QBO is NOT HIPAA-compliant

HCHTech · Nov 23, 2022

I guess I'm not surprised, but I didn't know this before. We got a new Chiropractor client recently who (and this IS a surprise) seems to be pretty on top of the HIPAA game. One of the jobs early on our list for them is to convert back to Quickbooks desktop. A quick search finds this text from one of their KBs:

Currently, QuickBooks Online meets industry standards for online security, but is not compliant with the HIPAA standards for privacy. If you are a health care professional, it is not recommended that you enter "individually identifiable health information" into the QuickBooks Online program.

This isn't quite the same as saying "Don't use it", but the HIPAA consultant the client has didn't soft-pedal it at all - they very clearly said "Don't use it.".

Markverhyden · Nov 23, 2022

Great to know. But I think the real message is Intuit isn't willing, at this point, to provide a BAA. Which is the final step in being HIPAA compliant. But if they still want to avoid self-hosting cloud hosted is an option.

https://www.rightnetworks.com/wp-content/uploads/Security-Reliability-Fact-Sheet-Intuit.pdf

One of my customers use them but the are not HIPAA bound. I'm sure there's plenty of others.

britechguy · Nov 23, 2022

My question is what would ever be entered in Quickbooks that would be considered "individually identifiable health information." Name and the fact they had an appointment, for instance, is not protected (unless something has changed, radically). It's presumed that anyone's name is public knowledge and billing for an appointment should not contain diagnostic information.

But if the office is "sloppy" and actually enters diagnostic details, then all bets are off.

Markverhyden · Nov 23, 2022

britechguy said:
My question is what would ever be entered in Quickbooks that would be considered "individually identifiable health information." Name and the fact they had an appointment, for instance, is not protected (unless something has changed, radically). It's presumed that anyone's name is public knowledge and billing for an appointment should not contain diagnostic information.

But if the office is "sloppy" and actually enters diagnostic details, then all bets are off.

Medical bills are broken down with name, address, insurance info as well as medical procedure descriptions and costs. All of which need to be protected.

HCHTech · Nov 23, 2022

britechguy said:
My question is what would ever be entered in Quickbooks that would be considered "individually identifiable health information."

Yeah, that was my question as well - they have some sort of integration between QB and their practice management software, and apparently there is PHI somewhere. I'm just as happy to stay out of that decision tree and just do what their consultant says - haha.

Sky-Knight · Nov 23, 2022

QB Online's billing can't keep tabs on that billing anyway. I have contractors for clients that are using QB Enterprise on prem still because QB online sucks.

Intuit just doesn't care. They're getting a subscription either way now.

callthatgirl · Nov 24, 2022

But yet at the Dr's office, out loud they tell you everything in front of the waiting room full of people

QBO is NOT HIPAA-compliant

HCHTech

Well-Known Member

Markverhyden

Well-Known Member

britechguy

Well-Known Member

Markverhyden

Well-Known Member

HCHTech

Well-Known Member

Sky-Knight

Well-Known Member

callthatgirl

Well-Known Member

Similar threads