ISO 27001 certified. As part of our ISO 27001 certification, Staffbase routinely conducts risk assessments and prepares risk treatment plans to mitigate any identified risks so that we continuously improve our security controls. More information about our security practices can be found here.

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that we may process on behalf of covered entities under a BAA. These safeguards include the measures required by the HIPAA Security Rule.

Learn how Staffbase supports customers with their HIPAA compliance based on our ISO 27001 certification.

Staffbase is limited to the status of a business associate under the BAA. Staffbase is not a holder of the Designated Record Set. The HIPAA requirements for a business associate are met through Staffbase's ISO 27001 certifications.

FAQ about the Staffbase BAA

Yes, we have entered into BAAs with those Subprocessors that may process PHI in relation to the Staffbase Services. You can find an overview of our Subprocessors on our Subprocessor Page here. For clarity, not all of our Subprocessors process PHI.

We treat all Customer Data the same. We do not monitor Customer Data for specific content, including PHI. This also means that Staffbase does not segregate PHI for special treatment. Staffbase does not maintain a Designated Record Set.

No. At the moment our BAA covers the following Staffbase products:

  • Employee App
  • Intranet
  • Email

For clarity, our BAA does not apply to (i) Support Services; (ii) Third-Party Services; and (iii) Betas and Trials.

Yes, if you sign a BAA with Staffbase, we require you to implement a set of organizational and security measures designed to help you safeguard PHI. Below you can find an overview of the most up-to-date HIPAA requirements and a number of recommendations to ensure transparency and mitigate potential risks.
Our HIPAA requirements
We require customers that sign a BAA with Staffbase to:
  • Have policies in place prohibiting the use of PHI in the Staffbase platform;
  • Enforce these policies against their employees;
  • Regularly monitor and remove any PHI in the Staffbase platform;
  • Select “US Hosting” for data hosting;
  • Activate the “Secure media” feature;
  • Activate SSO as the sign-in procedure;
  • Review access rights of their employees to the Staffbase platform; and
  • Configure appropriate session management (session timeout & maximum number of concurrent sessions).
Our HIPAA recommendations
We have listed a number of recommendations for customers on how to increase transparency within their organization on what is allowed and prohibited in relation to the use of the Staffbase products.
Employee App & Intranet
  • Clarify in the legal terms what data must not be shared in the Staffbase platform;
  • Regularly have employees acknowledge internal policies in regards to PHI;
  • Educate employees about the risks associated with sharing PHI;
  • Limit chat access to certain (groups of) employees; and
  • Customize the footer of email notifications to inform employees what to do in case an email contains PHI.
Email
  • Instruct users of the Email product to exclude any PHI from any email they plan to send;
  • Educate users of the Email product about the risks associated with sharing PHI;
  • Include a notification in each email instructing recipients to delete emails that contain PHI.

Please contact us if you have any questions.
