OhMD and HIPAA Compliance

Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.

Recommend for your HIPAA risk management needs?: Yes. If you're a solo/solo+ provider (meaning there is only one clinician/HIPAA covered entity within your organization) -- then the "base" plan should be sufficient for your HIPAA security needs. If you're a group practice, then you should obtain the "plus" or "reach" option in order to have the chat auditing feature. If you wish to have both conventional SMS and secure messaging, you need OhMD's "reach" tier.

# of Caveats: 0 view caveats→

# of Usage Notes: 2 view notes→

Relevant Product Characteristics

This product is designed specifically with mental/behavioral health professionals in mind.
The leadership or management behind this product includes at least one health care professional (but no mental/behavioral health professionals that we could find.)

What Is This Product?

OhMD is a secure messaging system designed specifically for the healthcare industry, that’s oriented to providing efficient and secure texting between both clinicians/providers and clients/patients, as well as between providers. OhMD works with your existing phone number (or they can obtain a new phone number for you, but that number will be used only for messaging — not for voice calls, as they’re not a VoIP service.)

OhMD has 3 different plan tiers, each of which includes a HIPAA Business Associate Agreement (BAA.) Their free “base” tier is ideally suited for solo/solo+ providers (meaning there is only one clinician/HIPAA covered entity within your organization.) For those in group practice (more than one clinician within the organization/as part of the HIPAA covered entity,) their “plus” and “reach” plans are designed for both your security and functionality needs. The “plus” and “reach” plans both include a “chat auditing” feature that’s necessary for retaining data availability — any system that handles Protected Health Information (PHI) on behalf of the practice, should have control over and access to all information handled by said system maintained by the practice (keep it “in the circle.” This chat auditing feature is not available on the base plan — though one can still see all messages exchanged within an individual’s user account, which is why the base plan is best suited for solo/solo+ practices.

OhMD, on both the “base” and “plus” plans, functions as a proprietary messaging app, which does require that the client download it — remember, encryption is a two-party game and both parties must have the decoder ring. However, this is a simple and streamlined process for the client; the provider simply sends them an invitation (which is generic and sent from OhMD, not directly from the provider — which is preferred from a risk management perspective) to download the app and setup a profile. Once the profile is setup, the client can securely communicate with their provider — or if you’re on the “plus” or “reach” plan, you can create a care team or admin team and the messages can be directed to those within that designated group. If you want additional functionality, such as secure chat messaging embedded on your website (with configurable operational hours, away messages, and customized batch messaging) you can opt for OhMD’s “reach” plan. The “reach” plan also includes conventional SMS messaging functionality, so clients don’t have to download the app — however, if you utilize this functionality you must ensure you’ve done the request for non-secure communications and collaborative risk analysis for non-secure communications process with clients before utilizing it (something the company will also tell you. Note, it’s a good sign when a company is willing to step up and partner in your HIPAA Security compliance process needs and inform you of your responsibilities as a user!)

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Ascertain which plan tier meets your needs — and what your responsibilities are

If you’re not a solo/solo+ provider, you’ll need the “plus” tier in order to meet your HIPAA compliancy requirements (see commentary above.)

If you’re utilizing the “reach” tier that includes conventional SMS texting functionality, be sure to perform your collaborative risk analysis and obtain the request for non-secure communications documentation from client(s) before using this functionality. (You can find resources for both on our site under the “my free downloads” tab on your dashboard, when logged into your user account.)

2) “Harden” any devices that have the app/access the web dashboard

Remember, any device that accesses a practice system that contains Protected Health Info (PHI) at any time must be properly hardened so that the info those system(s) contain isn’t potentially jeopardized by the device being compromised. For why device hardening is crucial, see our free article here: Holding Safe Space Through Device Security. For our device security to-do checklist, see here: Computer and Smartphone HIPAA Security Checklist.