How YAPI Helps Your Practice Stay HIPAA-Compliant
At YAPI, we know that protecting patient information is essential to upholding federal guidelines and fostering trust between you and your patients. This is why we've put safeguards in place both as a business and within the YAPI application to keep your patients' information safe. Below, you'll learn about the ways we've made YAPI HIPAA-compliant.
Table of Contents
- General Safeguards
- Protections in the Practice Dashboard
- Protections for iPads
- Protections for Paperless Forms
- Protections for Email & Text Communication
- Protections in the Practice Online Portal (POP)
- Protections for Online Scheduling
- Protections for Patient Payments
- Related Articles
General Safeguards
Business Associate Addendum - Within our Terms of Use, we include a Business Associate Addendum that creates an agreement between us and your practice to safeguard your patients' Protected Health Information (PHI). This applies to all employees who have contact with PHI and makes it possible for our teams to help and guide you while keeping your patients' information protected. All our employees are trained annually on HIPAA laws and their responsibilities to patients, just as if we were an extension of your practice.
Upon your request, we can also send you a signed Business Associate Agreement, naming your practice as a Covered Entity and YAPI as a Business Associate. Just send your request to our Billing Team via email at billing@yapicentral.com.
Most Patient Information Is Stored on Your Server - For added protection, YAPI is installed directly on your server and your patients' information is kept there in your own database so it's physically held within the confines of your office.
We Protect All Cached Data on Secure Servers - In some circumstances, we cache data for features in the Practice Online Portal and our new Web App so it's readily available to you when you need it. This data is stored securely through our partner AWS, and we have a Business Associate Agreement in place to ensure they take appropriate measures to safely store any PHI. For more information on what is stored, see the Protections in the Practice Online Portal (POP) and Protections for Patient Payments sections below.
Protections in the Practice Dashboard
Control Over What's Displayed on Workstations - YAPI's settings allow you to choose which types of patient information display on each workstation, including patient last names, provider names, and patient ages. You also have options for which in-office messages display and can send messages using a Private option, in case there's sensitive information you need to send to a computer where a patient is nearby.
Set Your Own Dashboard Password - Within Global Setup, you can set a password for your Dashboard that only your team knows.
Dashboard Privacy Screen - If you need to step away from your workstation, the YAPI Dashboard also has a privacy screen that masks the entire Dashboard with one click, keeping patient information hidden when you're not able to monitor it.
Protections for iPads
iPads Connect Over Your Own Secure WiFi - To connect with the rest of YAPI, YAPI's iPad app requires a password-protected, private WiFi connection on the same subnetwork as your server. This means the app can't connect from outside your own secure WiFi, keeping your patients' information in the office.
Password Protection - With the YAPI app's password protection enabled, patients can sign and review forms without having access to any other part of the app. That means they can't see the Dashboard with patient information and can't access your messages, settings, Huddle, or KPI reports. For added protection, you can also set a shared secret that must be entered both on the desktop application and each of your office iPads to connect them securely.
Control Over What's Displayed on iPads - The YAPI app's Configuration settings allow you to choose which types of patient information display on each iPad Dashboard, including patient last names, patient details, and in-office messages.
Protections for Paperless Forms
iPad Forms Save Directly to Your Server - Once a patient saves their signed form on an iPad, the form is transferred to your server via your practice's password-protected WiFi connection. It's never stored on the iPad and stays in your office.
Online Forms Are Encrypted in Transit - When a patient submits their forms online, YAPI encrypts them on their way to you. As soon as they land securely on your practice's office server, YAPI decrypts them for you automatically so you can view them in the Dashboard's Document Queue.
Paperless HIPAA Forms - We even have forms to help you inform your patients about HIPAA! Our Notice of Privacy Practices Acknowledgement (which comes pre-installed with YAPI) gives patients an opportunity to read about HIPAA and sign that they've received that information, either online or on an iPad. And if you hail from Canada, you can create your own PIPEDA form in YAPI's Form Builder or request a custom one from us.
Protections for Email & Text Communication
We Comply with HIPAA Laws for Sending Automated Texts & Emails - Unencrypted appointment reminders and general communication between providers and patients are permitted under HIPAA guidelines. You'll want to make sure, though, that you always obtain consent to communicate electronically with patients and maintain correct patient contact information in your practice management software. We also strongly recommend purchasing a 3rd-party encryption service if you need to send PHI (such as a copy of a patient's signed form) via text or email.
We Can Connect Your 3rd-Party Encryption Service to YAPI - If you choose to use the added protection of an outside encryption service, we can help you link that to YAPI in your Global Settings.
Tip: For more recommendations on maintaining HIPAA-compliant communication with your patients, check out Optimizing YAPI for HIPAA Compliance.
Protections in the Practice Online Portal (POP)
Using Yapi Leap (our new web app) instead of POP? See the corresponding topic in our Leap Help Center to learn about protections in Leap.
POP Requires Individual Logins - We require each POP user to create an individual login and password for POP, giving you the freedom to choose who can (and can't) use the Practice Online Portal. This also allows you to assign Admin access to some team members and more limited User access to others. And if a staff member leaves your practice, you can deactivate their login without affecting the rest of your team.
Two-Factor Authentication & Automatic Logout - Upon login, POP requires two-factor authentication from each user, who must enter a 6-digit code sent to their mobile phone. Users are also logged out automatically after two hours of inactivity.
PHI Is Encrypted - When patient information is pulled from your practice server to be displayed on your screen in the Practice Online Portal, YAPI encrypts it on its way there. Once it reaches the Practice Online Portal, YAPI then decrypts it automatically for you to view.
Any Information We Cache Is Stored Securely - To best serve you, we store some information for POP features like your practice's schedule, Smart Scheduling, and YAPI Pay, which does include patient names. All information we do cache, though, is stored securely through our partner AWS and is protected under HIPAA law through our Business Associate Agreement with them.
Protections for Online Scheduling
Authentication for Existing Patients - To verify the identity of existing patients in your system, Smart Scheduling requires patients to enter their correct birth date to schedule appointments online. Existing patients must also schedule via a unique link sent directly by YAPI's automated system.
Appointment Details Are Stored Securely - Patient appointment information is cached via HIPAA-protected services (see Protections in the Practice Online Portal above), and we cache only the amount of appointment information needed to best serve you.
Protections for Patient Payments
We Have Business Agreements with Our Payment Partners - For YAPI Pay, our merchant processor QorCommerce and its affiliates are all bound by Business Associate Agreements that safeguard your patients' PHI under HIPAA law, just as if they were an extension of your practice.
We Cache YAPI Payment Requests but No Payment Details - To better serve you, we cache small amounts of data from YAPI Pay requests; this data doesn't include any payment details such as patient credit card information. All the data we do cache, though, is stored with HIPAA-protected services (see Protections in the Practice Online Portal above), and we have a Business Associate Agreement in place to ensure that information is stored in compliance with HIPAA regulations.
Related Articles
- Optimizing YAPI for HIPAA Compliance
- Changing Your YAPI Dashboard Password
- Setting Up Basic Security for the YAPI iPad App
- Resetting Your Practice Online Portal Account Password
Please note, the content above is not legal advice. We recommend always consulting your practice's HIPAA officer when making decisions related to HIPAA and patients' Protected Health Information.