Before you request New Relic’s Business Associate Agreement ("BAA"), we want to provide some additional context regarding setup for HIPAA-enabled Accounts on New Relic.
- New Relic helps businesses gain a clearer view of what’s happening in their software environments.
- Our multi-tenant architecture provides the benefit and ease of using a low-cost cloud service rather than having to implement and host expensive, on-premises software. The multi-tenant nature of our service also means that the terms that govern the use of the service need to remain consistent across our entire customer base.
- Our application performance monitoring and data analytics solutions are intended for use cases with non-sensitive timing and metric data, which you control by your deployment and configuration choices.
- Additional information is available in our HIPAA BAA FAQ.
You acknowledge and agree that New Relic does not provide electronic medical records, is not a health information exchange or health information organization, and is not an electronic data interchange, and you will not send Designated Record Sets, substantial portions of Designated Record Sets, or any other health records in full to New Relic, such as eligibility and benefit inquiry and response data, claims status inquiry and response data, authorization and referral request data, prior authorization and notification inquiry, hospital admission notification data, medical claims data, electronic remittance advice, pharmacy claims data, health summary documents, continuity of care documents, medical images, discharge data, medical data transcriptions, electronic prescription, medical billing data, wellness and disease management program files, clinical case notes, explanations of benefits, or medical billing statements; or use the Services as a personal health record for patients.
- You must sign New Relic's BAA before sending any PHI to New Relic. All capitalized terms used on this page shall have the meanings given to them in the BAA.
- You must appropriately configure your HIPAA-enabled Account and New Relic Services as described in New Relic's BAA and Documentation. You must have a current and valid subscription to our Enterprise edition with the Data Plus option, or have an alternative New Relic-approved subscription.
- Your New Relic account representative must confirm your HIPAA-enabled Account is set up and ready before sending any PHI to such HIPAA-enabled Account.
You acknowledge and agree that your use of the HIPAA Covered Services may occasionally involve limited, incidental handling of PHI and personal data. For example, a subset of the HIPAA Covered Services may temporarily process IP addresses, a Customer may elect to capture email addresses, and limited data elements may end up in a log. Subject to your compliance with the requirements, you may send:
- PHI regulated by the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA") and personal data concerning health to the HIPAA Account, which is defined in the Business Associate Addendum; and
- Data concerning health as set out in European Union Regulation 2016/679 Article 9. To the extent any information sent to New Relic pertains to health about an EU data subject, a Customer must have express consent to send sensitive Personal Data, and if applicable, explicit consent as required in European Union Regulation 2016/679 Article 9.
- You may only use the services listed under "HITRUST CSF" set forth in our regulatory audits documentation.
- You must select the U.S. data region for all your HIPAA-enabled Accounts. Accounts in different geographical regions are ineligible for HIPAA-enabled Accounts.
- You must use TLS 1.2 to encrypt data in transit when using New Relic Browser.
- You must disable log patterns for any New Relic HIPAA-enabled Accounts.
- You may not create an alert policy with any PHI in any alert conditions, or an alert policy that uses email as a notification channel.
- You may not share dashboards with PHI in the name or title of the dashboard.
- Incident intelligence is not in-scope of the New Relic BAA. You may not use an existing New Relic Account for your HIPAA compliance needs if you have enabled incident intelligence for that Account. Instead you must create a new New Relic HIPAA-enabled Account before sending any PHI to New Relic.
- For iOS or Android apps monitored by New Relic mobile monitoring, you must enable mobile-device security controls sufficient for your compliance needs, such as device-level encryption, device-login access set to the highest setting, or disabling notifications on locked screens.
- You may not use New Relic’s Zoom subscription with any PHI. Please provide your own HIPAA-compliant video conferencing service. It is solely your responsibility to ensure the video conferencing service you choose meets your compliance obligations.
- You may not use New Relic’s Google Workspace subscription with any PHI. Please do not send any emails with PHI to New Relic or include PHI in any Google Workspace application such as Google Docs or Google Slides.
- You may not use New Relic’s Slack subscription with any PHI. Please do not send us Slack messages containing any PHI.
- You must ensure that your users’ access to New Relic GTS support tickets is appropriate and must remove users who should not have access to PHI.
- Support-related emails for HIPAA customers will not send ticket subjects or ticket comments via email. Instead, they will contain a link to the ticket and direct people to view and respond to the ticket in our Support ticketing system.
- You may not include any data from a HIPAA-enabled account in a support ticket that you created or submitted prior to you receiving a HIPAA-enabled account.
- Consult with New Relic before using New Relic mobile monitoring.
- You may only add New Relic team members based in the United States when requesting either New Relic Support or New Relic Expert Services.
To the extent you are not subject to HIPAA, you have signed a data processing agreement ("DPA") with New Relic, you want to send data concerning health as described in GDPR, and you otherwise meet the requirements above, then:
- "BAA" referenced above means the amendment to the DPA signed with New Relic.
- "Protected Health Information" and "PHI" referenced above means "Health Data".
- "HIPAA Covered Service" means "Health Data Covered Service".
- "HIPAA-enabled Account" means "Health Data Account".
- Terms will have the meanings given to them in the amendment to the DPA signed with New Relic.
- You must appropriately configure your Health Data Account and New Relic Services as described in the amendment to the DPA and Documentation.