This article provides guidance about the Quip Amendment to the HIPAA Business Associate Addendum (collectively, the “BAA”) that Salesforce offers customers for a subset of the Quip services, as discussed below. For a customer's use of the Quip Services to be covered by a BAA, you and Salesforce must sign an underlying Business Associate Addendum and then a Quip BAA Amendment that expressly includes the covered Quip services, and you must comply with the terms of the BAA and this article. In the event of a conflict between the BAA and this article, the terms of the BAA govern.
Covered Quip Services
The following services are covered by the Quip BAA Amendment. PHI must only be handled within these services. If a service is not listed below, it is not covered by the BAA and must not be used for transmitting, storing or processing Protected Health Information (PHI):
- Quip Services
- Quip Mobile
- Quip Live App Platform
Inbound transmission of PHI
When PHI is transmitted from a client, it must be sent over HTTPS connections. Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. It is your responsibility to ensure that PHI is only transmitted to Quip over HTTPS on any connection for which the customer can control the transmission protocol. Security reviews to ensure the secure transmission of data are your responsibility.
Transmission of PHI within a Virtual Cloud Network
If your application transmits PHI in a Quip Virtual Private Cloud, Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. It is your responsibility to ensure that PHI is only transmitted to Quip over HTTPS on any connection for which the customer can control the transmission protocol. Security reviews to ensure the secure transmission of data are your responsibility.
Transmission of PHI from Quip applications to external services
Transmission of PHI to Quip- and Salesforce-provided Add-on services
Customer must not transmit PHI to any Quip- or Salesforce-provided Add-on service not listed above. The only Add-on services that are approved for handling PHI are the services listed above in the section “Covered Quip Services”.
Transmission of PHI to Non-Quip/Salesforce Applications
Non-Quip/Salesforce applications such as partner-provided Add-on services are not provided by Quip/Salesforce and therefore are not covered by the Salesforce BAA. If customer’s application transmits PHI to such services, customer is responsible for verifying that the transmission and subsequent handling of PHI by those service providers meet HIPAA requirements.
Transmission of PHI to other Internet Services
Transmission of PHI to other services on the Internet is not covered by the Salesforce BAA. Customer is responsible for ensuring that such transmission and subsequent handling by the remote service meet HIPAA requirements.