HIPAA Compliance Checker
Dropbox
Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA friendly.
G Suite
Google uses ISO 27001 certification and SOC 2 and SOC 3 Type II audits. Its BAA covers many of the G Suite products, including Gmail, Google Calendar, and Google Drive (Google Docs, Google Sheets, and Google Slides). For Google Meet, however, the BAA currently only covers the chat messaging feature and doesn’t cover the video chat feature.
Zoom
Zoom uses Advanced Encryption Standard (AES) encryption with 256-bit keys to protect its meetings. For HIPAA accounts, Zoom enables “Fully Encrypted Persistent Chat,” an encrypted messaging system that uses public-key cryptography; the private keys are generated and can be stored only on users’ devices. Zoom incorporates additional security measures to ensure the privacy of PHI. There are two different user authentication requirements, as well as access control measures that regulate who or what can view or use resources on the platform.
Gmail
The free version of Gmail that most people use isn’t HIPAA compliant, but Google’s G Suite can enable HIPAA compliance. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once properly configured, can enable HIPAA compliance.
Gmail is the most widely used email service around, with 1.8 billion users worldwide. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.
HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-friendly emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients can help.
Healthcare workers are sometimes targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of patients. Continuous training improves the chances that your employees won’t fall prey to phishing scams.
Your business needs a straightforward, step-by-step process to help staff comply with all applicable laws, which can include HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among others. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.
If you’re a covered entity, or a business associate of a covered entity, you should have a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.
The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. Email services that enable HIPAA compliance should have strong security features or allow third-party plug-ins that provide the needed security.
Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that electronic PHI (ePHI) doesn’t fall into the wrong hands.
Google Drive
Google Drive is part of G Suite, which uses TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider may be required to meet HIPAA compliance standards.
Google appears willing to sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA in place is risky.
Healthcare companies have embraced G Suite because of its robust security features and low cost.
Setting up a HIPAA-compliant Gmail account
Simply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly.
Skype
Skype is one of the most well-known videoconferencing tools; hundreds of millions of people worldwide use it. Since being acquired by Microsoft in 2011, Skype has been available on Windows PCs by default. That’s why so many medical practitioners use it. But no software can enable HIPAA compliance on its own. Skype must be configured properly for HIPAA compliance.
OneDrive
OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit electronic patient health information, covered entities should rely on cloud storage solutions that can be used in a HIPAA-compliant manner. OneDrive can enable HIPAA compliance if the organization takes the proper steps. A business associate agreement is an essential part of making any software solution compatible with HIPAA. This agreement states how the parties handling the electronic patient health information (ePHI) will adhere to HIPAA. Without a signed BAA, no technology solution can be considered HIPAA friendly, but Microsoft does provide a BAA. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive seems to fulfill the access control obligation quite well.
FaceTime
FaceTime isn’t designed to be used as a telecommunications tool in a healthcare setting.
Square
Square aims to protect both its users and the customers of its users. If the user is subject to HIPAA (as a covered entity or business associate) and deals with Protected Health Information, the user should sign a BAA with Square. The responsibility for deciding whether they need to comply with HIPAA requirements belongs to the user. The user can get more information by checking Square's website.
Google Voice
For HIPAA compliance, users need to purchase a paid plan for G Suite, purchase Google Voice, and sign the G Suite BAA.
Google Docs
Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Additional precautions are recommended, such as backing up Google Docs data.
Slack
HIPAA enablement likely only applies to the messaging and file transfer features of Slack and not to any other Slack features. Caution should be used before relying on the Slack app to communicate with patients, plan members, or their families or employers. With Slack Enterprise Grid, healthcare companies can integrate Slack with their existing medical records system to share and control medical data as part of an overall HIPAA solution.
Office 365
In order to enable HIPAA compliance for Office 365, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.
AWS
Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.
WhatsApp
WhatsApp is one of the most used text messaging apps in the world. After it was bought by Facebook, various security measures such as end-to-end encryption were added. However, currently WhatsApp does not state that it enables HIPAA compliance. For starters, access controls, a BAA, and audit controls would be needed for HIPAA compliance.
Evernote
Although Evernote incorporates some protection features that can prevent unauthorized access, the overall security controls aren’t likely sufficient to meet HIPAA standards.
Evernote can only be used for medical data storage purposes if it’s completely offline and is going to stay offline. The computer that Evernote is set up on should be encrypted in order to prevent unauthorized personnel from accessing the information.
eFax
eFax is an electronic faxing solution that uses advanced security protocols to make sure ePHI is secure both during transmission and in storage. eFax is known as one of the most secure online fax providers.
eFax uses unique user identification and 256-bit SSL encryption to ensure secure document transmission and keep ePHI safe from unauthorized access. eFax also offers the secure transport layer security (TLS) encryption protocol, administration privileges to limit access to ePHI, and multilevel audit controls, including secure and automatic fax archiving. Fax transmissions are stored on the eFax cloud and kept safe in Tier III secure servers.
Box
Box appears to check all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption.
Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.
Mailchimp
Mailchimp provides security measures to reduce the risk of unauthorized access, including physical security controls and encryption. Since encryption is built into the service, it may meet certain HIPAA compliance regulations, but using Mailchimp doesn’t guarantee that all HIPAA compliance standards will be met.
According to Mailchimp’s terms and conditions, customers are responsible for ensuring they comply with regulations like HIPAA.
Uploading patient information to a Mailchimp email list likely constitutes a disclosure of protected health information (PHI).
Outlook
The free email platform offered by Microsoft, Outlook.com, doesn’t appear to have been built to handle ePHI securely or to comply with HIPAA. However, Outlook can be used as a HIPAA-friendly service with a paid Office 365 subscription and additional client-side encryption.
For HIPAA compliance features, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.
MetroFax
Metrofax offers secure, encrypted fax communication services. The built-in faxing features allow users to quickly send information from a cell phone or computer as a fax.
Even though Metrofax provides encryption to protect transmitted information, it appears to be missing some capabilities required for HIPAA compliance. When sharing PHI through a third-party provider, HIPAA regulations require a signed Business Associate Agreement. This BAA must be in place for Metrofax’s services to meet HIPAA compliance.
Check with Metrofax to see if they will sign a BAA.
Teamviewer
Teamviewer states that it is a HIPAA-friendly remote access solution that allows users to access devices no matter where they are. Security is a key objective for Teamviewer. The company has received multiple security certifications from A-LIGN, a provider that helps businesses implement HIPAA security features.
All of Teamviewer’s remote support, remote access, and online collaboration features maintain privacy and security. This includes end-to-end encryption, which is why many companies trust Teamviewer.
HIPAA has strict standards for the privacy and confidentiality of patient information. When using computers, networks, and mobile devices for PHI, all access and management must follow HIPAA regulations. Additionally, every employee must receive regular HIPAA training. Teamviewer’s security and privacy practices appear to meet HIPAA standards.
Before using Teamviewer with PHI, you must get a signed BAA from the company. Submit an inquiry to Teamviewer customer service for assistance in obtaining the BAA. A signed BAA might be available only for organizations that meet a specific spending threshold.
Wix
Wix is a popular website builder. Passive scanning is done periodically, but customers don’t have access to real-time monitoring to protect against hacking.
Certain Wix features can be HIPAA friendly when paired with other services. Wix partners with Google Workspace to integrate email hosting. When purchasing Wix services, you may meet HIPAA requirements for email if you use specific security settings and sign a BAA with Google.
Quickbooks
Quickbooks has many features to simplify business invoicing and bookkeeping. While this software is effective in a variety of industries, it isn’t recommended for medical billing. Since deductibles, cash payouts, insurance invoices, and co-pays include patient health information, you should be cautious before entering this information into Quickbooks until you know that Quickbooks supports HIPAA compliance.
Some medical clinics use Quickbooks for summarizing revenue and sales receipts. This tool can be a powerful way to track revenue by company, insurance, or even patient category.
You might want to avoid using Quickbooks for patient demographic data, information about physical or mental health conditions of patients, health care services offered to each person, or payment for medical services. According to the US Department of Health and Human Services, medical practitioners shouldn’t use non-compliant software services for the above information if there is “a reasonable basis to believe it can be used to identify the individual.”
If you are in the healthcare industry and use Quickbooks, you should use caution before inputting “individually identifiable health information” into this software.
Carbonite
Carbonite uses internal privacy and security provisions to safeguard medical information.
HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite provides real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.
Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system. Additionally, Carbonite restricts access to software programs.
A Carbonite Safe Pro subscription offers HIPAA compliance features. Carbonite Safe Pro also gives administrators access to view user activity and logins.
Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA friendly.
Salesforce
The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep protected health information (PHI) secure in the cloud. Salesforce includes administrative, physical, technical, organizational, and documentation safeguards to protect PHI.
Customers can use customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to define permission sets that govern the visibility of data, maintain strict password security, monitor field-level history, set security rules to manage data access, and define a company-wide sharing model and role hierarchy.
In addition to permission sets, customers can define user profiles to limit data record access to authorized employees.
It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.
If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.
Zapier
Zapier, a widely used automation tool that connects apps and services to automate workflows, has stated that it does not support HIPAA compliance. Despite its robust encryption measures for data transmission and comprehensive activity logging within its network, Zapier’s functionality doesn’t render it HIPAA compliant. Zapier has stated on its website that it won’t sign a Business Associate Agreement (BAA). Because a BAA is required under HIPAA, this prevents Zapier from handling protected health information (PHI) in a HIPAA-compliant manner.
BAAs serve as crucial contractual documents that explicitly define the protocols for storing and exchanging sensitive data between entities. They are an essential component of achieving and maintaining HIPAA compliance. Without a properly executed BAA, an organization cannot use any third-party tool or service to handle sensitive information within the scope of HIPAA regulations.
Google Sheets
Google Sheets has stated that it enables HIPAA compliance. Google Sheets also offers a range of security features including access controls, auditing, and encryption.
Google Sheets is part of Google Workspace, which uses high-level encryption to protect patient health information (PHI). While Google Sheets offers HIPAA-friendly security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to enable HIPAA compliance.
Admin console logs and reports are an important part of HIPAA security for Google Sheets and all other apps in Google Workspace. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for activities like suspicious login attempts, suspending users, activating a suspended user, adding a new user, changing a password, and granting or revoking admin privileges.
In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators.
When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube don’t enable HIPAA compliance, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons from third-party developers.
iCloud
iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to meet HIPAA compliance standards. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls only meet the minimum HIPAA requirements.
When healthcare providers use cloud services with protected health information (PHI), business associates must sign a BAA.
RingCentral
RingCentral is an option that healthcare organizations can use to transmit and store patient health information because it appears to take a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.
The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.
Available security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information should be secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have security protocols with onsite guards and electronic prevention systems.
Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in line with HIPAA requirements.
DocuSign
DocuSign appears to fall into the category of a business associate when healthcare providers use its services for protected health information (PHI). DocuSign offers AES 256-bit encryption for data in transit and at rest. This encrypted information is stored on DocuSign’s servers, and the company states that it doesn’t have access to the information.
DocuSign seems to meet Health and Human Services (HHS) standards for digital signatures.
This service enables HIPAA features through its digital tracking system. Each e-signature has an audit trail that’s fully traceable. DocuSign data centers are SOC 2 audited and ISO 27001 certified.
When signing a document, the service captures names, email addresses, time stamps, signing location, public IP addresses, and document completion status.
While DocuSign offers essential encryption, auditing, and security standards, it’s the responsibility of each customer to ensure that they share and access PHI in a manner that follows HIPAA regulations.
Virtru
Virtru appears to meet the standards for following HIPAA regulations. Virtru provides data protection services that encrypt email and files to protect confidential patient health information (PHI). HIPAA defines specific technical standards for data encryption. Encryption protects files while they are in transit and at rest.
Additionally, Virtru provides administrative controls for managing emails, photos, videos, PDFs, and Office files. You can manage authorization to allow or disallow users to access specific content and types of content. Tracking and monitoring features provide real-time protection for patient information.
Other security features include forwarding restrictions and the ability to revoke messages after they are sent.
Virtru offers client-side email encryption if you’re using the plug-in with on-device encryption. When creating information on the device, the protection occurs immediately (before distribution). Advanced controls allow end-to-end encryption.
Virtru can integrate end-to-end encryption in Gmail. Virtru offers an extra layer of security to strengthen privacy controls after email leaves your inbox.
Sharepoint
Sharepoint has stated that it provides necessary administrative and technical features to meet HIPAA requirements. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage.
Sharepoint is a Microsoft service. The Microsoft website states that Sharepoint Online enables HIPAA compliance when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly.
A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more.
If you configure and use Sharepoint correctly, this service can be a HIPAA-friendly solution for information storage, management, and collaboration.
Acuity
Acuity Scheduling is part of the Squarespace platform. While many aspects of Squarespace may not enable HIPAA compliance, Acuity Scheduling includes features designed to allow covered entities to comply with HIPAA regulations.
Customers can manage notification settings to limit access to protected health information (PHI). For example, they can prevent emails from displaying the from and reply-to fields that show the patient’s name and email address. You can contact Acuity to disable the feature that attaches a calendar file (ICS invite) containing the client’s name, appointment time, and appointment type to appointment confirmation and rescheduling messages.
Covered entities should sign up for the Powerhouse Player plan to enable security features required for HIPAA compliance. Access the Customize Appearance section to manage Scheduling Page Options, and then select the option to enter into a BAA using an electronic signature.
Google Calendar
Google Calendar is a service offered through Google Workspace (formerly G Suite) that makes it easy for users to track appointments and manage their schedules. This tool appears to ensure the safety of PHI, as long as you configure the security, access, and audit settings to prevent the disclosure or misuse of PHI.
The default settings in Google Calendar share all information with team members in your domain. Security features allow you to set meetings that involve PHI to “Private” to maintain confidentiality. This setting shows the time as “Busy” without disclosing information about the meeting. With proper privacy settings, the program won’t include PHI, such as the title and description, in the meeting details.
Covered entities should be on a paid Google Workspace Business or Enterprise plan. Paid plans give users the option to manage Google Calendar security controls to meet HIPAA requirements.
GoDaddy
GoDaddy provides a variety of services including website hosting, email management, and domain names. Covered entities can use email services for protected health information, but website hosting services may not meet HIPAA requirements.
For example, basic website hosting plans are on shared servers. Other technical and physical safeguards aren’t in place for these plans. Covered entities shouldn’t use GoDaddy shared hosting for websites containing patient information.
GoDaddy also offers email services through Microsoft Office 365. Two plans, Business Premium and Premium Security, offer HIPAA compliance features. Covered entities may purchase HIPAA-friendly email as an add-on to the service. All email accounts offer the option of full integration with Microsoft Office.
ProtonMail
Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI). ProtonMail includes a HIPAA compliance statement on its website that assures the company will do its part to protect patient data.
Privacy and security features include end-to-end encryption and zero-access data management. The service uses 4,096-bit RSA encryption for all stored communications. Data centers provide physical security for all data backups. The server hardware is located in Switzerland, where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center.
If a user’s device is stolen or lost, a remote wipe feature can protect PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.
ProtonMail states that its employees don’t have access to PHI. ProtonMail states that it doesn't store paper copies or printed reports in its facilities.
Google Hangouts
Google Hangouts is a communication platform available through Google Workspace. The chat messaging feature in Google Hangouts appears to meet HIPAA compliance standards. These controls should be configured before using Google Hangouts for protected health information (PHI). Covered entities must obtain a signed business associate agreement (BAA). If your organization is planning to use Google Hangouts for PHI, refer to Google’s user guide for detailed information about security and privacy controls.
Webex
Healthcare organizations can use Webex as part of their HIPAA compliance. Healthcare practices (covered entities) must ensure that Webex is configured correctly. Cisco states the responsibilities of both parties (Cisco Webex and the customer) for HIPAA compliance. Cisco Webex states that it is responsible for protecting the confidentiality, privacy, and security of PHI, whereas the healthcare provider is responsible for properly classifying and maintaining data. Cisco also offers a Webex HIPAA Self-Assessment.
Venmo
Venmo does not currently state that it meets HIPAA requirements and doesn’t provide HIPAA protection for sensitive patient health information. Since the platform is typically used by individuals to send money to one another, it may not fit all the PHI-related requirements of healthcare organizations.
There are several payment gateways that seem to enable HIPAA compliance, but Venmo, despite being a great payment method for many, is not the best fit for medical institutions to protect PHI.
ShareFile
ShareFile offers HIPAA-friendly tools that allow healthcare providers to exchange data and files with patients and third-party providers. A secure SSL/TLS connection maintains the privacy of protected health information (PHI) in transit, and data at rest is secured with AES 256-bit encryption.
These security tools provide bank-level encryption for email, attachments, and files. Healthcare providers can move PHI between local storage and HIPAA cloud storage as needed. Check-in and checkout systems ensure that everyone works on the latest version of a file. Audit controls let administrators see the history of access, including account usage and access to folders and files.
Users can create individual accounts tied to unique email addresses; single sign-on is also available. Other HIPAA-related features include session timeout due to inactivity, identity management, and account lockout after five failed attempts.
ShareFile integrates with a variety of other tools, including Microsoft Outlook.
Mobile apps are available for Android, iOS, and more. Cloud syncing gives users access to current information on all devices. This streamlined healthcare collaboration system also provides e-signature features for digital document signing.
HIPAA features are available only for customers with a Premium plan.
Zoho
Zoho’s website provides limited information about HIPAA compliance. Even though its tools aren’t for healthcare entities specifically, many of the security features may meet HIPAA requirements.
These cloud-based services are comparable to those in Office 365 and Google Workspace, with solutions for word processing, custom applications, project management, live chat, app integration, and an IoT management platform.
The company offers technical, physical, and administrative safeguards for all services, but there are questions about whether these privacy features are sufficient for HIPAA regulations.
Google Forms
Google Forms offers security and privacy configurations that could be made to comply with HIPAA regulations. Covered entities can set the access and visibility of folders and files, as well as grant specific collaborators sharing and editing capabilities.
When configuring Google Forms, administrators should set the sharing permissions to manage data visibility and access. Additionally, admins should disable third-party applications that don’t meet HIPAA privacy standards. Software compliance depends on how the software is used, which is why administrators should adjust privacy settings properly before and while using Google Forms to collect and manage patient information. Other possible HIPAA safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.
If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google may offer a signed BAA that covers Google Forms as well as other Google Workspace services such as Gmail, Docs, Sheets, Calendar, and Slides.
GoToMeeting
GoToMeeting provides technical, physical, and administrative safeguards for online meetings and videoconferences. According to the GoToMeeting website, these security controls meet or exceed HIPAA technical standards. One of these features is end-to-end encryption. Data in transit uses AES 128-bit encryption, including chat information, audio, and video files.
Additionally, logs of session activity and account connection create an audit trail. Account managers can access management and reporting tools to see account activity. When an account is inactive for a certain period of time, an automatic log-off feature requires a new login before the information can be accessed again.
Only authorized individuals can access accounts. Access security features include password protection and unique meeting codes. Meeting organizers have full control over who can join each meeting. GoToMeeting verifies a user’s identity through a unique email address and password.
VSee
VSee provides videoconferencing services and offers secure encryption for audio and video communication on its platform. These security standards are available for both free VSee accounts and paid subscriptions.
Since videoconferencing may involve the exchange of electronic data, including protected health information (PHI), it must meet HIPAA requirements for covered entities. VSee streams video directly from endpoint to endpoint.
Covered entities must consider how video collaboration tools meet HIPAA security requirements. For example, videoconferencing can include screen sharing, text chat, and file transfer. Videoconferences on VSee are advertised as encrypted with FIPS 140-2 compliant, military-grade 256-bit Advanced Encryption Standard.
PayPal
PayPal’s website doesn’t state that it provides HIPAA compliance features for covered entities, so a covered entity should use caution before using the site to share or store protected health information (PHI).
HIPAA privacy rules require the protection of all “individually identifiable health information.” Demographic data and payment history fall into this category.
Grasshopper
Grasshopper’s website states that it does not enable HIPAA compliance and that support team members have access to account information and settings to help with technical issues. This access includes all messages that pass through Grasshopper’s calling, texting, and faxing features.
If protected health information (PHI) passes through these communication tools, it appears possible that unauthorized individuals could access the information. If Grasshopper doesn’t offer HIPAA-friendly services, covered entities shouldn’t use these tools.
HelloFax
Many telecommunications firms act as conduits for data transmission and are exempt from signing a business associate agreement (BAA) through the conduit exception rule. Information shared over the phone or using a standard fax machine is not subject to HIPAA compliance. However, other means of communication, including VoIP, SMS, and digital fax services, must meet HIPAA regulations.
HelloFax provides AES-256-bit encryption for information at rest and TLS encryption for information in transit, to meet the minimum HIPAA standards. Additionally, each document is encrypted with a unique key, and keys are encrypted with a master key that rotates frequently, which means that if unauthorized people gained access to the hard drive, they wouldn’t be able to decrypt the data.
HelloFax advertises “bank-grade” security, including physical and electronic protections. The data center apparently uses strict access controls. Because of these security measures, it may be possible to use the HelloFax system without violating HIPAA requirements.
Avast
Avast offers security features that seem to enable compliance with specific HIPAA regulations. But the only mention of HIPAA on the company’s website is in a press release about Virtual Mobile Platform (VMP). Avast VMP allows users to share photos and medical images securely, without storing the data on a personal device. Also, all IM messages and phone calls are encrypted, which may fit HIPAA requirements.
23andMe
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or other protections related to privacy, security, or minimizing access to PHI. Even though 23andMe receives funding from the National Institutes of Health, 23andMe currently asserts that its data-mining analysis doesn’t constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This means that 23andMe may take the position that any consent it obtains to retain, use, and share consumer data isn’t necessary for regulatory compliance, but rather is done as a courtesy.
Backblaze
Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.
In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.
These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about its own HIPAA enablement. It appears that HIPAA features are available only for customers on the B2 Cloud Storage plan.
IDrive
IDrive offers online backup services that covered entities can use for protected health information (PHI). Both IDrive’s digital and physical security appear to maintain the confidentiality of patient information.
Encryption is a critical feature for ensuring that your backup cloud software supports HIPAA compliance. Data encryption and secure transmission help prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.
IDrive’s data center uses modern technology, including SOC-approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.
The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.
Jotform
Jotform is not inherently HIPAA compliant. However, your company can easily enable HIPAA compliance by using Jotform’s helpful tools and secure forms. Sign a Business Associate Agreement (BAA) with Jotform and enjoy forms that make HIPAA compliance easier.
Jotform’s HIPAA-friendly online forms encrypt your data as soon as your forms start being populated. Sensitive information collected through your forms is also encrypted during transfer and in storage. Jotform has many integrations with other HIPAA-friendly services such as Google Drive, Dropbox, etc. You can also accept online payments with HIPAA-friendly online forms. Jotform offers many different payment gateway integrations.
Typeform
Typeform provides data-collection services through online forms, and has integrated security features to meet HIPAA security and privacy requirements.
Both physical security and network security features are in place, including access control, penetration testing, multiple levels of encryption, and other data protection measures. Typeform has an information security department that’s responsible for overseeing all security administration.
Since the service offers protection for data and information, it seems that covered entities have the option to use this service for protected health information (PHI). Collecting PHI is part of HIPAA compliance, which means that Typeform is a business associate. Covered entities using this service to gather, store, or transmit PHI should contact Typeform customer service to ensure they have a business associate agreement (BAA) in place.
MyFax
MyFax offers a variety of security and privacy features, but it isn’t clear from the website whether this service meets HIPAA requirements. The privacy features of this digital faxing service are more robust than traditional fax machines, but they may not be sufficient for protecting health information.
The company J2 Global owns both MyFax and eFax. These platforms are similar, but there are notable differences in privacy, security, and faxing capabilities. MyFax suggests that covered entities use services from its partner, eFax Corporate.
Squarespace
Squarespace offers a variety of software services. Its scheduling tool appears to meet the requirements for the HIPAA Security Rule.
Protections for HIPAA accounts include email notification privacy, a shortened browser session timeout, and limited access for uploading intake forms. Also, customers can disable third-party integrations that don’t support HIPAA.
Squarespace’s Powerhouse Player or Enterprise plan may be used to access HIPAA compliance features for your Scheduling account. Each Scheduling account must be HIPAA friendly before using the service for PHI.
Covered entities should obtain a signed business associate agreement (BAA) from Squarespace.
WordPress
WordPress offers a variety of website security features, but it’s unclear whether the controls are sufficient to meet HIPAA regulations.
It is possible to meet specific HIPAA standards in WordPress, but this process is complicated. Controls must be in place to prevent unauthorized access to the administration control panel and PHI. Additionally, transmission security controls are necessary to encrypt data in transit and secure information at rest.
If covered entities choose WordPress for website design and content management, they should be careful before considering uploading PHI to the site.
Xero
Xero offers useful financial and accounting tools for healthcare businesses, such as expense management, inventory tracking, and more. While Xero is designed for the business management side of the healthcare industry, its website does not state that its tools enable HIPAA compliance.
Xero offers the option to link to third-party healthcare apps for HIPAA compliance features, such as practice management and appointment scheduling.
Mindbody
Mindbody has proactive security measures that appear to meet HIPAA regulations. The company has obtained PCI Level 1 certification, and states that it completes an annual audit and HIPAA risk assessment.
HIPAA-related privacy features include network security, encryption, ePHI protection, access control measures, and a Vulnerability Management Program. System alerts are in place to notify admins of unauthorized access.
Mindbody offers PHI-related protections for appointment scheduling, contact logs, documents, and transactions. Progress notes allow covered entities to record personal information that’s accessible only by authorized personnel.
A business associate agreement (BAA) must be in place before using Mindbody for PHI. Covered entities can email Mindbody to request a signed BAA.
HubSpot
Covered entities shouldn’t use HubSpot for PHI. On HubSpot’s terms of service page, the company states that its services don’t comply with industry-specific regulations like HIPAA. The terms of service forbid the processing or storage of sensitive health information.
Adobe Sign
When using e-signatures for protected health information (PHI), you must institute security and privacy protections for electronic transmission and storage of data to meet HIPAA requirements. Adobe Sign offers configuration options to comply with HIPAA standards and allow organizations to meet industry-specific compliance requirements for e-signatures. Each client must configure features such as account time-out, password length, and accessibility settings.
Covered entities can use authentication to manage user identities, certify each document’s integrity, maintain audit trails, and track document delivery. This tool is helpful for healthcare providers because the e-signature features can be integrated with other HIPAA-compliant software services.
Adobe Sign offers a business associate agreement (BAA) for customers on an Enterprise plan.
TLS encryption
Transport Layer Security (TLS encryption) offers security when sending emails, but it doesn’t guarantee secure delivery to the recipient. Even though the messages are encrypted in transit, security isn’t assured for information at rest.
In addition, certain email providers don’t support the delivery of encrypted messages. So the service removes the encryption to deliver the email, resulting in a message that contains plain text without encryption. Also, if the recipient responds, the reply transmits without encryption.
Covered entities must make sure they’re using tools that ensure encryption on delivery. To meet HIPAA requirements, both mail servers must use TLS encryption.
TLS encryption can be one tool to support HIPAA compliance. But such encryption alone isn’t sufficient for HIPAA requirements because the information can be exposed if the encryption fails.
Discord
Discord is a social media and mobile chat platform created for entertainment and personal communication. No encryption is available for messages sent through Discord, which means this platform lacks a key HIPAA requirement. Also, Discord’s privacy policy states that the company collects information, including images, messages, and documents sent through the chat feature.
HIPAA requires privacy for all PHI and data storage. Other chat and messaging platforms with specific security measures that meet HIPAA standards are available for the healthcare industry.
Wufoo
To enable HIPAA compliance, software must include physical, administrative, and technical safeguards to protect PHI, among other safeguards. While Wufoo offers security features, it doesn’t appear to offer all of the features necessary for HIPAA compliance.
LogMeIn
LogMeIn is remote-access software. Covered entities using this tool must implement protections to prevent unauthorized access to protected health information (PHI). HIPAA compliance requires strict measures for access control, including unique user identification, emergency access procedures, automatic logoff features, person authentication, and audit controls. LogMeIn customers should adjust specific account settings before using the service with PHI.
LogMeIn also offers transmission security that may meet HIPAA requirements. All data transmitted during chat, remote-access, or file-transfer sessions is protected with 128-bit encryption at minimum. When permitted by the encryption level on the client’s browser, the protection increases to 256-bit encryption.
To support customers in meeting HIPAA requirements, LogMeIn provides a detailed outline of considerations and setting recommendations. These technical safeguards and transmission security features may enable covered entities to maintain compliance with HIPAA’s Privacy and Security Rules.
Eset Antivirus
Eset Antivirus can help covered entities secure protected health information (PHI). Technical controls keep unwanted malware off devices, including laptops, smartphones, and tablets. The antivirus services perform full system scans to detect and block executable files that activate computer viruses.
Malicious parties use malware in an attempt to access data on devices. Antivirus software is a critical factor in protecting both devices and networks against these attacks. Antivirus and malware protection through Eset block attacks immediately. Encryption provides another layer of security. Additionally, customers have the option to set up two-factor authentication.
A web control module through Eset Antivirus keeps users from visiting non-work-related websites, reducing the likelihood of a virus infection. Internet access variations are available for each user’s account, depending on the needs of the organization. Eset Anti-Phishing protection is another valuable tool to help covered entities avoid infected emails that put the account and machine at risk.
Antivirus and anti-malware protections are required for HIPAA compliance. Eset provides antivirus protection, and the software doesn’t appear to have access to PHI.
Norton Antivirus
Norton Antivirus helps prevent computer hacking, an essential step in protecting PHI. The goal of antivirus software is to ensure devices are free from malware. Antivirus software is a good choice for all devices that access PHI, including laptops, tablets, and smartphones.
Hackers use malware to access private files, such as PHI. Covered entities can reduce the risk of data theft by protecting all devices and networks with antivirus software. Norton Antivirus blocks malware attacks and helps keep computers virus free. Additionally, the encryption features protect all of the information you send, receive, and store.
HIPAA regulations require covered entities to use anti-malware and antivirus protection.
FreshBooks
FreshBooks provides security and reliability safeguards that seem to align with certain HIPAA requirements, such as 256-bit SSL encryption and firewalls to protect stored data.
While FreshBooks’s digital and physical security features seem to comply with HIPAA standards, there is no mention of HIPAA enablement on the company’s website. The company also doesn’t offer information about obtaining a signed business associate agreement (BAA), which is a requirement for covered entities under HIPAA.
Since FreshBooks doesn’t specify what its security protocols are for protected health information (PHI), covered entities should consider other invoicing software options.
Bluehost
Bluehost provides customers with a variety of security features, including SSL certification and HTTPS protocol. While these security features are necessary steps for HIPAA compliance, they aren’t enough. HIPAA compliance requires access control and audit control for digital security. Additionally, facility controls must include physical safeguarding of server equipment.
The company is transparent that its services aren’t authorized for patient health data and identifiable medical information.
Covered entities that need web hosting services for PHI should choose a service that meets HIPAA requirements.
SiteGround
In its terms of service, SiteGround has stated in a HIPAA disclaimer section that customers are prohibited from using its services to store PHI.
Covered entities that need web hosting services should choose a provider that offers digital and physical HIPAA-compliant safeguards. While most hosting providers provide HTTPS protocol and SSL certification for security, these features alone aren’t sufficient to meet HIPAA requirements. For a hosting account to be HIPAA compliant, it must include physical safeguards to protect equipment and servers. Audit controls and access controls are other digital security features that help with HIPAA compliance.
HelloSign (Dropbox Sign)
Dropbox Sign appears to provide HIPAA-friendly solutions for covered entities, ensuring security and privacy for all documents that contain protected health information (PHI). The service uses Transport Layer Security (TLS) encryption for all communications in transit and AES 256-bit encryption for stored files.
Enterprise-level security controls include two levels of encryption for each document: a unique document encryption key (DEK) for each file and a master key that protects the DEK, which is regularly rotated for additional security. This configuration offers an extra layer of security in the event that someone bypasses physical security measures to access a hard drive.
Dropbox Sign also offers audit reports that track activity and changes made to each document, giving covered entities the ability to view the audit trail as needed. Dropbox Sign conducts regular user access reviews and provides extensive training for employees on HIPAA’s security and privacy rules.
Customers must have a Dropbox Sign Enterprise account to access features that enable HIPAA compliance and Service Organization Control (SOC) 2.
ActiveCampaign
ActiveCampaign has stated that it enables HIPAA compliance. This service offers security features that align with HIPAA regulations.
HIPAA compliance features are available with ActiveCampaign’s Enterprise plan. The security page states that ActiveCampaign can meet HIPAA standards for enterprise-level customers, but no further information is available about specific security features for HIPAA compliance.
The company stresses that each customer is responsible for using the service in a HIPAA-compliant manner. ActiveCampaign provides security to support these needs. According to the HIPAA Security Rule, entities and business associates must take reasonable steps to protect PHI, including end-to-end security.
Constant Contact
Constant Contact offers many security features that appear to align with HIPAA requirements, such as multiuser access, account management, and the ability to limit user access. The service has technical, physical, and administrative safeguards in place to protect email subscriber data. While these security features are sufficient for general email communication, they may not meet the privacy safeguards necessary for transmitting patient information.
The HIPAA Privacy Rule applies to protected health information (PHI), which includes any information found in a medical record that’s tied to the identity of an individual, including diagnoses, treatments, and billing. HIPAA rules don’t prohibit covered entities from sending marketing emails, as long as they don’t include protected health information. For example, a medical provider can email patients about changes in business hours or new office policies. However, patients must first give their permission to be added to the email marketing list.
Constant Contact is a good solution for general communication. But its email marketing platform doesn’t appear to support the transmission of highly sensitive PHI (personal health and medical information).
Barracuda Messenger
Barracuda Messenger provides end-to-end encryption for communications, enabling you to exchange both video and audio calls as well as text messages in a confidential, secure environment.
Even though Barracuda Messenger secures conversations in all locations and on all devices, the security features aren’t necessarily sufficient to meet HIPAA requirements. Also, Barracuda Messenger makes no mention of signing a business associate agreement (BAA).
Covered entities looking for a video and text messaging platform for PHI should use a tool that meets HIPAA requirements.
VeraCrypt
Data encryption is an essential part of HIPAA compliance, and covered entities must ensure that information is fully encrypted both in transit and when stored. While VeraCrypt provides basic security features, its encryption tool may not be sufficient for protected health information (PHI).
VeraCrypt’s encryption hasn’t been fully compatible with all types of computers, such as certain types of PCs. Additionally, it’s designed to be used on single devices. For HIPAA compliance, it’s best to have a centralized encryption system with administrative features that include remote access and remote encryption capabilities.
Information about VeraCrypt’s HIPAA-compliance effort is limited, so covered entities may want to consider choosing a commercial encryption service instead.
Apple Notes
Apple Notes provides users with a fast and easy way to capture their thoughts or create lists and sketches, making it a convenient tool to collect information. The app also syncs across devices through Apple’s iCloud. It’s unknown whether Apple Notes enables HIPAA compliance.
OneNote
OneNote may be HIPAA compliant, provided the right security features and configurations are used. Physical, technical, and administrative safeguards are available through Microsoft’s cloud services.
These security and privacy measures help to prevent unauthorized access of electronic protected health information (PHI). Data stored on OneNote is encrypted, and Microsoft provides user access logs on request.
Notes can be shared with other OneNote users through a network or internet connection. Because Microsoft OneNote offers multiuser collaboration, every participating device must meet all HIPAA compliance standards.
Storing or sharing PHI on the software requires a signed business associate agreement (BAA) with the software provider. The BAA offers contractual assurances of HIPAA-compliant safeguards. Microsoft provides a BAA for many of its products, including OneNote.
Power Automate
Microsoft has stated that it enables HIPAA compliance by offering customers that are covered entities and business associates a Business Associate Agreement (BAA). This agreement covers in-scope Microsoft services, which include Power Automate. This applies whether the Power Automate cloud service is being used as a standalone service or as part of an Office 365 or Dynamics 365 branded plan or suite.
WPS Office
While WPS Office offers a variety of security features, including encryption, to protect customers’ data, the company hasn’t said that it has sufficient protection to meet HIPAA guidelines. Covered entities that want to use this free software for word processing, spreadsheets, or presentations shouldn’t put protected health information (PHI) in the files.
If you need services that enable HIPAA compliance, choose an office suite that specializes in HIPAA solutions.
Smartsheet
Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA’s regulatory requirements for protecting health data.
Customers can access the Smartsheet HIPAA Implementation Guide to learn how to properly configure Smartsheet for PHI. Covered entities should adjust specific features and security controls for HIPAA compliance. Security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management.
Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports.
Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to a cloud-based document. Importing data and sending it through the attachment feature may put the security of PHI at risk.
Covered entities should evaluate the security and privacy of each Smartsheet add-on before using it with PHI.
File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). Smartsheet states that it has a BAA in place with AWS.
Quip
Quip, a cloud-based collaboration tool, uses innovative security controls and measures that appear to align with HIPAA compliance requirements. The system is fully encrypted and offers a variety of customizable privacy options to meet each organization’s unique compliance requirements.
Covered entities often pair Quip Shield with Salesforce to take their security to the next level. The combination allows users to collaborate using Salesforce data in a central space while their data is protected with critical security measures such as permissions, version history, and encryption.
These cloud-based tools offer security for protected health information (PHI), with technical, physical, and administrative safeguards designed to maintain compliance. Covered entities can build healthcare applications through Salesforce, knowing that Quip provides the security measures intended to protect PHI.
Quip has features that allow for data control and audits. Users can tailor the Quip platform based on their unique compliance and security needs. Key security features of Quip Shield include encryption of data in transit and at rest, granular administrative controls, access management, antivirus scanning, and real-time event logging. The option of a private, single-tenant cloud allows for better control of the network, including limits on geographical access.
BitLocker
BitLocker enables HIPAA compliance for data at rest by using the XTS-AES algorithm for data encryption on Windows systems, offering customers both AES 128-bit and 256-bit key lengths. The highest level of protection is available when this encryption is paired with a Trusted Platform Module (TPM) version 1.2 or later.
Since BitLocker integrates with the Microsoft Windows operating system, covered entities should use additional security precautions if cloud storage is involved. Another benefit of using BitLocker for HIPAA compliance is the data protection feature that addresses data theft risks, including exposure from computers that are stolen, lost, or inappropriately decommissioned.
Compliance depends on several criteria, such as integrating Azure cloud service and having volume licensing.
Gravity Forms
Gravity Forms, a widely used WordPress plug-in designed to create online forms, has stated that it can be HIPAA-compliant, but it does not come pre-configured with HIPAA compliance features. Instead, it offers functionalities that can be used to develop forms that adhere to HIPAA standards, as long as users take specific precautions and comply with essential security protocols.
According to Gravity Forms, data collected through its plug-in is stored in tables within the user’s WordPress database, which is hosted by the user’s chosen hosting provider. Gravity Forms then uses the existing infrastructure provided by WordPress to ensure that the collected data is securely stored within the user’s database environment. This approach ensures that the data remains under the user’s control and within the parameters of their selected hosting provider. Keep in mind that Gravity Forms states, “By default, [t]he data collected by Gravity Forms is not encrypted during storage. If required, encryption of data at rest would need to be provided by an add-on or the custom code.” Because Gravity Forms has stated that it does not host or store collected form data on your behalf and that it does not sign Business Associate Agreements, you must do this with your website host or data services provider.