Google uses ISO 27001 certification and SOC 2 and SOC 3 Type II audits. Its BAA covers many of the G Suite products, including Gmail, Google Calendar, and Google Drive (Google Docs, Google Sheets, and Google Slides). For Google Meet, however, the BAA only covers the chat messaging feature and doesn’t cover the video chat feature.
Zoom uses Advanced Encryption Standard (AES) encryption with 256-bit keys to protect its meetings. For HIPAA accounts, Zoom enables “Fully Encrypted Persistent Chat,” an encrypted messaging system based on public-key cryptography in which private keys are generated and stored only on users’ devices. Zoom incorporates additional security measures to ensure that PHI always stays private. There are two different user authentication requirements, as well as access control measures that regulate who or what can view or use resources on the platform.
The free version of Gmail that most people use is not HIPAA compliant on its own, but Google’s G Suite can be HIPAA compliant. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once configured, make G Suite HIPAA compliant. Once you’ve made your G Suite account HIPAA compliant, your connected Gmail account will be HIPAA compliant as well. Gmail is the most widely used email service around, with 1.5 billion users worldwide, an increase of 500 million users just since 2016. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies. HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-compliant emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Your staff needs training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients. Ongoing training is necessary because healthcare workers are often targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of thousands of patients. Continuous training improves the chances that your employees will thwart phishing scams before they cause any damage. Your business needs a straightforward, step-by-step process to help staff comply with both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things. You need a signed business associate agreement (BAA) with every third party that could access the PHI in your custody.
Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required. The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. HIPAA-compliant email services should have strong security features or allow third-party plugins that provide the needed security. Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands. Google will sign a BAA with healthcare companies that use G Suite but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation.
Skype is one of the most well-known video conferencing tools, and hundreds of millions of people worldwide use it. Since being acquired by Microsoft in 2011, Skype has been available on Windows PCs by default. That’s why so many medical practitioners use it. But no software can be HIPAA compliant on its own. Skype must be configured properly to be HIPAA compliant.
Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider is required to meet HIPAA compliance standards. Google will sign a BAA with healthcare companies that use G Suite but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation. Healthcare companies have embraced G Suite because of its robust security features and low cost. Setting up a HIPAA-compliant Gmail account: simply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly. Here are the steps to ensure Gmail is HIPAA compliant:
OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit Electronic Patient Health Information, covered entities should rely on cloud storage solutions that can become HIPAA compliant. OneDrive can be HIPAA compliant if the organization takes the proper steps. The business associate agreement is an essential part of making any software solution HIPAA compliant. This agreement states how the parties’ handling of Electronic Patient Health Information (ePHI) will adhere to HIPAA. Without a signed BAA, no technology solution can be considered HIPAA compliant, but Microsoft provides one. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive fulfills the access control obligation quite sufficiently.
Square takes HIPAA compliance seriously and aims to protect both its users and its users’ customers. That's why it took the necessary measures to provide HIPAA compliance to its users. If the user is subject to HIPAA (as a covered entity or business associate) and deals with Protected Health Information, the user needs to sign Square’s HIPAA BAA. The responsibility for deciding whether they need to comply with the HIPAA requirements belongs to the user. The user can get more information by checking Square's HIPAA BAA. The user doesn't need to apply for PCI compliance separately, since Square is already PCI compliant by its nature.
Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Link-sharing and automatic file syncing aren’t allowed for HIPAA compliance. Additional precautions are recommended, such as backing up Google Docs data.
HIPAA compliance only applies to the messaging and file transfer features of Slack, not any other Slack features. Slack cannot be used to communicate with patients, plan members, or their families or employers. With Slack Enterprise Grid, healthcare companies can integrate Slack with their existing medical records system to share and control medical data in a HIPAA-compliant manner.
WhatsApp is one of the most used text messaging apps in the world. After it was bought by Facebook, various security measures such as end-to-end encryption were added. However, the current version of WhatsApp cannot be made HIPAA compliant, although it would be technically possible for it to become so. For starters, access controls, audit controls, and possibly a BAA would be needed for WhatsApp to become HIPAA compliant. The lack of a signed Business Associate Agreement overrides all of the security features required for a tool to be HIPAA compliant. WhatsApp shouldn't be used to communicate PHI, since doing so is likely to break HIPAA rules.
Evernote doesn’t offer a Business Associate Agreement (BAA). Even though it incorporates some protection features that can prevent unauthorized access, the overall security controls aren’t sufficient to meet HIPAA standards. Evernote can only be used for medical data storage purposes if it’s completely offline and is going to stay offline. The computer that Evernote is set up on should be encrypted in order to prevent unauthorized personnel from accessing the information. Given that its primary purpose is file sharing, Evernote isn’t the ideal solution for handling PHI and shouldn’t be used to store PHI.
eFax is an electronic faxing solution that uses advanced security protocols to make sure ePHI is secure both during transmission and in storage. eFax is known as one of the most secure online fax providers. eFax uses unique user identification and 256-bit SSL encryption to ensure secure document transmission and keep ePHI safe from unauthorized access. eFax also offers secure transport layer security (TLS) encryption protocol, administration privileges to limit access to ePHI, and multilevel audit controls, including secure and automatic fax archiving. Fax transmissions are stored on the eFax cloud and kept safe in Tier III secure servers.
Box checks all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption. Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.
Mailchimp provides security measures to reduce the risk of unauthorized access, including physical security controls and encryption. Since encryption is built into the service, it meets certain HIPAA compliance regulations. But Mailchimp doesn’t guarantee that all HIPAA compliance standards are met. According to Mailchimp’s terms and conditions, customers are responsible for ensuring they comply with regulations like HIPAA. Mailchimp explicitly states that it isn’t liable if the service violates HIPAA regulations. Uploading patient information to a Mailchimp email list is a disclosure of Patient Health Information (PHI). That makes Mailchimp a business associate. If a HIPAA-covered entity uses Mailchimp services, a Business Associate Agreement must be in place for Mailchimp to meet HIPAA compliance requirements. Without a signed BAA, Mailchimp doesn’t comply with HIPAA, so it shouldn’t be used with any form of PHI.
The free email platform offered by Microsoft, Outlook.com, isn’t built to handle ePHI securely and isn’t HIPAA compliant. However, Outlook can be used as a HIPAA-compliant service with a paid Office 365 subscription and additional client-side encryption. For HIPAA compliance, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.
Metrofax offers secure, encrypted fax communication services. The built-in faxing features allow users to quickly send information from a cell phone or computer as a fax. Even though Metrofax provides encryption to protect transmitted information, it’s missing a few capabilities required for HIPAA compliance. When sharing PHI through a third-party provider, HIPAA regulations require a signed Business Associate Agreement. This BAA must be in place for Metrofax’s services to meet HIPAA compliance. Since Metrofax doesn’t sign a BAA, it is not HIPAA compliant and shouldn’t be used with PHI.
Wix is a popular website builder. While Wix offers security features, these measures aren’t sufficient for HIPAA compliance. Passive scanning is done periodically, but customers don’t have access to real-time monitoring to protect against hacking. A signed Business Associate Agreement (BAA) is essential for HIPAA compliance. Since Wix doesn’t sign a BAA with its customers, this service shouldn’t be used with patient health information. Certain Wix features can be HIPAA compliant when paired with other services. Wix partners with Google G Suite to integrate email hosting. When purchasing Wix services, you can meet HIPAA requirements for email if you use specific security settings and sign a BAA with Google. Websites made with Wix, however, are not HIPAA compliant.
Teamviewer is a HIPAA-compliant remote access solution that allows users to access devices no matter where they are. Security is a key objective for Teamviewer. The company has received multiple security certifications from A-LIGN, a provider that helps businesses implement HIPAA-compliant security features. All of Teamviewer’s remote support, remote access, and online collaboration features maintain the level of privacy and security necessary for HIPAA compliance. This includes end-to-end encryption, which is why many companies trust Teamviewer. HIPAA has strict standards for the privacy and confidentiality of patient information. When using computers, networks, and mobile devices for PHI, all access and management must follow HIPAA regulations. Additionally, every employee must receive regular HIPAA training. Teamviewer’s security and privacy practices meet HIPAA compliance standards. Before using Teamviewer with PHI, you must get a signed BAA from the company. Since Teamviewer is a third party that could access PHI on your computers and devices, the BAA ensures that protections are in place if Teamviewer exposes PHI. The potential risk involved in remote access opens up the possibility of unauthorized access to PHI. Teamviewer mitigates this risk using encryption and security features to protect information. Submit an inquiry to Teamviewer customer service for assistance in obtaining the BAA. A signed BAA might be available only for organizations that meet a specific spending threshold. The company reviews each situation on a case-by-case basis, so you must contact Teamviewer to discuss a BAA. It’s a HIPAA violation to use Teamviewer before you have a signed BAA in place.
The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep Patient Health Information (PHI) secure in the cloud. Salesforce complies with the HIPAA Security Rule, including administrative, physical, technical, organizational, and documentation safeguards to protect PHI. Customers can meet strict HIPAA security requirements using customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has core security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to:
- Define permission sets that govern the visibility of data
- Maintain strict password security
- Monitor field-level history
- Set security rules to manage data access
- Define a company-wide sharing model and role hierarchy
In addition to permission sets, customers can define user profiles to limit data record access to authorized employees. It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit. If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.
Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI). Google doesn’t access the PHI in Google Sheets but still needs to sign a BAA since this data is stored on Google servers. Google will sign an agreement with businesses that use G Suite services such as Google Sheets, Google Docs, Google Slides, Google Drive, and Google Forms. While Google Sheets offers HIPAA-compliant security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to be HIPAA compliant. Admin console logs and reports are an important part of HIPAA-compliant security for Google Sheets and all other apps in G Suite. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for activities like suspicious login attempts, suspending users, activating a suspended user, adding a new user, changing a password, and granting or revoking admin privileges. In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators. When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube aren’t HIPAA compliant, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons from third-party developers.
Carbonite uses internal privacy and security provisions to safeguard medical information. These services support HIPAA requirements, as long as healthcare customers sign a Business Associate Agreement. HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite meets this standard through real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats. Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Twenty-four-hour security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system. Additionally, Carbonite restricts access to software programs, allowing only authorized employees access. When a customer needs to dispose of data, authorized individuals wipe the drive, then complete a full write of the drive and a full read to ensure it is blank. Carbonite uses vendors that maintain HIPAA-compliant practices, ensuring the same privacy standards for all Carbonite services. You must have a Carbonite Safe Pro subscription for HIPAA compliance. The BAA provides contractual assurances that Carbonite understands and implements strategies for safeguarding PHI. Carbonite Safe Pro also gives administrators access to view user activity and logins. Since HIPAA regulations can be challenging to navigate, Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA compliant.
Quickbooks has many features to simplify business invoicing and bookkeeping. While this software is effective in a variety of industries, it isn’t recommended for medical billing. Since deductibles, cash payouts, insurance invoices, and copays include patient health information, you shouldn’t enter this information into Quickbooks. Some medical clinics use Quickbooks for summarizing revenue and sales receipts. This tool can be a powerful way to track revenue by company, insurance, or even patient category. But you need to be sure that the information does not fall under the classification of “protected health information” (PHI). For example, you shouldn’t use Quickbooks for patient demographic data, information about physical or mental health conditions of patients, health care services offered to each person, or payment for medical services. According to the US Department of Health and Human Services, medical practitioners shouldn’t use non-compliant software services for the above information if there is “a reasonable basis to believe it can be used to identify the individual.” Another reason why Quickbooks is not HIPAA compliant is that the company won’t sign a Business Associate Agreement (BAA). If you are in the healthcare industry and use Quickbooks, you should not use “individually identifiable health information” with this software. This information is best secured using HIPAA-compliant medical billing software.
iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to be HIPAA-compliant. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls meet the minimum HIPAA requirements, but that doesn’t mean that the service is HIPAA compliant. Even though strong access and authentication features are part of iCloud, the services it provides classify Apple as a business associate. When healthcare providers use cloud services with patient health information (PHI), business associates must sign a BAA. Apple will not sign a BAA with healthcare organizations. The terms and conditions clearly state that HIPAA-covered entities shouldn’t use iCloud for sharing, storing, or transmitting PHI. Using this service for PHI is a violation of HIPAA rules.
RingCentral is a HIPAA-compliant option that healthcare organizations can use to transmit and store patient health information. As a cloud service provider, RingCentral takes a proactive approach in ensuring privacy and safety for all communications. The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures. Available HIPAA security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information is secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have state-of-the-art security protocols with onsite guards and electronic prevention systems. Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in a HIPAA-compliant manner. When a healthcare organization uses these services with patient health information, RingCentral is classified as a business associate. Therefore, healthcare organizations using RingCentral services must obtain a signed business associate agreement (BAA). RingCentral offers its own BAA, which customers can obtain by contacting their personal representative.
DocuSign falls into the category of a business associate when healthcare providers use its services for protected health information (PHI). DocuSign offers AES 256-bit encryption for data in transit and at rest. This encrypted information is held on the DocuSign servers, and the company doesn’t have access to the information. DocuSign is fully compliant with the security and privacy requirements of HIPAA. DocuSign also meets Health and Human Services (HHS) standards for digital signatures. This service enables HIPAA compliance through its digital tracking system. Each e-signature has a tamper-proof audit trail that’s fully traceable. DocuSign data centers are SOC2 audited and ISO 27001-certified. Customers can trust the authenticity of e-signatures through signature verification. When signing a document, the service captures unalterable information, including names, email addresses, timestamps, signing location, public IP addresses, and document completion status. While DocuSign offers essential encryption, auditing, and security standards, it’s the responsibility of each customer to ensure that they share and access PHI in a HIPAA-compliant manner. If your healthcare organization is using DocuSign for PHI, then you are only HIPAA compliant after obtaining a signed BAA. Customers need an enterprise account to access the necessary security features and get a BAA. Once you have a BAA in place, you can use DocuSign for HIPAA-compliant e-signatures.
Sharepoint provides necessary administrative and technical features to meet HIPAA compliance. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage. Sharepoint is a Microsoft service. The Microsoft website states that Sharepoint Online is HIPAA compliant when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly. A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more. If you are a HIPAA covered entity, then you must follow HIPAA regulations. For example, you must control how data is shared, used, published, and updated. Always classify sensitive data to ensure monitoring, protection, and appropriate access controls for storage and information transit. Microsoft is willing to sign a Business Associate Agreement (BAA) for organizations that use Sharepoint for patient health information. This BAA is for Office 365 Enterprise, which also covers Sharepoint Online. Without this signed BAA, HIPAA-covered entities shouldn’t use this platform for protected health information. If you configure and use Sharepoint correctly and obtain a BAA, then this service can be a HIPAA-compliant solution for information storage, management, and collaboration.
Virtru provides HIPAA-compliant data protection services that encrypt email and files to protect confidential patient health information (PHI). HIPAA defines specific technical standards for data encryption, and Virtru meets or exceeds these standards at all times. Encryption protects files while they are in transit and at rest. Additionally, Virtru provides administrative controls for managing emails, photos, videos, PDFs, and Office files. You can manage authorization to allow or disallow users to access specific content and types of content. Tracking and monitoring features provide real-time protection for patient information. Other HIPAA-compliant security features include forwarding restrictions and the ability to revoke messages after they are sent. When sharing information between patients and colleagues, the content is always protected, private, and audit-ready. Virtru offers client-side email encryption if you’re using the plugin with on-device encryption. When creating information on the device, the protection occurs immediately (before distribution). Advanced controls allow end-to-end encryption, so patient information is always safe. Virtru can integrate end-to-end encryption in Gmail. Google will sign a BAA and ensure protection for content within your email account. But privacy control isn’t available when the data leaves the Gmail ecosystem. Virtru offers an extra layer of security to strengthen privacy controls after email leaves your inbox. When using Virtru and Gmail together, you must have a signed Business Associate Agreement (BAA) from both providers. All Virtru services meet or exceed technology standards required for HIPAA compliance. Virtru is willing to sign a BAA for customers on most of its paid plans. BAAs aren’t available if you are an unpaid user with a Personal Privacy account. If you need a signed BAA, purchase a paid plan and contact the support team to receive this HIPAA-compliant documentation.
It usually takes one to two weeks to receive the countersigned document. You should not enter patient health information in the system until this document is signed.
Venmo states that it doesn’t meet HIPAA requirements and doesn’t provide HIPAA protection for sensitive patient health information. Since the platform is typically used by individuals to send money to one another, it doesn’t fit the requirements for healthcare organizations. There are several payment gateways that provide HIPAA compliance; however, Venmo is not one of them. Although it is a great payment method for many, it is not the best fit for medical institutions.
Google Hangouts is a communication platform available through Google Workspace. The chat messaging feature in Google Hangouts meets HIPAA compliance standards, which means that covered entities can use it and maintain HIPAA compliance. Security features provide privacy controls that notify you when unauthorized access occurs. These controls must be configured before using Google Hangouts for protected health information (PHI). Using Google Hangouts on a mobile device could violate HIPAA rules. Each covered entity needs to have a signed business associate agreement (BAA). Google will sign this agreement for customers with a Google Workspace Business or Enterprise account. Customers using the free version of Google Hangouts cannot obtain a signed BAA, so the free account shouldn’t be used for PHI. Even with a signed BAA in place, covered entities need to be cautious. This BAA doesn’t include specific features, such as video chat and VOIP. With a signed BAA, healthcare providers may use the Hangouts text chat messaging feature only. When your organization needs video chat services, it’s best to select an alternative tool (like Google Meet) that follows HIPAA requirements. If your organization is planning to use Google Hangouts for PHI, refer to Google’s user guide for detailed information about security and privacy controls.
Healthcare organizations can use Webex as long as they get a signed BAA from Cisco. Webex’s administrative and technical measures meet HIPAA requirements. However, healthcare practices must ensure that Webex is configured correctly. Cisco clearly states the responsibilities of both parties (Cisco Webex and the customer) for HIPAA compliance. Cisco Webex is responsible for protecting the confidentiality, privacy, and security of PHI, whereas the healthcare provider is responsible for properly classifying and maintaining data. Cisco also offers a Webex HIPAA Self-Assessment. Customers just need to contact their account managers.
GoDaddy provides a variety of services including website hosting, email management, and domain names. Covered entities can use email services for protected health information, but website hosting services don’t meet HIPAA requirements. Basic website hosting plans aren’t HIPAA compliant because they are on shared servers. Other technical and physical safeguards aren’t in place for these plans. Covered entities shouldn’t use GoDaddy shared hosting for websites containing patient information. GoDaddy also offers email services through Microsoft Office 365. Two plans, Business Premium and Premium Security, offer HIPAA-compliant features. Covered entities must purchase HIPAA-compliant email as an add-on to the service. All email accounts on the same plan are HIPAA compliant. These email solutions offer the option of full integration with Microsoft Office. GoDaddy and Microsoft will sign a business associate agreement (BAA) to support HIPAA compliance. Also, covered entities must activate their email accounts before using these tools for PHI.
Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI). ProtonMail includes a HIPAA compliance statement on its website that assures HIPAA-covered entities the company will do its part to protect patient data. Privacy and security features include end-to-end encryption and zero access data management. The service uses 4,096-bit RSA encryption for all stored communications. World-class data centers provide physical security for all data backups. The server hardware is located in Switzerland where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center. If a user’s device is stolen or lost, a remote wipe feature protects PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system. ProtonMail employees don’t have access to PHI. Since the encryption is zero access, ProtonMail employees can’t read a user’s encrypted data. As part of the employment contract, each employee signs a confidentiality agreement. At the end of a contract with ProtonMail, the company deletes all of an organization’s data from its servers. ProtonMail doesn’t store paper copies or printed reports in its facilities. ProtonMail offers a signed BAA for all accounts, including its free plan. Healthcare organizations can request a signed copy by emailing firstname.lastname@example.org and using the email subject line: “HIPAA BAA.”
Google Calendar is a service offered through Google Workspace (formerly G Suite) that makes it easy for users to track appointments and manage their schedules. This tool can protect PHI, as long as you configure the security, access, and audit settings to prevent the disclosure or misuse of PHI.

The default settings in Google Calendar share all information with team members in your domain. Security features allow you to set meetings that involve PHI to “Private” to maintain confidentiality. This setting shows the time as “Busy” without disclosing information about the meeting. With proper privacy settings, the program won’t include PHI in the meeting details, such as the title and description.

The free version of Google Calendar doesn’t adhere to HIPAA compliance standards. Covered entities must be on a paid Google Workspace Business or Enterprise plan. The paid plans give users the option to manage Google Calendar security controls to meet HIPAA requirements.

Google will sign a BAA with covered entities using these paid versions of Google Workspace. This BAA covers the following tools available in Google Workspace: Google Calendar, Google Meet, Google Drive, Google Keep, Jamboard, Google Sites, Google Cloud Search, and Google Vault.
Acuity Scheduling is part of the Squarespace platform. While many aspects of Squarespace aren’t HIPAA compliant, Acuity Scheduling includes design features that allow covered entities to comply with HIPAA regulations.

Customers can manage notification settings to limit access to protected health information (PHI). For example, they can prevent emails from displaying the From and Reply-To fields that show the patient’s name and email address. You can contact Acuity to disable the feature that attaches a calendar file (ICS invite) containing the client’s name, appointment time, and appointment type to appointment confirmation and rescheduling messages.

Covered entities need to sign up for the Powerhouse Player plan to enable the security features required for HIPAA compliance. Access the Customize Appearance section to manage Scheduling Page Options, and then select the option to enter into a BAA using an electronic signature. Customers on Enterprise plans have the option to use custom BAAs.

A third-party security consultant has reviewed and verified Acuity’s HIPAA compliance.
Grasshopper isn’t HIPAA compliant. Its website states that support team members have access to account information and settings to help with technical issues. This access includes all messages that pass through Grasshopper’s calling, texting, and faxing features.

If protected health information (PHI) passes through these communication tools, then it’s possible for unauthorized individuals to access the information. Grasshopper doesn’t offer HIPAA-compliant services, so covered entities shouldn’t use these tools.
Zoho’s website provides limited information about HIPAA compliance. Even though its tools aren’t for healthcare entities specifically, many of the security features may meet HIPAA requirements.

These cloud-based services are comparable to those in Office 365 and G Suite, with secure solutions for word processing, custom applications, project management, live chat, app integration, and an IoT management platform.

The company offers technical, physical, and administrative safeguards for all services, but there are questions about whether these privacy features are sufficient for HIPAA regulations.

Zoho is willing to sign a Business Associate Agreement (BAA), but the company clearly states that its apps aren’t built for the healthcare industry. Responsibility for compliance remains with the customer.

For now, covered entities should check with Zoho for specific security features and updates on each of the available tools.
Many telecommunication firms act as conduits for data transmission and are exempt from signing a business associate agreement (BAA) under the conduit exception rule. Information shared over the phone or using a standard fax machine is not subject to HIPAA compliance. However, other means of communication, including VoIP, SMS, and digital fax services, must meet HIPAA regulations.

Since HelloFax uses digital faxing rather than regular fax machines, the service must provide privacy and security features if covered entities are using the system. HelloFax provides AES-256 encryption for information at rest and TLS encryption for information in transit, meeting the minimum HIPAA standards. Additionally, each document is encrypted with a unique key, and the document keys are encrypted with a master key that rotates frequently, so that someone who gained access to the hard drive still couldn’t decrypt the data.

HelloFax advertises “bank-grade” security, including physical and electronic protections. The data center uses strict access controls at all times. Because of these security measures, it is possible to use the HelloFax system without violating HIPAA requirements.

The company website doesn’t state that HelloFax will sign a business associate agreement (BAA), but larger companies with high annual spending have secured BAAs with HelloFax. Contact HelloFax support for a BAA.
ShareFile offers HIPAA-compliant tools that allow healthcare providers to exchange data and files with patients and third-party providers. A secure SSL/TLS connection maintains the privacy of protected health information (PHI) in transit, and data at rest is secured with AES 256-bit encryption.

These security tools provide bank-level encryption for every email, attachment, and file. Healthcare providers can move PHI between local storage and HIPAA-compliant cloud storage as needed. Check-in and check-out systems ensure that everyone works on the latest version of a file. Audit controls let administrators see the history of access, including account usage and access to folders and files.

Users can create individual accounts tied to unique email addresses; single sign-on is also available. Other HIPAA-compliant features include session timeout after inactivity, identity management, and account lockout after five failed login attempts.

ShareFile integrates with a variety of other tools, including Microsoft Outlook. Mobile apps are available for Android, iOS, and more. Cloud syncing gives users access to current information on all devices. This streamlined healthcare collaboration system also provides e-signature features for digital document signing.

HIPAA compliance features are available only for customers with a Premium plan. ShareFile will sign a business associate agreement (BAA) with covered entities.
Google Forms offers security and privacy configurations that comply with HIPAA regulations. Covered entities can set the access and visibility of folders and files, as well as grant specific collaborators sharing and editing capabilities.

When configuring Google Forms, administrators must set the sharing permissions to manage data visibility and access. Additionally, admins should disable third-party applications that don’t meet HIPAA privacy standards. Software compliance depends on how the software is used, which is why administrators must adjust privacy settings before using Google Forms for patient information.

Other HIPAA-compliant safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.

If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google offers a signed business associate agreement (BAA) that covers Google Forms as well as other Google Workspace services, such as Gmail, Docs, Sheets, Calendar, and Slides.
PayPal doesn’t provide HIPAA-compliant features for covered entities, and a company shouldn’t use this payment platform for protected health information (PHI). Not only are specific security protections missing, but using this service can be a blatant violation of HIPAA regulations.

One issue is that PayPal uses transaction data to optimize relevant offers for both consumers and merchants. PayPal collects user information and provides data to advertisers, which is a clear violation of HIPAA regulations.

HIPAA privacy rules require the protection of all “individually identifiable health information.” Demographic data and payment history fall into this category.

Also, PayPal won’t sign a BAA with covered entities. Medical providers should find an alternate, HIPAA-compliant service to collect payments.
GoToMeeting provides technical, physical, and administrative safeguards for online meetings and videoconferences. According to the GoToMeeting website, these security controls meet or exceed HIPAA technical standards. One of these features is end-to-end encryption: all data in transit, including chat, audio, and video, uses AES 128-bit encryption.

Additionally, logs of session activity and account connections create an audit trail for HIPAA compliance. Account managers can access management and reporting tools to see account activity. When an account is inactive for a certain period of time, an automatic log-off feature requires a new login before the information can be accessed again.

Only authorized individuals can access accounts. Access security features include password protection and unique meeting codes. Meeting organizers have full control over who can join each meeting. GoToMeeting verifies a user’s identity through a unique email address and password.

Covered entities must enter into a Business Associate Agreement (BAA) with GoToMeeting before using these services for protected health information. Once this BAA is in place, and the client correctly configures their account security features, these videoconferencing tools are HIPAA compliant.
VSee provides HIPAA-compliant videoconferencing services, with secure encryption for all audio and video communication on its platform. These security standards are available for both free VSee accounts and paid subscriptions.

Since videoconferencing may involve the exchange of electronic data, including protected health information (PHI), it must meet HIPAA requirements for covered entities. VSee streams video directly from endpoint to endpoint, and never stores information on its servers or intercepts it. Covered entities must also consider how other video collaboration tools meet HIPAA security requirements; for example, videoconferencing can include screen sharing, text chat, and file transfer. Videoconferences on VSee are always confidential, encrypted with FIPS 140-2 compliant, military-grade 256-bit Advanced Encryption Standard (AES).

VSee will sign a business associate agreement (BAA) for all customers, including those using a free VSee account. In this BAA, VSee agrees to maintain the security of patient information. If a breach occurs, the company agrees to provide an immediate report of the incident.
While MyFax offers a variety of security and privacy features, this service doesn’t meet HIPAA requirements. The privacy features of this digital faxing service are more robust than those of traditional fax machines, but they aren’t sufficient for protected health information.

Also, MyFax won’t sign a business associate agreement (BAA).

The company J2 Global owns both MyFax and eFax. These platforms are similar, but there are notable differences in privacy, security, and faxing capabilities. MyFax suggests that covered entities use services from its partner, eFax Corporate, which is HIPAA compliant and will sign a BAA.
While Squarespace offers a variety of software services, Squarespace Scheduling is the only HIPAA-compliant feature available. This scheduling tool meets all requirements of the HIPAA Security Rule.

Protections for HIPAA-enabled accounts include email notification privacy, a shortened browser session timeout, and limited access for uploading intake forms. Also, customers can disable third-party integrations that don’t support HIPAA.

Covered entities shouldn’t use other Squarespace services, including Form Block for contact form creation. If an organization needs to collect protected health information (PHI) outside of Scheduling, then it’s best to use a different service that’s HIPAA compliant to do so.

You need a Squarespace Powerhouse Player or Enterprise plan to access HIPAA-compliant features for your Scheduling account. Each Scheduling account must be HIPAA enabled before using the service for PHI.

All covered entities need to obtain a signed business associate agreement (BAA) from Squarespace. Customers with a Powerhouse Player plan must use Squarespace’s BAA. Custom BAAs are available for customers with an Enterprise plan. This BAA applies only to Squarespace Scheduling, not other Squarespace features.
Avast offers free antivirus software that isn’t HIPAA compliant. Other service plans, such as Virtual Mobile Platform (VMP), might meet certain HIPAA requirements.

Avast offers security features that seem to comply with specific HIPAA regulations, but the only mention of HIPAA on its website is in a press release about Virtual Mobile Platform (VMP). Avast VMP allows users to share photos and medical images securely, without storing the data on a personal device. Also, all IM messages and phone calls are encrypted, which may fit HIPAA requirements.

Apart from that press release, there is no mention of HIPAA on the VMP web page or the Avast website. Because Avast won’t sign a BAA, it’s best for covered entities to use another service for protected health information.
WordPress offers a variety of website security features, but these controls aren’t sufficient to meet HIPAA regulations. Multiple security breaches over the years have shown that vulnerabilities are frequently found in the software.

It is possible to meet specific HIPAA standards in WordPress, but the process is complicated. Controls must be in place to prevent unauthorized access to the administration control panel and to PHI. Additionally, transmission security controls are necessary to encrypt data in transit and secure information at rest.

WordPress isn’t willing to sign a business associate agreement (BAA). If covered entities choose WordPress for website design and content management, they shouldn’t upload PHI to the site.

Covered entities don’t need a BAA with WordPress if PHI is accessed through a plug-in and stored separately from the website. If you’re using a third-party plug-in for PHI, then it’s necessary to obtain a BAA from the plug-in developer. This use of WordPress is risky because plug-ins often have vulnerabilities that could make it easy for attackers to access PHI.

Without a BAA, covered entities can use this software for general communication that doesn’t collect or store PHI on the site. For example, a blog to communicate with patients doesn’t require HIPAA compliance. But an online scheduling system to book appointments on the website violates HIPAA rules, since it collects patient information.
Typeform provides data-collection services through online forms. Even though the company is currently working on HIPAA compliance, the existing service doesn’t meet HIPAA security and privacy requirements.

Typeform’s terms and conditions are clear that covered entities shouldn’t use these forms for collecting protected health information (PHI).

Because Typeform doesn’t provide HIPAA-compliant security features, the company won’t sign a BAA.
JotForm offers HIPAA compliance in its Silver and Gold plans. If your company needs a HIPAA-compliant solution, you can enable HIPAA compliance from the settings of your JotForm account, and JotForm will email a signed BAA to you. You also have to sign the BAA in order to become HIPAA compliant. If you already have a JotForm account and would like to upgrade to HIPAA compliance, you don’t need to make any changes to your existing forms: once you activate HIPAA compliance, your data is automatically transferred to HIPAA servers and you’ll be HIPAA compliant. JotForm’s HIPAA-compliant online forms begin encrypting your data as soon as a form starts being filled in, and the transfer and storage of your sensitive information also take place under encryption.

JotForm also has many integrations with other HIPAA-compliant services, such as Google Drive and Dropbox. You can also accept online payments with JotForm’s HIPAA-compliant online forms; JotForm offers many different payment gateway integrations.
23andMe isn’t HIPAA compliant because the Health Insurance Portability and Accountability Act (HIPAA) only applies to healthcare organizations and providers, such as physicians, insurance companies, hospitals, and applicable business associates. HIPAA doesn’t apply to private genetic testing and genealogy services, such as 23andMe and other similar businesses. These services aren’t considered covered entities.

Current HIPAA privacy laws were in place before genetic privacy became a concern. HIPAA laws don’t protect personal data shared with genealogy testing providers. The collection of genetic information gives 23andMe more sensitive information than a healthcare provider or a doctor has. Unfortunately, HIPAA doesn’t hold these genetic testing services to the same standard of confidentiality as covered entities.

Few restrictions are in place outside of HIPAA to protect genetic data. For example, the government might access genetic information in private or public databases if national security is at risk. Individuals who contribute DNA to 23andMe could face law enforcement scrutiny if a relative’s genetic data provides probable cause in a criminal investigation. (23andMe only releases clients’ information to law enforcement upon receipt of a court order.)

23andMe also collects other information through social media and real-time tracking of online activity. The company uses this data for marketing. It also shares customer information for research, as long as customers consent to participate in its research efforts.
Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.

In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.

These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about HIPAA compliance. It appears that HIPAA compliance is available only for customers on the B2 Cloud Storage plan.

Backblaze will sign a business associate agreement (BAA) upon customer request. To obtain a signed BAA, customers must contact Backblaze support and provide information about the amount of data storage and the number of online backup licenses required.
IDrive offers online backup services that covered entities can use for protected health information (PHI). Both digital and physical security maintain the confidentiality of patient information.

Encryption is a critical feature for ensuring that your cloud backup software is HIPAA compliant, and it’s available through IDrive. Data encryption and secure transmission help to prevent unauthorized access to individually identifiable health records. If the offsite server is compromised, encryption protects the files from access and use.

IDrive’s world-class data center uses modern technology, including SOC-approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.

Additionally, IDrive provides features to protect against human error. The True Archiving service means that data always remains in the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.

Customers using this service for PHI must have an IDrive Business account, which allows for unlimited computers and users. IDrive will sign a business associate agreement (BAA) for covered entities.
Wufoo’s online forms aren’t HIPAA compliant, so covered entities shouldn’t use them to collect or store protected health information. To be HIPAA compliant, software must include physical, administrative, and technical safeguards to protect PHI. While Wufoo offers security features, they don’t meet HIPAA requirements.

Covered entities shouldn’t collect or store identifiable information about patients, services, treatments, and payments through Wufoo’s services.

SurveyMonkey acquired Wufoo in 2011. Since the acquisition, covered entities have been invited to use SurveyMonkey for all their HIPAA-related needs.

Since Wufoo isn’t HIPAA compliant, it won’t sign a business associate agreement (BAA). A signed BAA is available through SurveyMonkey, however.
Xero offers useful financial and accounting tools for healthcare businesses, such as expense management, inventory tracking, and more. While Xero is designed for the business management side of the healthcare industry, these tools aren’t HIPAA compliant.

Covered entities shouldn’t use Xero for protected health information (PHI). Xero offers the option to link to third-party healthcare apps for HIPAA-compliant features, such as practice management and appointment scheduling.

Since Xero isn’t HIPAA compliant, the company won’t sign a business associate agreement.
Mindbody has proactive security measures that meet HIPAA regulations. Not only does the company maintain a PCI Level 1 certification, but it also completes an annual audit and HIPAA risk assessment.

HIPAA-compliant privacy features include network security, encryption, ePHI protection, access control measures, and a Vulnerability Management Program. These digital lines of defense provide the security needed for protected health information (PHI). System alerts are in place to notify admins of unauthorized access.

Mindbody offers privacy and security for all PHI, including appointment scheduling, contact logs, documents, and transactions. Progress notes are HIPAA compliant, allowing covered entities to record personal information that’s accessible only by authorized personnel.

A business associate agreement (BAA) must be in place before using Mindbody for PHI. Covered entities can email Mindbody to request a signed BAA.
HubSpot isn’t a HIPAA-compliant service, so covered entities shouldn’t use it for PHI. On HubSpot’s terms of service page, the company states that its services don’t comply with industry-specific regulations like HIPAA.

HubSpot is clear that customers may not use its services for communications that are subject to these laws. The terms of service forbid the processing or storage of sensitive health information.

Also, HubSpot won’t sign a Business Associate Agreement (BAA), which is a requirement for HIPAA compliance.
Transport Layer Security (TLS) encrypts email while it is being sent, but it doesn’t guarantee secure delivery to the recipient. Even though the message is encrypted in transit, security isn’t assured for information at rest.

Certain email providers don’t support the delivery of encrypted messages. In that case the service removes the encryption to deliver the email, and the message arrives as plain text. Also, if the recipient responds, the reply is transmitted without encryption.

Covered entities must make sure they’re using tools that ensure encryption on delivery. To meet HIPAA requirements, both mail servers must use TLS encryption.

TLS encryption can be one tool to support HIPAA compliance. But TLS alone isn’t sufficient for HIPAA requirements, because the information will be exposed if the encryption fails.
Bluehost doesn’t offer the privacy and security features required to comply with federal HIPAA regulations. While some web hosts provide higher-priced plans to support covered entities with HIPAA compliance, Bluehost doesn’t offer any plans that meet HIPAA standards.

Bluehost provides customers with a variety of security features, including SSL certificates and HTTPS. While these security features are necessary steps for HIPAA compliance, they aren’t enough. HIPAA compliance requires access controls and audit controls for digital security. Additionally, facility controls must include physical safeguarding of server equipment.

It’s a breach of the user agreement to store PHI on Bluehost servers. The company is transparent that its services aren’t authorized for patient health data and identifiable medical information. No Bluehost tools, including shared hosting, dedicated hosting, and email, should be used for PHI.

Since Bluehost doesn’t provide HIPAA-compliant services, the company won’t sign a business associate agreement (BAA). Covered entities that need web hosting services for PHI should choose a different service that meets HIPAA requirements.
HIPAA compliance is available with ActiveCampaign’s Enterprise plan. The security page states that ActiveCampaign will meet HIPAA standards for enterprise-level customers, but no further information is available about specific security features for HIPAA compliance.

The company stresses that each customer is responsible for using the service in a HIPAA-compliant manner, and ActiveCampaign provides security to support these needs. According to the HIPAA Security Rule, covered entities and business associates must take reasonable steps to protect PHI, including end-to-end security.

ActiveCampaign will sign its own Business Associate Agreement (BAA) with covered entities. Covered entities must have an Enterprise plan and complete a signed BAA before using this service for PHI.
ESET Antivirus can help covered entities secure protected health information (PHI). Technical controls keep unwanted malware off devices, including laptops, smartphones, and tablets. The antivirus services perform full system scans to detect and block executable files that carry computer viruses.

Malicious parties use malware in an attempt to access data on the device. Antivirus software is a critical factor in protecting both devices and networks against these attacks. Antivirus and malware protection through ESET block attacks immediately. Encryption provides another layer of security. Additionally, customers have the option to set up two-factor authentication.

A web control module in ESET Antivirus keeps users from visiting non-work-related websites, reducing the likelihood of a virus infection. Internet access variations are available for each user’s account, depending on the needs of the organization. ESET Anti-Phishing protection is another valuable tool to help covered entities avoid infected emails that put the account and machine at risk.

While antivirus and anti-malware protections are required for HIPAA compliance, these software providers don’t need to sign business associate agreements. ESET provides antivirus protection, and the software doesn’t have access to PHI. So there’s no need for covered entities to obtain a signed business associate agreement (BAA) when using ESET Antivirus.
SiteGround doesn’t comply with HIPAA regulations, so its services are not recommended for protected health information (PHI). In its terms of service, SiteGround includes a HIPAA disclaimer section that states customers are prohibited from using its services to store PHI.

Covered entities that need web hosting services should choose a provider that offers digital and physical HIPAA-compliant safeguards. While most hosting providers provide HTTPS and SSL certificates for security, these features aren’t sufficient to meet HIPAA requirements. For a hosting account to be HIPAA compliant, it must include physical safeguards to protect equipment and servers. Audit controls and access controls are other digital security features that help with HIPAA compliance.

Because SiteGround doesn’t provide HIPAA-compliant services, the company is unwilling to sign a business associate agreement (BAA).
Norton Antivirus helps prevent computer hacking, an essential step in protecting PHI. The goal of antivirus software is to ensure devices are free from malware. Antivirus software is a good choice for all devices that access PHI, including laptops, tablets, and smartphones.

Hackers use malware to access private files, such as PHI. Covered entities can reduce the risk of data theft by protecting all devices and networks with antivirus software. Norton Antivirus blocks malware attacks and helps keep computers virus free. Additionally, the encryption features protect all of the information you send, receive, and store.

HIPAA regulations require covered entities to use anti-malware and antivirus protection. No business associate agreement is needed, since Norton Antivirus doesn’t have access to PHI.
BitLocker is HIPAA compliant for data at rest. It uses the XTS-AES algorithm for data encryption on Windows systems, offering both 128-bit and 256-bit AES key lengths. The highest level of protection is available when this encryption is paired with a Trusted Platform Module (TPM) version 1.2 or later.

Since BitLocker is built into the Microsoft Windows operating system, covered entities should use additional security precautions if cloud storage is involved. Another benefit of using BitLocker for HIPAA compliance is its data protection against theft, including exposure from computers that are stolen, lost, or inappropriately decommissioned.

Compliance depends on several criteria, such as integrating the Azure cloud service and having volume licensing. Microsoft will sign a BAA as a contract addendum with customers who have a Volume Licensing/Enterprise Agreement.