Superhuman Go HIPAA Compliance Information

For Enterprise customers only: The HIPAA-compliant Superhuman Go is available exclusively to customers on a Superhuman Enterprise plan. If you're interested in HIPAA-compliant solutions for your organization, contact us and a member of our Revenue team will reach out to you.

Go's security and privacy strategy is built on well-established principles that guide our approach to securing Go and keeping your data safe. For customers subject to the Health Insurance Portability and Accountability Act ("HIPAA") who intend to upload, transmit, and communicate about Protected Health Information ("PHI"), Go can support their HIPAA compliance efforts through our Enterprise plan.

This article describes the configuration factors, product restrictions, and customer obligations necessary to maintain HIPAA compliance. HIPAA compliance is a shared responsibility between the customer and Go. Go supports HIPAA compliance within the scope of a Business Associate Agreement (BAA), but customers remain responsible for evaluating their own compliance, and coverage under the BAA is subject to the technical implementation requirements and limitations described in more detail below.

Prospective customers should read this article in its entirety to ensure their intended use of the Go platform aligns with HIPAA requirements.

Within this article, you'll find:

  • Requirements for enabling HIPAA compliance
  • Configuration and product use considerations
  • Limitations and restrictions
  • Privacy, certifications, and compliance

Requirements for enabling HIPAA compliance

  1. Enterprise-level Go plan: HIPAA compliance is offered only to customers on Go's Enterprise plan.
  2. Signed Business Associate Agreement (BAA): Once signed, your Superhuman BAA governs the handling and protection of PHI.
  3. Configurations and product use considerations: See the section below.

If you're interested in upgrading to an Enterprise plan or would like to discuss these requirements with our team, please contact us here.

Configuration and product use considerations

The following entries pair each relevant HIPAA standard with the Go features and configurations that support the corresponding compliance obligation.

If you intend to use Coda as part of your bundle, please review our Coda HIPAA compliance information.

Data Use Purposes

HIPAA standard: Ensure data is used only as a service provider, for the purposes defined in the contract.

How Go supports compliance: Product Improvement and Training control. For all customers on the Enterprise plan, Product Improvement and Training is off by default, so Go does not use these organizations' content to train its models or to improve the product for other customers or users.

Access Control

HIPAA standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI) to allow access only to authorized persons or software programs.

How Go supports compliance:

  • Enable SAML SSO: Go supports SAML SSO and can work with your Identity Provider (IdP) of choice. For organizations managing multiple workspaces, Go's SAML implementation supports provisioning access to specified workspaces based on IdP user attributes.
  • Agents control: Administrators control which agents are available to their organization, and users can install only agents that their administrators have approved for their team. If administrators allow the installation of third-party agents in Go, those agents are subject to both the Superhuman Developer Terms and their own separate terms and policies, which users can review on the listing page before installation. Not all third-party agents are HIPAA compliant.

Unique User Identification

HIPAA standard: Assign a unique name and/or number for identifying and tracking user identity.

How Go supports compliance: SAML SSO, which allows admins to provision, manage, and deprovision members. Note: Go SSO is currently provided via Grammarly and will migrate to Superhuman in the future.

Automatic Logoff

HIPAA standard: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

How Go supports compliance: Session period. Go's default session period is 30 days. Customers whose policies require a shorter (or otherwise different) inactivity timeout can contact Go support to set a custom session timer.

Audit Controls

HIPAA standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

How Go supports compliance: Audit log. Go provides audit event logs upon customer request.

Integrity Controls

HIPAA standards:

  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  • Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

How Go supports compliance:

  • Audit log: Audit logs provide an immutable record of events within an organization.
  • Data controls: Customers have access to enhanced data controls, including confidential mode, domain controls, and application controls. Go can access only the data that your standard OAuth permissions allow; it cannot access anything beyond that. Administrators control which agents are available to their organization, and users can install only agents that their administrators have approved for their team.
  • Data export: Go provides audit event log export upon customer request. Note: chat history is stored temporarily on your device and is deleted when you log out or update your version of Go.

Transmission Security

HIPAA standards:

  • Implement a mechanism to encrypt ePHI whenever deemed appropriate.
  • Implement a mechanism to encrypt and decrypt ePHI.

How Go supports compliance: Encryption. Data in transit is encrypted using Transport Layer Security (TLS) 1.2 or higher. Data at rest is encrypted using the industry-standard AES-256 algorithm. Go uses AWS Key Management Service (KMS) for database encryption and key management, with access restricted to authorized personnel.

Data Retention and Disposal

HIPAA standard: Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

How Go supports compliance: Data retention and disposal. Enterprise-tier customers can end their Go subscription at any time. Upon contract termination or expiration, stored data is deleted in accordance with Superhuman's data retention policies. For more information, refer to the Superhuman Customer Business Agreement.

Limitations and restrictions

The following limitations and restrictions on your use of Go may affect your HIPAA compliance efforts. Go's obligations under your BAA apply only to use of the services that complies with these limitations and restrictions.

  • Users - Go is not an EHR (Electronic Health Record) and is not designed to be the system of record for health information.
  • Third-Party Agents and Superhuman-built Agents for Third-Party Services - Agents built by third parties, and agents built by Superhuman for Third-Party Services, may interoperate with, be made available on, and/or be built using Go. These Third-Party Agents, and the Third-Party Services for which Superhuman may build agents, are not covered by your Superhuman BAA. You, the customer, are responsible for independently evaluating the HIPAA compliance of any Third-Party Agents and Third-Party Services you choose to use, and for contracting directly with their developers and/or providers as you deem necessary.
  • Customer-Built Agents - Agents built by you, the customer, can work with and/or be built using Go. Building and deploying Customer-Built Agents in Go is subject to the Superhuman Developer Terms.
  • Superhuman Mail Agent - Our Mail agent is not currently covered by Superhuman's BAA.
  • Support Services - When submitting support requests to Go, users must not include any PHI in the message contents or in any file uploads, including screenshots, documents, and the like. This applies to all support channels (in-product widget, email, phone, chat, etc.).

Privacy, certifications, and compliance

Note that the US Department of Health and Human Services (HHS) recognizes no certification for HIPAA compliance, and that complying with HIPAA is a shared responsibility between the customer and Superhuman.

Please review our terms, privacy policy, and DPA for more information about our privacy practices.
