Is Doctible HIPAA compliant?

Doctible has been mentioned on calls with our customers recently, so we decided to dig into the details of its HIPAA compliance. Although the company markets directly to the healthcare industry, there are some important caveats in the fine print about how you are allowed to use the product that providers should keep in mind.

About Doctible

Doctible offers products for engaging patients and automating the back-office workflow. It leverages text and email to help collect payments, schedule appointments, send patient reminders, and more.

Doctible and the business associate agreement

The Health Insurance Portability and Accountability Act (HIPAA) was established to govern the security of the data and the confidentiality of patient health information. As per these regulations, your practice is established as a “Covered Entity” and regulates how you use and share any PHI (protected health information) and along with the HITECH Act controls with whom you can share such information. Thus, under these rules, you are a covered entity and Doctible would be classified as a business associate. Upon joining Doctible, every practice is required to sign a ' Business Associate Agreement (BAA).

Doctible and marketing

HIPAA defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”  In general, HIPAA requires written authorization before a covered entity can use PHI for marketing purposes.  However, there are many types of communication that HIPAA does not consider marketing and which therefore do not require prior authorization to discuss with patients. 

SEE ALSO: HIPAA Definition of Marketing Explained

On its HIPAA information page, Doctible says that the company "does not engage in any communications that would be classified as 'marketing' which requires prior authorization from patients." However, the information provided about Doctible's email campaigns seems to tell a different story.  The website says you can use email campaigns to "organically promote your business" by "sending practice updates, newsletters, and seasonal messages . . . to promote your practice in a fun and organic fashion." It also says you can engage with patients "to announce specials, emergency closures, create newsletters and more!" This seems like a contradiction.  Promoting a business and announcing specials would encourage patients to purchase a product, so it seems like this would clearly fall under HIPAA's definition of marketing (or anyone's, for that matter).

Is Doctible HIPAA compliant?

The business associate agreement is a key component to HIPAA compliance, and Doctible requires every customer to sign one. However, although the platform states that providers cannot use its products to market their businesses, the example use-cases it provides for the campaigns feature seems to tell a different story.

Conclusion

Doctible is HIPAA compliant, but it is unclear how healthcare providers are allowed to use it.

HIPAA email marketing tools comparison

• Sign a BAA
• Provide military-grade encryption
• Allow you to include PHI in your marketing emails
• Allow patients to read your emails directly from their inbox with no extra steps

In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing.

SEE ALSO: Why Paubox Marketing is the Best HIPAA Email Marketing Solution Available

(** To use Oracle Eloqua in a HIPAA compliant manner, recipients receive two emails for every message you send. Patients must also log into a secure message center to view your message— it does not appear in their inboxes. This creates friction and makes it less likely that your patients will read your marketing email.)