Quip - Business Associate Addendum Restrictions

Last updated: September 13, 2019

This article provides guidance about the Quip Amendment to the HIPAA Business Associate Addendum (collectively, the “BAA”) that Salesforce offers customers for a subset of the Quip services that are covered under the BAA, as discussed below (the “Quip Covered Services”). In order for a customer’s use of Quip services to be covered by the BAA, (1) you and Salesforce must sign an underlying Business Associate Addendum and then a Quip BAA Amendment that expressly includes the Quip Covered Services, and (2) you must comply with the terms of the BAA and this article. In the event of a conflict between the BAA and this article, the terms of the BAA govern.

Table of Contents

  1. Quip Covered Services
  2. Inbound Transmission of PHI
  3. Transmission of PHI within a Virtual Cloud Network
  4. Transmission of PHI from Quip Applications to External Services
  5. Transmission of PHI to Quip Add-On Services
  6. Transmission of PHI to Non-SFDC Applications
  7. Transmission of PHI to other Internet Services

Quip Covered Services

The following services are covered by the Quip BAA Amendment. PHI must only be handled within these services. If a Quip service is not listed below, it: (1) is not a Quip Covered Service; (2) is not covered by the BAA; and (3) must not be used for transmitting, storing or processing Protected Health Information (PHI):

  • Quip Starter
  • Quip Enterprise
  • Quip for Salesforce
  • Quip Virtual Private Cloud
  • Quip Mobile (Add-on Service)
  • Quip Live App Platform (Add-on Service)

Inbound Transmission of PHI

When PHI is transmitted from a client, it must use HTTPS connections. Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. It is your responsibility to ensure that PHI is only transmitted to the Quip Covered Services over HTTPS connections for which the customer can control transmission protocols. In addition, it is your responsibility to ensure the secure transmission of data.

Transmission of PHI within a Virtual Cloud Network

If your application transmits PHI in Quip Virtual Private Cloud, Quip enforces TLS version 1.2 or higher when clients connect with HTTPS. It is your responsibility to ensure that PHI is only transmitted to the Quip Covered Services over HTTPS connections for which the customer can control transmission protocols. In addition, it is your responsibility to ensure the secure transmission of data.

Transmission of PHI from Quip Applications to External Services

Transmission of PHI to Quip Add-On Services

The only Add-on services that are approved for handling PHI when using Quip are Quip Mobile and Quip Live App Platform. Customer must not transmit PHI to any other Add-on service provided by Quip or Salesforce unless that Add-on service is separately covered under the Salesforce BAA.

Transmission of PHI to Non-SFDC Applications

Non-SFDC Applications (as described in the customer’s Master Subscription Agreement) include customer-provided or third-party partner-provided applications or services. They are not covered by the BAA. If customer’s application transmits PHI to such Non-SFDC Applications, then customer is responsible for verifying that the transmission and subsequent handling of such PHI by the service providers that offer those Non-SFDC Applications also meet HIPAA requirements.

Transmission of PHI to other Internet Services

Transmission of PHI to other services on the Internet is not covered by the BAA. Customer is responsible for ensuring that such transmission and subsequent handling of such PHI by the remote service meet HIPAA requirements.

 

 
