Gearset is committed to protecting your and your customers' data. We understand the need for assurance that your data is not only secure but that it’s also being used in a manner that's compliant with laws and regulations.
This guide is intended for Gearset customers that have a Business Associate Agreement (BAA) in place with us, or intend to enter into one with us. We’ve created this guide to provide you with the knowledge you need on how to use our products in a HIPAA-compliant way.
BAAs are available for customers on our Enterprise deployment, automation and backup tiers.
It’s important to remember that HIPAA compliance is a shared responsibility between Gearset and you. Completing these steps won't automatically guarantee your compliance with HIPAA. You must also ensure that you follow HIPAA best practices.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) is a regulation developed by the U.S. Department of Health and Human Services and is designed to protect the privacy and security of people’s protected health information (PHI). HIPAA applies to healthcare providers who electronically transmit health information in connection with certain transactions, health plans, and healthcare clearinghouses, as well as other third parties, known as “business associates”, that create, receive, maintain, or transmit PHI on behalf of covered entities.
There are a few key terms relating to HIPAA:
Covered entity. A health care provider who electronically transmits health information in connection with certain transactions, a health plan, or a healthcare clearinghouse.
Protected health information (PHI). Individually identifiable health information that is transmitted or maintained by a covered entity or its business associate in any form or media, including electronic, paper, or oral, and that relates to:
an individual’s past, present, or future physical/mental health condition;
an individual’s provision of healthcare; or
the past, present, or future payment of healthcare.
Business associate. A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity. A business associate may also include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
Business associate agreement (BAA). A contractual assurance from the business associate to the covered entity or another business associate that they follow HIPAA's requirements. It specifies each party’s responsibilities when it comes to safeguarding and using PHI. This agreement must be in place before the transfer of any PHI to the business associate.
Using Gearset in a HIPAA compliant way
Gearset's HIPAA instance
PHI must only be used with Gearset's HIPAA instance, and not in our other hosting instances.
When you sign a BAA with Gearset, your account will be provisioned in our dedicated HIPAA instances, located in HIPAA-accredited AWS hosting regions within the USA. All of your data processed by Gearset will remain in this region and in the USA, including any data backups.
All of your users must ensure they're signed into a HIPAA instance when using Gearset to access, process or store PHI. You can confirm you're in a HIPAA instance by looking in the footer of the Gearset app to confirm it shows Data storage location: HIPAA
.
Configuring Gearset in a HIPAA compliant way
To use Gearset for PHI you'll need to be on one of our Enterprise plans, regardless of your company size.
You need to enter into a Business Associate Agreement with us. You can find out more information on this on our HIPAA product page.
Ensure that you don't input PHI into any of the following:
Sales or support conversations with our team - whether through the in-app chat, by email, on the phone, or otherwise
Names of any automated jobs within Gearset, including Continuous integration jobs, Data backup jobs, Change monitoring jobs, and Unit testing jobs
Names of any custom metadata filters or data loader filters
Friendly names of any deployment items, saved org connections or saved comparison pairs
Customer feedback requests or surveys
Data input and management
It’s your responsibility to ensure you’re using Gearset products in a HIPAA-compliant way. We don’t monitor or analyze the data that you input, and you're always in control of what data is being accessed, processed and stored by Gearset through how you configure the app. Through this documentation we've provided guidance on how to use Gearset to process PHI, and we recommend that you have the required processes and procedures in place to ensure all your users adhere to end-to-end compliance.
Third-party integrations
The BAA that you sign with us only covers your use of Gearset. It’s your responsibility to ensure that any third-party applications integrated with Gearset are operated in a HIPAA-compliant way. This includes your obligation to have a BAA in place with all such applicable third-party applications. You’ll need to determine if you require a BAA or any other data privacy and security protections before sharing any PHI with a third party.
Any Gearset features that are part of a trial, alpha, beta, or early access offering are not covered by the BAA unless otherwise indicated by this guide.
Gearset security assurance
Trust is a core principle at Gearset. We understand the kind of data that users trust Salesforce with, and Gearset has been built to respect that data and that trust. We undergo independent third-party audits to provide you with the assurance that we’re complying with current regulations and that your data is secure. Learn more about our security program.
Disclaimer
Due to changes in law or regulation or changes in Gearset or the Services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your account owner. This document contains Gearset's recommendations for certain minimum effective product configurations for its customers' protection of PHI within the Gearset products outlined above at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Gearset customer should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes do not conflict with or undermine the security of the configurations outlined in this document.