Can I use MuleSoft and be HIPAA compliant?


We sometimes get asked by customers and prospects about MuleSoft and whether it can be used in a HIPAA compliant manner.

We know the healthcare industry is vast, so we can empathize with how many people in this sector need to use cloud services while staying HIPAA compliant.

In previous posts, we've covered a number of other cloud solutions and their capabilities for HIPAA compliance.

Today, we will determine whether MuleSoft offers a HIPAA compliant service or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

MuleSoft

MuleSoft provides integration software for connecting applications, data and devices.

The company’s Anypoint Platform of integration products ties together SaaS and on-premises software.

MuleSoft was acquired in March 2018 by Salesforce for $6.5B in cash and stock.

MuleSoft and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked MuleSoft's site and discovered that it attained HITRUST certification in 2014.

HITRUST is the most widely recognized security certification in US healthcare and is generally treated as the gold standard for demonstrating HIPAA compliance.

As we've also discussed previously, the U.S. Department of Health and Human Services (HHS) does not offer an official HIPAA certification, so HITRUST certification is evidence of strong security controls, not a substitute for a Business Associate Agreement.

We had a hard time, however, finding any mention of whether MuleSoft will actually sign a BAA with its customers.

For example, in a Dataloader.io Community Discussion post from 2015, a Dataloader employee stated:

“In regards to HIPAA, MuleSoft is not subject to HIPAA regulations, as we do not directly handle personal health information. HIPAA is only applicable to covered entities.

We are, however, certified under HiTrust. If you aren’t familiar with HiTrust, it is a common security framework designed to simplify compliance with technical controls derived from HIPAA/HITECH. HiTrust is a very extensive security framework, that many companies are pursuing because it incorporates other standards and provides clear, actionable guidelines.”

Although Dataloader.io is a MuleSoft product, that reply is not accurate.

HIPAA regulations apply to both Covered Entities (CE) and Business Associates (BA). Since the HITECH Act of 2009 and the 2013 HIPAA Omnibus Rule, business associates are directly liable for complying with the Security Rule and the applicable provisions of the Privacy Rule. A vendor that creates, receives, maintains or transmits ePHI on behalf of a covered entity is a business associate regardless of whether it considers itself to "directly handle" the data.

SEE ALSO: HIPAA Privacy Rule for Business Associates

HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule comes to mind when thinking about MuleSoft and HIPAA compliance.

As an overview, it originated in the preamble to the HIPAA Privacy Rule, published in December 2000, rather than in the regulation text itself.

In discussing the definition of "business associate" at 45 CFR § 160.103, HHS wrote:

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

HIPAA Conduit Exception Rule and Cloud Service Providers

Cloud computing did not exist in its current form in 2000, so the obvious question arises:

How does a Cloud Service Provider (CSP) like MuleSoft fit into the HIPAA Conduit Exception Rule?

We can reference HHS's Guidance on HIPAA & Cloud Computing, published by the Office for Civil Rights in October 2016, for help.

Question 3 states:

Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

Does MuleSoft Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate.

We were quickly able to determine that MuleSoft attained HITRUST certification in 2014.

We were unable to ascertain, however:

  • HITRUST certification must be renewed every two years. Has MuleSoft kept up with its HITRUST renewals since 2014?
  • Will MuleSoft sign a BAA with its customers?
  • It is unlikely that MuleSoft qualifies for the HIPAA Conduit Exception Rule, since an integration platform that processes and transforms ePHI, and may persist it in queues, caches or logs, is not a transmission-only service under the HHS guidance above. Does MuleSoft share this outlook?

Conclusion: MuleSoft is HITRUST certified, which is the gold standard in US healthcare for HIPAA compliance. It remains inconclusive, however, whether MuleSoft will sign Business Associate Agreements with its customers, and without a signed BAA a covered entity cannot use MuleSoft to handle ePHI in a HIPAA compliant manner.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
