Is HoneyBook HIPAA Compliant?

HoneyBook is not HIPAA compliant for creating, collecting, storing, maintaining, or transmitting electronic Protected Health Information when a healthcare provider is a HIPAA Covered Entity or is acting as a Business Associate, and it may only be used when electronic Protected Health Information is not accessible to HoneyBook’s servers or when a patient has executed a valid authorization permitting disclosure to HoneyBook.

HoneyBook is a client flow management platform that supports enquiries, appointment scheduling, invoicing, and payment acceptance. HoneyBook plan tiers support integrations with applications such as Calendly, Gmail, Outlook, QuickBooks, and Zapier, which can extend where information is stored and shared when those connected services are used.

HIPAA does not apply to every individual healthcare provider or small medical practice. Providers that bill patients directly, or that do not conduct the electronic transactions for which the U.S. Department of Health and Human Services has published Part 162 standards, do not qualify as HIPAA Covered Entities unless they perform functions or activities for or on behalf of a HIPAA Covered Entity as a Business Associate.

When HIPAA applies, the HIPAA Privacy Rule governs protections against unauthorized uses and disclosures of Protected Health Information, including information in a designated record set. When non-health information is stored in the same designated record set, it is protected to the same standard. The HIPAA Security Rule governs safeguards for electronic Protected Health Information and applies to outsourced services that use electronic Protected Health Information.

HoneyBook states that it has not been designed to accommodate healthcare privacy and security requirements and does not provide sufficient safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information. Healthcare providers subject to HIPAA must not use HoneyBook, or applications connected to HoneyBook, to create, collect, maintain, or transmit electronic Protected Health Information unless the patient has provided a valid authorization for disclosure to HoneyBook.

HoneyBook can be used for limited administrative functions when electronic Protected Health Information is not entered into the platform. Uses described for this purpose include receiving enquiries containing names and contact details, scheduling appointments without including the nature of a health condition, invoicing patients, and accepting payments, with payment processing exempt under §1179 of the Social Security Act.

Healthcare providers that need a customer relationship management platform for activities involving electronic Protected Health Information should use an alternative that supports a Business Associate Agreement with the vendor and can be configured to support HIPAA compliance.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]