Most HIPAA exposure in a small practice does not come from the EHR. It comes from the everyday tools around it: the email suite, the scheduler, the e-signature app, the CRM. A tool is only safe for Protected Health Information if the vendor signs a Business Associate Agreement and you configure it correctly. Below is a plain-English verdict for each tool, with the source and the setup steps. Cobrix configures and documents these for California healthcare, legal, and accounting practices.
No: No. The vendor will not sign a BAA, so PHI does not belong here.
Conditional: Yes, but only after a BAA and the right plan or add-on is in place.
Yes, with BAA: Yes. The BAA is extended by default. The work is configuring it right.