Today we’ll research whether Airbase provides a HIPAA compliant service.
Airbase is a cloud-based spend management platform that helps businesses automate and streamline their spend management processes. It is designed to help finance teams gain visibility and control over company spending by providing a centralized platform for managing expenses, invoices, and payments.
With Airbase, businesses can manage their spend across various categories such as employee expenses, vendor payments, subscriptions, and more. It provides features such as virtual and physical corporate cards, invoice management, and automated workflows for approvals and reimbursements.
Airbase and the business associate agreement
There’s a primary item to consider when it comes to Airbase and its ability to provide a HIPAA compliant service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Airbase, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.
We checked Airbase's site and could not find any mention of their ability to sign a BAA with customers. Specifically, we closely checked these pages:
Does Airbase offer HIPAA compliant service?
The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.
With regard to being considered a HIPAA compliant solution, we were able to learn the following about Airbase:
- Airbase states in their Security Policy they are SOC 2 Type II and SOC 1 Type II compliant.
- We could not find any mention of their stance on HIPAA compliance, however.
Conclusion: Airbase is likely not HIPAA compliant, as we could not find any mention of their ability to sign a BAA on their site.