HIPAA has a lot of moving parts (and requirements). To help you, we've ensured that Cliniko can provide the functions that you need in order to be HIPAA-compliant. Throughout this article, we'll discuss how each feature works.
There's also an account-wide HIPAA-compliance setting that, when turned on, will automatically enable the features described in this article. It's important to note, however, that they can be turned off (or on) individually at any time.
Please keep in mind that while we've provided you with the tools you need in order to be HIPAA-compliant, your account may not meet requirements if you choose to use any features of Cliniko that may not comply with HIPAA regulations. It's important that you review the settings within your account to be sure that you're meeting the requirements.
Read on for how your account will function with HIPAA-compliance settings in place.
The HIPAA-compliance setting
You're able to turn on all HIPAA-related features by turning on the "Enable support for HIPAA compliance" setting. This can be found by heading to Settings, and then Patient privacy.
Simply turn it on, and then save!
Anonymise appointments, invoices, and payment receipts if a patient is deleted
If you delete a patient, all of their associated records get deleted—except for appointments, invoices, and payments, which you probably need for record keeping! These can be anonymised, so the patient's name or other Protected Health Information (PHI) will not show up.
Hide patient names in practitioner booking notifications
Practitioners can receive email and/or SMS notifications when an appointment is booked or cancelled. Normally, these include the name of the patient—however, the patient names can be hidden, meaning PHI won't be visible in these messages.
Prevent invoices, payment receipts, and account statements from being emailed from Cliniko
Invoices, payment receipts, and account statements may contain PHI. With this in mind, it may not be HIPAA-compliant to email these documents to someone (your patient, or a third party) from Cliniko directly.
With this setting turned on, the "Email" buttons will not be shown on invoices, payment receipts, and account statements—meaning that no one can email them directly from Cliniko.
Hide patient names from an external calendar
If you've integrated your Cliniko account with an external calendar, appointment details are sent to that calendar. It may not be considered HIPAA-compliant to store patient names outside of your practice management system (in this case, Cliniko), so you have the option to prevent names from being sent to that other calendar.
Hide patient names from browser tabs
When viewing a patient-specific page in Cliniko, their name might be a part of the "page title"—this means that on some occasions, it might show up on page tabs and in your browsing history. With the restriction in place, names will only show up on the actual page—not in tabs or when viewing your browsing history.
You'll be presented with an alert if you're about to proceed with an action that may not be considered HIPAA-compliant, for example, if you're going to send an SMS message from Cliniko.
When HIPAA settings are enabled, you'll be able to trace various activity that occurs in (and around) your account. All activity logs can be exported from your account via the "user actions" data export.
That will give you a spreadsheet where you can see any activity that has occurred in your account.
Please keep in mind that while we've provided you with the tools you need in order to be HIPAA-compliant, your account may not meet requirements if you choose to disable the HIPAA setting, or turn on any features that do not comply with HIPAA regulations. It's important that you review the settings within your account to be sure that you're meeting the requirements.
If you have any questions, you can reach out to our support team, and they can help out! 💬