Twingate & HIPAA

This page provides information about Twingate and HIPAA compliance to customers who are regulated by HIPAA, whether as a covered entity or a business associate.

When your organization is responsible for handling sensitive health information, we understand the particular importance that you place on ensuring that any vendor you entrust with that information is handling it in a secure and compliant manner.

Business Associate Agreements

We understand that you are generally required by HIPAA to enter into a Business Associate Agreement (BAA) with business associates who handle your protected health information (PHI).

While Twingate is able to review your standard form BAA, we explain below why we believe a BAA is unnecessary (and potentially undesirable) given the way Twingate operates. As such, it is our desire to not sign a BAA because having one in place can give the incorrect impression that we are a business associate and that HIPAA applies to our specific service (which is not something that is in your or Twingate’s interest).

How Twingate Works

Twingate’s primary purpose is to help organizations secure the access that end users have to protected corporate network resources. Organizations can, via the Twingate admin console, define which users have access to which protected resources, and how access to those resources is authenticated and authorized. No PHI is involved with those processes. Once users obtain authorization to access protected resources, Twingate also assists with efficiently routing authorized, encrypted traffic from user devices to those resources, but it does not — and does not need to — do anything with the contents of that traffic other than pass it along.

Conduit Exception

Our view is that Twingate is not a “business associate” under HIPAA because we do not require “access on a routine basis” to any PHI that may transit Twingate infrastructure. This is referred to as the “conduit exception” in the Department of Health and Human Services’ (DHHS) commentary on the Omnibus Rule under HIPAA.

The only time Twingate’s services could realistically come into contact with customer PHI is when a user device with Twingate installed connects to a protected customer resource and either sends PHI to, or receives PHI from, that resource. In such a case, that traffic is routed from the end user’s device to the destination resource across the internet via Twingate’s relays (and, like any other internet traffic, via other intermediate third party nodes on the internet as well). The only Twingate infrastructure that may touch that traffic are our relays. As the name suggests, a relay’s purpose is to provide a transmission service and efficiently route traffic without regard to its content.

Additionally, such traffic is end-to-end encrypted. Twingate does not decrypt and inspect the contents of traffic passing through its relays. Additionally, relays do not store any traffic - from our perspective, the data is transient in nature.

Guidance from the DHHS is that the conduit exception is intended to apply to services such as the U.S. Postal Service and internet service providers who are involved in transporting data, but not processing or storing it beyond the short period it takes to route that data onward. Twingate fulfills a virtually identical role in this context. However, in contrast to the U.S. Postal Service, the duration that Twingate relays come into contact with data can be measured in fractions of a second.

For customers who are themselves business associates, the DHHS has also clarified that the conduit exception also applies to subcontractors of business associates: “the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well.”

Please note that Twingate supports peer-to-peer connections, which enables network traffic to be sent from a user device to a destination resource without that traffic transiting Twingate’s relays or any other Twingate infrastructure. Twingate relays are used as a fallback to route traffic in situations where networking conditions do not permit a connection to otherwise be established due to certain technical reasons.

Twingate Security

It is important to note that our view that HIPAA does not apply to Twingate does not detract from our commitment to protecting the security of customer data - regardless of what that data is. Read more about the security measures we take at Twingate.

BAA Review

If your compliance team nonetheless requires a BAA to be in place, we are able to review it but we typically require the following things in connection with a BAA: (1) the BAA will only apply to the extent that HIPAA actually applies to any services provided by Twingate; and (2) liability under the BAA will be tied back to the limitation of liability provisions of the main services agreement. Given prioritization of legal resources at Twingate, we’re also only able to review customer BAAs for annual plans above $75,000.

Questions?

Please reach out to your account manager if you have any questions about BAAs, HIPAA, and Twingate.

Last updated 3 months ago