If you're using Sign In Scheduling for medical appointments in the US, you need to enable Sign In Scheduling’s HIPAA security tools. These tools help you to use Sign In Scheduling in a fully compliant manner. You also need to have signed Sign In Scheduling’s BAA before storing medical data in Sign In Scheduling.
Sign In Scheduling has been built from the ground up to protect your customers’ data security. Our HIPAA tools give you additional control over the data you store and share.
Note: to use Sign In Scheduling's HIPAA security tools, you'll need a subscription to our Premium plan or above. If you're interested in upgrading to Premium or would like to talk about building a bespoke plan for your business, book a call with our sales team here.
Sign In Scheduling’s BAA
You must have a signed BAA (Business Associate Agreement) in place before storing sensitive patient data (Protected Health Information or ‘PHI’) in Sign In Scheduling.
Sign In Scheduling's BAA provides the legal basis for Sign In Scheduling storing and processing data on your (the Covered Entity's) behalf. This can be requested by:
Visiting 'Setup' > 'HIPAA'
Enabling HIPAA security tools
Clicking 'Request signed business associate agreement'
Note: Sign In Scheduling does not accept ‘outside’ BAAs.
You must not send any PHI (Protected Health Information) over email and SMS as these are third-party services not covered by the BAA. Sign In Scheduling reduces the information shared with your customers when HIPAA tools are enabled, however, Sign In Scheduling cannot take responsibility for messages written by yourself on our platform.
Make sure you have and can manage your customers’ consent, both to have their data stored within Sign In Scheduling and also to be reminded of their bookings via email and SMS. Sign In Scheduling has a set of tools that can help you with managing consent. Click here for more information.
You must respond within a reasonable amount of time to your customers’ data requests under HIPAA. Failure to do so will result in your account being suspended.
Sign In Scheduling's automatic and custom communications
Sign In Scheduling’s HIPAA tools allow you to limit the amount of information sent via email and SMS communications. In the extreme, you can simply send reminders for an appointment that excludes all information about the appointment type, location, and your business name. Please make sure that you set an appropriate level of information for your business so as not to share PHI over automated communications.
To automatically exclude PHI, you can use the checklist provided under 'Setup' > ' HIPAA'. You can also edit the content of your email and SMS messages under 'Setup' > 'Customer messaging'.