The healthcare industry relies on secure and compliant communication platforms to handle protected health information (PHI). ClickSend, a cloud-based communications platform, offers various messaging services. This article will assess whether ClickSend is HIPAA compliant.
What is ClickSend?
ClickSend is a cloud-based communication platform that enables businesses and individuals to send and receive messages through various channels, including:
It provides a solution for customer engagement, notifications, marketing campaigns, and more. With its interface and integration capabilities, ClickSend claims to streamline communication processes for businesses across various industries.
ClickSend's privacy and security features
- Industry-standard encryption protocols, such as secure sockets layer (SSL)/transport layer security (TLS), for secure data transmission.
- Secure data centers with robust physical and network security measures.
- Compliance with relevant data protection laws, such as the General Data Protection Regulation (GDPR).
Is ClickSend a business associate?
Under HIPAA, a business associate is an entity that handles PHI on behalf of a covered entity, such as a healthcare provider. Determining whether ClickSend qualifies as a business associate is dependent on the extent to which it handles PHI.
Related: How to know if you're a business associate
Business associate agreement (BAA) provisions
Business associate agreement (BAA) provisions outline the responsibilities, obligations, and safeguards required for a business associate when handling PHI. By signing a BAA, the service provider acknowledges their commitment to maintaining the privacy and security of patient information.
BAA provisions typically include:
- Permitted uses and disclosures of PHI: The BAA specifies the purposes for which the business associate may use or disclose PHI, ensuring compliance with HIPAA's "minimum necessary" principle.
- Safeguards and security measures: The BAA outlines the specific security measures the business associate will implement to protect PHI, including administrative, physical, and technical safeguards.
- Reporting and breach notification: The BAA defines the process for reporting and investigating any potential breaches of PHI, as well as the requirements for breach notification to the covered entity.
- Subcontractor agreements: If the business associate engages subcontractors who will have access to PHI, the BAA should require those subcontractors to comply with the same privacy and security standards.
- Access, amendment, and accounting: The BAA addresses the business associate's obligations regarding individuals' rights to access, amend, and receive an accounting of their PHI.
- Termination and data return/destruction: The BAA specifies the actions to be taken upon termination of the agreement, including the return or destruction of PHI in the business associate's possession.
Related: Business associate agreement provisions
ClickSend and the BAA
According to information available on ClickSend's website, their data center infrastructure provided by AWS is HIPAA compliant. However, ClickSend, as an organization, does not claim HIPAA compliance and is unable to sign BAAs referring to HIPAA compliance. The inability to sign BAAs means that ClickSend does not meet all the criteria required for full HIPAA compliance.
ClickSend states, "While our data centre is HIPAA compliant our organisation is not, we will be unable to sign any BAAs referring to HIPAA compliancy."
Is ClickSend HIPAA compliant?
While ClickSend provides privacy and security features, their organization's stance on signing BAAs suggests they may not be HIPAA compliant. Healthcare organizations requiring HIPAA compliance should exercise caution when considering ClickSend as their communication platform and instead choose explicitly HIPAA compliant messaging platforms.
Conclusion: ClickSend may not be HIPAA compliant
Liyanda Tembani
