Please contact legal@tidepool.org to discuss executing a Business Associate Agreement with Tidepool.

At this time, Tidepool is not a covered entity under HIPAA. However, your institution may be a covered entity under HIPAA (which is likely why you are reading this content).

Executing a Business Associate Agreement with Tidepool

Tidepool enters into Business Associate Agreements with health care systems and other covered entities by request.

We ask that a clinic wishing to have a Business Associate Agreement with Tidepool start by reviewing Tidepool's standard BAA for consideration.

Tidepool's Standard Business Associate Agreement

If you are able to accept the terms of the standard Business Associate Agreement, please download, sign, and return the PDF version (linked above) to legal@tidepool.org.

If you would like to request redlines be made to Tidepool’s standard Business Associate Agreement, please download the .docx version (linked above), make your suggested changes, and return that document to legal@tidepool.org.

Tidepool provides a standard Software Service Agreement and Business Associate Agreement for participating clinics and health systems that wish to use Tidepool’s Base Platform at no cost. Please fill out our Business Associate Agreement and return it to legal@tidepool.org to get the Agreement countersigned.

Redlines to either document (Software Services Agreement or Business Associate Agreement) will be entertained as part of a Tidepool+ Essential or Tidepool+ Professional contract. Please see provider.tidepool.org or contact clinic@tidepool.org for additional details about these Tidepool+ offerings.

To discuss Tidepool+ contracting terms, you can use this link to book a meeting with a member of our Sales team.

Tidepool's Business Associate Agreements with Subcontractors

Tidepool enters into Business Associate Agreements with our underlying technology providers who provide HIPAA-compliant services for Tidepool.

Tidepool inherits many security controls from our cloud vendors, particularly AWS, who provide the majority of our compute hosting services either directly or indirectly. For reference, we provide links to the compliance documentation for these providers' certifications below. Due to internal security or confidentiality concerns, some entities do not provide detailed compliance information publicly, but known references are below.

Controls that are inherited from, or are a shared responsibility with, AWS, Google and other cloud providers include, but are not limited to, Physical Security, Data Center Security, Data Destruction, Network Security Controls, and System Inventory.

Prior to entering into a BAA with a subcontractor, Tidepool performs a security and risk evaluation of each service and its integration into Tidepool services, evaluating the following elements:

  • Security - encryption, authentication/SSO/MFA, authorization, logging, auditing, access control

  • Operations - metrics, reporting, availability, backup, data retention/re-use, continuity of service/data re-use

  • Regulatory - BAA implementation, service agreements

  • Legal - data location, storage, destruction, area of operations, company geographic location

  • Disaster Recovery/Continuity - data export, backup, re-use, continuity/data transformation/recomposition

Subcontractor security and risk evaluations are peer reviewed and approved by the Tidepool CEO/CPO and VP of Engineering prior to implementation.