What Is This Product?
AppointmentQuest is an online scheduling tool that offers client self-scheduling, reminders, forms, and payments. At first glance, their page about using their product for healthcare seems to hit all of the right Person-Centered Tech buttons: HIPAA compliance requires not just buying software with some imaginary “HIPAA Compliant” stamp on it, but also the HIPAA-compliant use of those products and overall clinician behavior. But then they take an abrupt turn towards a reckless misunderstanding of HIPAA compliance when they state:
“HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from patients.”
Huh? This indicates to us that AppointmentQuest doesn’t understand the relationship between a HIPAA covered entity and the Business Associates of that covered entity. AppointmentQuest is operating as a HIPAA Business Associate but does not offer a Business Associate Agreement (BAA), and thus cannot be used in a HIPAA-compliant manner.
Even some of the clarification they provided makes it clear they don’t understand what Electronic Protected Health Information (ePHI) is. They write:
“We do not advice [sic] to store disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider).”
Wow. Roy would like to remind you that ePHI most certainly includes customer names, contact info, appointment times, and payment information. We do not recommend AppointmentQuest for any of your appointment-y needs. For a deep dive into what constitutes PHI, and how to protect PHI, please see our CE for OH course — access included in membership — “How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes.”