Since Paubox is a Business Associate to thousands of customers, we've been wondering if they can use Miro in a HIPAA compliant manner.
In fact, we've noticed more vendors, customers, and prospects asking about HIPAA compliant services. This is especially true now as we see an accelerated, long overdue adoption of digital tools in healthcare.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector. Today we will determine if Miro offers HIPAA compliant service or not.
Miro is the leading visual collaboration platform that empowers teams to communicate and collaborate across formats, tools, channels, and timezones without the constraints of physical location, meeting space, and whiteboards.
It was founded in 2011 by Andrey Khusid for his design agency to communicate ideas to clients who weren't in the same room. The virtual whiteboard he created, RealtimeBoard, grew into the visual collaboration platform now named Miro.
A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Read more: What does it mean to be a Business Associate?
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement (BAA) must be in place. A BAA is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance. At a minimum, a Business Associate Agreement contains 10 provisions.
Read more: Business Associate Agreement Provisions
We checked the Miro site for mention of their ability to sign a Business Associate Agreement (BAA). We found the following page: Miro's Terms of Service.
On that page, we can see that Miro does not currently sign a BAA with its customers.
5.2 Prohibited Uses: Customer must not use the Service with Prohibited Data or for High Risk Activities. Customer acknowledges that the Service is not intended to meet any legal obligations for these uses, including HIPAA requirements, and that Miro is not a Business Associate as defined under HIPAA. Notwithstanding anything else in this Agreement, Miro has no liability for Prohibited Data or use of the Service for High Risk Activities.
The BAA is a key component of HIPAA compliance between a covered entity and a business associate. Miro currently won't sign a BAA. When using Miro in a healthcare context, you can use it for project management, provided no protected health information is shared in a Miro board.
Ultimately, Miro may not be HIPAA compliant, and it's important to be careful about using them if you'll be storing or transmitting PHI.
Conclusion: Miro may not be HIPAA compliant.