Messaging, Automated Reminders, and HIPAA Compliance

HIPAA compliance & Kalix's messaging (appointment reminders & notices, billing & late payment reminders, online forms & ad hoc messaging).


Kalix allows you to send SMS (text messages), text-to-voice (voice messages) and email messages from your account to your clients and contacts. Messages can be automated to remind (Appointment Reminders) and notify (Appointment Notices) clients about upcoming appointments, and to remind them to pay outstanding bills (Billing and Late Payment Reminders). Messages can also be sent manually, for example to collect client information via online forms and electronic paperwork, to communicate with other healthcare providers, to send invoices and bills, and on an ad hoc basis.

What Does HIPAA Say About Messaging (Email, Text Message & Voice Message)

HIPAA does not explicitly prohibit the unencrypted transmission of electronic protected health information (ePHI)*. HIPAA does require covered entities** (you) to inform patients, via a Notice of Privacy Practices, where their ePHI is stored, how it is transmitted, and how it is accessed. Covered entities (you) must also take reasonable precautions to minimize the amount of ePHI* sent over an insecure channel, and must implement safeguards to protect client privacy and to minimize the risk of a security breach.

Kalix and HIPAA Compliance

Here at Kalix we take HIPAA regulations very seriously. As your business associate***, we must also comply with HIPAA requirements to protect the privacy and security of health information. We have stringent procedures and technology in place to make sure Kalix meets government privacy and security requirements. We require all paying users based in the United States of America to enter into a Business Associate Agreement (BAA) with us, in accordance with the Privacy Rule. Our BAA incorporates the Kalix terms and conditions; if there is a conflict between those terms and the BAA, the BAA prevails. Click here for further information.

As stated above, HIPAA requires covered entities (you) to inform patients where their ePHI is stored, how it is transmitted and how it is accessed. Covered entities (you) must also take reasonable precautions to minimize the amount of ePHI* sent over an insecure channel, and must implement safeguards to protect client privacy and to minimize the risk of a security breach. Below we summarize how Kalix makes it easier for you to meet these HIPAA requirements:

Messaging safeguards offered by Kalix:

  • Data is encrypted in transit between Kalix and our third party messaging providers.

  • Emails are encrypted in transit whenever possible. 

  • All data is encrypted at rest including all backup copies.

  • At Kalix, access controls are in place, including electronic identification of users and restriction of physical on-site data access to a limited list of people.

  • Kalix's messaging and reminders limit ePHI transmission to the minimum necessary; for example, only a client's first name can be included in a message, not their full name or other identifying information.

  • Messaging can be “opt in" only, requiring your clients to consent prior to receiving messages via Kalix.

  • HIPAA form - Notice of Privacy Practices can be completed via Kalix's Client Access Form functionality.

  • Your clients have the ability to opt out from receiving messages at any time. 

  • Kalix does not send forms or documents via email, text-to-voice or SMS. Instead it sends a secure web link, along with a separate code to unlock the form or document. The form or document is viewed and completed within Kalix, in an encrypted environment.
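The "secure web link plus unlock code" safeguard above is a common pattern, and the properties a practitioner checks for are that the link token is unguessable, the code travels separately and never appears in the URL, the server stores only hashes of both, and the link expires and locks out after repeated wrong codes. The following Python is an added illustration of that pattern written for this page; it is not Kalix's code, and the class name, time-to-live and attempt limit are assumptions.

```python
"""Added illustration of the link-plus-code pattern (not Kalix's implementation).
FormLinkStore, TTL_SECONDS and MAX_ATTEMPTS are hypothetical names/policies."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5             # assumed policy: lock the link after 5 wrong codes
TTL_SECONDS = 7 * 24 * 3600  # assumed policy: link valid for 7 days


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class FormLinkStore:
    """In-memory stand-in for the server-side table of issued links."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def issue(self, form_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a link token (goes in the URL) and a short unlock code (sent
        out of band). Only hashes are stored, so a leaked table yields neither.
        The 6-digit code is cheap to brute-force offline, but it is only useful
        together with the 256-bit token, and online guessing is rate-limited."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        code = f"{secrets.randbelow(10 ** 6):06d}"  # 6-digit code, sent separately
        self._records[_sha256(token)] = {
            "form_id": form_id,
            "code_hash": _sha256(code),
            "expires": now + TTL_SECONDS,
            "attempts": 0,
            "locked": False,
        }
        return token, code

    def unlock(self, token: str, code: str, now: Optional[float] = None) -> Optional[str]:
        """Return the form_id when token and code are both valid, else None.
        Possessing the URL alone is never enough: the code must also match."""
        now = time.time() if now is None else now
        rec = self._records.get(_sha256(token))
        if rec is None or rec["locked"] or now > rec["expires"]:
            return None
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(rec["code_hash"], _sha256(code)):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:
                rec["locked"] = True
            return None
        return rec["form_id"]


if __name__ == "__main__":
    store = FormLinkStore()
    token, code = store.issue("notice-of-privacy-practices")
    print("link token:", token, "code:", code)
    print("unlock with right code:", store.unlock(token, code))
    print("unlock with wrong code:", store.unlock(token, "000000"))
```

The point of sending the code by a different channel than the link is that an email or text that is intercepted in transit (the unencrypted fallback cases described in the sections that follow) does not by itself reveal the form's contents.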

Further Details - Messaging Methods

Email

Kalix's email messages (and reminders) are encrypted in transit between Kalix and our third party provider. Our HIPAA compliant third party email provider encrypts data at rest (in storage). When transmitting emails to your clients and contacts, our third party provider uses TLS (Transport Layer Security)**** by default and checks the validity and legitimacy of the receiving mail server's certificate. If a client's or contact's email provider does not support TLS, they fall back to sending the message unencrypted (so that the message is still received). In other words, encryption in transit to the recipient is opportunistic, not guaranteed: an email sent to a mail server without TLS support travels in the clear, which is one reason to keep the ePHI in any email to the minimum necessary.
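The opportunistic behaviour just described can be modelled from the capabilities a receiving mail server advertises in its EHLO reply. The Python below is an added example, not code from Kalix or its email provider: it parses a constructed EHLO reply, decides whether a message would go out over TLS or in plaintext under an "opportunistic" or a "require" policy (both policy names are hypothetical), and lists the recipients of a batch that would receive plaintext delivery.

```python
"""Added example (not Kalix's or its provider's code) modelling opportunistic
STARTTLS delivery. EHLO replies and recipient addresses are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class DeliveryPlan:
    recipient: str
    mode: str    # "tls", "plaintext" or "refused"
    reason: str


def parse_ehlo_capabilities(ehlo_reply: str) -> Set[str]:
    """Extract capability keywords from an RFC 5321 EHLO reply.
    Lines look like '250-STARTTLS' (more to follow) or '250 HELP' (last line);
    the first 250 line is the server's greeting, not a capability."""
    caps: Set[str] = set()
    lines = [ln.strip() for ln in ehlo_reply.splitlines() if ln.strip().startswith("250")]
    for line in lines[1:]:
        body = line[3:].lstrip("- ").strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def plan_delivery(recipient: str, ehlo_reply: str, policy: str = "opportunistic") -> DeliveryPlan:
    """'opportunistic' (hypothetical name): use TLS when offered, otherwise fall
    back to plaintext, which is the behaviour described on this page.
    'require' (hypothetical name): never send in the clear; refuse instead."""
    caps = parse_ehlo_capabilities(ehlo_reply)
    if "STARTTLS" in caps:
        return DeliveryPlan(recipient, "tls", "server advertised STARTTLS")
    if policy == "require":
        return DeliveryPlan(recipient, "refused", "no STARTTLS and policy requires TLS")
    return DeliveryPlan(recipient, "plaintext", "no STARTTLS; opportunistic fallback")


def plaintext_recipients(batch: Iterable[Tuple[str, str]], policy: str = "opportunistic") -> List[str]:
    """Recipients whose message would travel unencrypted, so the sender can
    judge whether the content is 'minimum necessary' for that channel."""
    plans = (plan_delivery(r, e, policy) for r, e in batch)
    return [p.recipient for p in plans if p.mode == "plaintext"]


# Constructed EHLO replies: one server offers STARTTLS, the other does not.
EHLO_WITH_TLS = "250-mail.example.org Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_TLS = "250-legacy.example.net Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n"

SAMPLE_BATCH = [
    ("client1@example.org", EHLO_WITH_TLS),
    ("client2@example.net", EHLO_NO_TLS),
]

if __name__ == "__main__":
    for recipient, reply in SAMPLE_BATCH:
        print(plan_delivery(recipient, reply))
    print("would go plaintext:", plaintext_recipients(SAMPLE_BATCH))
```

Because the decision rests on what the receiving server advertises, an on-path attacker who strips the STARTTLS line from the EHLO reply triggers the same plaintext fallback as a server that genuinely lacks TLS; that downgrade risk is why a "require TLS" policy exists, and why the page's advice to keep ePHI in email to a minimum applies even when TLS is usually negotiated.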

Text Messaging & Voice Messaging

Kalix's text and voice messages (and reminders) are encrypted in transit between Kalix and our third party provider. For privacy and security, our third party provider does not store a record of your text and voice messages within their system. However, because text and voice messages are delivered over the regular phone network, data is sent from our third party provider to your clients' or contacts' phones unencrypted. No technology currently exists to encrypt ordinary text or voice messages all the way to the recipient without the receiver downloading and using a specialized app. As described above, HIPAA allows you to send messages through unencrypted channels such as text and voice message, provided certain safeguards are implemented.

Other Administrative, Physical and Technical safeguards YOU Should Take

As a covered entity, it is your responsibility to take appropriate administrative, physical and technical safeguards to ensure the safe transmission and storage of ePHI. Below is a list of factors and suggestions you should consider:

Education 

  • Educate your staff and clients as to the risks of using email, text and voice messaging communication and how to mitigate these risks.

Access controls 

  • Limit your staff's access to Kalix: allow only staff who need it to access Kalix.

  • Each staff member who accesses Kalix should have their own login and unique password.

  • Assign staff who access Kalix appropriate access levels (click here for details). Choose the lowest access level that still lets them do their work.

  • Password lock all computers and devices that access Kalix, so others cannot obtain access when you and your staff leave them unattended.

  • Enable computer locking when there is no activity (mouse or keyboard movement).

Policies

  • Set policies around the use of messaging and reminders.

  • Set up policies and procedures relating to use and disclosure of PHI. Make sure they are understood and followed by all staff.

Password Protection

  • For your Kalix login, choose a strong password: at least 8 characters (the longer the better), with a combination of uppercase and lowercase letters, numbers and symbols. Do not choose commonly used passwords or ones based on details others can guess, such as names or birthdays.

  • Do not re-use the same password on multiple programs; a password manager makes unique passwords practical.

  • Do not share your Kalix login or password with others.

  • Don't leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account.

Terms

* Protected Health Information (PHI) is any individually identifiable demographic or health information relating to the past, present, or future physical or mental health or condition of an individual, including information about the provision of, or payment for, health care services to an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Electronic PHI (ePHI) is PHI that is stored or transmitted electronically.

** Covered Entities: HIPAA-covered entities include health plans, clearinghouses, and certain health care providers. Use the linked Covered Entity Guidance tool to check whether you are one.

*** Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity. 

****TLS provides secure communications (encrypted) on the internet for such things as e-mail and other data transfers. 
