The HIPAA compliant CRM checklist

Customer relationship management (CRM) refers to software that helps businesses improve current and future client relationships. And in healthcare, it allows providers to interact with patients meaningfully and productively.

But the rise in tools like CRMs also means an increased need to ensure the technology is HIPAA compliant.

Related: HIPAA compliant email: The definitive guide

Why it matters

A CRM can collect and analyze protected health information (PHI) to help providers interact with patients. A good CRM platform organizes patient data efficiently, reduces work time, improves marketing strategy, and personalizes customer interaction.

The HIPAA Act considers PHI something as simple as a name. Healthcare workers spend a lot of time handling sensitive data, so they must defend PHI from unnecessary (and unsecured) use and disclosure.

Here is a checklist to help you assess if your CRM platform is HIPAA compliant.

HIPAA and CRM software

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Title II is most associated with the act and establishes PHI and ePHI (electronic PHI) privacy and security standards. The Privacy Rule sets the guidelines for using and disclosing patients' data. And the Security Rule sets the necessary administrative, technical, and physical safeguards to protect PHI/ePHI.

The HIPAA industry is vast, so we understand why healthcare organizations use technology to make things more efficient. A CRM platform can offer a combination of sales, marketing, and collaboration features to centralize contacts, prioritize needs, and boost overall productivity. It can replace multiple databases, spreadsheets, and paper files.

CRMs streamline patient management, improving the experience of both patients and employees. Such tools encourage healthcare providers to do more for patients.

Many CRM platforms are available, but not all meet HIPAA requirements for encryption, data backup, and access controls. And not all will provide HIPAA assurance through a signed business associate agreement (BAA).

Which CRMs will sign a BAA?

A business associate is a person or entity that performs certain functions or activities that involve PHI. A CRM platform would fall into this category, meaning it must sign a BAA. The Privacy Rule allows healthcare providers to disclose PHI if a business associate guarantees it is protected through a BAA.

Related: When should you ask for a business associates agreement?

We've researched CRM tools to see which companies will sign a BAA and, therefore, may be HIPAA compliant. CRM companies that appear to sign a BAA include:

• Pega
• PlanPlus Online
• Zoho CRM
• Salesforce Health Cloud

And some do not appear to or won't sign a BAA:

• HubSpot
• Optimove
• SharpSpring

It is ultimately up to every healthcare organization to ensure HIPAA compliance.

The HIPAA compliant CRM app checklist

Like all healthcare technology, CRM tools need strong protections, given their numerous access points. Use this checklist to ensure your chosen CRM company keeps you HIPAA compliant.

• Confirm your CRM company will sign a BAA, then get the agreement signed.
• Ensure you and the business associate prioritize security controls customized to meet your needs.
• Properly configure your CRM platform. Employ defensive (i.e., perimeter defenses like firewalls) and offensive strategies to block breaches.
• Backup the data offline and (possibly) to more than one location.
• Configure your CRM to tailor emails and mailings to specific groups of patients or potential patients.
• Obtain written consent from patients to use and disclose any PHI.
• Limit access to authorized staff.
• Train staff in compliance and cybersecurity so they can properly utilize CRM and understand the responsibilities, regulations, policies, and procedures.
• Continuously monitor activity.
• Develop a breach notification plan for possible inadvertent or deliberate breaches.

And as always, stay on top of changes to HIPAA and other state/federal regulations.

Read more: Understanding medical record retention requirements by state

Technology use that is smart, safe, and HIPAA compliant

Nowadays, healthcare providers embrace new technologies that leverage data and digital tools to deliver vital patient care. The increase in technology use demonstrates just how far healthcare organizations have recently come.

One thing that cannot be forgotten while healthcare access to digital technologies grows is the HIPAA Act. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. For example, the 2015 Anthem, Inc. breach cost $16 million in HIPAA violations and $115 million from a class-action lawsuit.

But the costs don't stop there. A deliberate or accidental breach could lead to ransom payments, downtime, and angry patients. Avoiding a breach means avoiding such costs and continuing to properly treat patients.

Healthcare focuses on patient care; that should include finding new patients and retaining existing ones. This is where a CRM platform tailored to healthcare organizations can offer benefits and promote organizational growth. You can further ensure healthy and happy patients by using a HIPAA compliant checklist like the one above.