Is HoneyBook HIPAA Compliant?
HoneyBook is not HIPAA compliant and should not be used by HIPAA covered entities or business associates to create, collect, store, or transmit electronic Protected Health Information (ePHI). However, it is still possible for healthcare providers to use HoneyBook for some customer relationship activities.

HoneyBook styles itself as “client flow management software” that can help independent professionals and small businesses better manage customer relationships and backend administration. HoneyBook provides this help via an “all-in-one” platform that includes capabilities such as enquiry management, appointment scheduling, and workflow automation. Businesses can also invoice clients and receive payments through the HoneyBook platform.

Business owners can increase the platform’s capabilities by upgrading their subscriptions and/or integrating apps such as Mailchimp, Trello, and QuickBooks Online. The versatility of HoneyBook makes it ideal for solo healthcare providers and small medical practices who want to spend more time treating patients and less time doing paperwork, while the price of a HoneyBook subscription makes it a cost-effective alternative to most CRM solutions.

Is HoneyBook HIPAA Compliant?

When evaluating a new software solution, an important consideration for most healthcare providers is whether the software solution supports HIPAA compliance. This means that the software has the necessary safeguards for healthcare providers to comply with the HIPAA Security Rule, that any electronic Protected Health Information (ePHI) used by the software solution will remain secure, and that the vendor will enter into a Business Associate Agreement.

HoneyBook meets none of these criteria. HoneyBook acknowledges that the platform does not have the necessary safeguards to make HoneyBook HIPAA compliant and cannot guarantee the security of ePHI. HoneyBook will not enter into a Business Associate Agreement with HIPAA covered entities and business associates, and consequently HoneyBook cannot be used to create, collect, store, or transmit ePHI. To do so would be a violation of HIPAA.

In addition, because HoneyBook is not HIPAA compliant, any HIPAA compliant apps connected to the HoneyBook platform are no longer HIPAA compliant. For example, if you were to connect a HIPAA compliant Outlook account to HoneyBook, and the Outlook account transmitted ePHI into a HoneyBook activity feed via an email, the actions of the Outlook account would violate HIPAA. However, this does not mean all customer relationship activities are prohibited.

How to Use HoneyBook for Healthcare

Using HoneyBook for healthcare requires an understanding of what ePHI is and what it isn’t. As explained in this article, PHI (with or without the “e”) is individually identifiable health information that relates to an individual’s health condition, treatment for the health condition, or payment for the treatment. In addition, any identifying non-health information maintained in the same designated record set as PHI assumes the same protections as PHI.

However, if identifying non-health information is maintained separately from PHI, it can be used by healthcare providers and medical practices without restriction. This means HoneyBook can be used in healthcare for customer relationship activities such as enquiry receipt and response, appointment scheduling, and patient invoicing – provided only non-health information is communicated and provided any PHI received from patients is deleted from the platform.

Solo healthcare providers and small medical practices who are unsure about the distinction between PHI and identifying non-health information, or who need further advice about using customer relationship management software in compliance with HIPAA, should seek independent advice from a compliance professional.