Quip - Business Associate Addendum Restrictions

Table of Contents

Covered Quip Services

Inbound transmission of PHI

Transmission of PHI within a Virtual Private Cloud

Transmission of PHI from Quip applications to external services

Transmission of PHI to Quip and Salesforce provided Add-on services

Transmission of PHI to Non-Quip/Salesforce Applications

Transmission of PHI to other Internet Services

This article provides guidance about the Quip Amendment to the HIPAA Business Associate Addendum (collectively, the “BAA”) that Salesforce offers customers for a subset of the Quip services, as discussed below. For a customer’s use of the Quip services to be covered by a BAA, you and Salesforce must sign an underlying Business Associate Addendum and then a Quip BAA Amendment that expressly includes the covered Quip services, and you must comply with the terms of the BAA and this article. In the event of a conflict between the BAA and this article, the terms of the BAA govern.

Covered Quip Services

The following services are covered by the Quip BAA Amendment. PHI must only be handled within these services. If a service is not listed below, it is not covered by the BAA and must not be used for transmitting, storing or processing Protected Health Information (PHI):

  • Quip Services
  • Quip Mobile
  • Quip Live App Platform 

Inbound transmission of PHI

PHI transmitted from a client must be sent over HTTPS connections. Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. For connections whose transmission protocols you can control, it is your responsibility to ensure that PHI is transmitted to Quip only over HTTPS. Security reviews to ensure the secure transmission of data are your responsibility.

Transmission of PHI within a Virtual Cloud Network

If your application transmits PHI in a Quip Virtual Private Cloud, Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. For connections whose transmission protocols you can control, it is your responsibility to ensure that PHI is transmitted to Quip only over HTTPS. Security reviews to ensure the secure transmission of data are your responsibility.

Transmission of PHI from Quip applications to external services

Transmission of PHI to Quip and Salesforce provided Add-on services

Customer must not transmit PHI to any Quip or Salesforce provided Add-on service not listed above. The only Add-on services that are approved for handling PHI are the services listed above in the section “Covered Quip Services”.

Transmission of PHI to Non-Quip/Salesforce Applications

Non-Quip/Salesforce applications, such as partner-provided Add-on services, are not provided by Quip/Salesforce and therefore are not covered by the Salesforce BAA. If customer’s application transmits PHI to such services, customer is responsible for verifying that the transmission and subsequent handling of PHI by those service providers meet HIPAA requirements.

Transmission of PHI to other Internet Services

Transmission of PHI to other services on the Internet is not covered by the Salesforce BAA. Customer is responsible for ensuring that such transmission and subsequent handling by the remote service meet HIPAA requirements.

 
