HIPAA – Our Commitment to Compliance

MedicalCRM and HIPAA – Our Commitment to Compliance to Protect Your Clinic and Your Patients

MedicalCRM is designed specifically to streamline the operations of your clinic and to enable you to create the best patient experience possible. We act as a service provider, and as such fall under the “business associate” category of the Health Insurance Portability and Accountability Act (HIPAA). That means just as your clinic must be fully HIPAA compliant, as your partner in making your practice the best it can be, we also must be HIPAA compliant, and we take that responsibility very seriously. 

MedicalCRM is designed specifically to meet HIPAA compliance standards, and we constantly reevaluate our security protocols to ensure there is never any lapse in our compliance, safeguarding your compliance as our partner. We understand how important privacy and data security are to your patients, and we understand how important HIPAA compliance is to your practice as a business. That laser-focus on HIPAA is one of the areas that makes MedicalCRM so different, and one of the reasons you can always trust us with your patients’ sensitive Protected Health Information (PHI).


HIPAA Privacy Rule

The HIPAA Privacy Rule (45 CFR Part 160) establishes nationwide standards for the management and protection of patient medical records and other sensitive data, known as individually identifiable health information. It also establishes the rights that patients have regarding their Protected Health Information, and establishes standards for medical payment processing. From a CRM standpoint, the most applicable areas of the HIPAA Privacy Rule are the security measures outlined in the HIPAA Security Rule (45 CFR Part 164), a subset of the wider privacy section.


HIPAA Security Rule

The HIPAA Security Rule outlines multiple sets of safeguards that must be in place to achieve compliance and to ensure the protection of PHI at all times. The three primary levels of safeguards outlined are technical safeguards, physical safeguards, and administrative safeguards. MedicalCRM is designed specifically to meet the requirements of each of the three safeguard levels to ensure full compliance on our end, resulting in the effective elimination of the risk of our valued partners suffering from CRM-related compliance breaches.


Administrative Safeguards (164.308)

The Administrative Section of the HIPAA Security Rule covers safeguards relating to staffing and administration of systems handling protected health information. It outlines multiple requirements for compliance, including:

  • A security management process: HIPAA compliance requires policies and procedures to be in place to prevent, detect, and remedy security concerns.
  • Assigned security responsibility: Compliance requires a specific person to be designated as responsible for the procedures and policies covered under this section.
  • Workforce security measures: Compliance requires an access management system to be in place so that those with a need for access have it and those without one are blocked from accessing PHI.
  • Training and management: Employees working with PHI must receive the necessary training to ensure they can operate systems securely. They must also be adequately managed, and consequences must exist for breaches of security policy.
  • Constant evaluation: Compliant entities must regularly evaluate and assess their systems to ensure continuous adherence to requirements.


Physical Safeguards (164.310)

The physical safeguards section covers the measures that must be taken to secure physical facilities, servers, workstations, and devices. It’s designed to ensure that breaches don’t occur due to carelessness in the physical handling and protection of the technology that stores and transmits PHI. There are four primary categories of physical safeguard:

  • Access control: Compliant entities must ensure that physical access to electronic information systems is limited only to those with a legitimate need.
  • Workstation use: Compliance requires policies to be put in place outlining the proper use of workstations, in addition to the surroundings of workstations with access to PHI.
  • Workstation security: There must be physical security in place to protect individual workstations from unauthorized access.
  • Device and media control: Protocols must be put in place to govern the movement of hardware and electronic media containing PHI in and out of facilities. That includes movement, disposal, and backup. It also requires that records be kept of all electronic media for future reference and audit purposes.


Technical Safeguards (164.312)

Technical safeguards outline the requirements for securing the actual technology used to store, transmit, and secure PHI. While all sections are equally important, when it comes to electronic Protected Health Information (ePHI), technical safeguards are particularly relevant since ePHI is most vulnerable to remote attacks exploiting weak spots in electronic information systems. The Technical Safeguards section is broken down into five primary categories:

  • Access control: A common thread between all sections, access control measures must be put into place to ensure only authorized users with a legitimate need can access electronic information systems containing PHI.
  • Audit control: Hardware, software, or procedural mechanisms must be put into place to monitor and record user access to PHI so that security audits can be performed based on the recorded data.
  • Integrity control: Procedures and protocols must be put into place to ensure information integrity, and to stop the improper alteration or destruction of PHI.
  • Person or entity authentication: Procedures must be in place to ensure that people or entities accessing PHI are who they say they are.
  • Transmission security: Measures must be put into place to protect PHI data during transmission over electronic communication networks to ensure it can’t be intercepted or accessed by unauthorized third parties.


MedicalCRM meets or exceeds the requirements outlined in each subcategory of the administrative, physical, and technical safeguards. A big part of that is our company’s overall commitment to data and transaction security, which includes regular penetration testing to ensure we’re always one step ahead of any newly emerging external threats. We also use the Amazon Web Services (AWS) platform for all our cloud-based data storage, which means we’re also backed by Amazon’s commitment to security and HIPAA compliance. Finally, MedicalCRM is also fully compliant with HIPAA’s Breach Notification Rule, which outlines the steps that must be followed in the case that a security breach does occur. However, the level of security provided by MedicalCRM and AWS ensures that our partners need not worry about breach notifications.

If you’re ready to try out MedicalCRM, sign up now for a free 14-day trial! Or, if you’d like more information on MedicalCRM’s HIPAA compliance or how our software can revolutionize the way you run your practice, contact us today and set up a one-on-one demo!
