At Doctible, we constantly invest in processes and technology to support your every effort in upholding HIPAA’s privacy and security rules. Our data infrastructure is HITRUST CSF certified which means that we take extreme measures to protect all data and has all the right processes built in to ensure the security and compliance requirements that apply to a healthcare practice.
The Health Insurance Portability and Accountability Act (HIPAA) was established to govern the security of the data and the confidentiality of patient health information. As per these regulations, your practice is established as a “Covered Entity” and regulates how you use and share any PHI (protected health information) and along with the HITECH Act controls with whom you can share such information. Thus, under these rules, you are a covered entity and Doctible would be classified as a business associate.
Upon joining Doctible, every practice is required to sign a Business Associate Agreement (BAA). Copy of BAA can be found here.
Among other things, Doctible’s privacy and security procedures include the following:
- Doctible does not sell, rent, disclose or use PHI without patient authorization or unless permitted or required by law.
- Doctible employs security measures to store and protect PHI. PHI is firewall-protected and is under electronic surveillance 24 hours a day, 7 days a week.
- Patient data is stored in a highly-secured data center, protected by multi-layer security. This means:
- The servers that house the data are stored in a secured building with multiple layers of physical security.
- At the network level, these servers are placed in a secure subnet and protected by firewalls.
- The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
- Within the database server, the data is stored in an encrypted form. Patient data is stored using AES encryption, with a key size of 256 bits.
Compliance in Communications
Doctible does not engage in any communications that would be classified as “marketing” which requires prior authorization from patients.
- Email: The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending. Since Doctible leverages your practice management software to obtain all patient contact information, it is your responsibility to ensure that you have each patient’s correct email address on file.
- Texting and TCPA compliance: Telephone Consumer Protection Act was created to protect consumers (patients) from unsolicited telemarketing messages (both phone calls and texts). On July 10, 2015, the FCC issued a new Declaratory Ruling/ Order which clarified and expanded the health care exemptions to cover wireless/ cellphones, permitting health care providers to place artificial/ prerecorded voice and text messages to cellphones, without the consumers’ prior express consent, written or otherwise, in order to convey important “health care messages” as defined and covered by HIPAA. Healthcare messages include messages relating to “Appointments and exams”; “Confirmations and reminders”, “Wellness checkups”, “pre-registration instructions”, “pre-operative instructions”, “post discharge followup”, “home healthcare instructions”.
THIS IS NOT LEGAL ADVICE
For questions about these regulations, always confer with your attorney. The information contained herein should not be construed as legal advice.