Keeping your network secure can be challenging, but when you add HIPAA compliance and SOC regulations into the mix it can be difficult to know which tools are right for your environment.
When employees are sending messages to clients and patients, how do you ensure that the emails and data generated remain compliant? We look at some of the top HIPAA compliant software solutions for patient management.
Here is the list of the best HIPAA compliant solutions:
- Files.com EDITOR’S CHOICE A file storage, sharing, and transfer service that is HIPAA compliant. Unlike many file storage services, Files.com supplies customers with a Business Associate Agreement to enforce HIPAA compliance.
- ExaVault (FREE TRIAL) This cloud storage package with secure file transfer utilities is delivered with physical and procedural security and provides a BAA for HIPAA compliance.
- RapidFireTools Compliance Manager Geared towards IT departments and MSPs, Compliance Manager focuses on automating compliance documentation, and proactively scanning the network to find HIPAA violations, while offering action steps to get those issues corrected.
- GFI FaxMaker An on-premises standalone tool that provides HIPAA compliant internet-based faxing.
- Sendinc A Microsoft Outlook plugin that encrypts emails, ideal for HIPAA compliance.
- Mitel HIPAA-Compliant Phone Systems Mitel’s vast network of data centers and cloud-based applications puts it high up on this list.
- Doxy.me Telemedicine application that easily allows patients to schedule online appointments with their doctors.
- Tiger Connect Telemedicine application that leverages SMS to secure an encrypted connection between doctors and their patients.
- Carbonite A cloud-based backup solution that incorporates HIPAA friendly protocols to keep network shares secured and compliant.
- Paubox An email encryption service that provides automatic secure email with zero steps needed from either the sender or the recipient.
- RingRx A simple platform that offers a secure faxing, VoIP, chat, and video package for any sized business.
- UpDox A clinically focused CRM that blends secure patient communication with access to medical records, internal communication, and payment processing.
The best HIPAA compliant software solutions
What should you look for in a HIPAA compliant system for your business?
We reviewed the market for data management systems that reinforce HIPAA compliance and analyzed tools based on the following criteria:
- A system that enforces user account requirements for data access
- Logging that identifies the user responsible for each action on data
- System security to prevent data theft
- Behavior analysis to identify account takeover or insider threats
- Controls for data movement
- A free trial or a demo package so you can fully examine the service before buying
- Value for money from a competent service that is fully compliant with HIPAA
With these selection criteria in mind, we looked for reliable systems that will provide good data management functions together with thorough logging and activity tracking functions.
Files.com is a file management system. It provides storage space, it offers an SFTP server to transfer files to other businesses, and it can work as a central shared space for document collaboration.
The Files.com system is a cloud service. In terms of legal responsibility for any loss of data under HIPAA, services such as Files.com present a tricky problem. On the one hand, this is just a storage and file handling service – it is a tool, and so is no more responsible for the data of its users than a filing cabinet or an email system would be. However, the data is held on servers owned by Files.com and so, under HIPAA, the service could be held responsible for the safety of any personal information stored on its premises.
- Access controls
- Encryption in transit
- Encryption protected storage
- HIPAA-compliant BAA
- 7-day free trial
Many service providers claim that HIPAA doesn’t apply to them, thus dodging any responsibility. Unfortunately, this is a short-term fudge in order to win customers and when legal scrutiny is focused on these business relationships, everyone gets fined for non-compliance.
Files.com addresses the issue of co-responsibility for data security. Access controls are provided in the form of encrypted storage and access credentials that integrate two-factor authentication. None of the Files.com technicians are able to break into an account and access the data. So, while Files.com is responsible for the physical security of its servers, the customer still holds the reins in terms of logical access.
Similarly, data in the process of being transferred is protected by encryption and session security. The protection of connections is the responsibility of Files.com and is offered as part of the file management service. However, the decision over where files are sent is entirely the responsibility of the customer.
That shared responsibility for data confidentiality and security is spelled out in a Business Associate Agreement (BAA), which is part of the documentation set that is created when a company opens an account with Files.com. The BAA is worded and structured in full compliance with the requirements of HIPAA, the HITECH Act, and the Omnibus Rule that binds those two data protection frameworks together. Any company in the health sector that uses Files.com will need to show that BAA to a compliance officer when undergoing an audit.
- Features built-in HIPAA management tools for auditing, access control, and encryption
- Scalable solution, making it ideal for both small businesses and enterprises alike
- Allows users to create links to files that have special rules, such as expiration dates or click tracking
- Supports integrations into other cloud-based storage options such as Dropbox, Google Drive, and OneDrive
- Would like to see a longer trial period
The Files.com service is easy to use and creating an account is a straightforward process. You can try the service without obligation before fully committing by taking advantage of the Files.com 7-day free trial.
Files.com is our top choice for a HIPAA compliant solution because the cloud-based service has all of the legal problems of shared responsibility sorted out. Outsourced services create a headache when dealing with personal information in the US health sector, but Files.com has put in place all of the procedures and paperwork to pass any HIPAA compliance audit.
Get 7-day free trial: files.com/signup
OS: Cloud-based SaaS
ExaVault is a cloud service that provides a file server and secure file transfer utilities. The system is delivered from hardware the company owns, housed in secure locations that are ISO 27001 certified and SOC 2 Type 1 and Type 2 compliant. These security attributes are exactly what is required if you need to enforce strong data security for HIPAA compliance.
- A secure cloud file server
- User controls
- File access monitoring
- Link-based access invites
- Provides a Business Associate Agreement
HIPAA requires you to demonstrate that you have declared all data leak events or that there haven’t been any. This proof can only be provided by extensive activity logging. The ExaVault system keeps all of your files on its servers and logs all access events.
Accountability is enhanced by the removal of the need to send out copies of files. Instead of transferring or emailing files, the business users of the ExaVault system can email out a link for access. This method can also be used for internal collaboration and file sharing. The user can limit access to others so that they only have read-only permission. All activity is subject to logging and the administrator can revoke access rights in an emergency.
- Receives files via SFTP and FTPS for distribution
- Control over files
- Options for multi-factor authentication on user accounts
- No free tier
There are four plan levels for ExaVault and the highest edition, called Enterprise, offers a Business Associate Agreement (BAA), which is what businesses following HIPAA standards need to spread the legal responsibility for the storage of sensitive data. You can assess ExaVault with a 30-day free trial.
MSPs may find maintaining HIPAA compliance on their networks a challenge. Even when following best technical practices it can be hard to produce documentation and monitor the network in real-time for any violations. To solve this problem, RapidFireTools has developed Compliance Manager.
- Automated compliance documentation.
- Real-time network scanning.
- Automatic storage of compliance reports.
- Non-compliance reports and suggested remediation.
- Easy to use interfaces across all products.
Built with network administrators in mind, Compliance Manager takes the lead by automatically generating documentation and proof that your client is maintaining compliance. In addition to documentation, Compliance Manager will scan your network and report back any non-compliance issue it discovers, along with a recommended plan of action.
In the event of an audit, Compliance Manager saves all of your documentation to one place making it easy to respond to any requests an auditor may have. As a network administrator or MSP, this tool takes the headache out of HIPAA and makes it easy to see the value for both you and your client.
- Caters to larger organizations and MSP environments
- Automatically generates proof of compliance documents
- Offers automated compliance scans paired with actionable resolution steps
- Would like to see a trial version rather than a demo
You can request a demo of Compliance Manager for free. Pricing for the HIPAA compliance module starts at $199.00 (£159.27) per month, with most additional modules starting at $79 (£63.23) per month.
RapidFireTools Compliance Manager automates compliance documentation as it enforces security protection. The Compliance Manager is a particularly useful system for managed service providers that also need to generate SLA compliance documentation. The compliance failure detection in the tool is a great guide to areas of the system that need immediate attention.
If your organization is looking for a secure, modern solution to faxing, GFI FaxMaker has you covered. For years GFI has provided a number of tools to the healthcare industry, and now this extends into HIPAA compliant faxing.
- Fax confirmation and receipt notifications
- Lightweight installation and requirements.
- Compatible with almost all fax modems.
- Priced competitively with similar products.
- Allows for programmable one push faxing.
- Integrates with your existing contact list
GFI FaxMaker provides your organization with a range of new options for sending and receiving PHI and other sensitive information safely and conveniently. Traditional fax machines may not be physically secured in your office, or may suffer from a hardware failure that can leave your office dead in the water.
FaxMaker encapsulates fax messages and transmits them securely over the internet by integrating with your mail server. FaxMaker can automatically route faxes to a specific mailbox and you can delegate access to that mailbox based on your own security policies. With internet faxing in place you won’t have to worry about faxes sitting out in the open, or manually moving them into a secure location.
FaxMaker can integrate into an Active Directory environment and allow for pre-programmed faxing destinations. This minimizes the margin of error when sending faxes and is the preferred way of sending faxes among most healthcare organizations.
You’ll also have the option to enable send and receive receipts to let you know when your fax has arrived. This same feature can also let you know if there were any problems delivering your fax, such as a busy line or an internal connection issue.
GFI FaxMaker is available only for Windows Server 2008-2019 environments. The application is incredibly lightweight and easy to manage. The only additional piece of hardware you’ll need to get up and running is a business fax modem. A list of all compatible hardware can be found on their site.
- Modernizes faxes to be both HIPAA compliant and easier to manage digitally
- Offers access controls for specific user accounts
- Offers a wide range of security policies that are simple to implement
- Volume-based pricing discounts are available
- Focuses solely on faxing
Small businesses with between 10 and 49 users can expect to pay $72.00 (£57.58) per user, per year for the standalone product. Larger organizations can expect to pay slightly less per user depending on size.
GFI FaxMaker is available as a free trial so you can see if internet faxing is right for your business.
Sendinc is an email encryption tool that enables you to send secure messages right from your email application. When enabled, the program automatically uses military-grade encryption to secure your email so that only the recipient can read it. This is ideal for HIPAA compliance and provides an alternative to faxing PHI between facilities. Sendinc can be deployed as an add-in for Microsoft Outlook, making it lightweight and easy for everyone in the office to use.
- 256-bit military-grade encryption.
- No installation required.
- Easy to use Outlook plugin.
Under the settings, you’ll have the option to encrypt all your email by default, or only the messages you choose. Sending an encrypted email is as easy as clicking the “Send Secure” button next to your email in Outlook.
One of the best features of Sendinc is that recipients do not need any software on their end to receive encrypted emails. By simply creating a free account and having access to the link, they are able to decrypt and read the message.
Sendinc is an excellent tool if you’re looking to focus just on the email side of HIPAA compliance. Its ease of use and flexibility make it stand out from other software that requires installation and configuration before use.
- Allows users to encrypt emails directly from their default mail app
- Offers default encryption for all messages as an option
- Recipients do not need special software to decrypt messages
- Focuses solely on email encryption
You can test out Sendinc for free to secure your emails. Plans start at $48.00 (£38.52) a year for additional features such as more emails per day, unlimited message retention, and custom message expiration.
Mitel is a widely known and trusted name in the communication industry, so it’s no surprise that it has an entire cloud-based infrastructure dedicated to serving customers who must follow HIPAA and SOC regulations.
Mitel ensures any and all voice communications are routed through secure channels that abide by the HIPAA Security Rule. Mitel’s vast network of cloud-based data centers provides peace of mind when it comes to your organization’s uptime, and the ability to communicate effectively across multiple healthcare facilities.
- Cloud and on-premises options for healthcare facilities.
- Different HIPAA solutions for multiple forms of communication.
- Available for both VoIP and PBX phone systems.
- Fast and responsive customer service.
- A comprehensive multi-channel solution.
Mitel’s HIPAA services extend across all mediums of communication and encompass tools such as voicemail, live video, email, and secure instant messaging. Mitel is our number one choice not just because of its ease of use, but because Mitel provides a suite of services that cater to many of the challenges that primary care facilities face.
For organizations that are looking to securely share electronic records with patients, Mitel’s HIPAA based solution allows you to securely share surveys and other post-discharge tasks with your patients. Mitel’s cloud can manage and automate your Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) online medical forms right from its servers in secure data centers.
One of the major benefits of having a cloud-based provider is that there are no costly hardware installations or ongoing maintenance needs. Depending on how many employees your organization has, an on-premises solution can get costly fast. Thankfully, Mitel’s cloud-based solutions don’t require any additional hardware outside of phones and can operate over your existing PBX or internet lines.
With much of your communications infrastructure offsite, having solid customer support and fast response time is paramount. Upon testing, we found that you can get a hold of a representative right away who will collect your information, and then have a specialist call you back within 15 to 30 minutes.
- Administrators can enforce encryption for all calls
- HIPAA features can secure voicemail, email, instant messaging, and live video sessions
- Supports secure post-discharge forms and automated tasks
- Affordable for both small and large businesses
- Does not include robust HIPAA auditing or monitoring tools
Mitel’s pricing will vary depending on your organization’s size and needs but you can expect to pay anywhere from $21.00 (£16.80) to $39.00 (£31.20) per user if your office has between 50-100 employees. For the most accurate pricing information, you can contact their support team.
Doxy.me is a tele-medicine software built with HIPAA compliance at its foundation. Doxy.me allows secure communication between patients, providers, and clinics. Each connection is secured with 128-bit encryption to ensure that privacy is always maintained. Communications through Doxy.me are HIPAA, GDPR, and PHIPA compliant.
- Easy to use for both doctors and patients.
- Scalable for both small and large healthcare providers.
- No accounts or downloads required.
- No contracts, cancel anytime.
- Customizable landing pages and branding.
The practice management system uses special links, sent to patients by their doctor, to establish a connection so that a patient can consult their physician in just a few clicks. For people looking to schedule a video conference with their doctor, no account or download is needed. According to a study by Clemson University, Doxy.me was found to be one of the easiest tele-medicine apps to use for both patients and medical professionals.
Doctors can use the live chat feature to utilize both text messaging and video conferencing at the same time, making this one of the most flexible tele-medicine apps on the market. On the back end, doctors can also view their patient queue to see who has already checked in, and who hasn’t arrived yet. This allows doctors to move their schedule around, and toggle between patient information quickly and efficiently.
Doxy.me’s flexibility extends to both small and large clinics alike by providing a Business Associate Agreement to all of its accounts, even its free version. The clinic plan allows for customized branding, landing pages, and even unique sub-domains. Additional features such as admin control and room access are also available to help manage different facilities needs for secure telecommunications.
With so many other options available, Doxy.me really shines in the medical space where other programs fall short. The attention to detail, security standards, and added features make Doxy.me a solid choice when it comes to choosing a HIPAA compliant video conferencing solution.
- Connects patients and caregivers securely via HIPAA compliant standards
- Simple for both patients and medical staff to set up and use
- Doesn’t require a download or an account to use
- Does not offer HIPAA compliance auditing or monitoring
You can try Doxy.me for free. There are two levels of paid plans: Professional, which starts at $29.00 (£23.28), and Clinic, which starts at $50.00 (£40.13). The Clinic plan does have a one-time setup fee of $300.00 (£240.78).
Tiger Connect is a HIPAA compliant secure messaging app that helps bring patients and medical professionals together through the convenience of texting. Traditionally, texting is an insecure form of communication, but with Tiger Connect’s web-based component patients can easily join a tele-medicine session from a link sent via SMS.
- Ease of use, familiar user interface.
- Internal office communication between doctors.
- Role based user organization.
- For both Android and Apple.
This tele-medicine service eliminates the back and forth of phone tag and allows patients to view their personal health information or share video and images with their doctor in a safe encrypted environment. With this new level of speed and security, patients no longer have to wait for a follow-up call, or make another commute to a doctor’s office.
Tiger Connect provides a small suite of software tools to enable doctors and physicians to treat their patients with an unmatched level of flexibility. Tiger Connect also provides a secure and familiar platform for doctors and clinicians to communicate with one another and share protected health information internally. See who’s on call, which doctors are currently treating patients, and who is assigned to specific duties and roles right from the Tiger Connect app.
- Makes joining secure communications easy via text messaging
- Features are designed to eliminate phone tag and provide speedy communication
- Doctors can use the platform to see who’s on call, and which staff are treating certain patients
- Offers a wide range of customizable access control and security options
- Would like to see a free trial for testing
Currently, Tiger Connect does not offer a free download but does have the option to request a demo. Pricing for Tiger Connect starts at $10.00 (£8.04) a month per user.
If you’re looking to provide your office with file backups and disaster recovery that is still HIPAA compliant, Carbonite is a great solution.
Carbonite Pro is more appropriate for organizations with 25 or more computers and at least one server. This plan allows for 250 GB of HIPAA compliant storage that can back up individual PCs, external drives, and Network Attached Storage (NAS).
- No hassle HIPAA compliant file backups.
- Flexible options for endpoints, devices, and servers.
- 128 and 256-bit encryption.
- Cloud fail-over and 7-year data retention.
Carbonite Pro comes with a number of features that are particularly useful for HIPAA compliant environments such as protection from accidental deletion, hard drive failures, viruses, and ransomware. Data backed up by Carbonite Pro is protected with 128-bit level encryption.
The Carbonite Server Backup plan is more geared towards saving and backing up entire snapshots of server environments. The Safe Server plan has all the same features as Carbonite Pro with the added benefit of being able to restore physical and virtual servers to a bare metal server. All data is backed up with 128 or 256-bit level encryption, offering data protection both in transit and at rest.
- Focuses on creating reliable HIPAA compliant backups
- Offers protection for accidental deletion
- Data is protected with HIPAA compliant levels of encryption
- Supports network-level backups and incremental restores
- Better suited for larger networks
Carbonite requires one year to be paid upfront for both plans. Carbonite Pro starts at $287.99 (£231.41) annually. Carbonite Safe Server costs start at $600.00 (£482.12) a year. The Safe Server plan does have a more advanced plan that incorporates 7 years of flexible retention and cloud fail-over for $1764 (£1417) every year. Check out the Carbonite Backups Plans.
Paubox is an email encryption software that works without the use of a login, plugin, or any user interaction whatsoever. This allows your organization to send secure, HIPAA compliant emails from its email server without the need for a patient portal or any form of training.
- No logins, downloads, or training required.
- Competitive pricing.
- Supports TLS connection fail-over.
- Works with any mail server.
Paubox works by automatically securing your organization’s email traffic with 128/256-bit AES encryption. The email is secured in transit straight to the recipient’s inbox for end-to-end encryption. Paubox asks the recipient’s mail server to open a TLS connection to accept the secured email. In the rare case that the recipient’s mail server cannot do this, a link is delivered instead, through which the message and any attachment can be viewed in Paubox’s secure web app. Any replies back to the sender are also encrypted.
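The TLS-first delivery decision described above, as an added Python simulation that is not Paubox’s code: it checks a constructed EHLO reply for STARTTLS, falls back to an unguessable web-app link when TLS is not offered or the handshake fails, and emits one audit line per recipient. The host names, the portal URL and the helper names are assumptions made for the example.

```python
"""TLS-first email delivery with a secure-link fallback (added simulation).

Not Paubox's code. EHLO replies, handshake outcomes, host names and the
portal URL are constructed or assumed for the demo.
"""
from dataclasses import dataclass
import secrets

# Placeholder base for the "view this message" link; not a real service.
PORTAL_BASE = "https://portal.example.invalid/m/"


@dataclass(frozen=True)
class Delivery:
    recipient: str
    mode: str       # "tls": body sent over a TLS session; "link": notice with a portal link
    reason: str
    artifact: str   # "tls-session" or the one-time portal link handed to the recipient


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """Return True if a (constructed) EHLO reply advertises STARTTLS.

    Capability lines look like '250-KEYWORD [params]' or '250 KEYWORD' on the
    last line. Only the keyword is compared, so a parameter or a near-miss
    such as STARTTLSX does not count.
    """
    for raw in ehlo_reply.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def portal_link() -> str:
    """Unguessable one-time link: it is the only credential the recipient gets."""
    return PORTAL_BASE + secrets.token_hex(16)


def plan_delivery(recipient: str, ehlo_reply: str, handshake_ok: bool) -> Delivery:
    """Decide how a message to `recipient` leaves the sending server.

    Policy from the article: ask the receiving server for a TLS session; if it
    cannot provide one, deliver a link to the secure web app instead. Two
    failure modes are handled: STARTTLS never advertised, and STARTTLS
    advertised but the handshake failing. Neither case may fall back to
    plaintext SMTP. Note that TLS on this hop protects the message between
    the two mail servers, not once it sits in the recipient's mailbox.
    """
    if not ehlo_offers_starttls(ehlo_reply):
        return Delivery(recipient, "link", "no STARTTLS advertised", portal_link())
    if not handshake_ok:
        return Delivery(recipient, "link", "TLS handshake failed", portal_link())
    return Delivery(recipient, "tls", "STARTTLS negotiated", "tls-session")


def audit_line(d: Delivery) -> str:
    """One log line per recipient; the portal token itself is never logged."""
    artifact = "portal-link" if d.mode == "link" else d.artifact
    return f"recipient={d.recipient} mode={d.mode} reason={d.reason!r} via={artifact}"


# Constructed EHLO replies standing in for two receiving servers.
EHLO_WITH_TLS = "250-mx.clinic.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx.legacy.example\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"


def plan_batch(recipients):
    """recipients: iterable of (address, ehlo_reply, handshake_ok) tuples."""
    return [plan_delivery(addr, ehlo, ok) for addr, ehlo, ok in recipients]


if __name__ == "__main__":
    batch = [
        ("dr.lee@clinic.example", EHLO_WITH_TLS, True),
        ("records@legacy.example", EHLO_NO_TLS, True),
        ("billing@clinic.example", EHLO_WITH_TLS, False),  # handshake broke
    ]
    for d in plan_batch(batch):
        print(audit_line(d))
```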
- Offers email encryption without logins, downloads, or plugins
- Automatically secures email traffic server-side
- Offers fail-over that sends a link to the encrypted message
- Focuses solely on securing email messages
Paubox is unique in that it requires no interaction with the end-user whatsoever. This eliminates the need for training or additional support tickets in your organization. You can operate Paubox for free, but additional features start at $10.00 (£9.15) a month per user.
RingRx focuses on providing a holistic solution to HIPAA compliant communication. Its primary service is compliant VoIP for small to medium-sized clinics. RingRx allows for secure phone calls from the office, with call forwarding to your cell phone. RingRx also includes internet faxing, text messaging, and visual voicemail in its mobile app, which is available for both Android and iPhone.
- Simple three-tier pricing.
- Mobile app for both Android and iPhone.
- Geared for small to medium-sized clinics.
The pricing model for RingRx is simple and starts at $15.00 (£12.01) a month per user. If you want to take advantage of their other services outside of VoIP, the $19.00 (£15.21) a month plan encompasses texting, web fax, fax number, and voicemail transcription.
- Includes HIPAA compliant VoIP communications, text messaging, and voicemail services
- Supports Android and iOS apps
- Simple pricing makes RingRx accessible to smaller clinics
- Aimed towards small to medium-sized businesses
RingRx makes its services and pricing structure simple. This ensures small clinics are never paying for what they don’t need while staying in touch and HIPAA compliant. They offer a free trial.
Updox is a certified tele-health solution that functions more like a customer relationship management (CRM) tool. It allows for patient communication via HIPAA compliant secure text, video chat, and VoIP. Updox stands apart from most tools by integrating into a vast network of electronic health record databases that serve over 300,000 users.
- Multi-device support
- Remote and secure patient communication
Healthcare professionals have the ability to schedule appointments, follow-ups, and appointment reminders all from one dashboard. While most tele-medicine platforms focus only on clinics and private practices, Updox has specific tools and core features that cater to the needs of pharmacies as well. Updox can even serve as a payment portal for your clients, allowing you to securely accept credit card transactions within your management system.
Core features include electronic document signing, electronic fax, and access to the Updox directory. The Updox directory contains over 1.5 million addresses of verified healthcare providers, allowing your office to build out its referral network to better serve your patients.
- Offers CRM functionality while keeping HIPAA standards in mind
- Supports secure VoIP, text messaging, and video chat communications
- Allows staff to set follow up appointments and reminders in one place
- Supports electronic document signing
- Better suited for larger organizations
Prices range from $35 to $65 per user. For the most accurate pricing for your organization, you can request a 30-minute demo of the Updox system.
Choosing a HIPAA Compliant Software Solution
With so many different tools and solutions to choose from, it’s important to know which ones are built with HIPAA compliance in mind. Whether you’re looking to secure your entire business with Mitel’s cloud solution, or just need to send secure internet faxes with GFI FaxMaker, using the right tool can make all the difference when it comes to protecting your patients’ personal health information.
HIPAA Compliance FAQ
Is Zoom HIPAA compliant in 2020?
Yes. Zoom is HIPAA compliant. This makes it suitable for use by businesses in the health sector. However, the compliant business needs to enter into a business associate agreement with Zoom prior to using the platform and follow HIPAA guidance on secure usage when using Zoom.
What is the best chat voice video API solution for Telehealth?
Check out the following chat apps for Telehealth:
- Snap Engage
These are all HIPAA compliant.
What are the three rules of HIPAA?
There are many rules in HIPAA – many more than three. A rule is a set of standards, a little like a category or chapter. There are, however, three aspects to the security safeguards in HIPAA: administrative, physical, and technical.
What is the most common HIPAA violation?
The hardest HIPAA violation to control, and therefore the most common, is gossip. Health workers talking about a patient’s circumstances or the events surrounding treatment becomes a violation when that information is passed to people who aren’t directly involved in the treatment. Verbal communication outside of the healthcare premises is almost impossible to monitor, prevent, or audit.