Health Insurance Portability and Accountability Act (HIPAA) compliance and EasyPractice

As a practitioner, you are working with sensitive data about your clients. Different countries are getting more and more aware of the importance of the proper handling of personal data. HIPAA is a detailed piece of legislation that you, as a clinician or practitioner, need to consider in your business. Here, we will show you how EasyPractice handles HIPAA compliance and what you can do to ensure your compliance.

HIPAA compliance and EasyPractice
Is EasyPractice compliant? Yes
Am I compliant? Yes

BAA (Business Associate Agreement)

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

Creating the EasyPractice account requires you to accept the Terms and Conditions and the DPA.

When creating an EasyPractice account, you must agree to our Terms and Conditions and our Data Processing Agreement. The Data Processing Agreement is a document signed between the Data controller (Users of EasyPractice) and the Data Processor (EasyPractice). This agreement outlines the obligations and rights of both parties regarding handling data. You can find the DPA on this page under documents.


Is EasyPractice compliant? Yes
Am I compliant? Yes

Data Processors and Data Controllers

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. This is only a matter of definitions. You accepted our Data Processing Agreement when your EasyPractice account was set up.

When we talk about personal data, we work with the terms “Data Processor” and “Data Controller”. In this context, EasyPractice is a data processor, and our users are the data controllers since we process your client data on your behalf and in your interest. Therefore, you also have control over how we process your data since we process it only as instructed by you.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Consent for Data Processing

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must ask your clients to give their consent for you to store and process their data. We have a “Consent” app that allows you to collect consent from your clients easily.

Your role as a data controller is to be transparent and concise with your clients about how you store and process their data. There are instances where you can disclose PHI (Protected Health Information) without explicit consent: it may be disclosed without consent only for treatment, for securing payment, and in connection with the operations of a healthcare provider. In most other cases, written consent for storing and processing data is required.

Your client must be informed of:

  • what personal data you shall register,
  • what the personal data shall be processed for,
  • who has access to that information,
  • that they are entitled to see and receive a copy of their information,
  • that they can ask to have their medical information shared with a third party,
  • that your client is entitled to have his/her information corrected,
  • that the client can at any time withdraw his/her consent and how this may be done,
  • where requests regarding the above can be directed.

For example, if you set up clients in EasyPractice, the client must expressly consent to this and, in that connection, will receive the above information. If you use Online Booking in EasyPractice, you can set it up so that specific conditions must be approved before a booking is made, which ensures consent; you should always do this.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Data Protection Officer

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. EasyPractice has already dealt with this for you by appointing a DPO, who, among other things, deals with inquiries from your clients regarding the processing of their personal data.

As a data processor, we are required to have a Data Protection Officer (DPO). A DPO must ensure that the company meets the requirements of the HIPAA regulations. Read more about what a DPO is.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Secure Email and SMS communication

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes and no. Our messages and system are secure, but to be fully compliant you must take care not to share PHI in the content of your messages.

It is important to make sure that the communication between you and your client is secure. We have you covered in this aspect. With our app “Secure Messages” you can send your clients encrypted and secure SMS messages and emails. With this app, you can send general messages, invoices, journal entries, and other files.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Technical Safeguards

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. We have you covered.

There are several technical safeguards implemented in EasyPractice systems to ensure that your data is secure.

Our platform runs over SSL (TLS) security, recognisable by the small padlock before the URL in your browser; many systems do not. If you are using a system without SSL security, we recommend switching to one that has it. We also run data safety audits to make sure our protection is up to date, and a regular backup of sensitive data is in place. We make sure that your data is encrypted and secure.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Access Only to Authorised Users

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. We have created the apps, but it is up to you to assign clients and access rights to your employees.

An important aspect of handling sensitive data is making sure that only authorized people have access to it. This can be done with our “Employee app”. The app allows you to create profiles for your employees and give them access to only view or edit either:

  • All clients
  • Their own clients
  • Or no clients

This way, your employees will only be able to access clients and data that they are authorized to access.

An extra layer of protection for you and your employees can be achieved through our app “Two-factor authentication”, which requires an additional code each time you log in.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Risk Analysis

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must prepare the impact assessment yourself. We can assist you with this, via our lawyer, if you contact us at [email protected].

The HIPAA Security Rule requires Covered Entities and their Business Associates to conduct an annual HIPAA risk assessment and implement security measures in order to help keep PHI safe. The goal of the risk assessment is to: “identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits.”

Privacy risk assessments and security risk assessments need to be done regularly from your side, and our side.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Third Party Integrations

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

For instance, if you use the Google Calendar integration, you need to assess whether the integration is acceptable for you and modify it to meet your HIPAA compliance obligations.


All integrations through EasyPractice run with SSL security (encrypted, secure communication), so data cannot be “leaked” in transit between the integrated platforms. However, some third-party integrations may not themselves be HIPAA compliant. You should check whether the platforms you are using are compliant, and disable those that are not.


Is EasyPractice compliant? Yes
Am I compliant? Action needed

Notification duty regarding data breaches

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must notify the Danish Data Protection Agency if you receive a notification from us about a data breach. Of course, we will help you formulate the notification so you do not have to worry about the technical aspects.

Since we operate from Denmark and are subject to the General Data Protection Regulation (GDPR), there is also a duty to inform the national data protection authority (in Denmark, the Danish Data Protection Agency) about data breaches. This must be done within 72 hours of a data breach. As a data processor, we are obliged to inform both our users and the Danish Data Protection Agency about a breach, and we have a procedure for this in our company. Remember that, as a data controller, you are also required to report any data breaches.
