Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: No.
Recommend for your HIPAA risk management needs?: No.

What Is This Product?

Pocketsuite is a scheduling system that focuses heavily on text reminders, payment processing and credit card storage. The company maintains that it is “HIPAA Certified” based on its security protocols; however, it only offers a “HIPAA Statement” and will not execute a BAA. As currently written, Pocketsuite’s HIPAA statement is NOT an adequate substitute for a BAA, and it is based on arbitrary security standards and a misunderstanding of HIPAA. The company was unwilling to engage with us regarding remediation of this issue.

Despite Pocketsuite’s position about being “HIPAA Certified,” remember that there is no authoritative body that approves or grants “HIPAA Certification” to software companies or products. A crucial, and very basic, indicator of whether a third-party service provider that creates, receives, transmits, or maintains PHI on your behalf (i.e., a Business Associate) can be used as part of your HIPAA compliance process is its willingness and ability to execute a HIPAA-compliant BAA. Since Pocketsuite markets directly to healthcare companies as a HIPAA Certified product but will not execute a BAA, its position is misleading and potentially very damaging to any HIPAA covered entity using Pocketsuite’s service within its practice.

If you are not a HIPAA covered entity and are evaluating Pocketsuite for appropriateness on the basis of ethical and risk management needs, we would still advise against selecting a third-party service provider that does not understand the importance of offering a BAA. That lack of understanding is a strong indicator that the provider will not follow the steps necessary to secure protected health information, and will not be your partner in taking responsibility for the security of that information.

Another friendly reminder: compliance is a process, not a product. When you do use a service or product, it is essential that its provider understands, and is willing to be held accountable for, its responsibilities under HIPAA as a Business Associate.