HIPAA-related question

I work for a digital agency which is considering Prismic as a platform for several of our clients. One of the clients we're considering Prismic for is in the medical field and requires all vendors they work with to sign a Business Associate Agreement (BAA) as part of their HIPAA compliance efforts, regardless of whether that vendor directly handles any HIPAA-covered data. I wanted to see if this is an arrangement Prismic would consider, or if it's not an option.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Hey Scott!

We take security seriously and have implemented several measures to protect sensitive data, including encryption, secure authentication (via OAuth2 for private API access), and regular backups for Enterprise plans. While we are currently GDPR compliant, regarding HIPAA, we do not have a specific Business Associate Agreement (BAA) in place.

For more information read our legal and security page.

Hi Pau,

Thanks for the reply. Unfortunately this doesn't quite answer my question. Would it be possible to talk to someone via email or some other method that's not a public forum post? I have a sample BAA I can provide which my client would require Prismic to sign if they were to use your service. The contact forms I was finding on your site were mostly around requesting a demo, which is why I started here in the forum.

I'm probably not qualified to speak to this, but I would imagine that since Prismic is used to create and serve content for the web, it is unlikely that anyone would be putting sensitive healthcare-related data into this system. If your site/web app does tie into someone's personal data on a dashboard, then this data would likely be stored in a database somewhere. This database, I would imagine, needs HIPAA compliance/certification. If your web app is hosted on something like Vercel, or you're using AWS, etc., they would be the ones who need to provide the HIPAA compliance, SOC 2, etc. info. Private information is not something that would go into Prismic.
Does that sound close?

Yeah, I 100% agree with you. But this part of my original post is why I'm still bringing it up:

Sorry I missed that part. In reading what you linked to, I can see why one might see Prismic as a business associate in this instance, but if neither you nor patients provide data to Prismic, is it really something that this covers?

The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.