Curogram complies with the following HIPAA Security Rule technical safeguards:
Access Controls: Unique User Identification (required): Each user is assigned a unique identifier on Curogram. Providers are identified by email address; patients are identified by phone number. If a patient or provider changes their identifier, the account is temporarily suspended and transferred to the new phone number or email address once it has been verified as available.
Emergency Access Procedure (required): Curogram keeps automatic backups on AWS (Amazon Web Services), which remain accessible whenever an emergency requires them.
Automatic Logoff (addressable): Curogram automatically logs users out after a period of inactivity; the timeout is configurable by the user in settings.
Encryption and Decryption (addressable): All stored data is encrypted at rest using tooling integrated through AWS Marketplace partners; Curogram currently uses dm-crypt (Linux kernel block-device encryption).
Audit Controls (required): Curogram uses Loggly together with its own internal logging system. All logs containing PHI (Protected Health Information) are kept in Curogram's internal logging system; only non-PHI logs are sent to Loggly.
Mechanism to Authenticate Electronic Protected Health Information (addressable): Curogram stores data in AWS S3, which performs built-in integrity checking on stored objects.
Person or Entity Authentication (required): Healthcare providers authenticate to the application with their email address (username) and password.
Integrity Controls (addressable): Curogram transmits data over TLS (SSL) connections, whose record layer provides built-in integrity checking of the data in transit.
Encryption (addressable): Data in transit is encrypted with TLS (SSL); the server's certificate authenticates the Curogram endpoint to the client.
What constitutes a reportable HIPAA breach? Curogram treats any breach involving PHI as a reportable HIPAA breach.
Who must be notified in the event of a breach? Curogram alerts the providers and patients involved in the breach by email and text message. In severe cases, Curogram may also notify law enforcement.
How quickly must notification occur? HIPAA requires breach notification without unreasonable delay, and no later than 60 days after the breach is discovered. Curogram's protocols and procedures aim to report most breaches within 24 hours of detection.
Last Update: Nov 25, 2016
The short answer is NO. Under the FCC rules governing SMS (text) and email marketing, any text "facilitating, completing, or confirming a previously agreed upon transaction" is a transactional message and is not subject to the consent rules that apply to marketing.
Marketing or promotional messages do not relate to an existing transaction, and they do require prior written consent from the recipient.
Here are some examples that apply to SMS use by a medical office:
No rule prohibits healthcare providers from texting appointment reminders, missed-appointment notices, and similar messages to patients. HIPAA does not prohibit text communication; in fact, it does not specifically mention text messaging at all.
Aside from the written-consent requirement, what are the regulatory differences between transactional messages and marketing messages?