If you're using 10to8 for medical appointments in the US, you need to enable 10to8’s HIPAA security tools. These tools help you to use 10to8 in a fully compliant manner. You also need to have signed 10to8’s BAA before storing medical data in 10to8.
10to8 has been built from the ground up to protect your customers’ data security. Our HIPAA tools give you additional control over the data you store and share.
Note: to use 10to8's HIPAA security tools, you'll need a subscription to our Premium plan or above. If you're interested in upgrading to Premium or would like to talk about building a bespoke plan for your business, book a call with our sales team here.
10to8’s BAA
You must have a signed BAA (Business Associate Agreement) in place before storing sensitive patient data (Protected Health Information or ‘PHI’) in 10to8.
10to8's BAA provides the legal basis for 10to8 storing and processing data on your (the Covered Entity's) behalf. This can be requested by:
- Visiting 'Setup' > 'GDPR & HIPAA'
- Enabling HIPAA Security Tools
- Clicking 'Request Signed Business Associate Agreement'
Note: 10to8 does not accept ‘outside’ BAAs.
Your responsibilities
You must not send any PHI (Protected Health Information) over email or SMS, as these are third-party services not covered by the BAA. When HIPAA tools are enabled, 10to8 reduces the information shared with your customers; however, 10to8 cannot take responsibility for messages you write yourself on our platform.
Make sure you have and can manage your customers’ consent, both to have their data stored within 10to8 and also to be reminded of their bookings via email and SMS. 10to8 has a set of tools that can help you with managing consent. Click here for more information.
You must respond within a reasonable amount of time to your customers’ data requests under HIPAA. Failure to do so will result in your account being suspended.
10to8's automatic and custom communications
10to8’s HIPAA tools allow you to limit the amount of information sent via email and SMS communications. At the extreme, you can send appointment reminders that exclude all information about the appointment type, the location, and your business name. Please make sure that you set an appropriate level of information for your business so that PHI is not shared over automated communications.
To automatically exclude PHI, you can use the checklist provided under 'Setup' > 'GDPR & HIPAA'. You can also edit the content of your email and SMS messages under 'Configuration' > 'Customer Messaging'.