Understanding Twilio's Business Associate Addendum

July 13, 2020
Written by
Christina Sung
Opinions expressed by Twilio contributors are their own
Reviewed by
Julie Ea

Understanding Twilio BAA Header

You may have recently heard: Twilio can now sign BAA (Business Associate Addendum) for HIPAA eligible products – and we know that you have had questions about the process. This post will cover key information about Twilio’s BAA so you have the background you need to get started on building your health and communications use case!

Twilio’s Business Associate Addendum (BAA)

Twilio’s communications APIs make it easy to build communication features and functionality into your software application. Think of Twilio as a bag of specialized interconnecting building blocks, like a set of special LEGO pieces but instead of building vehicles or buildings, you are building communications into your software application. With Twilio, you control the communications that you create, receive, maintain, or transmit on our platform.

When you use Twilio to build communications applications that contain Protected Health Information (PHI), you are using a service provider – Twilio – to process PHI on your behalf. In that case, you need to execute a Business Associate Addendum with Twilio.

Here we’ve collected a number of common questions about the BAA, and collated all of the details you’ll need to get started.

Frequently Asked Questions about the Twilio’s BAA

In this section we’ll answer your frequently asked questions about Twilio’s BAA. Of course, we know we can’t cover every question – if you don’t find your answer here, please contact your Sales Rep.

How is Twilio’s BAA Structured?

Twilio’s BAA is structured as an Addendum to our standard terms of service (TOS) or master sales agreement (MSA). 

Because Twilio operates a horizontal and global platform, and because our products and services can be used by customers in a variety of different use cases – some regulated and some not – our TOS and MSA establishes the core terms and conditions of our business relationship. For our HIPAA-eligible products, we will sign a BAA to cover your HIPAA-regulated use cases.

This allows you, our customer, to have all of your general commercial or legal terms that are applicable across all use cases in the MSA and TOS. It focuses the BAA on only the additional requirements you and Twilio need to support your compliance with HIPAA.  

Is there anything else I need to do besides sign a BAA?

Yes. Twilio operates on what is commonly referred to amongst cloud infrastructure providers as the “shared responsibility model.”

You, our customer and the builder of the software application, are responsible for the instructions your software application sends to Twilio. And, Twilio is responsible for executing those instructions faithfully in accordance with our documentation and in a secure manner.

When it comes to compliance with applicable laws like HIPAA, you are responsible for ensuring that:

  1. it is possible for you to use Twilio in a compliant manner; and
  2. your software applications’ instructions to Twilio comply with applicable law. 

Twilio’s responsibility is to:

  1. provide you information sufficient for you to determine if you can use Twilio in a compliant manner and to configure your use of Twilio to achieve that compliance and
  2. faithfully execute your software application’s instructions to Twilio in conformance with how we said we would.

Be sure to take a close look at Architecting for HIPAA on Twilio for information on how to properly build on Twilio for compliance.

Why do I need to inform Twilio which projects and subaccounts where BAA should apply?

When you have a health communications use case, we’ll ask you to let us know explicitly which projects or subaccounts will process PHI. 

When Twilio signs a BAA, we are agreeing to act as a Business Associate (BA) under HIPAA with respect to the PHI we process on your behalf via our HIPAA-eligible products, and, therefore we have to change our standard operations. This includes things such as adopting different data handling of PHI, support procedures, different record keeping procedures, and different incident handling procedures. Since not every use case requires a BAA, we need you to advise us of which Twilio projects and subaccounts are required to be covered so we can apply these added procedures and protections.

What products can Twilio BAAs cover?

The list of products covered by Twilio’s BAA is continuously expanding. For the most updated list of Twilio’s HIPAA-eligible products, visit this page. Interested customers should also review Architecting for HIPAA on Twilio which contains valuable information on how to ensure that your application or use case remains HIPAA compliant.

As more Twilio products become HIPAA-eligible, do I need to sign a new BAA?

We have structured our BAA so that you do not need to sign an additional contract or amend your BAA with us to start using newly HIPAA-eligible Twilio products. Again, this is only the case if the new HIPAA-eligible products you want to add are being used by and through your existing HIPAA enabled project and/or subaccounts.

Is Twilio able to see the contents of my/my end-user's communications?

We have extremely limited visibility regarding the individuals whose Protected Health Information (PHI) you process on Twilio.

The content of your communications is your business, not ours. Our business is making it easier for you to programmatically deliver, receive, and manage your communications via your software application – whatever the content of those communications might be. While we might have a record of the phone numbers your software application called or received calls from, we will not have additional context around whether those phone numbers belong to a patient, a provider, or someone else entirely.

I have a special HIPAA use case – can Twilio accommodate?

We’ve drafted our BAA to comply with HIPAA as well as to accurately reflect what we can operationally support at scale. Accordingly, scalability is at the forefront of minds when we consider any one-off customer requests that have an operational impact on Twilio.

Generally, we cannot support special HIPAA use case requests, but if we note sufficient demand from customers that we implement new product features or support certain operational requirements, they may make their way to our business roadmap.

Getting Started with BAAs and Twilio

Now that you understand the basics of Twilio’s BAA, we look forward to working with you! Contact your Sales Rep today, and check out our configuration guide Architecting for HIPAA on Twilio to learn more about how you can use Twilio to develop applications and workflows that support your HIPAA compliance.

If you haven't gotten in touch yet, we want to help – get in touch to discuss your use case.

Christina Sung is the Director of Product Management—Healthcare, at Twilio. Prior to Twilio, she led product strategy, new product development, patient satisfaction, and operational efficiency projects, and a variety of other initiatives at leading healthcare organizations, including Vocera and Kaiser Permanente.