Paubox blog: HIPAA compliant email made easy

Is NetSuite HIPAA compliant?

Written by Kirsten Peremore | July 21, 2023

Enterprise resource planning (ERP) systems bring together different areas of business operations, including finance, accounting, inventory management, supply chain, customer relationship management (CRM), human resources, and more. However, apps like Netsuite, which deal with protected health information (PHI), may not always be HIPAA compliant. 

 

What is NetSuite?

NetSuite is a cloud-based ERP software platform developed by Oracle. It offers a suite of integrated business management applications that help organizations manage various aspects of their operations, including financials, CRM, inventory management, procurement, and project management.

Features of NetSuite include financial management, order, and billing management, inventory and supply chain management, customer service and support, marketing automation, e-commerce capabilities, and business intelligence and reporting. The software is designed to facilitate collaboration and automation across various organizational departments.

Related: Is iContact HIPAA compliant?

 

NetSuite and the Business Associate Agreement

A Business Associate Agreement (BAA) is a legal contract between a covered entity (such as a healthcare provider) and a business associate (such as a service provider like NetSuite) that establishes the obligations and responsibilities regarding the handling of protected health information (PHI) in compliance with HIPAA.

The BAA ensures that both parties understand their roles and obligations in safeguarding PHI and complying with HIPAA regulations. It outlines how PHI will be handled, protected, and used, including provisions for data security, privacy, breach notification, and compliance reporting.

As a product of Oracle, NetSuite does not explicitly offer a Business Associate Agreement (BAA) for HIPAA compliance. Based on Oracle Netsuites Subscription Services Agreement, Netsuite Oracle states that it is "not acting on Customer's behalf as a Business Associate or subcontractor; (ii) the Cloud Service may not be used to store, maintain, process or transmit protected health information ("PHI")." 

Related: HIPAA Compliant Email: The Definitive Guide

 

Is NetSuite HIPAA compliant?

While on its own, Netsuite is not inherently HIPAA compliant, it can meet the compliance requirements by integrating data protection services such as StratoKey. These data protection services provide encryption and tokenization for fields and attachments within NetSuite to secure PHI stored in the system. This integration ensures that data is protected, and organizations have control over encryption keys.

As a cloud-based ERP software platform, NetSuite does not explicitly advertise or position itself as HIPAA compliant. The information available indicates that NetSuite's Cloud Service, as provided by Oracle, may not be used for storing, maintaining, processing, or transmitting PHI without combining it with a HIPAA compliant service. 

Conclusion: NetSuite may not be HIPAA compliant