HIPAA Compliance

Is Aesthetix CRM HIPAA Compliant?

Yes. Aesthetix CRM can be used in a HIPAA-compliant manner and is designed for this use. It was created with security and privacy in mind. Among its many features, the most important is that all data stored on the platform is stored in a HIPAA-compliant manner (encrypted at rest). All of our secure and standard communication methods can also be used in a HIPAA-compliant manner.

Standard (“Non-Secure”) Communication

SMS, email, phone calls, WhatsApp messages, Instagram DMs, Facebook messages, and Google My Business messages are Standard (Non-Secure) Communications. Please note that these conversations are stored in a HIPAA-compliant manner, and some of these communications are encrypted when sent to patients. All of these communication modalities require that information leave Aesthetix CRM’s control before it can reach its intended recipient, so Aesthetix CRM cannot guarantee the security of standard communication throughout its entire journey. Importantly, this is not unique to Aesthetix CRM; these channels have this limitation no matter which provider powers them. Despite this, standard communication channels can still be used in a HIPAA-compliant manner, provided that you take care to use them correctly.

A few key standard communication channels:

Phone Calls

Twilio powers the Aesthetix CRM phone system. The technology underlying Aesthetix CRM telephony, including voicemail storage and transcription, is HIPAA-compliant.

All PHI is stored within the Aesthetix CRM app and not in insecure areas of your personal phone, such as your phone’s general contact book. Patient names, phone numbers, call history, and voicemails are stored securely within Aesthetix CRM.

Email Messages

You can send one-on-one or mass marketing email messages on Aesthetix CRM. On your end, you still compose messages in the Aesthetix CRM app, but the recipient receives them as standard emails in their inbox on their personal device. With this type of messaging, the email recipient does not need to have a secure account. Because of the limitations of email itself, we cannot guarantee the full security of messages sent with this technology. We store all emails on the Aesthetix CRM platform in a HIPAA-compliant manner and apply HIPAA-compliant encryption to all mail in transit. However, we cannot control the patient’s device or security settings. Despite this, email can still be used in a HIPAA-compliant manner in many cases. Typically, establishing patient preference for this channel is an important step in regulatory compliance; see below.

Text Messages (SMS)

You can send traditional SMS text messages on Aesthetix CRM. On your end, you still compose messages in the Aesthetix CRM app, but the recipient receives them as standard SMS text messages on their personal device. With this type of messaging, the text recipient does not need to have a secure account. Because of the limitations of SMS itself, we cannot guarantee the full security of messages sent with this technology. Despite this, SMS texting can still be used in a HIPAA-compliant manner in many cases. Typically, establishing patient preference for this channel is an important step in regulatory compliance, and the good news is that this is straightforward to do.

Establishing Patient Preference

Your patients may prefer to use standard channels, such as SMS texting, to communicate with you. If this is the case, and you have also made those patients aware of potential security limitations and offered secure alternatives, you have a strong argument that your use of such channels is compliant with the requirements of HIPAA. In such cases, you might prefer to document this patient preference for your records.

You can use this template to document your patients’ written consent and preference for the use of standard, unencrypted email and text messaging (SMS) for medical communication:

I, [Patient Name], hereby consent and state my preference to have my provider, [Provider Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing.

I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party.

Please Note: This template is not legal advice and is provided for general guidance ONLY. Please consult with legal counsel to consider the specifics of your situation.