The HIPAA compliant scheduling app checklist

Using a healthcare-focused scheduling app helps patients and practitioners easily schedule and remember appointments. But like all healthcare communication, security and HIPAA compliance are fundamental. 

Related: HIPAA compliant email: The definitive guide

Why it matters:

The HIPAA Act considers something as simple as a name as protected health information (PHI), to defend from unnecessary use and disclosure, so healthcare practitioners must ensure a scheduling app is HIPAA compliant. HIPAA requires safeguarding all PHI recorded and stored in a scheduling app according to security guidelines. 

So here is a checklist to assess if your scheduling app is HIPAA compliant.

HIPAA and scheduling apps

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Title II is most associated with the act and establishes PHI and ePHI (electronic PHI) privacy and security standards. The Privacy Rule sets the guidelines for using and disclosing patients' data. And the Security Rule sets the necessary administrative, technical, and physical safeguards to safeguard PHI/ePHI.

The idea is to restrict access to PHI and monitor how to properly communicate it. 

Scheduling apps allow patients to book appointments and receive reminders via email or text message. Such tools improve appointment attendance rates, reduce logistics workload, and enhance patient satisfaction by offering convenience and ease. But when scheduling appointments, some may need to include PHI (e.g., a name or reason for an appointment).

That is why it is vital to protect a patient's confidentiality. Many scheduling apps are available, but not all meet HIPAA requirements of encryption, data backup, and access controls. And not all will provide HIPAA assurance through a signed business associate agreement (BAA).

Which scheduling apps will sign a BAA?

A business associate is a person or entity that performs certain functions or activities that involve PHI. A scheduling app would fall into this category, which means the company that created the app must sign a BAA. The Privacy Rule allows healthcare providers to disclose PHI if a business associate guarantees it is protected through a BAA.

Related: When should you ask for a business associates agreement?

We've done the hard work and researched several scheduling apps to see if they will sign a BAA and, therefore, may be HIPAA compliant. Those that will sign (or appear to sign) include:

• Acuity Scheduling
• awarenow
• CareCloud
• CentralReach
• NexHealth
• NueMD
• Phreesia
• PracticeSuite
• RXNT
• ScheduleOnce
• Setmore
• SimplyBook
• WebPT
• Zocdoc

And those that we know won't sign a BAA and should be avoided:

• Appointlet
• Calendly
• HoneyBook

The HIPAA compliant scheduling app checklist

Maintaining patient privacy and complying with HIPAA regulations is essential when communicating to and with patients. Use this checklist to ensure your chosen scheduling app keeps you HIPAA compliant, and your patients' PHI secure.

• Check our list above and ensure your scheduling app will sign a BAA, then get the agreement signed.
• Ensure you and the business associate utilize layered cybersecurity tools that you can customize security to meet your needs. Employ defensive (i.e., perimeter) and offensive strategies to block breaches.
• Remove unencrypted PHI when sending schedule reminders through email or text notifications.
• Set the scheduling app so that it doesn't
• Sync with third-party calendars
• Include any PHI on public-facing calendars.
• Obtain written consent from patients to use and disclose any PHI.
• Limit access to authorized staff only. And for staff with access, ensure they understand the responsibilities, regulations, policies, and procedures.
• Train staff in compliance and security so they can properly utilize scheduling apps.
• Develop a breach notification plan for possible inadvertent or deliberate breaches.

And as always, stay on top of changes to HIPAA and other state/federal regulations.

Technology use that is smart, safe, and HIPAA compliant

Nowadays, healthcare providers embrace new technologies that leverage data and digital tools to deliver better health outcomes. Scheduling apps are just one example.

One thing that cannot be forgotten while healthcare access to digital technologies grows is the HIPAA Act. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. For example, the 2015 Anthem, Inc. breach cost $16 million in HIPAA violations and $115 million from a class-action lawsuit.

But the costs don't stop there. A deliberate or accidental breach could lead to ransom payments, downtime, and angry payments. Avoiding a breach means avoiding such costs to properly treat patients.

Patient trust is vital to patient care, so it is important to always safeguard their identities. By using a HIPAA compliant checklist like the one above, you can guarantee safe treatment and better health outcomes.