HIPAA Compliance Checker

Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA compliant.

Zoom has Advanced Encryption Standard (AES) encryption and uses 256-bit keys to protect its meetings. For HIPAA accounts, Zoom enables “Fully Encrypted Persistent Chat,” an encrypted messaging system through which public-key cryptography and private keys are generated and can be stored only on users’ devices. Zoom incorporates additional security measures, to ensure the privacy of PHI. There are two different user authentication requirements, as well as access control measures, which regulate who or what can view or use resources on the platform.

Google uses ISO 27001 certification and SOC 2 and SOC 3 Type II audits. Its BAA covers many of the G Suite products, including Gmail, Google Calendar, and Google Drive (Google Docs, Google Sheets, and Google Slides). For Google Meet, however, the BAA currently only covers the chat messaging feature and doesn’t cover the video chat feature.

The free version of Gmail that most people use is not HIPAA compliant on its own, but Google’s G Suite can be HIPAA compliant. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once properly configured, can make one's use of G Suite HIPAA compliant.Gmail is the most widely used email service around, with 1.5 billion users worldwide, an increase of 500 million users just since 2016. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-compliant emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients can be beneficial.Healthcare workers are occasionally targeted by phishing and other email attacks. Recent breaches have compromised the sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of many patients. Continuous training improves the chances that your employees will not fall prey to phishing scams.Your business needs a straightforward, step-by-step process to help staff comply with both applicable laws, which can include HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among others. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.If you’re a covered entity, or a business associate of a covered entity, you should have a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. HIPAA-compliant email services should have strong security features or allow third-party plugins that provide the needed security.Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.

Skype is one of the most well-known video conferencing tools, and hundreds of millions of people worldwide use it. Since being acquired by Microsoft in 2011, Skype has been available on Windows PCs by default. That’s why so many medical practitioners use it. But no software can be HIPAA compliant on its own. Skype must be configured properly to be HIPAA compliant.

Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider may be required to meet HIPAA compliance standards.Google appears willing to sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA in place is risky.Healthcare companies have embraced G Suite because of its robust security features and low cost.Setting up a HIPAA-compliant Gmail accountSimply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly.

FaceTime isn’t designed to be used as a telecommunications tool in a healthcare setting.

OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit Electronic Patient Health Information, covered entities should rely on cloud storage solutions that can be used in a HIPAA-compliant manner. OneDrive can be HIPAA compliant if the organization takes the proper steps. A business associate agreement is an essential part of making any software solution HIPAA compliant. This agreement states how the parties handle the Electronic Patient Health Information (ePHI) will adhere to HIPAA. Without a signed BAA agreement, no technology solution can be considered HIPAA compliant, but Microsoft does provide a BAA. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive seems to fulfill the access control obligation quite well.

For HIPAA compliance, users need to purchase a paid plan for G Suite, purchase Google Voice, and sign the G Suite BAA.

Square aims to protect both their users and the customers of their users. If the user is subject to HIPAA (as a covered entity or business associate) and dealing with Protected Health Information, the user should sign a BAA with Square. The responsibility to decide whether they need to comply with the HIPAA requirement or not belongs to the user. The user can get more information by checking Square's website.

Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Additional precautions are recommended, such as backing up Google Docs data.

In order to make Office 365 HIPAA compliant, users should be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.

HIPAA compliance would likely only apply to the messaging and file transfer features of Slack, and not to any other Slack features. Caution should be used before relying on the Slack app to communicate with patients, plan members, or their families or employers. With Slack Enterprise Grid, healthcare companies can integrate Slack with their existing medical records system to share and control medical data as part of an overall HIPAA compliance solution.

WhatsApp is one of the most used text messaging apps in the world. After it was bought by Facebook, various security measures such as end-to-end encryption were added. However, in the current version, WhatsApp does not state that they are HIPAA compliant. Access controls, possibly a BAA and audit controls would be needed for starters, for the app to become HIPAA compliant.

eFax is an electronic faxing solution that uses advanced security protocols to make sure ePHI is secure both during transmission and in storage. eFax is known as one of the most secure online fax providers.eFax uses unique user identification and 256-bit SSL encryption to ensure secure document transmission and keep ePHI safe from unauthorized access. eFax also offers secure transport layer security (TLS) encryption protocol, administration privileges to limit access to ePHI, and multilevel audit controls, including secure and automatic fax archiving. Fax transmissions are stored on the eFax cloud and kept safe in Tier III secure servers.

Although Evernote incorporates some protection features that can prevent unauthorized access, the overall security controls aren’t likely sufficient to meet HIPAA standards.Evernote can only be used for medical data storage purposes if it’s completely offline and is going to stay offline. The computer that Evernote is set up on should be encrypted in order to prevent unauthorized personnel from accessing the information.

Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.

The free email platform offered by Microsoft, Outlook.com, does not appear to have been built to handle ePHI securely or to be HIPAA compliant. However, Outlook can be used as a HIPAA-compliant service with a paid Office 365 subscription and additional client-side encryption.For HIPAA compliance, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.

Box appears to check all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption.Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.

Mailchimp provides security measures to reduce the risk of unauthorized access, including physical security controls and encryption. Since encryption is built into the service, it may meet certain HIPAA compliance regulations, but using Mailchimp doesn’t guarantee that all HIPAA compliance standards will be met.According to Mailchimp’s terms and conditions, customers are responsible for ensuring they comply with regulations like HIPAA.Uploading patient information to a Mailchimp email list likely constitutes a disclosure of Patient Health Information (PHI).

Metrofax offers secure, encrypted fax communication services. The built-in faxing features allow users to quickly send information from a cell phone or computer as a fax.Even though Metrofax provides encryption to protect transmitted information, it appears to be missing some capabilities required for HIPAA compliance. When sharing PHI through a third-party provider, HIPAA regulations require a signed Business Associate Agreement. This BAA must be in place for Metrofax’s services to meet HIPAA compliance.Check with Metrofax to see if they will sign a BAA.

Wix is a popular website builder. Passive scanning is done periodically, but customers don’t have access to real-time monitoring to protect against hacking.Certain Wix features can be HIPAA compliant when paired with other services. Wix partners with Google G Suite to integrate email hosting. When purchasing Wix services, you may meet HIPAA requirements for email if you use specific security settings and sign a BAA with Google.

Teamviewer states that it is a HIPAA-compliant remote access solution that allows users to access devices no matter where they are. Security is a key objective for Teamviewer. The company has received multiple security certifications from A-LIGN, a provider that helps businesses implement HIPAA-compliant security features.All of Teamviewer’s remote support, remote access, and online collaboration features maintain privacy and security. This includes end-to-end encryption, which is why many companies trust Teamviewer.HIPAA has strict standards for the privacy and confidentiality of patient information. When using computers, networks, and mobile devices for PHI, all access and management must follow HIPAA regulations. Additionally, every employee must receive regular HIPAA training. Teamviewer’s security and privacy practices appear to meet HIPAA compliance standards.Before using Teamviewer with PHI, you must get a signed BAA from the company. Submit an inquiry to Teamviewer customer service for assistance in obtaining the BAA. A signed BAA might be available only for organizations that meet a specific spending threshold.

Carbonite uses internal privacy and security provisions to safeguard medical information.HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite provides real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system.Additionally, Carbonite restricts access to software programs.A Carbonite Safe Pro subscription offers HIPAA compliance. Carbonite Safe Pro also gives administrators access to view user activity and logins.Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA compliant.

Quickbooks has many features to simplify business invoicing and bookkeeping. While this software is effective in a variety of industries, it isn’t recommended for medical billing. Since deductibles, cash payouts, insurance invoices, and copays include patient health information, you should be cautious before entering this information into Quickbooks until it is known that Quickbooks is HIPAA compliant.Some medical clinics use Quickbooks for summarizing revenue and sales receipts. This tool can be a powerful way to track revenue by company, insurance, or even patient category.You might want to avoid using Quickbooks for patient demographic data, information about physical or mental health conditions of patients, health care services offered to each person, or payment for medical services. According to the US Department of Health and Human Services, medical practitioners shouldn’t use non-compliant software services for the above information if there is “a reasonable basis to believe it can be used to identify the individual.”If you are in the healthcare industry and use Quickbooks, you should use caution before inputting “individually identifiable health information” into this software.

Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI).While Google Sheets offers HIPAA-compliant security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to be HIPAA compliant.Admin console logs and reports are an important part of HIPAA-compliant security for Google Sheets and all other apps in G Suite. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for activities like suspicious login attempts, suspending users, activating a suspended user, adding a new user, changing a password, and granting or revoking admin privileges.In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators.When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube aren’t HIPAA compliant, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons from third-party developers.

The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep Patient Health Information (PHI) secure in the cloud. Salesforce includes administrative, physical, technical, organizational, and documentation safeguards to protect PHI.Customers can use customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to define permission sets that govern the visibility of data, maintain strict password security, monitor field level history, set security rules to manage data access, define a company-wide sharing model and role hierarchy.In addition to permission sets, customers can define user profiles to limit data record access to authorized employees.It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.

iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to be HIPAA-compliant. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls meet the minimum HIPAA requirements.When healthcare providers use cloud services with patient health information (PHI), business associates must sign a BAA.

Virtru provides data protection services that encrypt email and files to protect confidential patient health information (PHI). HIPAA defines specific technical standards for data encryption. Encryption protects files while they are in transit and at rest.Additionally, Virtru provides administrative controls for managing emails, photos, videos, PDFs, and Office files. You can manage authorization to allow or disallow users to access specific content and types of content. Tracking and monitoring features provide real-time protection for patient information.Other security features include forwarding restrictions and the ability to revoke messages after they are sent.Virtru offers client-side email encryption if you’re using the plugin with on-device encryption. When creating information on the device, the protection occurs immediately (before distribution). Advanced controls allow end-to-end encryption.Virtru can integrate end-to-end encryption in Gmail. Virtru offers an extra layer of security to strengthen privacy controls after email leaves your inbox.

DocuSign appears to fall the category of a business associate when healthcare providers use its services for protected health information (PHI). DocuSign offers AES 256-bit encryption for data in transit and at rest. This encrypted information is held on the DocuSign servers, and the company states that it doesn’t have access to the information.DocuSign seems to meet Health and Human Services (HHS) standards for digital signatures.This service enables HIPAA features through its digital tracking system. Each e-signature has an audit trail that’s fully traceable. DocuSign data centers are SOC2 audited and ISO 27001-certified.When signing a document, the service captures names, email addresses, timestamps, signing location, public IP addresses, and document completion status.While DocuSign offers essential encryption, auditing, and security standards, it’s the responsibility of each customer to ensure that they share and access PHI in a HIPAA-compliant manner.

RingCentral is an option that healthcare organizations can use to transmit and store patient health information because it appears to take a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.The service boasts a “seven layers of security” approach to securing data that transfers through their services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.Available security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information should be secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have security protocols with onsite guards and electronic prevention systems.Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in a HIPAA-compliant manner.

Sharepoint has stated that it provides necessary administrative and technical features to meet HIPAA compliance. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage.Sharepoint is a Microsoft service. The Microsoft website states that Sharepoint online is HIPAA compliant when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly.A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more.If you configure and use Sharepoint correctly, this service can be a HIPAA-compliant solution for information storage, management, and collaboration.

Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI). ProtonMail includes a HIPAA compliance statement on its website that assures HIPAA-covered entities that the company will do its part to protect patient data.Privacy and security features include end-to-end encryption and zero access data management. The service uses 4,096-bit RSA encryption for all stored communications. Data centers provide physical security for all data backups. The server hardware is located in Switzerland where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center.If a user’s device is stolen or lost, a remote wipe feature can protect PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.ProtonMail states that its employees don’t have access to PHI. ProtonMail states that it doesn't store paper copies or printed reports in its facilities.

Healthcare organizations can use Webex as part of their HIPAA compliance. Healthcare practices (covered entities) must ensure that Webex is configured correctly. Cisco states the responsibilities of both parties (Cisco Webex and the customer) for HIPAA compliance. Cisco Webex states that it is responsible for protecting the confidentiality, privacy, and security of PHI, whereas the healthcare provider is responsible for properly classifying and maintaining data. Cisco also offers a Webex HIPAA Self-Assessment.

Acuity Scheduling is part of the Squarespace platform. While many aspects of Squarespace may not be HIPAA compliant, Acuity Scheduling includes features designed to allow covered entities to comply with HIPAA regulations.Customers can manage notification settings to limit access to protected health information (PHI). For example, they can prevent emails from displaying the from and reply-to fields that show the patient’s name and email address. You can contact Acuity to disable the feature that attaches a calendar file (ICS invite) containing the client’s name, appointment time, and appointment type to appointment confirmation and rescheduling messages.Covered entities should sign up for the Powerhouse Player plan to enable security features required for HIPAA compliance. Access the Customize Appearance section to manage Scheduling Page Options, and then select the option to enter into a BAA using an electronic signature.

GoDaddy provides a variety of services including website hosting, email management, and domain names. Covered entities can use email services for protected health information, but website hosting services may not meet HIPAA requirements.For example, basic website hosting plans are on shared servers. Other technical and physical safeguards aren’t in place for these plans. Covered entities shouldn’t use GoDaddy shared hosting for websites containing patient information.GoDaddy also offers email services through Microsoft Office 365. Two plans, Business Premium and Premium Security, offer HIPAA-compliant features. Covered entities may purchase HIPAA-compliant email as an add-on to the service. All email accounts offer the option of full integration with Microsoft Office.Covered entities must activate their email accounts before using these tools for PHI.

Google Calendar is a service offered through Google Workspace (formerly G Suite) that makes it easy for users to track appointments and manage their schedules. This tool appears to ensure the safety of PHI, as long as you configure the security, access, and audit settings to prevent the disclosure or misuse of PHI.The default settings in Google Calendar share all information with team members in your domain. Security features allow you to set meetings that involve PHI to “Private” to maintain confidentiality. This setting shows the time as “Busy” without disclosing information about the meeting. With proper privacy settings, the program won’t include PHI in the meeting details, such as the title and description.Covered entities should be on a paid Google Workspace Business or Enterprise plan. The paid plans give users the option to manage Google Calendar security controls to meet HIPAA requirements.

Google Hangouts is a communication platform available through Google Workspace. The chat messaging feature in Google Hangouts appears to meet HIPAA compliance standards. These controls should be configured before using Google Hangouts for protected health information (PHI). Covered entities should require a signed business associate agreement (BAA). If your organization is planning to use Google Hangouts for PHI, refer to Google’s user guide for detailed information about security and privacy controls.

Venmo does not currently state that it meets HIPAA requirements and doesn’t provide HIPAA protection for sensitive patient health information. Since the platform is typically used by individuals to send money to one another, it may not fit all the PHI-related requirements of healthcare organizations.There are several payment gateways which seem to provide HIPAA compliance, but Venmo, despite being a great payment method for many, it is not the best fit for medical institutions to protect PHI.

Grasshopper's website states that it is not HIPAA compliant and that support team members have access to account information and settings to help with technical issues. This access includes all messages that pass through Grasshopper’s calling, texting, and faxing features.If protected health information (PHI) passes through these communication tools, then it seems possible for unauthorized individuals to access the information. If Grasshopper doesn’t offer HIPAA-compliant services, covered entities shouldn’t use these tools.

Google Forms offers security and privacy configurations that could be made to comply with HIPAA regulations. Covered entities can set the access and visibility of folders and files, as well as grant specific collaborators sharing and editing capabilities.When configuring Google Forms, administrators should set the sharing permissions to manage data visibility and access. Additionally, admins should disable third-party applications that don’t meet HIPAA privacy standards. Software compliance depends on how the software is used, which is why administrators should adjust privacy settings properly before and during using Google Forms for collecting and managing patient information.Other possible HIPAA-compliant safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google may offer a signed business associate agreement (BAA) that covers Google Forms as well as other Google Workplace services such as Gmail, Docs, Sheets, Calendar, and Slides.

PayPal's website doesn’t state that it provides HIPAA-compliant features for covered entities, so a covered entity should use caution before using the site to share or store protected health information (PHI).HIPAA privacy rules require the protection of all “individually identifiable health information.” Demographic data and payment history fall into this category.

VSee provides videoconferencing services and offers secure encryption for audio and video communication on its platform. These security standards are available for both free VSee accounts and paid subscriptions.Since videoconferencing may involve the exchange of electronic data, including protected health information (PHI), it must meet HIPAA requirements for covered entities. VSee streams video directly from end point to end point.Covered entities must consider how video collaboration tools meet HIPAA security requirements. For example, videoconferencing can include screen-sharing, text chat, and file transfer. Videoconferences on VSee are advertised as encrypted with FIPS 140-2 compliant, military-grade 256-bit Advanced Encryption Standard.

ShareFile offers HIPAA-compliant tools that allow healthcare providers to exchange data and files with patients and third-party providers. A secure SSL/TLS connection maintains the privacy of protected health information (PHI) in transit. And data at rest is secured with AES 256-bit encryption.These security tools provide bank-level encryption for email, attachments, and files. Healthcare providers can move PHI between local storage and HIPAA cloud storage as needed. Check-in and check-out systems ensure that everyone works on the latest version of a file. Audit controls let administrators see the history of access, including account usage and access to folders and files.Users can create individual accounts tied to unique email addresses; single sign-on is also available. Other HIPAA-related features include session timeout due to inactivity, identity management, and account lockout after five failed attempts.ShareFile integrates with a variety of other tools, including Microsoft Outlook.Mobile apps are available for Android, iOS, and more. Cloud syncing gives users access to current information on all devices. This streamlined healthcare collaboration system also provides e-signature features for digital document signing.HIPAA features are available only for customers with a Premium plan.

Zoho’s website provides limited information about HIPAA compliance. Even though its tools aren’t for healthcare entities specifically, many of the security features may meet HIPAA requirements.These cloud-based services are comparable to those in Office 365 and G Suite, with solutions for word processing, custom applications, project management, live chat, app integration, and an IoT management platform.The company offers technical, physical, and administrative safeguards for all services, but there are questions about whether these privacy features are sufficient for HIPAA regulations.Zoho states that its apps aren't built for the healthcare industry. Responsibility for compliance remains with the customer.For now, covered entities should check with Zoho for specific security features and updates on each of the available tools.

Many telecommunication firms act as conduits for data transmission and are exempt from signing a business associate agreement (BAA) through the conduit exception rule. Information shared over the phone or using a standard fax machine is not subject to HIPAA compliance. However, other means of communication, including VOIP, SMS, and digital fax services, must meet HIPAA regulations.HelloFax provides AES-256-bit encryption for information at rest and TLS encryption for information in transit, to meet the minimum HIPAA standards. Additionally, each document is encrypted with a unique key, and keys are encrypted with a master key that rotates frequently, which means that if unauthorized people gained access to the hard drive, they wouldn’t be able to decrypt the data.HelloFax advertises “bank-grade” security, including physical and electronic protections. The data center apparently uses strict access controls. Because of these security measures, it may be possible to use the HelloFax system without violating HIPAA requirements.

GoToMeeting provides technical, physical, and administrative safeguards for online meetings and videoconferences. According to the GoToMeeting website, these security controls meet or exceed HIPAA technical standards. One of these features is end-to-end encryption. Data in transit uses AES 128-bit encryption, including chat information, audio, and video files.Additionally, logs of session activity and account connection create an audit trail. Account managers can access management and reporting tools to see account activity. When an account is inactive for a certain period of time, an automatic log-off feature requires a new login before the information can be accessed again.Only authorized individuals can access accounts. Access security features include password protection and unique meeting codes. Meeting organizers have full control over who can join each meeting. GoToMeeting verifies a user’s identity through a unique email address and password.

Avast offers security features that seem to comply with specific HIPAA regulations. But the only mention of HIPAA on their website is in a press release about Virtual Mobile Platform (VMP). Avast VMP allows users to share photos and medical images securely, without storing the data on a personal device. Also, all IM messages and phone calls are encrypted, which may fit HIPAA requirements.

MyFax offers a variety of security and privacy features, but it isn't clear from the website whether this service meets HIPAA requirements. The privacy features of this digital faxing service are more robust than traditional fax machines, but they may not be sufficient for protecting health information.The company J2 Global owns both MyFax and eFax. These platforms are similar, but there are notable differences in privacy, security, and faxing capabilities. MyFax suggests that covered entities use services from its partner, eFax Corporate.

Squarespace offers a variety of software services, Its scheduling tool appears to meet the requirements for the HIPAA security rule.Protections for HIPAA-enabled accounts include email notification privacy, a shortened browser session timeout, and limited access for uploading intake forms. Also, customers can disable third-party integrations that don’t support HIPAA.Squarespace's Powerhouse Player or Enterprise plan may be used to access HIPAA-compliant features for your Scheduling account. Each Scheduling account must be HIPAA enabled before using the service for PHI.Covered entities should obtain a signed business associate agreement (BAA) from Squarespace.

Typeform provides data-collection services through online forms. Typeform has integrated security features to meet HIPAA security and privacy requirements.Both physical security and network security features are in place, including access control, penetration testing, multiple levels of encryption, and other data protection measures. Typeform has an information security department that’s responsible for overseeing all security administration.Since the service offers protection for data and information, it seems that covered entities have the option to use this service for protected health information (PHI). Collecting PHI is part of HIPAA compliance, which means that Typeform is a business associate. Covered entities using this service to gather, store, or transmit PHI should contact Typeform customer service to ensure they have a business associate agreement (BAA) in place.

WordPress offers a variety of website security features, but it is unclear whether the controls are sufficient to meet HIPAA regulations.It is possible to meet specific HIPAA standards in WordPress, but this process is complicated. Controls must be in place to prevent unauthorized access to the administration control panel and PHI. Additionally, transmission security controls are necessary to encrypt data in transit and secure information at rest.If covered entities choose WordPress for website design and content management, they should be careful before considering uploading PHI to the site.

Jotform offers HIPAA compliance features in their Gold plans. If your company needs a HIPAA compliant solution, you can easily enable HIPAA compliance from the settings of your Jotform account and then Jotform will email a BAA to you. You also have to sign the BAA in order to take advantage of HIPAA compliance features.If you already have a Jotform account and would like to upgrade to HIPAA compliance, you don’t need to make any changes on your existing forms. Once you activate HIPAA compliance, your data will be automatically transferred to HIPAA servers so you can be HIPAA compliant. Jotform’s compliant online forms start the encryption of your data as soon as your forms start being populated. The transfer and the storage of your sensitive information also take place under encryption. Jotform also has many integrations with other HIPAA compliant services such as Google Drive, Dropbox, etc. You can also accept online payments with HIPAA-enabled online forms. Jotform offers many different payment gateway integrations.

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or other protections related to privacy, security, or minimizing access to PHI. Even though 23andMe receives funding from the National Institutes for Health, 23andMe currently asserts that its data-mining analysis does not constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This means that 23andMe may take the position that any consent it obtains to retain, use, and share consumer data is not necessary for regulatory compliance, but rather is done as a courtesy.

Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about HIPAA compliance. It appears that HIPAA compliance is available only for customers on the B2 Cloud Storage plan.

IDrive offers online backup services that covered entities can use for protected health information (PHI). Both digital and physical security appear to maintain the confidentiality of patient information.Encryption is a critical feature for ensuring that your backup cloud software is HIPAA compliant. Data encryption and secure transmission help to prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.IDrive’s data center uses modern technology, including SOC approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.

HubSpot has stated that it isn’t a HIPAA-compliant service. Given that, covered entities shouldn’t use it for PHI. On HubSpot’s terms of service page, the company states that its services don’t comply with industry-specific regulations like HIPAA. The terms of service forbid the processing or storage of sensitive health information.

Xero offers useful financial and accounting tools for healthcare businesses, such as expense management, inventory tracking, and more. While Xero is designed for the business management side of the healthcare industry, its website does not state that their tools are HIPAA compliant.Xero offers the option to link to third-party healthcare apps for HIPAA-compliant features, such as practice management and appointment scheduling.

Mindbody has proactive security measures that appear to meet HIPAA regulations. The company has obtained a PCI Level 1 certification, and states that it completes an annual audit and HIPAA risk assessment.HIPAA-related privacy features include network security, encryption, ePHI protection, access control measures, and a Vulnerability Management Program. System alerts are in place to notify admins of unauthorized access.Mindbody offers PHI-related protections utilizing appointment scheduling, contact logs, documents, and transactions. Progress notes allow covered entities to record personal information that’s accessible only by authorized personnel.A business associate agreement (BAA) must be in place before using Mindbody for PHI. Covered entities can email Mindbody to request a signed BAA.

LogMeIn is remote-access software. Covered entities using this tool must implement protections to prevent unauthorized access of protected health information (PHI). HIPAA compliance requires strict measures for access control, including unique user identification, emergency access procedures, automatic logoff features, person authentication, and audit controls. LogMeIn customers should adjust specific account settings before using the service with PHI.LogMeIn also offers transmission security that may meet HIPAA requirements. All data transmitted during chat, remote-access, or file-transfer sessions is protected with 128-bit encryption at minimum. When permitted by the encryption level on the client’s browser, the protection increases to 256-bit encryption.To support customers in meeting HIPAA requirements, LogMeIn provides a detailed outline of considerations and setting recommendations. These technical safeguards and transmission security features may enable covered entities to maintain compliance with HIPAA’s Privacy and Security Rules.

When using e-signatures for protected health information (PHI), you must institute security and privacy protections for electronic transmission and storage of data to meet HIPAA requirements. Adobe Sign offers configuration options to comply with HIPAA standards and allow organizations to meet industry-specific compliance requirements for e-signatures. Each client must configure features such as account time-out, password length, and accessibility settings.Covered entities can use authentication to manage user identities, certify each document’s integrity, maintain audit trails, and track document delivery. This tool is helpful for healthcare providers because the e-signature features can be integrated with other HIPAA-compliant software services.Adobe Sign offers a business associate agreement (BAA) for customers on an Enterprise plan.

Transport Layer Security (TLS encryption) offers security when sending emails, but it doesn’t guarantee secure delivery to the recipient. Even though cryptography codes the messages in transit, security isn’t assured for information at rest.Certain email providers don’t support the delivery of encrypted messages. So the service removes the encryption to deliver the email, resulting in a message that contains plain text without encryption. Also, if the recipient responds, the reply transmits without encryption.Covered entities must make sure they’re using tools that ensure encryption on delivery. To meet HIPAA requirements, both mail servers must use TLS encryption.TLS encryption can be one tool to support HIPAA compliance. But such encryption alone isn’t sufficient for HIPAA requirements because the information can be exposed if the encryption fails.

To be HIPAA compliant, software must include physical, administrative, and technical safeguards to protect PHI, among other safeguards. While Wufoo offers security features, they do not appear to offer all of the features necessary for HIPAA compliance.

Discord is a social media and mobile chat platform created for entertainment and personal communication. No encryption is available for messages sent through Discord, which means this platform lacks a key HIPAA requirement. Also, Discord’s privacy policy states that the company collects information, including images, messages, and documents sent through the chat feature.HIPAA requires privacy for all PHI communication and data storage. Other chat and messaging platforms are available for the healthcare industry, with specific security measures that meet HIPAA standards.

Eset Antivirus can help covered entities secure protected health information (PHI). Technical controls keep unwanted malware off devices, including laptops, smartphones, and tablets. The antivirus services perform full system scans to detect and block executable files that activate computer viruses.Malicious parties use malware in an attempt to access data on devices. Antivirus software is a critical factor in protecting both devices and networks against these attacks. Antivirus and malware protection through Eset block attacks immediately. Encryption provides another layer of security. Additionally, customers have the option to set up two-factor authentication.A web control module through Eset Antivirus keeps users from visiting non-work-related websites, reducing the likelihood of a virus infection. Internet access variations are available for each user’s account, depending on the needs of the organization. Eset Anti-Phishing protection is another valuable tool to help covered entities avoid infected emails that put the account and machine at risk.Antivirus and anti-malware protections are required for HIPAA compliance. Eset provides antivirus protection, and the software doesn’t appear to have access to PHI.

Norton Antivirus helps prevent computer hacking, an essential step in protecting PHI. The goal of antivirus software is to ensure devices are free from malware. Antivirus software is a good choice for all devices that access PHI, including laptops, tablets, and smartphones.Hackers use malware to access private files, such as PHI. Covered entities can reduce the risk of data theft by protecting all devices and networks with antivirus software. Norton Antivirus blocks malware attacks and helps keep computers virus free. Additionally, the encryption features protect all of the information you send, receive, and store.HIPAA regulations require covered entities to use anti-malware and antivirus protection.

FreshBooks provides security and reliability safeguards that seem to align with certain HIPAA requirements, such as 256-bit SSL encryption and firewalls to protect stored data.While FreshBooks’s digital and physical security features seem to comply with HIPAA standards, there is no mention of HIPAA compliance on the company’s website. The company also doesn’t offer information about obtaining a signed business associate agreement (BAA), which is a requirement for covered entities under HIPAA.Since FreshBooks doesn’t specify what its security protocols are for protected health information (PHI), covered entities should consider other invoicing software options.

In its terms of service, SiteGround has stated in a HIPAA disclaimer section that customers are prohibited from using its services to store PHI.Covered entities that need web hosting services should choose a provider that offers digital and physical HIPAA-compliant safeguards. While most hosting providers provide HTTPS protocol and SSL certification for security, these features alone aren’t sufficient to meet HIPAA requirements. For a hosting account to be HIPAA compliant, it must include physical safeguards to protect equipment and servers. Audit controls and access controls are other digital security features that help with HIPAA compliance.

OneNote may be HIPAA compliant, provided the right security features and configurations are used. Physical, technical, and administrative safeguards are available through Microsoft’s cloud services.These security and privacy measures help to prevent unauthorized access of electronic protected health information (PHI). Data stored on OneNote is encrypted, and Microsoft provides user access logs on request.Notes can be shared with other OneNote users through a network or internet connection. Because Microsoft OneNote offers multiuser collaboration, every participating device must meet all HIPAA compliance standards.Storing or sharing PHI on the software requires a signed business associate agreement (BAA) with the software provider. The BAA offers contractual assurances of HIPAA-compliant safeguards. Microsoft provides a BAA for many of its products, including OneNote.

Quip, a cloud-based collaboration tool, uses innovative security controls and measures that appear to align with HIPAA compliance requirements. The system is fully encrypted and offers a variety of customizable privacy options to meet each organization’s unique compliance requirements.Covered entities often pair Quip Shield with Salesforce to take their security to the next level. The combination allows users to collaborate using Salesforce data in a central space while their data is protected with critical security measures such as permissions, version history, and encryption.These cloud-based tools offer security for protected health information (PHI), with technical, physical, and administrative safeguards designed to maintain compliance. Covered entities can build healthcare applications through Salesforce, knowing that Quip provides the security measures intended to protect PHI.Quip has features that allow for data control and audits. Users can tailor the Quip platform based on their unique compliance and security needs. Key security features of Quip Shield include encryption of data in transit and at rest, granular administrative controls, access management, antivirus scanning, and real-time event logging. The option of a private, single-tenant cloud allows for better control of the network, including limits on geographical access.

Apple Notes provides users with a fast and easy way to capture their thoughts or create lists and sketches, making it a convenient tool to collect information. The app also syncs across devices through Apple’s iCloud. It is unknown whether Apple Notes is HIPAA compliant.

Barracuda Messenger provides end-to-end encryption for communications, enabling you to exchange both video and audio calls as well as text messages in a confidential, secure environment.Even though Barracuda Messenger secures conversations in all locations and on all devices, the security features aren’t necessarily sufficient to meet HIPAA requirements. Also, Barracuda Messenger makes no mention of signing a business associate agreement (BAA).Covered entities looking for a video and text messaging platform for PHI should use a tool that meets HIPAA requirements.

Constant Contact offers many security features that appear to align with HIPAA requirements, such as multiuser access, account management, and the ability to limit user access. The service has technical, physical, and administrative safeguards in place to protect email subscriber data. While these security features are sufficient for general email communication, they may not meet the privacy safeguards necessary for transmitting patient information.The HIPAA Privacy Rule applies to protected health information (PHI), which includes any information found in a medical record that’s tied to the identity of an individual, including diagnoses, treatments, and billing. HIPAA rules don’t prohibit covered entities from sending marketing emails, as long as they don’t include protected health information. For example, a medical provider can email patients about changes in business hours or new office policies. However, patients must first give their permission to be added to the email marketing list.Constant Contact is a good solution for general communication. But its email marketing platform doesn’t appear to support the transmission of highly sensitive PHI (personal health and medical information).

Bluehost provides customers with a variety of security features, including SSL certification and HTTPS protocol. While these security features are necessary steps for HIPAA compliance, they aren’t enough. HIPAA compliance requires access control and audit control for digital security. Additionally, facility controls must include physical safeguarding of server equipment.The company is transparent that its services aren’t authorized for patient health data and identifiable medical information.Covered entities that need web hosting services for PHI should choose a service that meets HIPAA requirements.

In its terms of service, SiteGround has stated in a HIPAA disclaimer section that customers are prohibited from using its services to store PHI.Covered entities that need web hosting services should choose a provider that offers digital and physical HIPAA-compliant safeguards. While most hosting providers provide HTTPS protocol and SSL certification for security, these features alone aren’t sufficient to meet HIPAA requirements. For a hosting account to be HIPAA compliant, it must include physical safeguards to protect equipment and servers. Audit controls and access controls are other digital security features that help with HIPAA compliance.

While WPS Office offers a variety of security features, including encryption, to protect customers’ data, the company hasn't said that they have sufficient protection to meet HIPAA guidelines. Covered entities that want to use this free software for word processing, spreadsheets, or presentations shouldn’t put protected health information (PHI) in the files.If you need HIPAA-compliant services, choose an office suite that specializes in HIPAA-compliant solutions.

While WPS Office offers a variety of security features, including encryption, to protect customers’ data, the company hasn't said that they have sufficient protection to meet HIPAA guidelines. Covered entities that want to use this free software for word processing, spreadsheets, or presentations shouldn’t put protected health information (PHI) in the files.If you need HIPAA-compliant services, choose an office suite that specializes in HIPAA-compliant solutions.

Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA’s regulatory requirements for protecting health data.Customers can access the Smartsheet HIPAA Implementation Guide to learn how to properly configure Smartsheet for PHI. Covered entities should adjust specific features and security controls for HIPAA compliance. Security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management.Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports.Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to a cloud-based document. Importing data and sending it through the attachment feature may put the security of PHI at risk.Covered entities should evaluate the security and privacy of each Smartsheet add-on before using it with PHI.File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). Smartsheet states that it has a BAA in place with AWS.

Dropbox Sign appears to provide HIPAA-compliant solutions for covered entities, ensuring security and privacy for all documents that contain protected health information (PHI). The service uses Transport Layer Security (TLS) encryption for all communications in transit and AES 256-bit encryption for stored files.Enterprise-level security controls include two levels of encryption for each document: a unique document encryption key (DEK) for each file and a master key that protects the DEK, which is regularly rotated for additional security. This configuration offers an extra layer of security in the event that someone bypasses physical security measures to access a hard drive.Dropbox Sign also offers audit reports that track activity and changes made to each document, giving covered entities the ability to view the audit trail as needed. Dropbox Sign conducts regular user access reviews and provides extensive training for employees on HIPAA’s Security and Privacy Rules.Customers must have a Dropbox Sign Enterprise account to access features that comply with HIPAA and Service Organization Control (SOC) 2.

HIPAA compliance is available with ActiveCampaign’s Enterprise plan. The security page states that ActiveCampaign will meet HIPAA standards for enterprise-level customers, but no further information is available about specific security features for HIPAA compliance.The company stresses that each customer is responsible for using the service in a HIPAA-compliant manner. ActiveCampaign provides security to support these needs. According to the HIPAA Security Rule, entities and business associates must take reasonable steps to protect PHI, including end-to-end security. ActiveCampaign will sign its own Business Associate Agreement (BAA) with covered entities. Covered entities must have an enterprise plan and complete a signed BAA before using this service for PHI.

Data encryption is an essential part of HIPAA compliance, and covered entities must ensure that information is fully encrypted both in transit and when stored. While VeraCrypt provides basic security features, its encryption tool may not be sufficient for protected health information (PHI).VeraCrypt’s encryption hasn't been fully compatible with all types of computers, such as certain types of PCs. Additionally, it’s designed to be used on single devices. For HIPAA compliance, it’s best to have a centralized encryption system with administrative features that include remote access and remote encryption capabilities.Information about VeraCrypt’s HIPAA-compliance effort is limited, so covered entities may want to consider choosing a commercial encryption service instead.

Bitlocker has stated that it is HIPAA compliant for data at rest. This service uses the XTS-AES algorithm for data encryption on Windows systems, offering customers both AES 128-bit and 256-bit key lengths. The highest level of protection is available when this encryption is paired with a Trusted Platform Module (TPM) version 1.2 or later.Since Bitlocker integrates with the Microsoft Windows operating system, covered entities should use additional security precautions if cloud storage is involved. Another benefit of using Bitlocker for HIPAA compliance is the data protection feature that addresses data theft risks, including exposure from computers that are stolen, lost, or inappropriately decommissioned.Compliance depends on several criteria, such as integrating Azure cloud service and having volume licensing.