Do we need to sign a BAA for your HIPAA-compliant MSP?
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI). ePHI is patient health information that is computer based.
The data stored within Passportal includes system configuration notes, URLs, and login credentials to various systems and applications, some of which may be systems or applications that store or manage ePHI.
While the login credentials stored in Passportal may be those that grant access to systems containing ePHI, the login or password data itself is not considered ePHI. This is the first reason why there is no need for Passportal to sign a BAA.
Any individuals or organizations that can access, know, or otherwise use the access information to ePHI, which includes URLs or remote server addresses and login credentials, would inherently be required to sign a BAA agreeing to cooperate in safeguarding the ePHI they have access to. With this in mind, Passportal's data encryption technology, which leverages hundreds of rounds of AES-256 encryption via 6 unique SHA-256 hash keys used on a random algorithmic basis for each login credential stored, guarantees that no member of the Passportal organization can ever access, see, or know the decrypted format of that data. One of the 6 keys used in this encryption technology is never generated, stored, or known by Passportal. This unknown encryption key is the Organization Key your company chooses upon registering an account with Passportal. The involvement of the Organization Key in our encryption technology makes it impossible for members of the Passportal team to completely decrypt any password data within our platform. This is the second reason why there is no need for Passportal to sign a BAA.
In conclusion, since there is no ePHI data stored within Passportal and no employee, contractor, consultant, or representative of Passportal can access the login credentials stored within Passportal, the company is precluded from any requirement to sign a BAA to meet and maintain your and your clients' HIPAA compliance.