
Please contact legal@tidepool.org to discuss executing a Business Associate Agreement with Tidepool.

At this time, Tidepool is not a covered entity under HIPAA. However, your institution may be a covered entity under HIPAA (which is likely why you are reading this content).

Executing a Business Associate Agreement with Tidepool

Tidepool enters into Business Associate Agreements with health care systems and other covered entities by request.

We ask that a clinic wishing to enter into a Business Associate Agreement with Tidepool start by reviewing Tidepool's standard BAA for consideration.

Tidepool's Standard Business Associate Agreement

If you are able to accept the terms of the standard Business Associate Agreement, please download, sign, and return the PDF version (linked above) to legal@tidepool.org.

If you would like to request redlines be made to Tidepool’s standard Business Associate Agreement, please download the .docx version (linked above), make your suggested changes, and return that document to legal@tidepool.org.

Tidepool's Business Associate Agreements with Subcontractors

Tidepool enters into Business Associate Agreements with our underlying technology providers who provide HIPAA-compliant services for Tidepool.

Tidepool inherits many security controls from our cloud vendors, particularly AWS, who provide the majority of our compute hosting services either directly or indirectly. For reference, we provide links to the compliance documentation for these providers' certifications below. Due to internal security or confidentiality concerns, some entities do not provide detailed compliance information publicly, but known references are below.

Controls that are inherited from, or are a shared responsibility with, AWS, Google and other cloud providers include, but are not limited to, Physical Security, Data Center Security, Data Destruction, Network Security Controls, and System Inventory.

Prior to entering into a BAA with a subcontractor, Tidepool performs a security and risk evaluation of each service and its integration into Tidepool services, evaluating the following elements:

  • Security - encryption, authentication/SSO/MFA, authorization, logging, auditing, access control

  • Operations - metrics, reporting, availability, backup, data retention/re-use, continuity of service/data re-use

  • Regulatory - BAA implementation, service agreements

  • Legal - data location, storage, destruction, area of operations, company geographic location

  • Disaster Recovery/Continuity - data export, backup, re-use, continuity/data transformation/recomposition

Subcontractor security and risk evaluations are peer reviewed and approved by the Tidepool CEO/CPO and VP of Engineering prior to implementation.
