Text messaging is one of the most effective ways companies can communicate with clients. In fact, as of May 2020, SMS open rates are amongst the highest in the marketing mix: 99% of messages are opened, and 95% are opened and responded to within the first three minutes of being delivered. While adding a text messaging marketing plan to an overall marketing strategy might sound obvious based on these statistics, key decision-makers in the healthcare space need to make absolutely sure they are not violating HIPAA rules when they use these services. In this blog, we’ll go over one such provider, Avochato, and find out whether or not it is HIPAA compliant.
What is Avochato?
Avochato is a platform that allows for one-on-one text message communication with clients. In the realm of healthcare, covered entities or business associates would use it to communicate with patients. The Avochato platform also provides internal teams with organizational templates, auto-assignment notes, tags, and conversation history for cross-collaboration across SMS, MMS, and voice-call communications.
The business associate agreement and HIPAA compliance
A business associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity. If a business associate handles, stores, or in any way uses PHI for a covered entity, then a business associate agreement (BAA) must be in place. A BAA is a written contract between a covered entity and a business associate and is required by law for HIPAA compliance.
Is Avochato HIPAA compliant?
While Avochato might hold the key to some of the strongest marketing results for your practice, it is important to understand that the service is not HIPAA compliant. When asked directly, a representative from Avochato stated that:
Avochato is not HIPAA compliant. From our research true HIPAA for SMS requires a stream of compliance meaning . . . providers like Twilio, Messagebird, and Ytel would need to be [HIPAA compliant] and so would the actual carriers (Verizon, AT&T, Sprint, etc).
This means that every business involved in delivering Avochato’s text messages would need to be HIPAA compliant before Avochato could claim HIPAA compliance itself. While some telecommunications carriers and cloud messaging platforms will sign business associate agreements, others will not. According to the representative we spoke with, Avochato is open to signing a BAA that has an SMS carveout or an agreement with “some language that makes an exception for SMS.”

That being said, all messages are encrypted at rest. This means that messages from clients stored in the Avochato database are protected by encryption, which makes unauthorized access to that stored data much more difficult. Note that encryption at rest covers only stored messages; it does not change how the SMS itself travels across the carrier network, which is exactly the part of the chain the representative pointed to. Additionally, Avochato does have SOC-2 certification. This means that outside auditors have determined the service trustworthy in five realms: security, availability, confidentiality, processing integrity, and privacy. Having regular audits done in these categories ensures that a SaaS or cloud computing service has done its due diligence and is worthy of handling secured data from normal enterprise partners.

However, these security measures and audit checks do not make Avochato HIPAA compliant. Healthcare providers are subject to additional rules that most companies are not. Partnering with any business that does not guarantee HIPAA compliance always carries the risk of leaving you liable for millions of dollars in HIPAA fines in the event of a data breach.

Conclusion: Avochato is not compliant with HIPAA regulations because it relies on other cloud platforms and telecommunication carriers which may not be HIPAA compliant.
How HIPAA compliant email can help
While a text message marketing platform like Avochato is not a HIPAA compliant option for outreach to your patients, email continues to be a proven marketing powerhouse. And unlike mobile messaging platforms that may rely on carriers that will not sign a BAA, HIPAA compliant email solutions like Paubox Email Suite don’t rely on carriers, and Paubox signs a BAA for every customer. With Paubox Email Suite, every email you send from your regular email platform (like Google Workspace or Microsoft 365) is encrypted by default. Emails arrive directly in your recipient’s inbox, with no password or portal required. Paubox also offers a HIPAA compliant email marketing solution that allows you to send personalized email marketing to grow your business and increase patient engagement at the same time. Paubox can help you do a fantastic job of engaging your target audience without breaking the rules.