HIPAA is legislation in the United States of America that requires any US-based healthcare organization to ensure there are adequate protections around Protected Health Information (PHI). As a software provider for your business, it's our job to ensure that we help you with HIPAA compliance by giving you the tools you need to protect the information that you keep in Cliniko.
This guide will let you know how Cliniko can help you to comply with the HIPAA regulations. It's important to note that by following these steps and using the features we've provided, your business won't automatically be compliant with HIPAA—these are specifically to allow your use of Cliniko to be compliant with HIPAA.
Business Associate Agreement
A Business Associate Agreement (BAA for short) is a document that HIPAA requires you (a healthcare business) to have with us (your software provider). While Cliniko doesn't directly collect PHI, it's used to store PHI. It's basically meant to ensure that both parties (you and us) are adhering to HIPAA, and it outlines what's required on each side if a breach were to occur.
You can request a BAA from within your Cliniko account's patient privacy settings.
Appointed Privacy Officers
As required by HIPAA, we've appointed Privacy Officers. These folks will ensure that Cliniko remains compliant—as well as make sure that BAAs are sent out and completed in a reasonable time! They're also responsible for ensuring that all Cliniko team members are properly trained on HIPAA and understand the importance of securing PHI.
Our Privacy Officers can be contacted at email@example.com.
"HIPAA" privacy setting
Cliniko is used worldwide, so not everyone who uses Cliniko needs to abide by HIPAA. So that we know who requires HIPAA compliance, there's a setting you can enable within Cliniko. This, by default, will turn on HIPAA required settings:
You can find more information in our "turning on HIPAA" article.
There are certain features within Cliniko that may not be compliant with HIPAA—for example, sending an SMS or an email that contains PHI might be on the list of things not to do! To help you make the right choices, there are alerts that will show up on specific pages, depending on what you're doing.
Along with this, there are many third-party integrations that can be used with Cliniko. However, some integrators may not be HIPAA-compliant. We recommend checking that any integrations you use with Cliniko are compliant!
User activity monitoring
Under HIPAA, a patient has the right to know who has accessed their PHI. You can export a CSV spreadsheet file that contains user activity, such as sign-in attempts and various actions that users have taken. This will include users on your Cliniko account, and will also show if the Cliniko support team has accessed anything (this may happen if support is requested and permission given to access specific information).
Cliniko allows for automatic sign-out—if a user is inactive for a certain period of time, they'll automatically be signed out. This helps to secure your account!
While 12 hours is the default duration, we recommend considering the appropriate amount of time for your business. You're able to adjust the duration in your account settings.
Emailing invoices, payment receipts, and account statements
Invoices, payment receipts, and account statements may likely contain PHI—and according to HIPAA, it's no-no to send this type of information via email. Cliniko has a setting which can be turned on that will restrict the ability to email these types of documents directly from the software.
Anonymise patient records when deleted
When a patient is deleted, their associated records will also be automatically deleted. The exceptions to this are appointments and invoices/payment receipts. These will not be automatically deleted, because you likely need to hold onto them for your business records!
You can make it so that none of this information contains the deleted patients, though—this will help to ensure that PHI is removed from your account, while still retaining the records that you need.
Security and encryption
Cliniko information is encrypted in both transit and at rest. At rest, we are using EBS encrypted volumes on all servers. During transmission between customers and Cliniko, we are using TLS (HTTPS) and, where possible, TLS via e-mail. You can learn more on our security page.
In order for Cliniko to function, we may have to utilise certain third-party tools ("sub-processors"). We've ensured that subprocessors that receive PHI on our behalf are compliant with HIPAA. We have also signed BAAs with any subprocessor who may be handling PHI.
These are some of the ways in which Cliniko can assist with you with HIPAA compliance—please note that it is not an exhaustive list, and it's up to your business to ensure that you are (and remain) compliant. For more information on how you can be compliant, visit the US Department of Health & Human Services at https://www.hhs.gov/hipaa/index.html.
As always, if you have any questions about any of this, reach out to our support team via the chat bubble in the lower-right! We'll be more than happy to discuss things with you! 😊