Customers and prospects sometimes ask us about MuleSoft and whether they can use it in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon Alexa
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Citrix ShareFile
- Constant Contact
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Hangouts Chat
- Google Slides
- Google Voice
- Microsoft Teams
- Office 365
- Return Path
- Uber Health
Today, we will determine if MuleSoft offers HIPAA compliant service or not.
MuleSoft provides integration software for connecting applications, data and devices.
The company’s Anypoint Platform of integration products ties together SaaS and on-premises software.
MuleSoft was acquired in March 2018 by Salesforce for $6.5B in cash and stock.
MuleSoft and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked MuleSoft’s site and discovered they attained HITRUST certification in 2014.
HITRUST is the leading security certification in US healthcare and is currently the gold standard for HIPAA compliance.
As we’ve also discussed previously, the U.S. Department of Health and Human Services (HHS) does not have an official HIPAA certification.
We had a hard time, however, finding any mention of whether MuleSoft will actually sign a BAA with its customers.
For example, in a Dataloader.io Community Discussion post from 2015, a Dataloader employee stated:
“In regards to HIPAA, MuleSoft is not subject to HIPAA regulations, as we do not directly handle personal health information. HIPAA is only applicable to covered entities.
We are, however, certified under HiTrust. If you aren’t familiar with HiTrust, it is a common security framework designed to simplify compliance with technical controls derived from HIPAA/HITECH. HiTrust is a very extensive security framework, that many companies are pursuing because it incorporates other standards and provides clear, actionable guidelines.”
While Dataloader.io is a MuleSoft product, the reply is not accurate.
HIPAA regulations apply to both Covered Entities (CE) and Business Associates (BA).
HIPAA Conduit Exception Rule
The HIPAA Conduit Exception Rule comes to mind when thinking about MuleSoft and HIPAA compliance.
As an overview, it was created by the HIPAA Privacy Rule in 2000.
As per Section 160.103 – Definitions:
We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.
HIPAA Conduit Exception Rule and Cloud Service Providers
Since a lot of time has elapsed since 2000, the obvious question arises:
How does a Cloud Services Provider (CSP) like MuleSoft fit into the HIPAA Conduit Exception Rule?
We can reference Guidance on HIPAA & Cloud Computing (HHS) for help.
Question 3 states:
Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
As explained in previous guidance, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
Does MuleSoft Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate.
We were quickly able to determine that MuleSoft attained HITRUST certification in 2014.
We were unable, however, to ascertain the following:
- HITRUST certification must be renewed every two years. Has MuleSoft kept up with HITRUST renewals?
- Will MuleSoft sign a BAA with its customers?
- It is unlikely MuleSoft qualifies for the HIPAA Conduit Exception Rule. Does MuleSoft share this outlook?
Conclusion: MuleSoft is HITRUST certified, which is the gold standard in US healthcare for HIPAA compliance. It remains inconclusive, however, whether they will sign Business Associate Agreements with their customers.