Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Can I use Updox and be HIPAA compliant? (2023 update)

Picture of Hoala Greevy Hoala Greevy December 27, 2022

HIPAA Compliance
Can I use Updox and be HIPAA compliant? (2023 update)

We've been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

Today we will determine if Updox is a HIPAA compliant telehealth service or not.

 

About Updox

Updox is a healthcare communication and collaboration platform that helps healthcare providers, payers, and other organizations to manage and improve their interactions with patients and other stakeholders. It is designed to provide a secure, convenient, and efficient way to exchange messages, documents, and other information.

Updox includes a range of features and tools to support healthcare communication and collaboration, such as secure messaging, appointment scheduling, document management, and integration with other healthcare systems and tools. It is available on a range of devices, including desktop computers, mobile phones, and tablets, and can be accessed through a web browser or through dedicated mobile apps.

Updox is designed to meet the strict security and privacy requirements of the healthcare industry, and it is compliant with relevant regulations such as HIPAA. It is intended to help healthcare providers, payers, and other organizations to improve patient care, reduce costs, and increase efficiency by enabling them to more easily communicate and collaborate with each other and with patients.

 

Updox and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We checked the Updox site and found the relevant answers on their Security Statement and Master Service Agreement pages.

For example, the Updox BAA is included as part of exhibit A of their MSA:

 

 

Exhibit A: HIPAA BUSINESS ASSOCIATE AGREEMENT

Last Modified: 06/10/2021

This HIPAA Business Associate Agreement (“BAA”) amends and is made part of that certain Master Services Agreement (“Service Agreement”), by and between you (“Entity”) and Updox LLC (“Associate”).

Entity and Associate agree that the parties incorporate this BAA into the Service Agreement in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth at 45 C.F.R. Parts 160 and Part 164 (the “HIPAA Rules”). To the extent Associate is acting as a Business Associate of Entity pursuant to the Service Agreement, the provisions of this BAA shall apply, and Associate shall be subject to the penalty provisions of HIPAA as specified in 45 CFR Part 160.

 

 

Notification of Enforcement Discretion

Note: With the expiration of COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023, and the subsequent 90-calendar day transition period ending on August 9, 2023, using non-compliant apps for healthcare may expose providers to penalties and privacy risks. It is crucial to evaluate current technology and procedures and transition to HIPAA compliant solutions during this period to ensure patient privacy, data security, and compliance with federal regulations.

 

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Amazon Chime
  • Apple FaceTime
  • Doxy.me
  • Facebook Messenger
  • Google Hangouts video
  • Google Hangouts
  • iMessage
  • Jabber
  • Signal
  • Skype
  • Spruce Health Care Messenger
  • Updox
  • VSee
  • WhatsApp
  • Zoom

 

See also: HIPAA privacy and security guidelines as they relate to telehealth

 

Is Updox HIPAA compliant?

The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.

As we noted earlier, Updox is willing to sign a BAA with its customers. In fact, it's included in their Master Service Agreement.

In addition, Updox is considered by HHS as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it would allow healthcare entities to use Updox and not be liable for HIPAA fines even if they did not offer a BAA to their customers.

Conclusion: Updox is HIPAA compliant.

 

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.