In this document:
Introduction
In this guide, we want to go over how Simply Schedule Appointments is HIPAA-Capable rather than fully HIPAA-Compliant.
For more information on how SSA handles privacy and data, check out our Privacy and Data Processing FAQ page.
HIPAA-Capable vs HIPAA-Compliant
HIPAA compliance is the process that business associates and covered entities follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act.
Protected health information (PHI) is personally identifiable medical or payment information related to health services. That includes:
- Identifiable demographic or genetic information related to health.
- Information relating to the physical or mental condition of an individual.
- Payment or financial information related to healthcare.
HIPAA-Compliance in Websites
HIPAA-Compliance for WordPress websites is dictated mostly by the hosting company and the site configuration. Both of which are out of our hands, and why we can only say SSA is HIPAA-capable and not HIPAA-compliant.
Your hosting company will need to be HIPAA-compliant and help you set up the required HIPAA configurations. It has to be able to securely encrypt the database, has to have logs of every person who accesses the database, needs to encrypt your emails, etc.
As a plugin author, none of this process is under our control.
Simply Schedule Appointments as HIPAA-Capable
Simply Schedule Appointments is a completely self-hosted plugin, meaning that none of your customers’ data is stored on our servers. All of their data is stored on your website.
SSA is HIPAA-Capable, but this heavily relies on your website’s host to encrypt the entire database and for you to be careful of the information that you pass on to the 3rd party services used in our plugin.
Cautionary Features Within Simply Schedule Appointments
Some of our features notify and sync customers and other 3rd party services with the appointments. But, it is up to you to ensure that no identifiable patient information is passed on to these services.
Features to be cautious of:
- Email notifications
- Google Calendar
- Twilio for SMS
- Webhooks
- Mailchimp
- Payments with Stripe and PayPal
- Tracking with Google Analytics or Facebook Pixel
For example, even if you have HIPAA-compliant hosting and do everything perfectly, but then include private health information in unencrypted email notifications, then it’s no longer HIPAA-compliant.
You must be vigilant about any data that leaves SSA.
Avoiding PHI in the Plugin Altogether
Another option is to avoid collecting PHI (protected health information), which is individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, on the Simply Schedule Appointments booking form.
You could use SSA to simply book appointments by only collecting the patient’s Name and Email.
But, this will only work if your Appointment Type Names also don’t identify their medical information, symptoms, conditions, etc. For example, if Mary books a “Diabetes Pre-Screening” appointment with you, you will need to handle Mary’s Name and Email under HIPAA guidelines.
Business Associate Contracts
A business associate contract is an agreement between an organization and its “business associate” that has access to PHI collected by the organization. The contract requires that business partners follow HIPAA guidelines to keep PHI secure.
Since Simply Schedule Appointments does not store, transmit, or have access to PHI, we do not have to sign a Business Associate Contract.
Troubleshooting HIPAA-Sensitive Sites
If you’re concerned with exposing PHI to our support team during the troubleshooting process and this prevents us from receiving logins, we’d be happy to troubleshoot through an anonymized export of your SSA Settings (this will anonymize all user information provided in appointments).
Resources
- A Beginner’s Guide to HIPAA Compliant Websites by Full Media
- Summary of the HIPAA Security Rule by the U.S Department of Health and Human Services