Any point at which health care information electronically leaves the four walls of your practice should be covered by a HIPAA-compliant platform. You should audit and assess your practice for HIPAA adherence at every stage of engaging with a patient, including:
Patient Making an Appointment
Likely compliant examples include
- Scheduling using online platforms hosted by a secure vendor with whom you have executed a BAA
- Scheduling by phone call
- Maintaining local (i.e., not cloud-based) or paper schedules and records
Likely noncompliant examples include
- Scheduling via texting, voicemail, or email, if not using platforms hosted by a secure vendor with whom you have executed a BAA
- Maintaining an online calendar of appointments with any identifiable patient information on a platform with which you have not executed a BAA
Collecting Patient Information (medical history, payment information, consent to treatment and Notice of Privacy Practices)
Likely compliant examples include
- Collecting patient information using online platforms hosted by a secure vendor with whom you have executed a BAA
- Collecting patient information on forms maintained locally or on paper
Likely noncompliant examples include
- Collecting or maintaining patient information via texting, voicemail, or email, if not using platforms hosted by a secure vendor with whom you have executed a BAA
- Maintaining patient information on a platform with which you have not executed a BAA
Delivering Care
Likely compliant examples include
- Delivering telehealth using online platforms hosted by a secure vendor with whom you have executed a BAA
- Delivering audio-only telehealth through phone calls (not through online audio service providers, such as FaceTime, with which you do not have a BAA)
- Seeing patients in person
Likely noncompliant examples include
- Delivering telehealth using FaceTime Audio, Google Voice, or any other voice over IP (VoIP) provider with whom you have not executed a BAA
- Delivering telehealth in public places where others can hear either the clinician or the patient
Maintaining Health Records
Likely compliant examples include
- Maintaining patient information in an EHR or other platform hosted by a vendor with whom you have executed a BAA
- Maintaining patient information on forms maintained locally or on paper
Likely noncompliant examples include
- Maintaining patient information on a platform with which you have not executed a BAA
- Maintaining patient information in physically unrestricted environments, including in an unlocked office or on a computer without a password
Sending Prescriptions
Likely compliant examples include
- Sending electronic prescriptions through a platform hosted by a vendor with whom you have executed a BAA
- Faxing prescriptions
Likely noncompliant examples include
- Texting, emailing, or leaving voicemails to transmit prescriptions if not through platforms with which the parties have executed a BAA
Billing the Patient’s Insurance
Likely compliant examples include
- Using a secure online portal to transmit billing data to the patient’s payer
- Faxing billing data
Likely noncompliant examples include
- Texting, emailing, or leaving voicemails to transmit billing data if not through platforms with which the parties have executed a BAA
Collecting Payment from the Patient (co-pay or out-of-pocket)
Likely compliant examples include
- Collecting payments through a secure online portal with which you have executed a BAA
- Collecting cash or checks
Likely noncompliant examples include
- Using consumer-facing money transfer apps (e.g., Venmo, CashApp) to collect payments
Communicating with the Patient about Any Component of Their Care or Condition
Likely compliant examples include
- Communicating through secure online portals with which you have executed a BAA
- Communicating via audio-only phone calls
Likely noncompliant examples include
- Texting, emailing, or leaving voicemails to communicate with the patient if not through platforms with which the parties have executed a BAA