HIPAA readiness overview
Before you request New Relic’s Business Associate Agreement ("BAA"), we want to provide some additional context regarding setup for HIPAA-enabled Accounts on New Relic.
- New Relic helps businesses gain a clearer view of what’s happening in their software environments.
- Our multi-tenant architecture provides the benefit and ease of using a low-cost cloud service rather than having to implement and host expensive, on-premises software. The multi-tenant nature of our service also means that the terms that govern the use of the service need to remain consistent across our entire customer base.
- Our application performance monitoring and data analytics solutions are intended for use cases with non-sensitive timing and metric data, which you control by your deployment and configuration choices.
- Additional information is available in our BAA FAQs located in our HIPAA BAA FAQ.
Acknowledgements and requirements
New Relic's role
You acknowledge and agree that New Relic does not provide electronic medical records, is not a health information exchange or health information organization, is not an electronic data interchange, does not retrieve PHI or copy health records on behalf of covered entities, and will not use or create a Limited Data Set. You agree that you will not send Designated Record Sets, substantial portions of Designated Record Sets, or any other health records in full to New Relic, such as eligibility and benefit inquiry and response data, claims status inquiry and response data, authorization and referral request data, prior authorization and notification inquiry, hospital admission notification data, medical claims data, electronic remittance advice, pharmacy claims data, health summary documents, continuity of care documents, medical images, discharge data, medical data transcriptions, electronic prescription, medical billing data, wellness and disease management program files, clinical case notes, explanations of benefits, or medical billing statements; or use the Services as a personal health record for patients.
- You must sign New Relic's BAA before sending any PHI to New Relic. All capitalized terms used on this page shall have the meanings given to them in the BAA.
- You must appropriately configure your HIPAA-enabled Account and New Relic Services as described in New Relic's BAA and Documentation. You must have a current and valid subscription to our Enterprise edition with the Data Plus option, or have an alternative New Relic-approved subscription.
- Your New Relic account representative must confirm in writing that your HIPAA-enabled Account is set up and ready before you send any PHI to such HIPAA-enabled Account.
Product, service, and feature-specific requirements
- "HIPAA Covered Services" do not include the out-of-scope services listed under "HIPAA-enabled capabilities" set forth in our regulatory audits documentation. If you have an existing New Relic Account with Incident Intelligence enabled, you must create a new New Relic HIPAA-enabled Account before sending any PHI to New Relic.
- You must select the U.S. data region for all your HIPAA-enabled Accounts. Accounts in different geographical regions are ineligible for HIPAA-enabled Accounts.
- You must use TLS 1.2 to encrypt data in transit when using New Relic Browser.
- You must disable log patterns for any New Relic HIPAA-enabled Accounts.
- You may not create an alert policy with any PHI in any alert conditions, or an alert policy that uses email as a notification channel.
- You may not share dashboards with PHI in the name or title of the dashboard.
- For iOS or Android apps monitored by New Relic mobile monitoring, you must enable mobile-device security controls sufficient for your compliance needs, such as device-level encryption, device-login access set to the highest setting, or disabling notifications on locked screens.
- In order to address an emergency or threat to the security or integrity of New Relic or its suppliers, respond to claims, litigation, or loss of license rights related to third-party intellectual property rights, or comply with the law or requests of a government entity, New Relic may need to remove an existing Service or functionality of a Service from the list of Covered Services without prior notice to You. New Relic will, however, use commercially reasonable efforts to provide as much advance notice as is reasonably practicable under the circumstances (which may also be no prior notice).
Limited handling of Protected Health Information (PHI)
You acknowledge and agree that your use of the HIPAA Covered Services may occasionally involve limited, incidental handling of PHI and personal data. For example: if a subset of the HIPAA Covered Services temporarily processes IP addresses, a Customer may elect to capture email addresses, and limited data elements may end up in a log. Subject to your compliance with the requirements, you may send:
- PHI regulated by the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA") and personal data concerning health to the HIPAA Account, which is defined in the Business Associate Addendum; and
- Data concerning health as set out in European Union Regulation 2016/679 Article 9. To the extent any information sent to New Relic pertains to health about an EU data subject, a Customer must have express consent to send sensitive Personal Data, and if applicable, explicit consent as required in European Union Regulation 2016/679 Article 9.
Global Technical Support
- You may not use New Relic’s Zoom subscription with any PHI. Please provide your own HIPAA-compliant video conferencing service. It is solely your responsibility to ensure the video conferencing service you choose meets your compliance obligations.
- You may not use New Relic’s Google Workspace subscription with any PHI. Please do not send any emails with PHI to New Relic or include in any Google Workspace application such Google Docs or Google Slides.
- You may not use New Relic’s Slack subscription with any PHI. Please do not send us Slack messages containing any PHI.
- You must ensure that your users’ access to New Relic GTS support tickets are appropriate and must remove users who should not have access to PHI.
- Support-related emails for HIPAA customers will not send ticket subjects or ticket comments via email. Instead, they will contain a link to the ticket and direct people to view and respond to the ticket in our Support ticketing system.
- You may not include any data from a HIPAA-enabled account in a support ticket that you created or submitted prior to you receiving a HIPAA-enabled account.
Considerations for users with strict U.S. data localization requirements
- You may only add New Relic team members based in the United States when requesting either New Relic Support or New Relic Expert Services.
EU and Health Data
To the extent you are not subject to HIPAA, you have signed a data processing agreement ("DPA") with New Relic, you want to send data concerning health as described in GDPR, and you otherwise meet the requirements above, then:
- "BAA" referenced above means the amendment to the DPA signed with New Relic.
- "Protected Health Information" and "PHI" referenced above means "Health Data".
- "HIPAA Covered Service" means "Health Data Covered Service".
- "HIPAA-enabled Account" means "Health Data Account".
- Terms will have the meanings given to them in the amendment to the DPA signed with New Relic.
- You must appropriately configure your Health Data Account and New Relic Services as described in the amendment to the DPA and Documentation.