MuleSoft business associate addendum restrictions
Published: December 19, 2018
This article provides guidance about the Mulesoft Amendment to the HIPAA Business Associate Addendum (collectively, the “BAA”) that Salesforce offers customers for a subset of the Mulesoft services discussed below. In order for a customer's use of the Mulesoft services to be covered by a BAA, the customer and Salesforce must sign an underlying Business Associate Addendum and then a Mulesoft BAA Amendment that expressly includes the covered Mulesoft services, and the customer must comply with the terms of the BAA and this article. In the event of a conflict between the BAA and this article, the terms of the BAA govern.
Covered Mulesoft services
The following services are covered by the Mulesoft BAA Amendment. If a service is not listed below, it is not covered by the BAA and must not be used for transmitting, storing or processing Protected Health Information (PHI):
- Anypoint Runtime Manager
- Anypoint Monitoring
- Anypoint MQ
- Anypoint Object Store v2
- Anypoint Security
Anypoint Runtime Manager
PHI must only be handled inside a customer's dedicated Virtual Private Cloud. PHI should further be restricted by using CloudHub’s Dedicated Load Balancing Service where applicable. CloudHub’s non-dedicated runtime environment is not covered by the Mulesoft BAA Amendment.
Anypoint Monitoring
PHI must only be handled inside a customer's dedicated Anypoint Monitoring implementation. Dedicated Anypoint Monitoring is available to customers under the Titanium subscription. PHI should further be restricted by using the tokenizer connector where applicable. The non-dedicated Anypoint Monitoring environment is not covered by the Mulesoft BAA Amendment.
Anypoint MQ
PHI must only be transmitted to and processed by encrypted queues, or carried in payloads that the customer encrypted before publishing messages to Anypoint MQ. The time-to-live (TTL) should be set to the minimum value needed. Non-encrypted queues are not covered under the BAA.
Anypoint Object Store v2
PHI must only be transmitted to and stored in Object Store v2 for the minimum amount of time necessary for the workload. This requires the customer to set the appropriate time-to-live (TTL). Object Store v2 is not designed for permanent storage.
Anypoint Security
Anypoint Security is a set of features that can help customers secure their PHI within the context of an application network. However, PHI must only be transmitted to and processed by CloudHub runtimes running inside a CloudHub Virtual Private Cloud connected to an Anypoint Platform organization with a valid and signed Business Associate Addendum and Mulesoft Amendment.
Inbound transmission of PHI
When PHI is transmitted to a CloudHub runtime, it must use HTTPS connections. Dedicated load balancers enforce TLS version 1.1 or higher when clients connect with HTTPS. CloudHub runtimes by default also support the non-TLS HTTP protocol. It is the customer’s responsibility to ensure that PHI is only transmitted to MuleSoft over HTTPS connections. Customers can verify that a web request was received over TLS by checking that the value of the X-Forwarded-Proto HTTP header is set to “HTTPS”.
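The following Mule 4 flow is an added example, not MuleSoft's own code, of enforcing the X-Forwarded-Proto check described above at the edge of a PHI endpoint. It assumes the application is deployed behind a Dedicated Load Balancer that sets the header; the flow name, listener config name, `/phi/*` path and `${http.port}` property are placeholders. The comparison is case-insensitive so that both “HTTPS” and “https” pass, and a missing header fails closed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not MuleSoft code): reject PHI requests that did not
     arrive over TLS, judged by the load balancer's X-Forwarded-Proto header.
     Names below (phi-listener-config, phi-intake, /phi/*) are placeholders. -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">

  <http:listener-config name="phi-listener-config">
    <!-- Plain HTTP on the worker itself: the dedicated load balancer
         terminates TLS in front of it and forwards the scheme in a header -->
    <http:listener-connection host="0.0.0.0" port="${http.port}"/>
  </http:listener-config>

  <flow name="phi-intake">
    <http:listener config-ref="phi-listener-config" path="/phi/*">
      <!-- Use the status code chosen by the error handler; the error body
           deliberately never echoes the request payload -->
      <http:error-response statusCode="#[vars.httpStatus default 500]">
        <http:body>#[payload]</http:body>
      </http:error-response>
    </http:listener>

    <!-- Gate on the proxy header before anything touches the payload.
         Header names are compared in lowercase; an absent header yields ''
         and therefore fails the check. -->
    <choice>
      <when expression="#[lower(attributes.headers.'x-forwarded-proto' default '') == 'https']">
        <!-- Request arrived over TLS: PHI processing continues here -->
        <set-payload value="#[output application/json --- { accepted: true }]"/>
      </when>
      <otherwise>
        <raise-error type="APP:INSECURE_TRANSPORT"
                     description="PHI endpoints accept HTTPS only"/>
      </otherwise>
    </choice>

    <error-handler>
      <on-error-propagate type="APP:INSECURE_TRANSPORT">
        <set-variable variableName="httpStatus" value="403"/>
        <set-payload value="#[output application/json --- { error: 'https required' }]"/>
      </on-error-propagate>
    </error-handler>
  </flow>
</mule>
```

Because the worker also answers plain HTTP, this gate is what turns the load balancer's TLS enforcement into a guarantee for the application: a request that reaches the runtime without the header, or with any value other than https, is refused before the payload is read.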
Transmission of PHI within a virtual private cloud
In a CloudHub Virtual Private Cloud, runtimes are able to communicate with each other internally as well as externally. If a customer’s application transmits PHI, that application must encrypt the PHI in transit, e.g. by using TLS protocol version 1.1 or higher for the transmission. The customer must validate that PHI is encrypted in the payload and/or in the transmission.
Transmission of PHI from CloudHub deployed applications to external services
Transmission of PHI to Mulesoft and Salesforce provided add-on services
Customers must not transmit PHI to any Mulesoft or Salesforce provided Add-on service not listed above. The only Add-on services approved for handling PHI are the services listed above in the section “Covered Mulesoft services”.
Transmission of PHI to Non-MuleSoft/Salesforce applications
Non-MuleSoft/Salesforce applications such as partner-provided Add-on services are not provided by MuleSoft/Salesforce and therefore are not covered by the Salesforce BAA. If the customer’s application transmits PHI to such services, the customer is responsible for verifying that the transmission and subsequent handling of PHI by those service providers meet HIPAA requirements.
Transmission of PHI to other internet services
Transmission of PHI to other services on the Internet is not covered by the Salesforce BAA. The customer is responsible for ensuring that such transmission and subsequent handling by the remote service meet HIPAA requirements.
PHI in application logs
CloudHub provides access to log data that includes deployment messages and events for each worker. CloudHub stores logs of up to 100 MB per application per worker, or for up to 30 days, whichever limit is reached first. If CloudHub application logs need to be archived or downloaded at regular intervals for audit, analytics or similar purposes, use a custom log appender to extract the logs.
If a customer uses CloudHub application logging, the customer must not transmit PHI in the log stream. It is the customer’s responsibility to ensure that PHI does not enter the log stream by ensuring that:
- PHI is not accidentally logged by custom configuration of logging parameters
- PHI is not included in the URL or query string submitted to web processes and logged by the Anypoint Platform
- PHI is not printed to stdout by the application process
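As an added example (not MuleSoft's own code) of keeping PHI out of the CloudHub log stream, the Mule 4 flow below logs only request metadata from a PHI endpoint: the correlation id, method, path without its query string, and the payload size. It never logs the payload or the query parameters, which are the two places the list above warns PHI tends to leak from. The flow and config names and the `/phi/*` path are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not MuleSoft code): a logger for a PHI endpoint that
     records only fields which cannot carry PHI. Names are placeholders. -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">

  <http:listener-config name="phi-audit-listener-config">
    <http:listener-connection host="0.0.0.0" port="${http.port}"/>
  </http:listener-config>

  <flow name="phi-intake-audited">
    <http:listener config-ref="phi-audit-listener-config" path="/phi/*"/>

    <!-- Do NOT do either of these on a PHI endpoint: both write PHI to the
         CloudHub log stream, which is not a covered location.
         <logger message="#[payload]"/>
         <logger message="#[attributes.requestUri]"/>   (requestUri keeps the query string)
    -->

    <!-- Safe audit record: requestPath excludes the query string, and the
         payload is described by its size rather than its contents -->
    <logger level="INFO" category="phi.audit"
            message="#[output application/json --- {
              correlationId: correlationId,
              method: attributes.method,
              path: attributes.requestPath,
              contentLength: (attributes.headers.'content-length' default 0) as Number
            }]"/>

    <!-- PHI processing continues here; the response also avoids echoing input -->
    <set-payload value="#[output application/json --- { received: true }]"/>
  </flow>
</mule>
```

A useful review habit is to search every `<logger>` and DataWeave `log()` call in a PHI application for `payload`, `queryParams`, `queryString` or `requestUri`; any hit on a PHI flow is a candidate for the leak the list above describes.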
Customers can transmit PHI in the log stream when using a custom log appender that sends all logs to a destination of the customer's choosing (Splunk, ELK, etc.). It is the customer’s responsibility to ensure that such transmission and subsequent handling by the receiving log capture service meet HIPAA requirements.
Anypoint Monitoring logging
If Anypoint Monitoring logging is enabled in the dedicated option available under the Titanium subscription, a customer may transmit PHI in the log stream, or use the log tokenization connector to tokenize the logs or items in the logs. It is the customer's responsibility to ensure that such transmission and subsequent handling meet HIPAA requirements.