A clinic uses an online PDF tool to add notes to patient discharge summaries. Every PDF contains PHI. Under HIPAA, the tool's operator is a business associate. Without a BAA, the clinic is in breach.
What HIPAA covers
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Protected Health Information (PHI) is health information that identifies an individual.
When a covered entity uses a third-party tool to process PHI, the tool's operator is a business associate and a Business Associate Agreement (BAA) is required under the HIPAA Privacy Rule.
Business Associate Agreement essentials
A BAA must:
- Limit the business associate's use of PHI to what the contract permits.
- Require appropriate safeguards.
- Require reporting of breaches and security incidents.
- Ensure subcontractors agree to similar terms.
- Authorise patient rights of access/correction.
- Require return or destruction of PHI at end of engagement.
Not every PDF tool offers a BAA. Many free or consumer tools explicitly exclude healthcare data. Don't use them with PHI.
HIPAA-compliant PDF tools
Look for vendors that:
- Explicitly offer a BAA.
- Hold certifications (SOC 2, HITRUST).
- Use encryption in transit and at rest.
- Provide audit logs.
- Have documented incident response.
Major PDF vendors (Adobe Acrobat Pro, Foxit Enterprise, Nitro) offer enterprise plans with BAAs. Healthcare-specific platforms (DocuTAP, PointClickCare) build BAA into their model.
Browser-side tools and HIPAA
If a PDF tool processes in your browser without uploading to servers, the tool isn't accessing PHI — it's running code on your device. The traditional business-associate relationship may not apply.
This is a developing area; legal interpretations vary. For high-risk PHI, prefer a vendor with an explicit BAA and HIPAA documentation. Flint is browser-based; check current HIPAA posture before using for PHI.
Practical workflow
1. Use a BAA-covered tool for PHI processing.
2. Apply de-identification where possible (HIPAA Safe Harbor) — Flint's redaction tool removes identifiers, which can simplify the compliance picture.
3. Encrypt PHI files at rest and in transit (Flint's password tool).
4. Document the chain of custody for audits.
5. Train staff on tool selection — uncertified tools are a common breach vector.
FAQ
Does Flint sign a BAA?
Flint processes in your browser — PHI doesn't reach Flint's servers. Check current HIPAA posture in Flint's documentation before using for PHI.
Can I use any tool if I de-identify first?
Once truly de-identified under Safe Harbor, the data is no longer PHI under HIPAA. Tool flexibility increases. Verify de-identification before relying on it.
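Both the workflow's de-identification step and this answer hinge on verifying that Safe Harbor identifiers are actually gone before treating a document as non-PHI. The following is an added example, not code from Flint or from this page: a residual-identifier scan over a constructed discharge note, covering only the Safe Harbor identifier classes that a pattern can catch (full dates, phone, email, SSN, record numbers, full ZIP codes, ages over 89); names, addresses and the remaining classes need context or entity recognition and are not handled here.

```python
import re

# Pattern-matchable subset of the 18 Safe Harbor identifier classes.
# These regexes are assumptions for illustration, not an authoritative list.
SAFE_HARBOR_PATTERNS = {
    # Safe Harbor permits the year alone; any full date is residual PHI.
    "full_date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    # Only the first three ZIP digits may remain; a full 5/9-digit ZIP is flagged.
    "zip_full": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Ages over 89 must be aggregated to "90+"; a bare age of 90-199 is flagged.
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)\s*(?:y/?o|years?\s+old)\b", re.IGNORECASE),
}


def find_residual_identifiers(text):
    """Return {identifier_class: [matched strings]} for classes still present."""
    found = {}
    for name, pattern in SAFE_HARBOR_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found


def is_safe_harbor_clean(text):
    """True only when none of the pattern-matchable identifier classes remain."""
    return not find_residual_identifiers(text)


# Constructed sample notes, not real patient records.
RAW_NOTE = (
    "Discharge summary. MRN: 4481920. DOB 03/14/1951. "
    "Patient is a 92 year old male, ZIP 02139. "
    "Follow-up call (617) 555-0142, email jdoe@example.org. SSN 123-45-6789."
)
REDACTED_NOTE = (
    "Discharge summary. MRN: [REDACTED]. DOB 1951. "
    "Patient is a 90+ year old male, ZIP 021. "
    "Follow-up call [REDACTED], email [REDACTED]. SSN [REDACTED]."
)

if __name__ == "__main__":
    for label, note in (("raw", RAW_NOTE), ("redacted", REDACTED_NOTE)):
        print(label, "clean" if is_safe_harbor_clean(note) else find_residual_identifiers(note))
```

A clean result from this scan is necessary but not sufficient: the classes it cannot pattern-match still have to be reviewed before the document is treated as de-identified.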
What about workforce members using personal tools?
Covered entities must train workforce on approved tools. Personal-tool use for PHI is a common audit finding.
Is HIPAA stricter than GDPR?
Different — HIPAA is narrower (US healthcare) but more prescriptive on technical safeguards. GDPR is broader (any personal data) with broader rights.
HIPAA makes tool selection a compliance task. Use BAA-covered or browser-side tools and document the workflow.