
Staffbase supports 55,000 healthcare workers.

Staffbase is one of the fastest growing and most experienced internal communications platform providers. Companies of all industries use Staffbase to solve their unique internal communication challenges, including those in the healthcare sector. Together we’ve successfully launched over 1,000 employee communication apps and intranet projects for organizations worldwide, including healthcare providers in the US.

We’re confident in our track record and we also understand that as a healthcare provider active in the US, you may have additional questions such as: “Can you share Protected Health Information (“PHI”) in the Staffbase Services?” Or, “Is Staffbase HIPAA compliant?” We’ve created this page to help you address these concerns and learn more about how we can support you as a healthcare provider in the United States.

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a US law that regulates the collection and handling of PHI. HIPAA applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle PHI in a way that meets defined security standards.

When healthcare providers, known as covered entities, use third-party service providers who might process PHI, these service providers, known as business associates, must also adhere to the HIPAA standards. Under the HIPAA rules, covered entities and business associates must enter into a Business Associate Agreement (“BAA”) that covers the ways PHI must be handled.
Does Staffbase offer a BAA?
Yes, Staffbase has created a BAA that is tailored to our services and meets the HIPAA requirements.

We want to clarify that Staffbase provides a service for employee communications. We do not sell patient management systems or any other software where you’d expect to store and process PHI. For this reason, our BAA is limited to specific Staffbase Services and we require our customers to take the necessary technical and/or organizational measures to protect any PHI that might end up in the Staffbase platform.
How does Staffbase secure PHI?
At Staffbase, we are committed to ensuring that all of your data is always protected. Staffbase is ISO 27001 certified. As part of our ISO 27001 certification, Staffbase routinely conducts risk assessments and prepares risk treatment plans to mitigate any identified risks so that we continuously improve our security controls. More information about our security practices can be found here.

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that we may process on behalf of covered entities under a BAA. These safeguards include measures required by the HIPAA security rule.

Learn how Staffbase supports customers with their HIPAA compliance based on our ISO 27001 certification.

Staffbase is limited to the status of a business associate under the BAA. Staffbase is not a holder of the Designated Record Set. The HIPAA requirements for a business associate are met through Staffbase's ISO 27001 certifications.
Staffbase HIPAA compliance table

FAQ about the Staffbase BAA

Yes, we have entered into BAAs with those Subprocessors that may process PHI in relation to the Staffbase Services. You can find an overview of our Subprocessors on our Subprocessor Page here. For clarity, not all of our Subprocessors process PHI.
We treat all Customer Data the same. We do not monitor Customer Data for specific content, including PHI. This also means that Staffbase does not segregate PHI for special treatment. Staffbase does not maintain a Designated Record Set.
No, at the moment the Staffbase BAA only covers the following core products:

  • User Profiles;
  • Chat Plugin;
  • News Plugin; and
  • Pages Plugin.

Any other Staffbase products (including plugins and widgets), Staffbase services (including support services) and Third-Party Services (including Integrations) are not covered by the Staffbase BAA, unless otherwise specified by us.
Yes, if you sign a BAA with Staffbase, we require you to implement a set of security configurations designed to help you safeguard PHI. You can find an overview of the most up-to-date requirements and recommendations below. Please ask your Customer Success Manager if you wish to receive additional information or if something is not clear.

Our HIPAA requirements.
We require customers that sign a BAA with Staffbase to:
  • Have policies in place prohibiting the use of PHI in the Staffbase platform;
  • Enforce these policies against their employees;
  • Regularly monitor and remove any PHI in the Staffbase platform;
  • Select “US Hosting” for data hosting;
  • Activate the “Secure media” feature;
  • Activate SSO as the sign in procedure;
  • Review access rights of their employees to the Staffbase platform; and
  • Configure appropriate session management (session timeout & maximum number of concurrent sessions).
Our HIPAA recommendations.
In addition to our requirements listed above, we highly recommend that customers who sign a BAA with us:
  • Clarify in the legal terms what data must not be shared in the Staffbase platform;
  • Regularly have employees acknowledge internal policies with regard to PHI;
  • Educate employees about the risks associated with sharing PHI;
  • Limit chat access to certain (groups of) employees; and
  • Customize the footer of email notifications to inform employees what to do in case an email contains PHI.

Please contact us if you have any questions.
