by Kapua Iao
Article filed in

Is Quip HIPAA compliant?

by Kapua Iao

Quip logo

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to correctly create notations for proper patient care while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if Quip is HIPAA compliant or not.

About Quip

Quip launched in 2013 as a mobile-centric tool for creating shared notes, lists, and documents. Salesforce purchased Quip in 2016.

RELATED: How to make Salesforce emails HIPAA compliant

Quip standardizes, automates, and embeds real-time, collaborative documents inside Salesforce records. It has a built-in office suite functionality, including word processing, spreadsheet, and presentation software.

Users can prepare, transcribe, and share notes in a collaborative environment.

Finally, Quip includes a live updating history of edits as well as access to real-time CRM data.

Quip and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.

In this instance, Quip is a business associate of a healthcare organization if a note includes any electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

According to Salesforce, several Quip solutions are covered by a BAA including Quip for Salesforce. Salesforce stresses that its BAA does not cover any product not listed. Customers must not use those unlisted to transmit, store, or process PHI.

Quip, cybersecurity, and HIPAA

According to Jotform,

Quip . . . uses innovative security controls and measures that align with HIPAA compliance requirements. The system is fully encrypted and offers a variety of customizable privacy options to meet each organization’s unique compliance requirements.

In fact, the Security at Quip web page states that the company utilizes AES 256-bit encryption at rest and Transport Layer Security (TLS) 1.2 encryption in transit.

The Salesforce web page on the BAA provides further information about HIPAA and safeguarding PHI when using some of its services.

More or less, it is the responsibility of the customer to ensure the transmission is safe. Customers need a separate BAA for any transaction with another company.

Is Quip HIPAA compliant?

The BAA is a key component of HIPAA compliance and Salesforce will sign a BAA for its Quip product. Moreover, the company appears to utilize strong cybersecurity methods that follow HIPAA guidelines.

Conclusion

Quip for Salesforce can be HIPAA compliant.

Try Paubox Email Suite for FREE today.