What Is This Product?
VCita is a customer management system that allows appointment scheduling, marketing, and payment processing. Despite an article on their website saying they are “HIPAA Compliant,” VCita neither offers nor will execute a BAA.
The company maintains that they do not handle PHI — which they define as chart notes and dx codes — so they state that they do not have to be compliant or execute a BAA. A friendly reminder that a HIPAA compliant Business Associate Agreement is a non-negotiable aspect of HIPAA compliance for any HIPAA covered entity: if a Business Associate Relationship exists, a Business Associate Agreement is required. Full stop.
Wow! Roy and Liath would like to remind you that ePHI most certainly includes client names, contact info, appointment times, and payment information — all of which is the very framework of VCita’s platform. For a deep dive into what constitutes PHI, and how to protect PHI, please see our CE for OH course — access included in membership — “How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes.”
VCita is, indeed, a third-party service provider that is handling, transmitting, and storing protected health information on your behalf — which means they are a Business Associate, and a Business Associate Agreement is necessary for any HIPAA covered entity utilizing their service. If you are not a HIPAA covered entity and are evaluating VCita for appropriateness on the basis of ethical and risk management needs, we would advise against selecting a third-party service provider who lacks an understanding of what constitutes protected health information. That lack of understanding is a strong indicator that they will not follow the necessary steps for securing protected health information, or be your partner in taking responsibility for the security of such information.
VCita maintains that their security levels, by default, make them “HIPAA Compliant” — which we find to be misleading and potentially damaging to those in the healthcare industry using their product. The company was unwilling to further engage with us regarding this misinformation gap on their part.
Another friendly reminder: compliance is a process, not a product — but when utilizing a service/product, it is essential that the provider of the service/product understands and is willing to be held accountable for performing their responsibilities under HIPAA as a Business Associate.