
HIPAA enablement - what you need to know and do

HIPAA readiness overview

Before you request New Relic’s Business Associate Agreement ("BAA"), we want to provide some additional context regarding setup for HIPAA-enabled Accounts on New Relic.

  • New Relic helps businesses gain a clearer view of what’s happening in their software environments.
  • Our multi-tenant architecture provides the benefit and ease of using a low-cost cloud service rather than having to implement and host expensive, on-premises software. The multi-tenant nature of our service also means that the terms that govern the use of the service need to remain consistent across our entire customer base.
  • Our application performance monitoring and data analytics solutions are intended for use cases with non-sensitive timing and metric data, which you control by your deployment and configuration choices.
  • Additional information is available in our HIPAA BAA FAQ.

Acknowledgements and Requirements

New Relic's role

You acknowledge and agree that New Relic does not provide electronic medical records, is not a health information exchange or health information organization, and is not an electronic data interchange, and you will not send Designated Record Sets, substantial portions of Designated Record Sets, or any other health records in full to New Relic, such as eligibility and benefit inquiry and response data, claims status inquiry and response data, authorization and referral request data, prior authorization and notification inquiry, hospital admission notification data, medical claims data, electronic remittance advice, pharmacy claims data, health summary documents, continuity of care documents, medical images, discharge data, medical data transcriptions, electronic prescription, medical billing data, wellness and disease management program files, clinical case notes, explanations of benefits, or medical billing statements; or use the Services as a personal health record for patients.

Setup

  • You must sign New Relic’s BAA before sending any PHI to New Relic. All capitalized terms used on this page shall have the meanings given to them in the BAA.
  • You must configure your HIPAA-enabled Account and the New Relic Services as described in New Relic’s BAA and Documentation. Your New Relic order must include a service subscription that is eligible for HIPAA account enablement.
  • Your New Relic account representative must confirm your HIPAA-enabled Account is set up and ready before sending any PHI to such HIPAA-enabled Account.

Limited handling of Protected Health Information (PHI)

You acknowledge and agree that your use of the HIPAA Covered Services may occasionally involve limited, incidental handling of PHI and personal data. For example, a subset of the HIPAA Covered Services may temporarily process IP addresses, a Customer may elect to capture email addresses, and limited data elements may end up in a log. Subject to your compliance with the requirements on this page, you may send:

  • PHI regulated by the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA"), and personal data concerning health, to the HIPAA-enabled Account as defined in the BAA; and
  • Data concerning health as set out in Article 9 of European Union Regulation 2016/679 (GDPR). To the extent any information sent to New Relic concerns the health of an EU data subject, a Customer must have obtained the express consent needed to send sensitive Personal Data and, where applicable, the explicit consent required by Article 9.

Product, service, and feature-specific requirements

  • You may only use the services listed under "HITRUST CSF" in our regulatory audits documentation.
  • You must select the U.S. data region for all your HIPAA-enabled Accounts. Accounts in any other data region are ineligible for HIPAA enablement.
  • You must use TLS 1.2 to encrypt data in transit when using New Relic Browser.
  • You must disable Log Patterns in any New Relic Account that contains PHI.
  • You may not include PHI in any Alert Condition, or in any Alert Policy, that uses email as a notification channel.
  • If you have enabled Incident Intelligence on an existing New Relic Account, you may not use that Account for your HIPAA-compliance needs. Instead, you must create a new HIPAA-enabled Account before sending any PHI.
  • When using New Relic’s iOS or Android mobile applications, you must enable mobile-device security controls sufficient for your compliance needs, such as device-level encryption, the strongest available device-login protection, and disabling notifications on the lock screen.

Global Technical Support

  • You may not use New Relic’s Zoom subscription with any PHI. Please provide your own HIPAA-compliant video conferencing service. It is solely your responsibility to ensure the video conferencing service you choose meets your compliance obligations.
  • You may not use New Relic’s Google Workspace subscription with any PHI. Please do not send any emails containing PHI to New Relic, and do not include PHI in any Google Workspace application such as Google Docs or Google Slides.
  • You may not use New Relic’s Slack subscription with any PHI. Please do not send us Slack messages containing any PHI.
  • You must ensure that your users’ access to New Relic GTS support tickets is appropriate, and you must remove users who should not have access to PHI.
  • Support-related emails for HIPAA customers will not send ticket subjects or ticket comments via email. Instead, they will contain a link to the ticket and direct people to view and respond to the ticket in our Support ticketing system.
  • You may not include any data from a HIPAA-enabled account in a support ticket that you created or submitted prior to you receiving a HIPAA-enabled account.

Considerations for users with strict U.S. data localization requirements

EU and Health Data

If you are not subject to HIPAA but have signed a data processing agreement ("DPA") with New Relic, want to send data concerning health as described in GDPR, and otherwise meet the requirements above, then:

  • "BAA" referenced above means the amendment to the DPA signed with New Relic.
  • "Protected Health Information" and "PHI" referenced above means "Health Data".
  • "HIPAA Covered Service" means "Health Data Covered Service".
  • "HIPAA-enabled Account" means "Health Data Account".
  • Terms will have the meanings given to them in the amendment to the DPA signed with New Relic.
  • You must appropriately configure your Health Data Account and New Relic Services as described in the amendment to the DPA and Documentation.

Copyright © 2021 New Relic Inc.