Bandwidth HIPAA and Business Associate Agreement (BAA)


Marissa Brinkman


A Business Associate Agreement (BAA) is an agreement that extends HIPAA obligations to Bandwidth as a service provider on behalf of certain customers. 

By including this agreement, Bandwidth agrees to abide by the HIPAA Security Rule to safeguard Protected Health Information (PHI) that may be exchanged by Covered Entities over our platform. 

BAAs are intended for customers with platforms serving the Healthcare market, including doctor offices, pharmacies, and Health IT platforms, who are Covered Entities under HIPAA, and whose use case may include PHI in the content of messages or calls. If you believe you may need a BAA to work with Bandwidth, please reach out to your Bandwidth account manager or get in touch with our sales team. 

List of eligible products and services

Bandwidth is committed to serving healthcare communications better by continuously expanding the list of products covered by our BAA. Please see our HIPAA-eligible products and services for an up-to-date list.

Bandwidth BAA structure

A BAA sets out a business associate's obligations to the Covered Entity to protect PHI under the HIPAA Security Rule. In fact, most of the terms in it are specifically required by law. Some variation is expected based on the nature of the services and how each party will operationalize or comply with specific obligations.

In our case, Bandwidth’s BAA is carefully drafted to (1) include all of the provisions required by law, (2) scope for our HIPAA-eligible products in the context of the communications ecosystem, (3) include appropriate rights and responsibilities for both parties, and (4) do all of this without disturbing the terms of any underlying master agreement between Bandwidth and the customer.

Simply put, you can expect to find that our BAA, like the rest of our contracting process, is fair, on-point, and gets the job done. 

Frequently asked questions (FAQ)

What is PHI?

PHI stands for Protected Health Information. Protected Health Information under HIPAA generally refers to information: (1) about an individual’s past, present, or future health status or condition, the provision of health care, or the payment for healthcare, (2) that identifies an individual, and (3) that is created or received by a Covered Entity, where the individual can be identified with reasonable accuracy either directly or by reference to other information.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to prevent the disclosure of PHI. HIPAA requires Covered Entities, including hospitals, healthcare providers, pharmacies, and the business associates that support them, to take reasonable measures to protect PHI.

What is a BAA?

A Business Associate Agreement (BAA) is an agreement between Bandwidth, in its role as a Business Associate (as defined under HIPAA), and the customer, in its role as a Covered Entity or as a Business Associate itself, to ensure that each party appropriately safeguards PHI. Bandwidth enters into a BAA with Covered Entities consuming our messaging API and programmable voice API.

Can I send PHI via text message?

Sending PHI via any unencrypted channel should be carefully considered. Since PHI is controlled by the patient, their consent and knowledge of the risks may be required to send PHI via text message. In addition, security and privacy controls are a critical component of compliance with HIPAA for any telehealth platform and a shared obligation between a Covered Entity and a business associate. Covered Entities should consult with their legal counsel to ensure compliance with their obligations under HIPAA.  

Do all healthcare companies need a BAA to do business with Bandwidth?

Not all healthcare companies require a BAA to do business with Bandwidth. This may be because they aren't identified as Covered Entities under HIPAA, the nature of their use case doesn't include PHI, or the type of services they use falls under the conduit exception.

If you think you may need a BAA or you believe you will pass traffic that may contain PHI, you should discuss the risks and options with your legal team.

Do I need to sign a new BAA when Bandwidth releases new HIPAA-compliant products?

No. Our standard BAA includes the list of HIPAA-eligible products and services by reference. As Bandwidth continues to bring products and services into compliance with these standards, we'll update our list of HIPAA-Eligible Products and Services cited in the BAA; all new additions to the list will be covered on a prospective basis by existing agreements.

Disclaimer: The information provided in this document does not, and is not intended to, constitute legal advice; instead, all information is for general informational purposes only.
