Business Associate Agreements
Please contact legal@tidepool.org to discuss executing a Business Associate Agreement with Tidepool.
At this time, Tidepool is not a covered entity under HIPAA. However, your institution may be a covered entity under HIPAA (which is likely why you are reading this content).
Executing a Business Associate Agreement with Tidepool
Tidepool provides a standard Software Services Agreement and Business Associate Agreement for participating clinics and health systems that wish to use Tidepool's Base Platform at no cost. Please complete our Business Associate Agreement and return it to legal@tidepool.org so that the Agreement can be countersigned.
Redlines to either document (Software Services Agreement or Business Associate Agreement) will be entertained as part of a Tidepool+ Essential or Tidepool+ Professional contract. Please see provider.tidepool.org or contact clinic@tidepool.org for additional details about these Tidepool+ offerings.
To discuss Tidepool+ contracting terms, you can book a meeting with a member of our Sales team.
Tidepool's Business Associate Agreements with Subcontractors
Tidepool enters into Business Associate Agreements with the underlying technology providers that supply HIPAA-compliant services to Tidepool.
Tidepool inherits many security controls from our cloud vendors, particularly AWS, which provides the majority of our compute hosting services either directly or indirectly. For reference, links to the compliance documentation for these providers' certifications are given below. Due to internal security or confidentiality concerns, some providers do not publish detailed compliance information; the references that are publicly known are listed below.
Controls that are inherited from, or shared with, AWS, Google and other cloud providers include, but are not limited to: physical security, data center security, data destruction, network security controls and system inventory.
Amazon for Amazon Web Services
AWS provides all of its security audit and compliance documentation through AWS Artifact, a service within the AWS platform.
A free personal AWS account can be created to access this documentation if required.
Google for G Suite (email, Drive and Google Docs) and Google Cloud Platform
Google provides all of its compliance documentation through its Compliance Reports Manager.
Rollbar, for HIPAA-compliant client-side logging, monitoring and analysis
Sumo Logic, for HIPAA-compliant server-side logging, monitoring and analysis
Zendesk, for HIPAA-compliant customer support ticketing and knowledge base, found at support.tidepool.org
MongoDB Atlas, for HIPAA-compliant database software, hosting and services
Marketo, for HIPAA-compliant marketing communications tasks
Prior to entering into a BAA with a subcontractor, Tidepool performs a security and risk evaluation of each service and of its integration into Tidepool services, covering the following elements:
Security - encryption, authentication/SSO/MFA, authorization, logging, auditing, access control
Operations - metrics, reporting, availability, backup, data retention/re-use, continuity of service/data re-use
Regulatory - BAA implementation, service agreements
Legal - data location, storage, destruction, area of operations, company geographic location
Disaster Recovery/Continuity - data export, backup, re-use, continuity/data transformation/recomposition
Subcontractor security and risk evaluations are peer reviewed and approved by the Tidepool CEO/CPO and VP of Engineering prior to implementation.
The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.