Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: No.
Recommend for your HIPAA risk management needs?: No.

What Is This Product?

Boomerang is email productivity software that currently has products of the same name for Gmail, Outlook and Android. The software allows users to schedule sending of emails, snooze messages, pause their inbox, get reminders about an email if it hasn’t been replied to, and get read receipts.

While Boomerang is a great tool for helping you achieve and maintain that coveted “inbox zero” status, and for making sure you don’t forget to follow up on something important, it cannot be used as an add-on for email accounts that touch or handle Protected Health Information (PHI). If you use Boomerang, they have access to your email account and its contents, and using the Boomerang services means they’re handling identifiers such as the recipient’s email address, IP address, and the content of the recipient’s response. (If you’re wondering how this constitutes PHI, please see our CE for OH course, included in membership, How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes.)

For HIPAA covered entities, the deal breaker is that the company won’t execute a Business Associate Agreement (BAA). Friendly reminder: if a third party qualifies as a Business Associate under HIPAA, then a Business Associate Agreement is required, and informed consent does not and cannot absolve that requirement. For more on this, see our article What Is a HIPAA Business Associate? And, for a deep dive into it, see the Business Associates and Business Associate Agreements unit from Module 2: Grasping the Basics of HIPAA Security Rule Compliance of our Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional course, included in membership.

For mental health providers that are not HIPAA covered entities, we still do not advise using Boomerang. Unless they are a company that will execute a BAA and can meet the HIPAA Security standards required of a Business Associate, you’re giving Boomerang access to your email account and client information without assurances as to how they will secure client information in ways that meet your legal and ethical needs, and without the ability to know that they understand what those legal and ethical needs are. (For more on how HIPAA relates to your legal and ethical needs even as a non-covered entity, please see our article Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?)

By all means, though, feel free to use Boomerang for personal email accounts that don’t handle or touch PHI if its functionality has appeal!