Health Insurance Portability and Accountability Act (HIPAA)

Is Curogram HIPAA compliant?


How is Curogram HIPAA compliant?

Curogram complies with the following HIPAA regulations:

The Security Rule – Technical Safeguards

Access Controls

Unique User Identification: Each provider is assigned a unique user ID on Curogram. Providers are identified by email address; patients are identified by phone number. If a patient or provider changes their identifier, the account is temporarily deactivated and transferred to the new phone number or email address once it becomes available.

Emergency Access Procedure (required): Curogram uses automatic backups on AWS (Amazon Web Services), which are accessible any time there is an emergency.

Automatic Logoff (addressable): Curogram automatically logs users out of sessions after a period of inactivity, which is user-controlled in settings.

Encryption and Decryption (addressable): All data at rest is encrypted through third-party integrations from AWS Marketplace partners; Curogram currently uses dm-crypt.

Audit Controls

Curogram uses Loggly, as well as Curogram's internal logging system. All PHI (Protected Health Information) logs are stored on Curogram's internal logging system; non-PHI logs are stored on Loggly.

Integrity Controls

Mechanism to Authenticate Electronic Protected Health Information (addressable): Curogram employs AWS S3, which has built-in integrity checking.

Person or Entity Authentication (required): Healthcare providers authenticate to the application using username/email and password.

Transmission Security

Integrity Controls (addressable): Curogram employs SSL connections with built-in integrity checking.

Encryption (addressable): Curogram encrypts data in transit using SSL certificates.

The Breach Notification Rule

What constitutes a reportable HIPAA breach? Curogram considers any breach of PHI a HIPAA breach.

Who must be notified in the event of a breach? Curogram alerts the providers and patients involved in the breach via email and text message. In severe cases, Curogram may also alert law enforcement.

How quickly must notification occur? HIPAA requires breaches to be reported within 60 days. However, Curogram's protocols and procedures report most breaches within 24 hours of detection.

See Also: HIPAA Policies and Procedures

Last Update: Nov 25, 2016

Do offices need written consent to initiate text messages with patients?

The short answer is NO. According to FCC rules governing SMS (text) and email marketing, any texts “facilitating, completing, or confirming a previously agreed upon transaction” are considered transactional messages, and not subject to regulation.

Marketing or promotional messages do not directly involve an existing transaction, and do require written permission from the recipient.

Here are some examples that apply to SMS use by a medical office:

Transactional Texts

  • Appointment reminders
  • Check-up reminders
  • Messages regarding account balance
  • Purchase order confirmations
  • Delivery status
  • Sign up details
  • Customer greetings (holiday, birthday, etc.)
  • Confirmation messages relating to purchases

Promotional Texts

  • Reminders to schedule the next appointment (not a follow-up)
  • Advertising new services
  • Health tips
  • Coupons, discounts or exclusive offers
  • Customer loyalty programs and rewards

Does HIPAA prohibit messaging without consent?

There are no rules prohibiting healthcare providers from texting appointment reminders, missed appointment notices, etc. to patients. HIPAA does not prohibit text communication, and in fact does not specifically mention text messaging at all.

Aside from the requirement to obtain written consent, what are some of the regulatory differences between transactional messages and marketing messages?

Some more regulations

Transactional SMS (text) Regulations

  • May carry any kind of informational content, e.g. bank transactions, alerts, notifications
  • May be sent any time of the day
  • May be sent to DND (Do Not Disturb) numbers

Promotional SMS (text) Regulations

  • May carry any marketing/promotional content
  • Can be sent only between 9 am and 9 pm
  • Cannot be sent to DND numbers