HIPAA Compliance

Is Aesthetix CRM HIPAA Compliant?

Yes, Aesthetix CRM can be used in a HIPAA-compliant manner, and it is designed for this use. Aesthetix CRM was created with security and privacy in mind. Aesthetix CRM has many features, but the first and most important point is that all data stored on the platform is stored in a HIPAA-compliant manner (encrypted at rest). All of our secure and standard communication methods can be used in a HIPAA-compliant manner.

HIPAA Privacy & Security Rule Compliance

HIPAA Title II

Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:

  • National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit national provider identifier number, or NPI.

  • Transactions and Code Set Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.

  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.

  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.

  • HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.

The two requirements that apply to the relationship between HighLevel, a customer Agency, and the agency’s client (the Practice) are the HIPAA Privacy Rule and the HIPAA Security Rule. The details of each of these rules can be found here: 

Security

Our database automatically encrypts all data before it is written to disk. No setup or configuration is required, and you do not need to modify how you access the service. The data is automatically and transparently decrypted when read by an authorized user.

With server-side encryption, Google manages the cryptographic keys on your behalf using the same hardened key management systems that we use for our encrypted data, including strict key access controls and auditing. Each database object’s data and metadata are encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.
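The paragraph above describes the usual two-layer ("envelope") scheme: each object is sealed under its own data key (DEK) with AES-256, and the DEK is in turn sealed under a master key (KEK) that is rotated on a schedule. The following Go program is an added illustration written for this page, not Aesthetix CRM's or Google's code, and makes no claim about how their key management works internally. It assumes AES-256-GCM for both layers, a version number on each record to track which master key wrapped its DEK, and a constructed sample plaintext. The point worth seeing in code is that rotating the master key only re-wraps the small DEK and never touches the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what would be persisted for one stored object: the ciphertext
// sealed under a per-object data key (DEK) and that DEK wrapped under a
// master key (KEK). The KEK itself stays inside the key-management layer.
type Record struct {
	KEKVersion int    // which master key wrapped the DEK (rotation bookkeeping)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// NewKey returns a fresh random 256-bit AES key (used for both KEKs and DEKs).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// kekAAD binds the wrapped DEK to the master-key version it was wrapped under,
// so a record cannot be silently re-labelled as belonging to another version.
func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

// seal encrypts plaintext under key with AES-256-GCM and a random 96-bit nonce,
// returning nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modification of the blob or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt produces a Record: a one-off DEK seals the data, the KEK seals the DEK.
func Encrypt(kek []byte, kekVersion int, plaintext []byte) (*Record, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, kekAAD(kekVersion))
	if err != nil {
		return nil, err
	}
	return &Record{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK for the record's version, then opens the data.
func Decrypt(kek []byte, rec *Record) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, kekAAD(rec.KEKVersion))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new master key. The bulk ciphertext is
// left untouched, which is what makes regular master-key rotation cheap.
func RotateKEK(oldKEK, newKEK []byte, newVersion int, rec *Record) error {
	dek, err := open(oldKEK, rec.WrappedDEK, kekAAD(rec.KEKVersion))
	if err != nil {
		return fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, kekAAD(newVersion))
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.KEKVersion = wrapped, newVersion
	return nil
}
```

Typical use is `rec, _ := Encrypt(kek1, 1, plaintext)`, later `RotateKEK(kek1, kek2, 2, rec)`, after which only `kek2` can recover the data. Because GCM authenticates both layers, a flipped byte in the stored ciphertext or an attempt to read a record with a retired master key fails loudly instead of returning garbage, which is the behaviour a defender wants from encryption at rest.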

Standard (“Non-Secure”) Communication

SMS, Email, Phone Calls, WhatsApp messages, Instagram DMs, Facebook Messages, and Google My Business messages are Standard (Non-Secure) Communications. Please note that these conversations are stored in a HIPAA-compliant manner, and some of these communications are encrypted when sent to patients. All of these communication modalities require that information leave Aesthetix CRM’s control before it can reach its intended recipient. Because of this, Aesthetix CRM cannot guarantee the security of standard communication throughout its entire journey. Importantly, this is not unique to Aesthetix CRM; these communication channels have this limitation no matter which provider is powering them. Despite this, standard communication channels can still be used in a HIPAA-compliant manner, provided that you take care to use them correctly.

A few key standard communication channels:

Phone Calls

Twilio powers the Aesthetix CRM phone system. The technology underlying Aesthetix CRM telephony, including voicemail storage and transcription, is HIPAA-compliant.

All PHI is stored within the Aesthetix CRM app and not in insecure areas of your personal phone, such as your phone’s general contact book. Patient names, phone numbers, call history, and voicemails are stored securely within Aesthetix CRM.

Email Messages

You can send one-on-one or mass marketing email messages on Aesthetix CRM. On your end, you still compose messages in the Aesthetix CRM app, but the recipient will receive them as standard emails in their inbox on their personal device. With this type of messaging, the email recipient does not need to have a secure account. Because of the limitations of email itself, we cannot guarantee the full security of messages sent with this technology. We store all emails on the Aesthetix CRM platform in a HIPAA-compliant manner and apply HIPAA-compliant encryption to all mail in transit. However, we cannot control the patient’s device or security settings. Despite this, email can still be used in a HIPAA-compliant manner in many cases. Typically, establishing patient preference for this channel is an important step in regulatory compliance. See below.

Text Messages (SMS)

You can send traditional SMS text messages on Aesthetix CRM. On your end, you still compose messages in the Aesthetix CRM app, but the recipient will receive them as standard SMS text messages on their personal device. With this type of messaging, the text recipient does not need to have a secure account. Because of the limitations of SMS itself, we cannot guarantee the full security of messages sent with this technology. Despite this, SMS texting can still be used in a HIPAA-compliant manner in many cases. Typically, establishing patient preference for this channel is an important step in regulatory compliance, and the good news is that this is straightforward to do.

Establishing Patient Preference

Your patients may prefer to use standard channels, such as SMS texting, to communicate with you. If this is the case, and you have also made those patients aware of potential security limitations and offered secure alternatives, you have a strong argument that your use of such channels is compliant with the requirements of HIPAA. In such cases, you might prefer to document this patient preference for your records.

You can use this template to document your patients’ written consent and preference for the use of standard, unencrypted email and text messaging (SMS) for medical communication:

I, [Patient Name], hereby consent and state my preference to have my provider, [Provider Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing.

I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party.


Please Note: This template is not legal advice and is provided for general guidance ONLY. Please consult with legal counsel to consider the specifics of your situation.
