Does N-able need to execute a Business Associate Agreement (BAA) for use of its Passportal product?
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI), which is computer-based patient health information.
The data stored in N-able Passportal includes system configuration notes, URLs, and login credentials to various systems and applications. Some of these systems or applications may store or manage ePHI. However, login information and password data are not considered ePHI.
Additionally, N-able Passportal’s data encryption technology protects password records in transit with 2048-bit RSA keys, and at rest with more than 300 different rounds of 256-bit symmetric encryption and six different randomly generated keys. No member of N-able can access the decrypted data: one of the six randomly generated keys, called the Organization Key, is created and stored on the MSP side. As a result, N-able does not have access to this Organization Key.
As there is no ePHI data stored within N-able Passportal and N-able does not access the login credentials stored within N-able Passportal, no BAA is necessary to maintain your (and your client’s) HIPAA compliance.