Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes and the caveat for some important usage notes.
# of Caveats: 1 view caveats→
# of Usage Notes: 5 view notes→

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.
  • At least one technical leader or manager behind this product has an extensive background serving the health care industry.

What Is This Product?

RingRx is a “Cloud Phone System Designed with Doctors in Mind.” RingRx offers a full featured system with deskphones, smartphone app, menus, voicemail, on-call rotation schedules for larger group practices or clinics and professional greetings; they also offer a web-based faxing add-on. This review is specifically for the RingRx smartphone mobile app.

Their leadership and support were very responsive to our requests and quite knowledgeable about the ins and outs of their security options. RingRx had many recommendations about account settings to utilize in order to best protect PHI; many of the account settings concerns that are a factor when reviewing other VoIP systems had already been taken into account by RingRx and are reflected in the prompts when configuring account settings. RingRx is also a good example of how a product can be better suited to the risk management needs of those in the mental healthcare and healthcare fields when the product is designed specifically for their use by a company that understands the legal and ethical needs of its users.

On item of note, but unrelated to HIPAA-compliance, is that most of the e-mails from RingRx’s team went to our Gmail spam folder, and every message had big red warnings of potential attempts to steal person information. We shared this with their team and they were very responsive, but you should be aware you may see such warnings and might miss the e-mail with the initial setup info if it goes to your spam folder.

 

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at info@personcenteredtech.com.

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

1) RingRx does not provide ready access to access logs

Part of HIPAA compliance requires that clinicians perform regular checks of access logs to see if there has been any unauthorized access to their records. This is an especially large concern for systems where you keep client records, however, it is a concern for all cloud system. One of Roy’s favorite methods is simply checking access logs first thing on Monday morning to see if there were any weekend access attempts.

RingRx does not offer clinicians the ability to view access logs themselves, but will happily provide them on request. Roy’s thoughts are: “This is not unexpected for a software company; they want to prioritize their time and effort so if customers aren’t asking for easily-accessible access logs then the company may choose to prioritize their resources elsewhere.”

If you are not a HIPAA-covered entity, then this may not be a concern for you.

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Be sure to request, sign, and submit your BAA

RingRx does not automatically execute a Business Associate Agreement with you. In order to agree to the BAA, you must request one as part of the new account creation process. You will need to sign it and submit it. You can request this from your assigned customer service representative. The BAA does apply to the free trial period, once executed.

2) Do not opt in to receiving voicemails via email

RingRx does offer the availability to receive voicemails via email, as a sound file attachment, however this is not automatic and RingRx — as does Person Centered Tech — advise against it because of potential exposure of PHI. Be sure to only receive notifications of voicemails via email; you will then retrieve and listen to the voicemail via the secure message portal.

If for some reason you decide to enable the transmission of the sound files of your voice mails via e-mail, be sure that your own e-mail provider offers a BAA and can be used in a HIPAA-compatible way.

3) Caller ID and Contacts

The RingRx apps on Android, iPhones, and iPads will ask to be granted access to your contacts, but it is not required. There isn’t anything wrong with granting access, but it means that clients who use your RingRx number to contact you will appear as their full name if you have them stored as a contact. This means that you may want to be mindful of who might be able to see your phone or notifications, and what clients’ names are in your phone.

It’s always important to also be sure your phone is hardened. For a how-to checklist for hardening practice devices, take our CE Course, How to Protect Clients and Comply with HIPAA’s Device Security Standards in One Afternoon. Our Device Security Instruction Center has step-by-step tutorials on how to secure smartphones, computers, and tablets for proper use within your practice.

4) Get Consent to Record Calls

If for some reason you need or want to record calls with your clients, which RingRx can do, be sure you obtain their consent and are doing so in accordance with your state’s laws. Also, be aware that the recording function plays a beep sound every 10 seconds or so that only the other party can hear.

5) Be aware of data usage

RingRx, like most VOIP providers, uses your cellphone’s data connection rather than the normal phone connection. That means if you make or take a phone call with RingRx outside of your home or office – anywhere you don’t have a WiFi connection – you’ll be using data against your cellphone plan’s data plan limit. This won’t be a lot of data, but it could potentially cost some money if you have a low data plan and weren’t expecting it.