New Relic, Inc.

HIPAA & BAA FAQ

New Relic Telemetry Data Platform, Full-stack Observability, and Applied Intelligence solutions

Thank you for considering becoming a customer of New Relic.

New Relic’s offerings are different from other SaaS offerings you may have encountered before. To avoid any misunderstandings about how New Relic fits into your technology estate, this FAQ is intended to paint a clearer picture of what we do, how we do it, why we do it, and where PHI may end up with New Relic.

What does New Relic do?

New Relic provides software developers, and the teams that run that software, with the tools needed to identify issues in that software.

New Relic does not provide IT solutions for health care treatment or payment, nor for many health care operations.

Our technology performance-monitoring solutions are intended for use cases with non-sensitive timing and metric data, which you control by your deployment and configuration choices. We provide SRE and DevOps teams that develop, maintain, or update your software and technology solutions control over the data elements sent to New Relic.

Health IT Examples (does New Relic do this or provide this?)

Primary Care

  • Clinical decision support

  • Computerized disease registries

  • Computerized provider order entry

  • Consumer health IT applications

  • Electronic medical record systems

  • Electronic prescribing

  • Telehealth

Revenue Cycle

  • Charge capture

  • Coding

  • Claims submission

  • Insurer communications

  • Payment collections

  • Medical service review

Payment

  • Billing

  • Risk adjustment

  • Reviewing for medical necessity, coverage, justification of charges and the like

  • Utilization review activities

  • Disclosure to consumer reporting agencies

Health care operations

  • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination

  • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities

  • Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims

  • Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs

  • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity

  • Business management and general administrative activities related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity


Does New Relic directly interact with patients on a covered entity’s behalf?

No. New Relic’s users are generally developers, IT operations, and site reliability engineers. In general, New Relic’s subscriptions prohibit sublicensing access and use of New Relic’s SaaS to your own customers.

How does New Relic provide its solutions?

  1. New Relic provides a database, which we call the Telemetry Data Platform, that stores telemetry data about software performance.

  2. New Relic provides a graphical user interface via our website that allows users to quickly understand the health of frontend and backend software, which we call Full-Stack Observability.

  3. New Relic provides AI-powered solutions, which we call Applied Intelligence, that run on the telemetry data and can help automate identifying the root cause of a problem with software.

Why does New Relic provide its solutions?

Software code is bigger and more distributed than ever before. New Relic’s solutions can help your teams answer software problems and questions like:

What patient treatment or payment services does New Relic provide to covered entities?

None. New Relic’s solutions help software developers identify issues with software.

Can I see what’s in the data sent from my systems to New Relic?

  • New Relic’s data dictionary defines many of the common data attributes processed by New Relic. 

  • New Relic users can view data using New Relic’s data explorer to view the telemetry data elements (including in JSON format) in the New Relic account.

  • Your teams, at their sole election, may configure your licensed software to send custom telemetry data. That is wholly within your teams’ control and purview. You can view this custom data in the data explorer as well if you would like to review its data elements.

  • Log data generally consists of unstructured, raw “reports” generated by your software. Like other telemetry data available to users, if you have a New Relic account, you can view these Logs in New Relic’s data explorer and in the Logs UI in New Relic One.

What kind of health information technology does New Relic provide to covered entities?

None. New Relic:

  • Does not provide an electronic medical record or a personal health record; 

  • Is not an electronic data interchange; and

  • Is not a health information exchange or health information organization

Depending on the technologies that your teams may use, New Relic can help your teams that build, operate, and maintain your health information technology identify issues with such software.

Why does New Relic sign a BAA then? Where will PHI likely end up?

  1. If you use New Relic Browser in your patient-facing website, IP addresses are used to derive regional location information, and then the IP address is subsequently overwritten. Please see additional information provided here.

  2. If you use New Relic Mobile in your patient-facing mobile application, IP addresses are used to derive regional location information and subsequently discarded. Please see additional information provided here.

  3. If: 

    1. Your applications or your infrastructure (servers, hypervisors, etc.) process PHI

    2. Your applications or your infrastructure generate Logs that may include personal information relating to a patient

    3. You configure your applications or your infrastructure to send those Logs to New Relic

Then PHI may end up in the Logs that New Relic receives from your software and on your behalf.

“The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information” (published by HHS). If you are a covered entity and will have PHI in the data that you send to us, you need a business associate agreement with New Relic.

Do all covered entities have to sign a business associate agreement with New Relic?

According to HHS: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. 

Not all covered entities sign a business associate agreement with New Relic because some covered entities do not send protected health information to New Relic. Covered entities can (i) limit the scope of systems performance monitoring and (ii) control the telemetry data sent from their software and IT systems so that it excludes any PHI.

How can I help reduce or limit any PHI in the telemetry data that I send to New Relic?

Some options for your consideration:

  1. Carefully choose which applications and infrastructure you want to instrument and measure for performance. Some or many of your systems may never process any PHI, so the telemetry from monitoring those systems is unlikely to contain any PHI.

  2. Reduce or limit the use of any custom events so they do not contain any PHI elements. Talk to your legal, privacy, or compliance officers if you need assistance determining whether your data attributes or your proposed JSON schema will contain any PHI elements.

  3. Reduce or limit the use of dimensional metrics that may include any personal identifiers about patients.

  4. Review Service Maps in New Relic One to determine whether there are upstream connections to any patient-facing services or connections to systems that may contain PHI.

  5. Use New Relic’s data explorer to review every type of data at a regular cadence to see if there are any PHI elements.

    1. Add your legal, privacy, or compliance officers as a New Relic user so they can use New Relic’s data explorer to review for themselves.

    2. There’s a separate subsection in New Relic’s data explorer for “Custom Events”.

    3. If you are implementing rules on your systems to remove identifiers in any telemetry data before sending it to New Relic, then consult with your legal, privacy, or compliance officers by sharing the JSON or raw file types (under New Relic’s data explorer) to confirm the telemetry data has been appropriately de-identified in accordance with HIPAA.

    4. Invite your legal, privacy, or compliance officer to review any of your data in New Relic’s data explorer.

  6. Use New Relic Log drop filter rules to drop Logs data that meet your specified criteria.

  7. If you find PHI that you prefer to keep out, reconfigure your data source to omit the specified data attribute, and then request data deletion in accordance with New Relic’s personal data deletion request process.
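One way to implement the pre-send de-identification step described in items 2, 3 and 5 above, as an added example that is not New Relic’s code: a small Python scrubber that removes custom-event attributes on a denylist, redacts string values matching common identifier patterns, and returns a findings list for your privacy officer to review. The attribute names, the patterns and the sample event are constructed assumptions; replace them with your own schema.

```python
import re
from copy import deepcopy

# Attribute names that should never leave the application as custom-event
# attributes. Constructed list; extend it with your own schema's field names.
DENYLIST = {"patientName", "memberId", "ssn", "dateOfBirth", "homeAddress"}

# Value patterns that suggest an identifier slipped into a free-text field
# such as a log message. Constructed; tune them to your own data.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


def scrub_event(event):
    """Return (scrubbed_copy, findings) for a custom-event dict.

    Denylisted attributes are removed outright; string values matching a
    pattern are redacted in place. Nested dicts and lists are walked so a
    log payload embedded in an event is covered too. The input is not modified.
    """
    findings = []

    def walk(obj, path):
        if isinstance(obj, dict):
            for key in list(obj):
                if key in DENYLIST:
                    findings.append((f"{path}{key}", "denylisted attribute"))
                    del obj[key]
                else:
                    obj[key] = walk(obj[key], f"{path}{key}.")
            return obj
        if isinstance(obj, list):
            return [walk(item, f"{path}{i}.") for i, item in enumerate(obj)]
        if isinstance(obj, str):
            for name, pattern in PATTERNS.items():
                if pattern.search(obj):
                    findings.append((path.rstrip("."), f"value matched {name}"))
                    obj = pattern.sub(f"[REDACTED-{name}]", obj)
        return obj

    return walk(deepcopy(event), ""), findings


# Constructed sample event, shaped like one a developer might emit via a
# custom-event API. Every identifier below is fictitious.
SAMPLE_EVENT = {
    "eventType": "AppointmentBooked",
    "durationMs": 184,
    "patientName": "Jane Example",
    "message": "Booked for jane@example.com, MRN 00123456",
    "context": {"memberId": "A1B2C3", "clinic": "north"},
}
```

Running `scrub_event(SAMPLE_EVENT)` keeps the timing attributes, drops `patientName` and `context.memberId`, and redacts the e-mail address and MRN inside `message`, which is the kind of output worth sharing with your compliance officer before enabling the data source.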

How do I identify the individuals included in my telemetry data whose data may also be subject to state privacy laws?

New Relic’s services by default do not specifically collect names, addresses, dates of birth, or the like, and therefore New Relic will not have names together with state of residency. Depending on the developers that created your software or IT systems, the developers may have opted to include data elements that could include personal information in the Logs data generated from such software or IT systems. Consult your developers or your software and systems documentation for more information.

I am the covered entity and it is my obligation under HIPAA to ensure all business associates sign a business associate agreement with me. Why can my company not use its own BAA?

While it may be the covered entity’s obligation, nothing in HIPAA requires that the business associate start with the covered entity’s business associate agreement.

New Relic’s business associate agreement is specifically tailored to reflect New Relic’s service offering and its multi-tenant environment. It sets out the specialized processes and procedures for New Relic’s obligations as a business associate to the covered entity, given that New Relic’s services do not provide full records about patients or individuals. These all correlate to the way in which New Relic’s unique services and its multi-tenant infrastructure operate.

For example, stock business associate agreements are drafted for any type of vendor that uses and discloses large quantities of PHI, such as medical claims, pharmacy claims, ERAs, health charts, billing & coding, and medical images, and will contain requirements for handling these types of PHI directly as if the vendor were the covered entity itself.

New Relic will not handle such types of PHI and does not have mechanisms in place to handle specific requests by the Covered Entity pertaining to such types of PHI. 

  • New Relic’s platform was designed to ingest telemetry data and query telemetry data. Any PHI elements will be temporary or ancillary (see the question above).

  • Customers are fully in control of the data sent to New Relic; New Relic will not by default collect information about a patient to confirm the identity of the individual (e.g. first name, last name, home address, group plan ID, member ID, etc.).

  • Because of the foregoing, New Relic will not be able to identify the Individuals impacted in a data incident.

  • New Relic will not be directly interfacing with patients.

  • New Relic was not designed to operate as a system of record for patient care or payments and cannot amend PHI.

  • New Relic can provide a special environment for health care customers, which requires coordination between the customer and New Relic as specified in New Relic’s BAA.

  • New Relic’s business associate agreement is bespoke to New Relic’s telemetry data platform architecture built on our cloud vendors. New Relic inherits all the features and functionalities as provided by cloud vendors supporting our platform.

What about the main agreement between the parties?

The New Relic BAA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement.

Why are some features, such as Applied Intelligence and others that use AI/ML, not included as a HIPAA Covered Service?

New Relic releases new products and features on an ongoing basis. In addition to following a standards-based risk management program for our services, New Relic works with third-party auditors that separately review and verify New Relic is meeting requirements under a recognized privacy and security framework such as SOC or HITRUST. New Relic prioritizes and adds new eligible services based on customer demand.

For more information about our business associate program, or to request new HIPAA Covered Services, please speak with your New Relic representative. New Relic realizes the value our services and features provide to all customers; if you are a health care customer, we would love to hear from you.

I am responsible for ensuring that only authorized Users can access my HIPAA Account that may contain PHI. How do I add, remove, or manage users in my HIPAA Account?

New Relic’s Documentation provides detailed information on how to manage users for a New Relic Account, including a HIPAA Account. Please see here.

How does New Relic meet its obligations under HIPAA?

Not only are we committed to you as our customer; HHS/OCR can also directly oversee business associates like New Relic. New Relic has a dedicated security and privacy team within our organization who are passionate about delivering and maintaining privacy and security for our HIPAA covered offerings.

  • We will keep your data confidential: All of New Relic’s staff who have access to our customer’s data are committed to confidentiality as part of their terms of employment with New Relic.

  • We keep your data safe and secure: At New Relic, the security of your data is of the utmost importance to us. We engineered our HIPAA offering using the same privacy and security framework we used for FedRAMP.

  • We have implemented robust technical and organisational measures to assist our customers in meeting their compliance needs: At New Relic we know that our customers are subject to compliance obligations under HIPAA. Your users have query and retrieval capabilities in our services to look for your specified data attributes.

  • We will only use approved business associates: All of our own business associates undergo rigorous security and privacy assessment from our security and privacy team. You can be assured that we conduct thorough due diligence prior to onboarding and that we ensure we have the appropriate contractual provisions in place. At all times New Relic remains liable for the acts of our business associates.

  • We will assist you in the event of a data breach: If a data breach occurs at New Relic and your data is affected, we will notify you and we will provide you with details of the breach in order for you to assess the impact it may have upon your organisation. 

  • We use an independent auditor and nationally-recognized audit framework: We picked a nationally-recognized and respected audit framework so that you and New Relic are aligned on our privacy and security measures.

How can I sign the New Relic BAA?

Contact your Account Executive for more information.

I would like to ask some questions that are not answered in this FAQ

For any additional information you require, you may contact your Account Executive who will be happy to assist you.


The information contained in this document does not provide legal advice. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the New Relic services. Remember that a BAA with New Relic is only necessary if you fall under the conditions set forth in HIPAA.