SAP is a cloud and enterprise software provider that enables organizations to manage business operations, data analytics, and enterprise resource planning across industries, including healthcare. With SAP, organizations can leverage “HIPAA Eligible Services” to store or process protected health information (PHI) within the platform.
Is SAP HIPAA compliant? SAP can be HIPAA compliant.
Yes, SAP will sign a business associate agreement with customers that intend to store or process PHI in HIPAA Eligible Services. The BAA can be reviewed by contacting your SAP Sales team.
The SAP BAA establishes contractual assurances about data safeguarding, reporting, and access in accordance with HIPAA regulations. The BAA covers:
According to SAP: “SAP helps customers support HIPAA compliance by adhering to the HIPAA Security Rule requirements in its capacity as a business associate, including the implementation of the required technical, physical, and administrative safeguards.”
SAP’s BAA does not make the customer HIPAA compliant automatically. SAP notes: “By offering a BAA, SAP helps support your HIPAA compliance, but using SAP services or other cloud services doesn't guarantee compliance of such cloud services. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place.”
SAP signs a BAA and therefore can support HIPAA compliance, but ultimate responsibility for HIPAA adherence lies with the customer.
A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. Its purpose is to ensure the proper protection of PHI as required by HIPAA regulations.
HIPAA sets national standards for protecting the privacy and security of certain health information, known as PHI. HIPAA ensures healthcare providers and insurers can securely exchange electronic health information and establishes penalties for violations.
HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as business associates performing certain functions or activities on behalf of these covered entities.