If you are a covered entity (HHS definition), you need to treat any personal health information (‟PHI”) specially to ensure your compliance with HIPAA (HIPAA Privacy Rule summary),
If you disclose PHI to a service provider, you need to have a business associate agreement (‟BAA”) with the provider (Business Associate definition). A BAA is a contract stating that the business associate will protect PHI data you upload in accordance with HIPAA requirements.
In the SMP system all confidential data is always stored and transmitted in encrypted form (security information page). As SMP does not have access to the encryption keys (remember the keys themselves are encrypted with a strengthened version of your password), in HIPAA terms you are not actually dislosing PHI to SMP.
However, there are many other important aspects of HIPAA and you should consider requiring a BAA from any cloud service provider you use. SMP adheres carefully to HIPAA requirements as they are good practice and we offer our BAA to all of our users.
To execute a BAA with Secure Meeting Place, please visit the ‟BAA” tab on your Account page. On that page you can view our BAA and sign it electronically, keeping a copy for your records.