Self-Hosted HIPAA & BAA Position
Password Pusher Pro – Self Hosted Edition
Apnotic, LLC
1. Applicability to HIPAA
Password Pusher Pro Self Hosted is deployed entirely within the customer's infrastructure. As such, Apnotic does not create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of the customer.
| HIPAA Role | Self Hosted Deployment |
|---|---|
| Covered Entity | Customer (healthcare provider, plan, or clearinghouse) |
| Business Associate | Not applicable – Apnotic is a software vendor only |
| PHI Custodian | Customer maintains sole custody of all PHI |
2. Why No BAA is Required
A Business Associate Agreement (BAA) is required under HIPAA when a Business Associate performs functions or activities involving PHI on behalf of a Covered Entity.
Apnotic does not meet the definition of a Business Associate for Self Hosted deployments because:
- No PHI is transmitted to Apnotic systems
- No PHI is stored, processed, or accessible by Apnotic
- No services are performed by Apnotic using customer PHI
- Apnotic provides only software (compiled code/container images), similar to on-premises software vendors
Analogy: Just as Microsoft does not sign a BAA for Windows Server or SQL Server running in a hospital's data center, Apnotic does not require a BAA for self-hosted Password Pusher Pro.
3. Customer HIPAA Responsibilities
As the sole custodian of PHI in a Self Hosted deployment, the customer is responsible for:
| Requirement | Customer Action |
|---|---|
| Access Controls | Configure authentication, RBAC, and session management |
| Audit Controls | Enable and monitor application and system audit logs |
| Integrity Controls | Implement data validation and backup procedures |
| Transmission Security | Configure TLS/SSL and encryption in transit |
| Breach Notification | Monitor, detect, and report PHI breaches per 45 CFR 164.400 |
| Risk Analysis | Conduct security risk assessment per 45 CFR 164.308(a)(1) |
| Business Associate Contracts | Execute BAAs with any third parties processing PHI (hosting provider, IT vendors) |
4. Security Capabilities Provided
Password Pusher Pro includes features to support customer HIPAA compliance:
| Feature | How It Supports HIPAA |
|---|---|
| Encryption at Rest | AES-256 encryption for stored passwords/files |
| Encryption in Transit | TLS 1.3 for all communications |
| Audit Logging | Comprehensive event logging for access and actions |
| Access Controls | User authentication, role-based permissions |
| Auto-Destruction | Configurable expiration reduces PHI exposure window |
| Secure Deletion | Cryptographic erasure of expired content |
5. Documentation for Compliance Reviews
For OCR Audits or Compliance Reviews:
- This document confirms Apnotic's role as a software vendor, not a Business Associate
- Customer maintains all system logs, access records, and audit trails
- Customer controls all encryption keys and authentication systems
- Apnotic has no capability to access PHI even if legally compelled
6. SaaS vs. Self-Hosted Comparison
| Aspect | SaaS (pwpush.com) | Self Hosted Pro |
|---|---|---|
| BAA Required | ✅ Yes – Apnotic processes data | ❌ No – Customer processes own data |
| PHI Location | Apnotic infrastructure | Customer infrastructure |
| Access Controls | Managed by Apnotic | Managed by customer |
| Audit Logs | Available in application | Customer-managed storage |
| Encryption Keys | Apnotic-managed | Customer-managed |
7. For Compliance Officers
Common Question: "We need a BAA for any vendor handling PHI. Why won't you sign one?"
Answer: HIPAA defines a Business Associate as an entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. In a self-hosted deployment:
- Apnotic provides only compiled software (container images)
- PHI never leaves the customer's environment
- Apnotic cannot access, process, or even view customer PHI
- The customer is the sole custodian and processor of PHI
A BAA would be legally inappropriate because no business associate relationship exists. The correct HIPAA framework is that of a software vendor providing tools for the Covered Entity's own use—similar to Oracle, Microsoft, or Red Hat providing on-premises database or operating system software.
Document Version: 1.0
Last Updated: April 2026
Contact: support@apnotic.com | https://apnotic.com