Your O.A.O Account and HIPAA Compliance
To support the needs of our Business and Platinum account customers who are subject to HIPAA, O.A.O service and security mechanisms follow the standards required by HIPAA regulations for electronic Patient Health Information (ePHI). More details about our HIPAA compliance are available upon request.
Your responsibilities for using O.A.O to manage your business involve carefully selecting the amount and types of ePHI that appear in components of your account and using your account in a manner that satisfies your own HIPAA obligations for how you create, receive, transmit, use, disclose and store ePHI. You must also access and download the O.A.O Business Associate Agreement (BAA). This will signify your agreement to the BAA terms and will be the only way O.A.O will know that you are subject to HIPAA and that the BAA applies to the services.
Make sure that you have accessed and downloaded the BAA before processing any ePHI in connection with your account. If you have more than one O.A.O account, a separate BAA must be accessed and downloaded for each account.
You can download the BAA at the bottom of this page.
As noted above, HIPAA-compliant services are not available to customers who do not hold a Business or Platinum account, and therefore Essentials account holders may not use O.A.O services in any manner that involves the creation, receipt, transmission, use or storage of ePHI.
Configuring Your O.A.O Account
While the privacy and security practices you undertake are solely your responsibility, the following sections offer some tips and suggestions for setting up your account to help maintain maximum levels of client privacy.
Email and SMS Communications
Client name, appointment type, and appointment time are included by default in emails and text messages. The default content of these messages may also contain some ePHI.
You can customize the information sent in messages by updating the structure of your Email Templates. Another alternative is to disable emails and/or SMS entirely.
A calendar file (ICS invite) containing the client's name, appointment type, and appointment time is attached to initial confirmation and rescheduling messages. If you would like to disable this feature, please contact O.A.O Support.
If email messages are not disabled, the “From” and “Reply-To” fields of emails sent to you by O.A.O will display the relevant client’s name and email address.
Third Party Integrations
If you connect your O.A.O account to any third-party applications (such as Google Calendar, Stripe, Zapier, etc.), it is your sole decision and responsibility whether to maintain or disable these applications. It is also your sole responsibility to ensure that any integrated applications meet the privacy and security standards for your business and that appropriate contractual or other safeguards are in place as you deem appropriate.
Managing Your Team
We suggest that you create separate accounts for each of your staff members, with unique credentials and account permissions. This will help you keep track of the actions performed in each account and prevent unauthorized access to sensitive information.
Assign each of your staff members to an appropriate role, and ensure that they have access to the minimum information needed according to their role.