Is DrChrono HIPAA compliant?

DrChrono is a software platform and mobile application designed to provide healthcare providers with a single solution for electronic medical records and medical practice management. 

DrChrono 

DrChrono is designed for healthcare providers to create easy on-the-go access to various forms of patient data. They offer a range of features and functionalities that enhance the efficiency and convenience of medical practice management. These include:

1. Electronic health records (EHR): Comprehensive patient profiles allow access to a variety of information relating to patient health. DrChrono also allows for alerts and reminders relating to patient allergies and various medical interactions. 
2. Medical billing and revenue cycle management: It manages medical billing as well as the tracking of the revenue cycle of the organization.
3. Scheduling and appointment management: The app and software provide healthcare providers with a centralized calendar for scheduling and managing patient appointments. Waitlist management enables healthcare providers to fill cancellations and optimize appointment availability.
4. ePrescribing: Healthcare providers can create prescriptions without errors from handwritten prescriptions. 
5. Patient engagement and communication: The patient portal allows patients to access medical records and contact healthcare providers. 
6. Reporting and analytics: Generate various reports and analytics on patient data. 

DrChrono and HIPAA compliance 

Business associates agreement

As a software platform that handles sensitive PHI and provides services to healthcare providers, DrChrono is considered a business associate under HIPAA. A business associate is any entity that handles PHI on behalf of a covered entity, such as a healthcare provider.

To comply with HIPAA regulations, DrChrono recognizes the importance of securing patient privacy and security. As mentioned on its website, DrChrono explicitly states the need for covered entities to sign a business associate agreement (BAA) when using its services. The BAA is a legally binding contract that establishes the responsibilities and obligations of Drchrono as a business associate, ensuring that appropriate safeguards are in place to protect PHI.

By signing a BAA, the covered entity and DrChrono establish a mutual understanding of their HIPAA compliance obligations, including the requirements for safeguarding PHI, reporting breaches, and complying with HIPAA regulations.

Covered entities must carefully review and sign a BAA with any business associate, including Drchrono, to ensure HIPAA compliance and protect patient privacy and security when using their services.

Related: Business associate agreement provisions

Security practices and policies

1. Data encryption: DrChrono's security policy states that its data center is physically and electronically secured. They say, "Our servers are protected behind the Internet by using a firewall system that blocks access by unauthorized parties."
2. Access controls: There is no plain text version of user passwords saved. This allows no individual at DrChrono to know the user's password, and upon password recovery, the user is prompted to create a new one. 
3. Role-based permissions: Users within an organization are provided a variety of access levels depending on their position. 
4. Audit trails and logging: Detailed audit trails and logs of system activities are maintained, including user actions, to monitor and track any unauthorized access or suspicious activities. These logs are regularly reviewed to detect and respond to potential security incidents.
5. Regular security audits and assessments: Regular security audits and assessments are conducted to evaluate the effectiveness of its security controls and identify any vulnerabilities or areas for improvement. This helps ensure ongoing compliance with industry best practices and regulatory requirements.

Conclusion

DrChrono is HIPAA compliant. When considering the use of Drchrono or any other HIPAA compliant software, it's recommended that healthcare providers thoroughly review the security measures and capabilities of the platform, including data encryption, access controls, and compliance with industry standards like HIPAA, to ensure the protection of patient information.

Related: HIPAA Compliant Email: The Definitive Guide