Staffbase and HIPAA

Learn more about how we can support you as a healthcare provider in the United States.


Staffbase is your partner to protect employee and patient privacy

Staffbase is one of the fastest growing and most experienced employee communications platform providers. Companies in all industries — including more than 250 healthcare organizations — trust Staffbase to solve their unique challenges in a secure, scalable way. Security is of utmost importance to our platform and vision. As a US healthcare provider, we want to address your unique concerns and share more about how we support you.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a US law that regulates the collection and handling of protected health information (PHI). HIPAA applies to providers of health care, health plans, and health care clearinghouse services. These providers are required to handle PHI in a way that meets defined security standards.

When healthcare providers, known as covered entities, use third-party service providers who might process PHI, these service providers, known as business associates, must also adhere to the HIPAA standards. Under the HIPAA rules, covered entities and business associates must enter into a Business Associate Agreement (“BAA”) that covers the ways PHI must be handled.

Does Staffbase offer a BAA?

Yes, Staffbase has created a BAA that is tailored to our services and meets the HIPAA requirements.

We want to clarify that Staffbase provides a service for employee communications. We do not sell patient management systems or any other software where you’d expect to store and process PHI. For this reason, our BAA is limited to specific Staffbase Services and we require our customers to take the necessary technical and/or organizational measures to protect any PHI that might end up in the Staffbase platform.

How does Staffbase secure PHI?

At Staffbase, we are committed to ensuring that all of your data is always protected. Staffbase is ISO 27001 certified. As part of our ISO 27001 certification, Staffbase routinely conducts risk assessments and prepares risk treatment plans to mitigate any identified risks so that we continuously improve our security controls. More information about our security practices can be found here.

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that we may process on behalf of covered entities under a BAA. These safeguards include measures required by the HIPAA security rule.

Learn how Staffbase supports customers with their HIPAA compliance based on our ISO 27001 certification.

Staffbase is limited to the status of a business associate under the BAA. Staffbase is not a holder of the Designated Record Set. The HIPAA requirements for a business associate are met through Staffbase's ISO 27001 certification.

[Infographic (PDF): Staffbase HIPAA compliance based on ISO 27001 certification, covering safeguards and Staffbase approaches in various categories.]

FAQ about the Staffbase BAA

Our HIPAA requirements

We have listed a number of recommendations for customers on how to increase transparency within their organization about what is allowed and what is prohibited when using the Staffbase products.

We require customers that sign a BAA with Staffbase to:
  • Have policies in place prohibiting the use of PHI in the Staffbase platform;

  • Enforce these policies against their employees;

  • Regularly monitor and remove any PHI in the Staffbase platform;

  • Select “US Hosting” for data hosting;

  • Activate the “Secure media” feature;

  • Activate SSO as the sign-in procedure;

  • Review access rights of their employees to the Staffbase platform; and

  • Configure appropriate session management (session timeout & maximum number of concurrent sessions).

…when using the Employee App & Intranet:
  • Clarify in the legal terms what data must not be shared in the Staffbase platform;

  • Regularly have employees acknowledge internal policies in regards to PHI;

  • Educate employees about the risks associated with sharing PHI;

  • Limit chat access to certain (groups of) employees; and

  • Customize the footer of email notifications to inform employees what to do in case an email contains PHI.

…when using Staffbase Email:
  • Instruct users of the Email product to exclude any PHI from any email they plan to send;

  • Educate users of the Email product about the risks associated with sharing PHI;

  • Include a notification in each email instructing email recipients to delete emails that contain PHI.