HIPAA Compliance Checker
Most popular search results
Dropbox
Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA friendly.
G Suite
Google uses ISO 27001 certification and SOC 2 and SOC 3 Type II audits. Its BAA covers many of the G Suite products, including Gmail, Google Calendar, and Google Drive (Google Docs, Google Sheets, and Google Slides). For Google Meet, however, the BAA currently only covers the chat messaging feature and doesn’t cover the video chat feature.
Zoom
Zoom has Advanced Encryption Standard (AES) encryption and uses 256-bit keys to protect its meetings. For HIPAA accounts, Zoom enables “Fully Encrypted Persistent Chat,” an encrypted messaging system based on public-key cryptography in which private keys are generated on, and can be stored only on, users’ devices. Zoom incorporates additional security measures to ensure the privacy of PHI. There are two different user authentication requirements, as well as access control measures that regulate who or what can view or use resources on the platform.
Gmail
The free version of Gmail that most people use isn’t HIPAA compliant, but Google’s G Suite can enable HIPAA compliance. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once properly configured, can enable HIPAA compliance.
Gmail is the most widely used email service around, with 1.8 billion users worldwide. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.
HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-friendly emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients can help.
Healthcare workers are sometimes targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of patients. Continuous training improves the chances that your employees won’t fall prey to phishing scams.
Your business needs a straightforward, step-by-step process to help staff comply with both applicable laws, which can include HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among others. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.
If you’re a covered entity, or a business associate of a covered entity, you should have a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.
The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. Email services that enable HIPAA compliance should have strong security features or allow third-party plug-ins that provide the needed security.
Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.
Microsoft Teams
There is no mention of HIPAA or Business Associate Agreements on the Teams homepage; however, a support article on the Microsoft website states that Teams is Tier-D compliant with HIPAA standards. As with Office 365, this basically means as long as users are on the right Microsoft plan, follow the appropriate practices, and sign a Microsoft Business Associate Agreement (BAA), the platform can be used in a way that complies with HIPAA regulations.
In order to enable HIPAA compliance for Office 365, users must be on one of the following plans: Microsoft 365 Business Premium, Microsoft 365 Business Essentials, Office 365 E3, Microsoft 365 E3, Office 365 E5, or Microsoft 365 E5.
Google Drive
Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider may be required to meet HIPAA compliance standards.
Google appears willing to sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA in place is risky.
Healthcare companies have embraced G Suite because of its robust security features and low cost.
Setting up a HIPAA-compliant Gmail account
Simply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly.
Google Meet
Google Meet is part of the Google Workspace suite of apps. Questions about compliance are addressed in the FAQ section on the Google Workspace main page, not individual product pages. Google Workspace claims to support customers’ compliance with HIPAA. Customers who use Google Workspace and its products, including Google Meet, to process and store PHI will need a Business Associate Agreement (BAA) with Google. The BAA process is detailed in the platform’s online Help Center. However, it isn’t clear which paid Google Workspace plans customers need to have in order to access features that enable HIPAA compliance for Google Meet. Those who need to discuss PHI during videoconferences should check with Google before purchasing a paid plan.
Skype
Skype is one of the most well-known videoconferencing tools; hundreds of millions of people worldwide use it. Since being acquired by Microsoft in 2011, Skype has been available on Windows PCs by default. That’s why so many medical practitioners use it. But no software can enable HIPAA compliance on its own. Skype must be configured properly for HIPAA compliance.
OneDrive
OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit electronic patient health information, covered entities should rely on cloud storage solutions that can be used in a HIPAA-compliant manner. OneDrive can enable HIPAA compliance if the organization takes the proper steps. A business associate agreement is an essential part of making any software solution compatible with HIPAA. This agreement states how the parties handling the electronic patient health information (ePHI) will adhere to HIPAA. Without a signed BAA, no technology solution can be considered HIPAA friendly, but Microsoft does provide a BAA. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive seems to fulfill the access control obligation quite well.
FaceTime
FaceTime isn’t designed to be used as a telecommunications tool in a healthcare setting.
Calendly
You won’t find any mention of HIPAA or Business Associate Agreements on the Calendly website. Even the Help Center turns up no search results for the terms.
There is a privacy and security page that covers Calendly’s commitment to trust, its physical infrastructure, PCI certification, security best practices, and GDPR compliance, but again, there’s no mention of HIPAA. In case of concerns about whether Calendly complies with HIPAA and in the absence of any information from Calendly on HIPAA compliance, those who need to abide by HIPAA regulations may want to look for a different scheduling tool.
Square
Square aims to protect both their users and the customers of their users. If the user is subject to HIPAA (as a covered entity or business associate) and dealing with Protected Health Information, the user should sign a BAA with Square. The responsibility to decide whether they need to comply with the HIPAA requirement or not belongs to the user. The user can get more information by checking Square's website.
Google Voice
For HIPAA compliance, users need to purchase a paid plan for G Suite, purchase Google Voice, and sign the G Suite BAA.
Google Docs
Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Additional precautions are recommended, such as backing up Google Docs data.
Slack
HIPAA enablement likely only applies to the messaging and file transfer features of Slack and not to any other Slack features. Caution should be used before relying on the Slack app to communicate with patients, plan members, or their families or employers. With Slack Enterprise Grid, healthcare companies can integrate Slack with their existing medical records system to share and control medical data as part of an overall HIPAA solution.
Office 365
In order to enable HIPAA compliance for Office 365, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.
AWS
Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.
WhatsApp
WhatsApp is one of the most used text messaging apps in the world. After it was bought by Facebook, various security measures such as end-to-end encryption were added. However, currently WhatsApp does not state that it enables HIPAA compliance. For starters, access controls, a BAA, and audit controls would be needed for HIPAA compliance.
Evernote
Although Evernote incorporates some protection features that can prevent unauthorized access, the overall security controls aren’t likely sufficient to meet HIPAA standards.
Evernote can only be used for medical data storage purposes if it’s completely offline and is going to stay offline. The computer that Evernote is set up on should be encrypted in order to prevent unauthorized personnel from accessing the information.
eFax
eFax is an electronic faxing solution that uses advanced security protocols to make sure ePHI is secure both during transmission and in storage. eFax is known as one of the most secure online fax providers.
eFax uses unique user identification and 256-bit SSL encryption to ensure secure document transmission and keep ePHI safe from unauthorized access. eFax also offers secure transport layer security (TLS) encryption protocol, administration privileges to limit access to ePHI, and multilevel audit controls, including secure and automatic fax archiving. Fax transmissions are stored on the eFax cloud and kept safe in Tier III secure servers.
Qualtrics
Qualtrics calls its platform an “industry leader in security.” Among the many certifications it lists on its website is Health Information Trust Alliance (HITRUST). The HITRUST framework helps organizations demonstrate compliance with HIPAA and HITECH regulations. Qualtrics claims to be the only experience management platform that’s HITRUST certified. Though there is no mention of a Business Associate Agreement on the Qualtrics website, a sample Qualtrics Contractor Business Associate Agreement can be found through a Google search.
Box
Box appears to check all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption.
Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.
monday.com
According to the platform’s online knowledge base, customers with 25 or more users on a monday.com Enterprise plan have access to features that enable HIPAA compliance. But if a customer changes to a different plan, they will no longer have access to HIPAA compliance features.
Customers must accept the conditions of the Business Associate Agreement (BAA) and configure their account for HIPAA. The full BAA for HIPAA compliance is online, with step-by-step instructions on how to complete it.
Mailchimp
Mailchimp provides security measures to reduce the risk of unauthorized access, including physical security controls and encryption. Since encryption is built into the service, it may meet certain HIPAA compliance regulations, but using Mailchimp doesn’t guarantee that all HIPAA compliance standards will be met.
According to Mailchimp’s terms and conditions, customers are responsible for ensuring they comply with regulations like HIPAA.
Uploading patient information to a Mailchimp email list likely constitutes a disclosure of protected health information (PHI).
Outlook
The free email platform offered by Microsoft, Outlook.com, doesn’t appear to have been built to handle ePHI securely or to comply with HIPAA. However, Outlook can be used as a HIPAA-friendly service with a paid Office 365 subscription and additional client-side encryption.
For HIPAA compliance features, users must be on one of the following plans: Office 365 Business Premium, Office 365 Business Essentials, Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E2, or Office 365 Enterprise E3.
iMessage
iMessage is an Apple product. The iMessage Support section of Apple’s comprehensive website doesn’t mention HIPAA or Business Associate Agreements. Those features are only mentioned for the Apple Health App. Users who need to use a messaging app for PHI may want to consider the Apple Health App or a different app, rather than iMessage.
Signal
Signal calls itself a secure messenger that offers end-to-end encryption, but there is no mention of HIPAA compliance anywhere on the platform’s website. A search on Signal’s Support page returns no mentions of HIPAA either. Likewise, there is no mention of Business Associate Agreements (BAA) on the website. Those who need a secure messaging app to transmit protected health information may want to use a different tool.
Stripe
Stripe’s website mentions HIPAA only briefly in the Docs section under unsupported use cases. It states that Stripe may not be used to process Personal Health Information (PHI) by a HIPAA-covered entity. There is no mention of Business Associate Agreements (BAA) on the website.
Airtable
Airtable is transparent when it comes to HIPAA compliance. Its website states that Airtable is designed to adhere to the three HIPAA rules — privacy, security, and breach notification — to ensure customers can use the service in a HIPAA-compliant manner. Airtable claims to support HIPAA compliance through Enterprise Key Management, data loss prevention, enterprise single sign-on, and audit logs. HIPAA features are available only with Airtable’s Enterprise Scale Plan, though. Customers can sign Airtable’s Business Associate Agreement.
Grammarly
Grammarly states that it’s committed to security and privacy. The company lists 10 certifications and attestations on its website, including one for HIPAA. However, not all users can access features that enable HIPAA compliance.
Potential users are asked to contact the Grammarly sales team about obtaining a Business Associate Agreement. If you dig further into the Privacy and Security section of the website, you’ll see that the company offers BAAs to those on Grammarly for Business Enterprise plans only. The website states that the organization is trying to “ramp up HIPAA support for…other customers.”
Notion
According to the company’s Help Center, Notion can be configured to enable HIPAA compliance; however, quite a few of its products are excluded from this type of use. The Notion website states that HIPAA features are available to customers on an Enterprise Plan with more than 100 members. Business Associate Agreements (BAA) are offered, but not all features are covered by the agreement. According to Notion’s FAQs about enabling HIPAA compliance, customers that need to use Notion for personal health information (PHI) should be aware of the following limitations:
Notion cannot be used to communicate with patients, plan members, their families, or employees.
Users cannot include PHI in workspace or organization names, teamspace names, file names, account profiles, or user group names.
Support requests can’t contain PHI.
MetroFax
Metrofax offers secure, encrypted fax communication services. The built-in faxing features allow users to quickly send information from a cell phone or computer as a fax.
Even though Metrofax provides encryption to protect transmitted information, it appears to be missing some capabilities required for HIPAA compliance. When sharing PHI through a third-party provider, HIPAA regulations require a signed Business Associate Agreement. This BAA must be in place for Metrofax’s services to meet HIPAA compliance.
Check with Metrofax to see if they will sign a BAA.
Teamviewer
Teamviewer states that it is a HIPAA-friendly remote access solution that allows users to access devices no matter where they are. Security is a key objective for Teamviewer. The company has received multiple security certifications from A-LIGN, a provider that helps businesses implement HIPAA security features.
All of Teamviewer’s remote support, remote access, and online collaboration features maintain privacy and security. This includes end-to-end encryption, which is why many companies trust Teamviewer.
HIPAA has strict standards for the privacy and confidentiality of patient information. When using computers, networks, and mobile devices for PHI, all access and management must follow HIPAA regulations. Additionally, every employee must receive regular HIPAA training. Teamviewer’s security and privacy practices appear to meet HIPAA standards.
Before using Teamviewer with PHI, you must get a signed BAA from the company. Submit an inquiry to Teamviewer customer service for assistance in obtaining the BAA. A signed BAA might be available only for organizations that meet a specific spending threshold.
Wix
Wix is a popular website builder. Passive scanning is done periodically, but customers don’t have access to real-time monitoring to protect against hacking.
Certain Wix features can be HIPAA friendly when paired with other services. Wix partners with Google Workspace to integrate email hosting. When purchasing Wix services, you may meet HIPAA requirements for email if you use specific security settings and sign a BAA with Google.
Quickbooks
Quickbooks has many features to simplify business invoicing and bookkeeping. While this software is effective in a variety of industries, it isn’t recommended for medical billing. Since deductibles, cash payouts, insurance invoices, and co-pays include patient health information, you should be cautious before entering this information into Quickbooks until you know that Quickbooks supports HIPAA compliance.
Some medical clinics use Quickbooks for summarizing revenue and sales receipts. This tool can be a powerful way to track revenue by company, insurance, or even patient category.
You might want to avoid using Quickbooks for patient demographic data, information about physical or mental health conditions of patients, health care services offered to each person, or payment for medical services. According to the US Department of Health and Human Services, medical practitioners shouldn’t use non-compliant software services for the above information if there is “a reasonable basis to believe it can be used to identify the individual.”
If you are in the healthcare industry and use Quickbooks, you should use caution before inputting “individually identifiable health information” into this software.
Carbonite
Carbonite uses internal privacy and security provisions to safeguard medical information.
HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite provides real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.
Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system. Additionally, Carbonite restricts access to software programs.
A Carbonite Safe Pro subscription offers HIPAA compliance features. Carbonite Safe Pro also gives administrators access to view user activity and logins.
Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA friendly.
Salesforce
The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep protected health information (PHI) secure in the cloud. Salesforce includes administrative, physical, technical, organizational, and documentation safeguards to protect PHI.
Customers can use customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to define permission sets that govern the visibility of data, maintain strict password security, monitor field level history, set security rules to manage data access, and define a company-wide sharing model and role hierarchy.
In addition to permission sets, customers can define user profiles to limit data record access to authorized employees.
It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.
If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.
Zapier
Zapier, a widely used automation tool that connects apps and services to automate workflows, has stated that it does not support HIPAA compliance. Despite its robust encryption measures for data transmission and comprehensive activity logging within its network, Zapier’s functionality doesn’t render it HIPAA compliant. Zapier has stated on its website that it won’t sign a Business Associate Agreement (BAA). Because a BAA is required under HIPAA, this prevents Zapier from handling protected health information (PHI) in a HIPAA-compliant manner.
BAAs serve as crucial contractual documents that explicitly define the protocols for storing and exchanging sensitive data between entities. They are an essential component of achieving and maintaining HIPAA compliance. Without a properly executed BAA, an organization cannot use any third-party tool or service to handle sensitive information within the scope of HIPAA regulations.
Zendesk
Zendesk offers two plans — Suite Professional and Suite Enterprise — that the company refers to as “HIPAA enabled.” According to Zendesk, to secure a HIPAA-enabled account, customers must do three things:
1. Purchase the Advanced Security Deployed Associated Service or Advanced Compliance Deployed Associated Service Add-on
2. Set up specific security configurations outlined by Zendesk
3. Sign Zendesk’s Business Associate Agreement (BAA)
On its website, Zendesk provides a list of services eligible for coverage by the BAA.
Google Sheets
Google Sheets has stated that it enables HIPAA compliance. Google Sheets also offers a range of security features including access controls, auditing, and encryption.
Google Sheets is part of Google Workspace, which uses high-level encryption to protect patient health information (PHI). While Google Sheets offers HIPAA-friendly security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to enable HIPAA compliance.
Admin console logs and reports are an important part of HIPAA security for Google Sheets and all other apps in Google Workspace. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for activities like suspicious login attempts, suspending users, activating a suspended user, adding a new user, changing a password, and granting or revoking admin privileges.
In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators.
When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube don’t enable HIPAA compliance, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons from third-party developers.
iCloud
iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to meet HIPAA compliance standards. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls only meet the minimum HIPAA requirements.
When healthcare providers use cloud services with protected health information (PHI), business associates must sign a BAA.
RingCentral
RingCentral is an option that healthcare organizations can use to transmit and store patient health information because it appears to take a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.
The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.
Available security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information should be secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have security protocols with onsite guards and electronic prevention systems.
Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in line with HIPAA requirements.
DocuSign
DocuSign appears to fall into the category of a business associate when healthcare providers use its services for protected health information (PHI). DocuSign offers AES 256-bit encryption for data in transit and at rest. This encrypted information is stored on DocuSign’s servers, and the company states that it doesn’t have access to the information.
DocuSign seems to meet Health and Human Services (HHS) standards for digital signatures.
This service enables HIPAA features through its digital tracking system. Each e-signature has an audit trail that’s fully traceable. DocuSign data centers are SOC 2 audited and ISO 27001 certified.
When signing a document, the service captures names, email addresses, time stamps, signing location, public IP addresses, and document completion status.
While DocuSign offers essential encryption, auditing, and security standards, it’s the responsibility of each customer to ensure that they share and access PHI in a manner that follows HIPAA regulations.
Virtru
Virtru appears to meet the standards for following HIPAA regulations. Virtru provides data protection services that encrypt email and files to protect confidential patient health information (PHI). HIPAA defines specific technical standards for data encryption. Encryption protects files while they are in transit and at rest.
Additionally, Virtru provides administrative controls for managing emails, photos, videos, PDFs, and Office files. You can manage authorization to allow or disallow users to access specific content and types of content. Tracking and monitoring features provide real-time protection for patient information.
Other security features include forwarding restrictions and the ability to revoke messages after they are sent.
Virtru offers client-side email encryption if you’re using the plug-in with on-device encryption. When creating information on the device, the protection occurs immediately (before distribution). Advanced controls allow end-to-end encryption.
Virtru can integrate end-to-end encryption in Gmail. Virtru offers an extra layer of security to strengthen privacy controls after email leaves your inbox.
Doxy.me
The doxy.me website discusses privacy and security as it relates to providers and patients. A telemedicine platform, doxy.me features state-of-the-art security and encryption protocols for data integrity and privacy. The company states that it complies with HIPAA, GDPR, PHIPA/PIPEDA, and HITECH requirements and claims to be secure worldwide. A free Business Associate Agreement (BAA) is included in every plan. For patients, in addition to all data being encrypted, sessions are anonymous. There is no software to download, and users don’t have to create an account to use doxy.me.
Jira
Jira is one of several products offered by software company Atlassian. Among the features spotlighted on the Jira web page are world-class security and compliance. Atlassian claims that it provides comprehensive privacy and security protections that enable customers to operate its products, including Jira, in compliance with HIPAA. This includes security measures to protect PHI; assessments; an annual HIPAA security attestation, gap assessment, and security risk analysis; and regular review of HIPAA policies and procedures.
Per the Jira website, customers who purchase the Standard, Premium, or Enterprise Plan for Jira can enter into a Business Associate Agreement (BAA) with Atlassian.
Sharepoint
Sharepoint has stated that it provides necessary administrative and technical features to meet HIPAA requirements. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage.
Sharepoint is a Microsoft service. The Microsoft website states that Sharepoint online enables HIPAA compliance when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly.
A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more.
If you configure and use Sharepoint correctly, this service can be a HIPAA-friendly solution for information storage, management, and collaboration.
Acuity
Acuity Scheduling is part of the Squarespace platform. While many aspects of Squarespace may not enable HIPAA compliance, Acuity Scheduling includes features designed to allow covered entities to comply with HIPAA regulations.
Customers can manage notification settings to limit access to protected health information (PHI). For example, they can prevent emails from displaying the from and reply-to fields that show the patient’s name and email address. You can contact Acuity to disable the feature that attaches a calendar file (ICS invite) containing the client’s name, appointment time, and appointment type to appointment confirmation and rescheduling messages.
Covered entities should sign up for the Powerhouse Player plan to enable security features required for HIPAA compliance. Access the Customize Appearance section to manage Scheduling Page Options, and then select the option to enter into a BAA using an electronic signature.
Google Calendar
Google Calendar is a service offered through Google Workspace (formerly G Suite) that makes it easy for users to track appointments and manage their schedules. This tool appears to ensure the safety of PHI, as long as you configure the security, access, and audit settings to prevent the disclosure or misuse of PHI.
The default settings in Google Calendar share all information with team members in your domain. Security features allow you to set meetings that involve PHI to “Private” to maintain confidentiality. This setting shows the time as “Busy” without disclosing information about the meeting. With proper privacy settings, the program won’t include PHI, such as the title and description, in the meeting details.
Covered entities should be on a paid Google Workspace Business or Enterprise plan. Paid plans give users the option to manage Google Calendar security controls to meet HIPAA requirements.
Vagaro
Vagaro serves three business sectors: beauty, wellness, and fitness. The only time HIPAA is mentioned on the Vagaro website is under its wellness offerings, specifically its medical spa management software. Vagaro claims its all-in-one booking and management software is HIPAA and EMR compliant but doesn’t provide any details. Business Associate Agreements (BAAs) aren’t mentioned on the site.
Microsoft Azure
Microsoft Azure is a cloud platform of more than 200 products and services. According to the Azure website, its Health Data Services product for protected health information (PHI) meets all regional compliance requirements for HIPAA, GDPR, and CCPA. Azure Health Data Services allows healthcare providers and other users to collect, store, and analyze health data from different sources and in different formats, such as Fast Healthcare Interoperability Resources (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®).
Microsoft has stated that Azure enables “the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside Windows Azure core services.” The company provides customers and partners with a Business Associate Agreement (BAA) for Azure.
ShareFile
On its website, ShareFile states that it has a long history of supporting regulated industries with features that enable HIPAA compliance.
The ShareFile Help Center provides an in-depth HIPAA Support document with an overview of user responsibilities and ShareFile’s HIPAA features. The Help Center document also states that ShareFile with HIPAA support is available only with a ShareFile Premium Account. Per the website, customers must sign the ShareFile Business Associate Agreement (BAA).
GoDaddy
GoDaddy provides a variety of services including website hosting, email management, and domain names. Covered entities can use email services for protected health information, but website hosting services may not meet HIPAA requirements.
For example, basic website hosting plans are on shared servers. Other technical and physical safeguards aren’t in place for these plans. Covered entities shouldn’t use GoDaddy shared hosting for websites containing patient information.
GoDaddy also offers email services through Microsoft Office 365. Two plans, Business Premium and Premium Security, offer HIPAA compliance features. Covered entities may purchase HIPAA-friendly email as an add-on to the service. All email accounts offer the option of full integration with Microsoft Office.
ProtonMail
Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI). ProtonMail includes a HIPAA compliance statement on its website that assures the company will do its part to protect patient data.
Privacy and security features include end-to-end encryption and zero-access data management. The service uses 4,096-bit RSA encryption for all stored communications. Data centers provide physical security for all data backups. The server hardware is located in Switzerland, where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center.
If a user’s device is stolen or lost, a remote wipe feature can protect PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.
ProtonMail states that its employees don’t have access to PHI. ProtonMail also states that it doesn’t store paper copies or printed reports in its facilities.
Telegram
There is a very detailed privacy policy page on Telegram’s website, but it contains no mention of HIPAA or Business Associate Agreements.
The page briefly mentions how to submit GDPR-related queries and mentions secret chats, but it has no information about HIPAA compliance. Though security is a differentiator for Telegram, because of the lack of information about HIPAA on its site, users who need to collect PHI may want to explore using a different messaging app.
Dialpad
Dialpad considers itself a HIPAA-compliant platform with enterprise-level encryption and customizable data retention policies. If you dig a little further into the website, you’ll see Dialpad refer to its products as “HIPAA-ready.” Healthcare clients can sign a Business Associate Agreement (BAA) with one click. The website explains one stipulation with the BAA: It doesn’t cover the use of Dialpad fax for PHI or the use of text messaging to communicate patient information to non-Dialpad users.
Google Hangouts
Google Hangouts is a communication platform available through Google Workspace. The chat messaging feature in Google Hangouts appears to meet HIPAA compliance standards. Its security and privacy controls should be configured before using Google Hangouts for protected health information (PHI). Covered entities must obtain a signed business associate agreement (BAA). If your organization is planning to use Google Hangouts for PHI, refer to Google’s user guide for detailed information about security and privacy controls.
Webex
Healthcare organizations can use Webex as part of their HIPAA compliance. Healthcare practices (covered entities) must ensure that Webex is configured correctly. Cisco states the responsibilities of both parties (Cisco Webex and the customer) for HIPAA compliance. Cisco Webex states that it is responsible for protecting the confidentiality, privacy, and security of PHI, whereas the healthcare provider is responsible for properly classifying and maintaining data. Cisco also offers a Webex HIPAA Self-Assessment.
Venmo
Venmo does not currently state that it meets HIPAA requirements and doesn’t provide HIPAA protection for sensitive patient health information. Since the platform is typically used by individuals to send money to one another, it may not fit all the PHI-related requirements of healthcare organizations.
There are several payment gateways that seem to enable HIPAA compliance, but Venmo, despite being a great payment method for many, is not the best fit for medical institutions to protect PHI.
Trello
Trello is one of several products offered by software company Atlassian. While there is no mention of HIPAA on Trello’s main website, Atlassian Support offers a HIPAA Implementation Guide and an article to further explain HIPAA compliance for Atlassian products. The Implementation Guide states that Atlassian will enter into a Business Associate Agreement for eligible products; however, Trello is not on that list of products.
Firebase
Firebase is a Google product. The Support section of the Firebase website addresses HIPAA and Business Associate Agreements, stating that Google doesn’t intend Firebase to be used for protected health information (PHI). The site goes on to state that Google makes no representations that Firebase services satisfy HIPAA requirements. According to the website, if you are or become a business associate as defined by HIPAA, you must not use Firebase “for any purpose or in any manner involving transmitting protected health information to Google unless you have received prior written consent to such use from Google.”
Genius Scan
There is no specific mention of HIPAA or Business Associate Agreements on Genius Scan’s website, even on the privacy and security overview page.
Google Workspace Business Starter
Google Workspace offers four plans, one of which is the Business Starter plan. Questions about compliance are addressed in the FAQ section on the Google Workspace main page, not individual plan pages. Google Workspace claims it supports customers’ compliance with HIPAA. Customers who use Google Workspace and its products to process and store PHI will need a Business Associate Agreement (BAA) with Google. The BAA process is detailed in the platform’s online Help Center. The website doesn’t mention the BAA being limited to certain plans. However, when you compare the plans in detail, you can see that the three Business level plans — Starter, Standard, and Plus — are missing several of the security and management functions needed for HIPAA compliance. These functions are available only in the Enterprise plan.
Zoho
Zoho’s website provides limited information about HIPAA compliance. Even though its tools aren’t for healthcare entities specifically, many of the security features may meet HIPAA requirements.
These cloud-based services are comparable to those in Office 365 and Google Workspace, with solutions for word processing, custom applications, project management, live chat, app integration, and an IoT management platform.
The company offers technical, physical, and administrative safeguards for all services, but there are questions about whether these privacy features are sufficient for HIPAA regulations.
PandaDoc
PandaDoc appears to have all the necessary safeguards in place to help healthcare organizations comply with HIPAA regulations while using its e-signature features.
The platform touts document encryption, user-level permissions, dedicated monitoring and alerts, and secure architecture to protect electronic patient health information (e-PHI).
According to the PandaDoc website, the platform complies with SOC 2 Type II, GDPR, and eIDAS. The company states that it will provide customers with a signed Business Associate Agreement (BAA).
SendGrid
SendGrid doesn’t mess around when answering this question: “Twilio SendGrid does not natively support HIPAA (Health Insurance Portability and Accountability Act) compliant data transmission.” The platform doesn’t offer any encryption or security measures beyond simple mail transfer protocol (SMTP). SendGrid suggests its users encrypt their emails themselves if they are worried about HIPAA compliance and provide a secure download link for sensitive documents. There is no mention of a Business Associate Agreement (BAA) on the SendGrid website.
Google Forms
Google Forms offers security and privacy configurations that could be made to comply with HIPAA regulations. Covered entities can set the access and visibility of folders and files, as well as grant specific collaborators sharing and editing capabilities.
When configuring Google Forms, administrators should set the sharing permissions to manage data visibility and access. Additionally, admins should disable third-party applications that don’t meet HIPAA privacy standards. Software compliance depends on how the software is used, which is why administrators should adjust privacy settings properly before and while using Google Forms to collect and manage patient information. Other possible HIPAA safeguards include encryption to protect sensitive information, user authentication, and audit controls that track information access.
If a covered entity uses Google Forms to collect protected health information (PHI), it must have a business associate agreement (BAA) in place before collecting PHI through this tool. Google may offer a signed business associate agreement (BAA) that covers Google Forms as well as other Google Workspace services such as Gmail, Docs, Sheets, Calendar, and Slides.
GoToMeeting
GoToMeeting provides technical, physical, and administrative safeguards for online meetings and videoconferences. According to the GoToMeeting website, these security controls meet or exceed HIPAA technical standards. One of these features is end-to-end encryption. Data in transit uses AES 128-bit encryption, including chat information, audio, and video files.
Additionally, logs of session activity and account connection create an audit trail. Account managers can access management and reporting tools to see account activity. When an account is inactive for a certain period of time, an automatic log-off feature requires a new login before the information can be accessed again.
Only authorized individuals can access accounts. Access security features include password protection and unique meeting codes. Meeting organizers have full control over who can join each meeting. GoToMeeting verifies a user’s identity through a unique email address and password.
VSee
VSee provides videoconferencing services and offers secure encryption for audio and video communication on its platform. These security standards are available for both free VSee accounts and paid subscriptions.
Since videoconferencing may involve the exchange of electronic data, including protected health information (PHI), it must meet HIPAA requirements for covered entities. VSee streams video directly from endpoint to endpoint.
Covered entities must consider how video collaboration tools meet HIPAA security requirements. For example, videoconferencing can include screen-sharing, text chat, and file transfer. Videoconferences on VSee are advertised as encrypted with FIPS 140-2 compliant, military-grade 256-bit Advanced Encryption Standard.
PayPal
PayPal’s website doesn’t state that it provides HIPAA compliance features for covered entities, so a covered entity should use caution before using the site to share or store protected health information (PHI).
HIPAA privacy rules require the protection of all “individually identifiable health information.” Demographic data and payment history fall into this category.
WeTransfer
WeTransfer is located in the European Union and is not subject to HIPAA regulations. There is no mention of HIPAA compliance or Business Associate Agreements on the WeTransfer site. For that reason, users who need HIPAA compliance features may want to investigate other file-sharing services.
ClickUp
To get a clear picture of whether or not ClickUp enables HIPAA compliance, you have to pay attention to detail. The website states that the platform is HIPAA compliant only if you purchase the Enterprise plan. Business Associate Agreements (BAAs) are only issued to Enterprise users. Customers on any of the other three ClickUp plans do not have access to HIPAA compliance features.
Grasshopper
Grasshopper’s website states that it does not enable HIPAA compliance and that support team members have access to account information and settings to help with technical issues. This access includes all messages that pass through Grasshopper’s calling, texting, and faxing features.
If protected health information (PHI) passes through these communication tools, it appears possible that unauthorized individuals could access the information. If Grasshopper doesn’t offer HIPAA-friendly services, covered entities shouldn’t use these tools.
HelloFax
Many telecommunications firms act as conduits for data transmission and are exempt from signing a business associate agreement (BAA) through the conduit exception rule. Information shared over the phone or using a standard fax machine is not subject to HIPAA compliance. However, other means of communication, including VoIP, SMS, and digital fax services, must meet HIPAA regulations.
HelloFax provides AES-256-bit encryption for information at rest and TLS encryption for information in transit, to meet the minimum HIPAA standards. Additionally, each document is encrypted with a unique key, and keys are encrypted with a master key that rotates frequently, which means that if unauthorized people gained access to the hard drive, they wouldn’t be able to decrypt the data.
HelloFax advertises “bank-grade” security, including physical and electronic protections. The data center apparently uses strict access controls. Because of these security measures, it may be possible to use the HelloFax system without violating HIPAA requirements.
Shopify
According to the virtual Help Center assistant on the Shopify website, Shopify doesn’t directly support HIPAA compliance. There is no mention of Business Associate Agreements on the main Shopify site or in the Help Center.
Those looking for an e-commerce platform may want to consider a different service.
Avast
Avast offers security features that seem to enable compliance with specific HIPAA regulations. But the only mention of HIPAA on the company’s website is in a press release about Virtual Mobile Platform (VMP). Avast VMP allows users to share photos and medical images securely, without storing the data on a personal device. Also, all IM messages and phone calls are encrypted, which may fit HIPAA requirements.
23andMe
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or other protections related to privacy, security, or minimizing access to PHI. Even though 23andMe receives funding from the National Institutes of Health, 23andMe currently asserts that its data-mining analysis doesn’t constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This means that 23andMe may take the position that any consent it obtains to retain, use, and share consumer data isn’t necessary for regulatory compliance, but rather is done as a courtesy.
Backblaze
Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.
In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.
These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about its own HIPAA enablement. It appears that HIPAA features are available only for customers on the B2 Cloud Storage plan.
Egnyte
According to the Egnyte website, the platform’s comprehensive data security enables HIPAA compliance for payer, provider, pharmaceutical, and biomedical businesses.
Egnyte states that it will enter into a Business Associate Agreement (BAA) with its customers once they have signed up for Egnyte’s services.
There are three plans offered through Egnyte. Storage that enables HIPAA compliance is listed as a feature for all of them. Other features required to support compliance are available on only some of the plans.
FileZilla
There is no mention of HIPAA compliance or Business Associate Agreements (BAA) on the FileZilla website. The extensive Knowledge Base for FileZilla and FileZilla Pro doesn’t mention HIPAA either.
Several questions regarding HIPAA compliance have been posted to FileZilla forums, and most answers state that FileZilla does not enable HIPAA compliance.
FileZilla apparently supports secure file transfer protocol (SFTP) and file transfer protocol secure (FTPS), but without access controls, audit trails, and signed BAAs, these measures aren’t enough to satisfy HIPAA regulations.
IDrive
IDrive offers online backup services that covered entities can use for protected health information (PHI). Both IDrive’s digital and physical security appear to maintain the confidentiality of patient information.
Encryption is a critical feature for ensuring that your backup cloud software supports HIPAA compliance. Data encryption and secure transmission help prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.
IDrive’s data center uses modern technology, including SOC-approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.
The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.
OpenAI
The security & privacy section of the OpenAI website states that the company helps “customers meet regulatory, industry, and contractual requirements like HIPAA”; however, ChatGPT isn’t currently covered by OpenAI’s BAA. According to OpenAI, only API services with “endpoints that are eligible for zero retention are covered” by its BAA. Customers do not have to be on an Enterprise plan to be eligible for OpenAI’s BAA.
Power BI
Power BI is a Microsoft product. According to a blog on the platform’s website, Power BI was added to the Microsoft Trust Center in April 2016. The Microsoft Trust Center is a single point of reference that documents compliance with various regulations. HIPAA and the HITECH Act are spotlighted in the Microsoft Trust Center. As a cloud service provider, Microsoft considers itself a business associate for HIPAA-covered entities: “To support our customers’ compliance with HIPAA when utilizing Microsoft enterprise products and services, Microsoft will enter into Business Associate Agreements with its covered entity and business associate customers.”
In the Trust Center, Power BI is listed as an in-scope cloud platform either as a standalone service or included in an Office 365 or Dynamics 365 branded plan or suite.
Rocketbook
Rocketbook enables users to upload their handwritten notes to the cloud. In most cases, notes aren’t stored on Rocketbook’s servers. However, this doesn’t mean that the app meets HIPAA requirements.
According to its website, Rocketbook does not enable HIPAA compliance. There is currently no mention of Business Associate Agreements (BAA) on the website.
ServiceNow
HIPAA compliance is addressed on the ServiceNow website in a 17-page white paper titled “ServiceNow security & HIPAA.” The document can be found under the Industry Resources section in the Trust and Compliance Center. In the white paper, ServiceNow claims to include features that enable healthcare customers to comply with HIPAA privacy and security requirements. As far as Business Associate Agreements are concerned, ServiceNow says it will enter into a BAA “if the covered entity chooses to store ePHI in their instance.” There’s a long list of exceptions outlined in the white paper, and ServiceNow cautions that it “is not a typical business associate.” ServiceNow states that it will not enter into a BAA that requires it to carry out the customer’s obligations under HIPAA.
Snowflake
Snowflake offers a Healthcare and Life Sciences Data Cloud solution. On its website, Snowflake states that sensitive data can be shared with this solution because it has built-in security and governance that support HIPAA requirements, among several other security protocols. Snowflake offers a free e-book called HIPAA and the Data Warehouse Built for the Cloud to help business associates translate the regulations into technical requirements. A complete look at all Snowflake’s security and compliance reports can be found online as well.
Hushmail
Hushmail gets straight to the point on its website, calling the platform secure and stressing that it’s trusted by healthcare professionals worldwide. Hushmail says it is configured for HIPAA compliance right out of the box. All plans under Hushmail for Healthcare, from Starter to Custom, appear to include features that enable HIPAA compliance, a signed Business Associate Agreement (BAA), and email archiving. The archiving feature is essential in case of an audit, according to the website.
NordVPN
The purpose of a virtual private network (VPN) is to encrypt data shared between devices. But there is no mention of NordVPN’s ability to enable HIPAA compliance or of the company’s willingness to sign a Business Associate Agreement (BAA) on the NordVPN website. NordLayer — NordVPN’s business VPN solution — claims to enable HIPAA compliance with appropriate measures for securing access to Protected Health Information (PHI). The NordLayer Help Center provides additional information about HIPAA and NordLayer. Plans are discussed on the website, but there is no specific mention of which ones enable HIPAA compliance.
Jotform
Your company can easily enable HIPAA compliance by using Jotform’s helpful tools and secure forms. Sign a Business Associate Agreement (BAA) with Jotform and enjoy forms that make HIPAA compliance easier.
Jotform’s HIPAA-friendly online forms encrypt your data as soon as your forms start being populated. Sensitive information collected through your forms is also encrypted during transfer and in storage. Jotform has many integrations with other HIPAA-friendly services such as Google Drive, Dropbox, etc. You can also accept online payments with HIPAA-friendly online forms. Jotform offers many different payment gateway integrations.
Typeform
Typeform provides data-collection services through online forms, and has integrated security features to meet HIPAA security and privacy requirements.
Both physical security and network security features are in place, including access control, penetration testing, multiple levels of encryption, and other data protection measures. Typeform has an information security department that’s responsible for overseeing all security administration.
Since the service offers protection for data and information, it seems that covered entities have the option to use this service for protected health information (PHI). Collecting PHI is part of HIPAA compliance, which means that Typeform is a business associate. Covered entities using this service to gather, store, or transmit PHI should contact Typeform customer service to ensure they have a business associate agreement (BAA) in place.
Clover
According to its website, Clover for healthcare is used for payment processing only, which exempts the service from HIPAA requirements. Clover states that it restricts healthcare merchants in specific categories from installing apps that require data likely to contain Protected Healthcare Information (PHI). Since the use of Clover is restricted to payment transactions only, Clover states that it will not sign Business Associate Agreements.
Basecamp
There is no mention of HIPAA on the Basecamp website. Basecamp is designed, built, and backed by 37signals. The 37signals Security Overview page doesn’t address HIPAA compliance either. Business Associate Agreements (BAAs) are not mentioned on either site.
MyFax
MyFax offers a variety of security and privacy features, but it isn’t clear from the website whether this service meets HIPAA requirements. The privacy features of this digital faxing service are more robust than traditional fax machines, but they may not be sufficient for protecting health information.
The company J2 Global owns both MyFax and eFax. These platforms are similar, but there are notable differences in privacy, security, and faxing capabilities. MyFax suggests that covered entities use services from its partner, eFax Corporate.
Squarespace
Squarespace offers a variety of software services. Its scheduling tool appears to meet the requirements for the HIPAA Security Rule.
Protections for HIPAA accounts include email notification privacy, a shortened browser session timeout, and limited access for uploading intake forms. Also, customers can disable third-party integrations that don’t support HIPAA.
Squarespace’s Powerhouse Player or Enterprise plan may be used to access HIPAA compliance features for your Scheduling account. Each Scheduling account must be HIPAA friendly before using the service for PHI.
Covered entities should obtain a signed business associate agreement (BAA) from Squarespace.
WordPress
WordPress offers a variety of website security features, but it’s unclear whether the controls are sufficient to meet HIPAA regulations.
It is possible to meet specific HIPAA standards in WordPress, but this process is complicated. Controls must be in place to prevent unauthorized access to the administration control panel and PHI. Additionally, transmission security controls are necessary to encrypt data in transit and secure information at rest.
If covered entities choose WordPress for website design and content management, they should be careful before considering uploading PHI to the site.
Jane
The Jane homepage states that the platform follows all requirements for HIPAA, PIPEDA, and GDPR compliance. No telehealth sessions are recorded or stored locally, the site explains, and Jane software is encrypted with bank-grade security.
A lengthy article in Jane’s Guide spells out the processes that Jane uses to keep patient data secure and protected. Business Associate Agreements (BAA) are discussed under the Security Rule section. The article states that the platform will help users develop an appropriate BAA.
Xero
Xero offers useful financial and accounting tools for healthcare businesses, such as expense management, inventory tracking, and more. While Xero is designed for the business management side of the healthcare industry, its website does not state that its tools enable HIPAA compliance. Xero offers the option to link to third-party healthcare apps for HIPAA compliance features, such as practice management and appointment scheduling.
Mindbody
Mindbody has proactive security measures that appear to meet HIPAA regulations. The company has obtained PCI Level 1 certification, and states that it completes an annual audit and HIPAA risk assessment. HIPAA-related privacy features include network security, encryption, ePHI protection, access control measures, and a Vulnerability Management Program. System alerts are in place to notify admins of unauthorized access. Mindbody offers PHI-related protections for appointment scheduling, contact logs, documents, and transactions. Progress notes allow covered entities to record personal information that’s accessible only by authorized personnel. A business associate agreement (BAA) must be in place before using Mindbody for PHI. Covered entities can email Mindbody to request a signed BAA.
CrashPlan
CrashPlan addresses HIPAA compliance on its homepage, stating that the platform enables HIPAA compliance for business users. The website also states that CrashPlan will sign a Business Associate Agreement (BAA) with users on Professional and Enterprise plans. The Help Center provides information that addresses what users need to do to use CrashPlan in a way that follows HIPAA regulations. It also includes links for users to request BAAs.
Eventbrite
There is no mention of HIPAA or Business Associate Agreements (BAAs) on the Eventbrite website. The company’s expansive Security and Safety Guide describes the platform’s security features, as well as the security laws and regulations it strives to comply with, but mention of HIPAA is notably absent as of the date of this post. Despite strong encryption and security, Eventbrite does not appear to meet HIPAA requirements for safeguarding protected health information, at least from what one can presently glean from the company’s website.
Hightail
On its website, Hightail states that because of the nature of its business, the platform isn’t subject to HIPAA compliance. However, it also claims that many customers on both its Enterprise and individual accounts use Hightail to securely deliver protected health information (PHI). The security measures it cites include SSL/TLS and AES 256-bit encryption, forward secrecy, and dynamically scrambled file names. There is no mention of Business Associate Agreements on the Hightail website.
Vimeo
According to Vimeo’s Help Center, its self-serve platform is not HIPAA compliant; therefore, Vimeo advises its users not to upload any material that would fall under HIPAA regulations, even to a private channel. Vimeo states that its platform does offer a solution that enables HIPAA compliance for Enterprise clients and indicates that it is willing to sign Business Associate Agreements with covered entities.
HubSpot
Covered entities shouldn’t use HubSpot for PHI. On HubSpot’s terms of service page, the company states that its services don’t comply with industry-specific regulations like HIPAA. The terms of service forbid the processing or storage of sensitive health information.
Adobe Sign
When using e-signatures for protected health information (PHI), you must institute security and privacy protections for electronic transmission and storage of data to meet HIPAA requirements. Adobe Sign offers configuration options to comply with HIPAA standards and allow organizations to meet industry-specific compliance requirements for e-signatures. Each client must configure features such as account time-out, password length, and accessibility settings. Covered entities can use authentication to manage user identities, certify each document’s integrity, maintain audit trails, and track document delivery. This tool is helpful for healthcare providers because the e-signature features can be integrated with other HIPAA-compliant software services. Adobe Sign offers a business associate agreement (BAA) for customers on an Enterprise plan.
Dubsado
According to the Dubsado Help Center, Dubsado does not enable HIPAA compliance. Additional safeguards would have to be put in place in order for the platform to comply with HIPAA rules. The website states that Dubsado has no immediate plans to make the changes necessary to enable HIPAA compliance. A look at its roadmap portal confirms no plans have been published. There is also no mention of Business Associate Agreements (BAA) on the website.
TLS encryption
Transport Layer Security (TLS) encryption protects email while it is being sent, but it doesn’t guarantee secure delivery to the recipient. Even though messages are encrypted in transit, security isn’t assured for information at rest. In addition, certain email providers don’t support the delivery of encrypted messages. In that case the service strips the encryption to deliver the email, and the message arrives as plain text. Also, if the recipient responds, the reply transmits without encryption. Covered entities must make sure they’re using tools that ensure encryption on delivery. To meet HIPAA requirements, both mail servers (the sender’s and the recipient’s) must use TLS encryption. TLS encryption can be one tool to support HIPAA compliance, but such encryption alone isn’t sufficient for HIPAA requirements, because the information can be exposed if the encryption fails or is dropped along the way.
Discord
Discord is a social media and mobile chat platform created for entertainment and personal communication. No encryption is available for messages sent through Discord, which means this platform lacks a key HIPAA requirement. Also, Discord’s privacy policy states that the company collects information, including images, messages, and documents sent through the chat feature. HIPAA requires privacy for all PHI and data storage. Other chat and messaging platforms with specific security measures that meet HIPAA standards are available for the healthcare industry.
Doximity Dialer
Doximity describes its platform as secure and claims to facilitate encrypted patient communications that follow HIPAA regulations. Doximity also claims that its voice, video, and no-reply texting feature, Doximity Dialer, enables HIPAA compliance, stating that calls are never recorded and all calls and messages are encrypted. Doximity states that it enters into a Business Associate Agreement (BAA) with all individual users once they register for the service. Institutional BAAs are part of the platform’s Enterprise solution.
Facebook
Facebook provides several privacy controls but may not have the technical, administrative, and physical safeguards that HIPAA regulations require. The Facebook pixel, in particular, seems to risk exposing patient data to third parties. And, despite end-to-end encryption, Facebook Messenger lacks features like audit logs and access reports that are necessary to protect PHI. The Facebook site and the terms and policies on Meta’s site do not mention HIPAA compliance or Business Associate Agreements.
Sideline
Sideline provides users with a second phone number to protect their primary phone number, and thus, their privacy. The app is available for iOS and Android. Sideline admits on its website that its services are not designed to enable HIPAA compliance. The platform apparently doesn’t encrypt messages sent through its app. In addition, Sideline doesn’t currently seem to offer Business Associate Agreements (BAAs).
Formsite
According to its website, Formsite offers a solution that enables HIPAA compliance for users who need to collect and process Protected Health Information (PHI). The website also confirms that Formsite will enter into a Business Associate Agreement (BAA) with organizations so they can collect PHI using Formsite forms. Per Formsite’s pricing page, HIPAA compliance features are offered only to users on the Enterprise plan.
Wufoo
To enable HIPAA compliance, software must include physical, administrative, and technical safeguards, among others, to protect PHI. While Wufoo offers security features, it doesn’t appear to offer all of the features necessary for HIPAA compliance.
Apple Pay
Apple calls Apple Pay safe, sound, and secure, with privacy and security built in, but there is no discussion of HIPAA compliance or Business Associate Agreements (BAA) on the platform’s website. Payment processors are exempt from HIPAA regulations according to Section 1179 of the HIPAA Act.
LogMeIn
LogMeIn is remote-access software. Covered entities using this tool must implement protections to prevent unauthorized access of protected health information (PHI). HIPAA compliance requires strict measures for access control, including unique user identification, emergency access procedures, automatic logoff features, person authentication, and audit controls. LogMeIn customers should adjust specific account settings before using the service with PHI. LogMeIn also offers transmission security that may meet HIPAA requirements. All data transmitted during chat, remote-access, or file-transfer sessions is protected with 128-bit encryption at minimum. When permitted by the encryption level on the client’s browser, the protection increases to 256-bit encryption. To support customers in meeting HIPAA requirements, LogMeIn provides a detailed outline of considerations and setting recommendations. These technical safeguards and transmission security features may enable covered entities to maintain compliance with HIPAA’s Privacy and Security Rules.
Quickbase
Quickbase states on its website that the platform “enables its customers to build applications compliant with the HIPAA Security Rule.” The company points out that customers are responsible for determining whether they are covered entities or business associates, if a Business Associate Agreement (BAA) is required, and for ensuring their company uses Quickbase in compliance with all HIPAA requirements. Quickbase will sign BAAs with business and enterprise customers that have an annual or multiyear contract.
Okta
According to the platform’s website, Okta’s Identity as a Service (IDaaS) cell for HIPAA is specifically designed to help service providers meet HIPAA requirements. Okta requires customers to sign a Business Associate Agreement (BAA) before storing HIPAA-related information.
8x8
On its website, 8x8 claims to enable HIPAA compliance. The company states that it will provide Business Associate Agreements for covered entities and business associates. There are five 8x8 plans to choose from. Compliance with and certifications in several regulations and laws, including HIPAA, are listed as being included with each plan.
ESET Antivirus
ESET Antivirus can help covered entities secure protected health information (PHI). Technical controls keep unwanted malware off devices, including laptops, smartphones, and tablets. The antivirus services perform full system scans to detect and block executable files that activate computer viruses. Malicious parties use malware in an attempt to access data on devices. Antivirus software is a critical factor in protecting both devices and networks against these attacks. Antivirus and malware protection through ESET block attacks immediately. Encryption provides another layer of security. Additionally, customers have the option to set up two-factor authentication. A web control module in ESET Antivirus keeps users from visiting non-work-related websites, reducing the likelihood of a virus infection. Internet access variations are available for each user’s account, depending on the needs of the organization. ESET Anti-Phishing protection is another valuable tool to help covered entities avoid infected emails that put the account and machine at risk. Antivirus and anti-malware protections are required for HIPAA compliance. ESET provides antivirus protection, and the software doesn’t appear to have access to PHI.
Norton Antivirus
Norton Antivirus helps prevent computer hacking, an essential step in protecting PHI. The goal of antivirus software is to ensure devices are free from malware. Antivirus software is a good choice for all devices that access PHI, including laptops, tablets, and smartphones. Hackers use malware to access private files, such as PHI. Covered entities can reduce the risk of data theft by protecting all devices and networks with antivirus software. Norton Antivirus blocks malware attacks and helps keep computers virus free. Additionally, the encryption features protect all of the information you send, receive, and store. HIPAA regulations require covered entities to use anti-malware and antivirus protection.
FreshBooks
FreshBooks provides security and reliability safeguards that seem to align with certain HIPAA requirements, such as 256-bit SSL encryption and firewalls to protect stored data. While FreshBooks’ digital and physical security features seem to comply with HIPAA standards, there is no mention of HIPAA enablement on the company’s website. The company also doesn’t offer information about obtaining a signed business associate agreement (BAA), which is a requirement for covered entities under HIPAA. Since FreshBooks doesn’t specify what its security protocols are for protected health information (PHI), covered entities should consider other invoicing software options.
Bluehost
Bluehost provides customers with a variety of security features, including SSL certification and HTTPS protocol. While these security features are necessary steps for HIPAA compliance, they aren’t enough. HIPAA compliance requires access control and audit control for digital security. Additionally, facility controls must include physical safeguarding of server equipment. The company is transparent that its services aren’t authorized for patient health data and identifiable medical information. Covered entities that need web hosting services for PHI should choose a service that meets HIPAA requirements.
SiteGround
In its terms of service, SiteGround has stated in a HIPAA disclaimer section that customers are prohibited from using its services to store PHI. Covered entities that need web hosting services should choose a provider that offers digital and physical HIPAA-compliant safeguards. While most hosting providers provide HTTPS protocol and SSL certification for security, these features alone aren’t sufficient to meet HIPAA requirements. For a hosting account to be HIPAA compliant, it must include physical safeguards to protect equipment and servers. Audit controls and access controls are other digital security features that help with HIPAA compliance.
HelloSign (now Dropbox Sign)
Dropbox Sign appears to provide HIPAA-friendly solutions for covered entities, ensuring security and privacy for all documents that contain protected health information (PHI). The service uses Transport Layer Security (TLS) encryption for all communications in transit and AES 256-bit encryption for stored files. Enterprise-level security controls include two levels of encryption for each document: a unique document encryption key (DEK) for each file and a master key that protects the DEK, which is regularly rotated for additional security. This configuration offers an extra layer of security in the event that someone bypasses physical security measures to access a hard drive. Dropbox Sign also offers audit reports that track activity and changes made to each document, giving covered entities the ability to view the audit trail as needed. Dropbox Sign conducts regular user access reviews and provides extensive training for employees on HIPAA’s security and privacy rules. Customers must have a Dropbox Sign Enterprise account to access features that enable HIPAA compliance and Service Organization Control (SOC) 2.
ActiveCampaign
ActiveCampaign has stated that it enables HIPAA compliance. This service offers security features that align with HIPAA regulations. HIPAA compliance features are available with ActiveCampaign’s Enterprise plan. The security page states that ActiveCampaign can meet HIPAA standards for enterprise-level customers, but no further information is available about specific security features for HIPAA compliance. The company stresses that each customer is responsible for using the service in a HIPAA-compliant manner. ActiveCampaign provides security to support these needs. According to the HIPAA Security Rule, entities and business associates must take reasonable steps to protect PHI, including end-to-end security.
Constant Contact
Constant Contact offers many security features that appear to align with HIPAA requirements, such as multiuser access, account management, and the ability to limit user access. The service has technical, physical, and administrative safeguards in place to protect email subscriber data. While these security features are sufficient for general email communication, they may not meet the privacy safeguards necessary for transmitting patient information. The HIPAA Privacy Rule applies to protected health information (PHI), which includes any information found in a medical record that’s tied to the identity of an individual, including diagnoses, treatments, and billing. HIPAA rules don’t prohibit covered entities from sending marketing emails, as long as they don’t include protected health information. For example, a medical provider can email patients about changes in business hours or new office policies. However, patients must first give their permission to be added to the email marketing list. Constant Contact is a good solution for general communication. But its email marketing platform doesn’t appear to support the transmission of highly sensitive protected health information (PHI).
Barracuda Messenger
Barracuda Messenger provides end-to-end encryption for communications, enabling you to exchange both video and audio calls as well as text messages in a confidential, secure environment. Even though Barracuda Messenger secures conversations in all locations and on all devices, the security features aren’t necessarily sufficient to meet HIPAA requirements. Also, Barracuda Messenger makes no mention of signing a business associate agreement (BAA). Covered entities looking for a video and text messaging platform for PHI should use a tool that meets HIPAA requirements.
VeraCrypt
Data encryption is an essential part of HIPAA compliance, and covered entities must ensure that information is fully encrypted both in transit and when stored. While VeraCrypt provides basic security features, its encryption tool may not be sufficient for protected health information (PHI). VeraCrypt’s encryption hasn’t been fully compatible with all types of computers, such as certain types of PCs. Additionally, it’s designed to be used on single devices. For HIPAA compliance, it’s best to have a centralized encryption system with administrative features that include remote access and remote encryption capabilities. Information about VeraCrypt’s HIPAA-compliance effort is limited, so covered entities may want to consider choosing a commercial encryption service instead.
Apple Notes
Apple Notes provides users with a fast and easy way to capture their thoughts or create lists and sketches, making it a convenient tool to collect information. The app also syncs across devices through Apple’s iCloud. It’s unknown whether Apple Notes enables HIPAA compliance.
OneNote
OneNote may be HIPAA compliant, provided the right security features and configurations are used. Physical, technical, and administrative safeguards are available through Microsoft’s cloud services. These security and privacy measures help to prevent unauthorized access of electronic protected health information (ePHI). Data stored in OneNote is encrypted, and Microsoft provides user access logs on request. Notes can be shared with other OneNote users through a network or internet connection. Because Microsoft OneNote offers multiuser collaboration, every participating device must meet all HIPAA compliance standards. Storing or sharing PHI on the software requires a signed business associate agreement (BAA) with the software provider. The BAA offers contractual assurances of HIPAA-compliant safeguards. Microsoft provides a BAA for many of its products, including OneNote.
Power Automate
Microsoft has stated that it enables HIPAA compliance by offering customers that are covered entities and business associates a Business Associate Agreement (BAA). This agreement covers in-scope Microsoft services, which include Power Automate. This applies whether the Power Automate cloud service is being used as a standalone service or as part of an Office 365 or Dynamics 365 branded plan or suite.
WPS Office
While WPS Office offers a variety of security features, including encryption, to protect customers’ data, the company hasn’t said that it has sufficient protection to meet HIPAA guidelines. Covered entities that want to use this free software for word processing, spreadsheets, or presentations shouldn’t put protected health information (PHI) in the files. If you need services that enable HIPAA compliance, choose an office suite that specializes in HIPAA solutions.
Smartsheet
Smartsheet enables covered entities to store, access, and share protected health information (PHI). Its security and privacy services appear to meet or exceed HIPAA’s regulatory requirements for protecting health data. Customers can access the Smartsheet HIPAA Implementation Guide to learn how to properly configure Smartsheet for PHI. Covered entities should adjust specific features and security controls for HIPAA compliance. Security features include user access management, user auto-provisioning, activity monitoring, and sharing-control management. Physical, administrative, and technical protections are available through Smartsheet security configurations. External auditors verify the security processes annually. Additionally, customers can request audit reports and penetration test reports. Encryption protects data in transit and at rest. To transmit content securely, users should use the share function to send a link to a cloud-based document. Importing data and sending it through the attachment feature may put the security of PHI at risk. Covered entities should evaluate the security and privacy of each Smartsheet add-on before using it with PHI. File attachments in Smartsheet are stored and managed through Amazon Web Services (AWS). Smartsheet states that it has a BAA in place with AWS.
Quip
Quip, a cloud-based collaboration tool, uses innovative security controls and measures that appear to align with HIPAA compliance requirements. The system is fully encrypted and offers a variety of customizable privacy options to meet each organization’s unique compliance requirements. Covered entities often pair Quip Shield with Salesforce to take their security to the next level. The combination allows users to collaborate using Salesforce data in a central space while their data is protected with critical security measures such as permissions, version history, and encryption. These cloud-based tools offer security for protected health information (PHI), with technical, physical, and administrative safeguards designed to maintain compliance. Covered entities can build healthcare applications through Salesforce, knowing that Quip provides the security measures intended to protect PHI. Quip has features that allow for data control and audits. Users can tailor the Quip platform based on their unique compliance and security needs. Key security features of Quip Shield include encryption of data in transit and at rest, granular administrative controls, access management, antivirus scanning, and real-time event logging. The option of a private, single-tenant cloud allows for better control of the network, including limits on geographical access.
BitLocker
BitLocker enables HIPAA compliance for data at rest by using the XTS-AES algorithm for data encryption on Windows systems, offering customers both AES 128-bit and 256-bit key lengths. The highest level of protection is available when this encryption is paired with a Trusted Platform Module (TPM) version 1.2 or later. Since BitLocker is built into the Microsoft Windows operating system and encrypts local drives, covered entities should use additional security precautions if cloud storage is involved. Another benefit of using BitLocker for HIPAA compliance is the data protection feature that addresses data theft risks, including exposure from computers that are stolen, lost, or inappropriately decommissioned. Compliance depends on several criteria, such as integrating the Azure cloud service and having volume licensing.
Gravity Forms
Gravity Forms, a widely used WordPress plug-in designed to create online forms, has stated that it can be HIPAA-compliant, but it does not come pre-configured with HIPAA compliance features. Instead, it offers functionality that can be used to develop forms that adhere to HIPAA standards, as long as users take specific precautions and comply with essential security protocols. According to Gravity Forms, data collected through its plug-in is stored in tables within the user’s WordPress database, which is hosted by the user’s chosen hosting provider. Gravity Forms then relies on the existing WordPress infrastructure to store the collected data within the user’s database environment. This approach keeps the data under the user’s control and within the parameters of their selected hosting provider. Keep in mind that Gravity Forms states, “By default, [t]he data collected by Gravity Forms is not encrypted during storage. If required, encryption of data at rest would need to be provided by an add-on or the custom code.” Because Gravity Forms has stated that it does not host or store collected form data on your behalf and that it does not sign Business Associate Agreements, you must arrange a BAA with your website host or data services provider.