
HIPAA compliance is always a topic that’s at the forefront of any healthcare provider’s mind.

Even simple services or conveniences that are designed to aid your patients can sometimes fall out of bounds of the strict privacy rules.

And there’s a lot at stake. Civil penalties for HIPAA violations can run up to $1.5 million, not to mention the fallout from such a breach and its impact on your business.

So, you’re right to worry about data security practices and safeguarding your patient’s information — it should be a top priority for your practice.

But it also can’t interfere with the important work that you’re doing every day.

One way to worry less about HIPAA requirements is to work with vendors that have invested in full HIPAA compliance and patient privacy protection. This gives you peace of mind that none of the services you use to communicate with patients or store records might compromise their information or put your business in danger.

Apptoto is one of a very small number of appointment messaging services that meets the requirements for full HIPAA compliance and patient privacy protection.

We’ve invested heavily in the necessary technology and certifications to ensure 100 percent protection, not just for patients but also for practitioners who worry about the stringent HIPAA regulations.

We know this is hugely important to our customers, because HIPAA compliance is especially pertinent when dealing with outbound communications from your practice. That’s why we’ve made it as simple as possible for you to provide compliant messages, without having to jump through a million hoops.

These are a few of the steps that go into making HIPAA-compliant messaging as simple as possible.

Relieve the security worries

At the forefront of providing absolute security is the technology that surrounds your patient’s sensitive information. If you work with a third-party vendor, it is ultimately your duty to make sure that they meet compliance standards and have rigorous security measures in place to protect that data.

If something is overlooked or not done properly, your practice could face the consequences.

Apptoto’s security includes a number of industry-standard protections that eliminate worries about intrusion or unauthorized access.

Our system has several layers of data security, including:

  • HITRUST Certified servers provided by Armor
  • At-rest data is always encrypted
  • In-transit data is encrypted (except for SMS or email messages)
  • Server-side logging disabled
  • SSL security

The peace of mind that comes from having this level of security is something that many of our customers enjoy. With data security being such an important topic and a central issue regarding HIPAA compliance and sensitive patient information, it’s important to feel 100 percent trust in the security of your tools and technology.

Ensure only the right people have access

Anyone who deals with sensitive information — including third-party vendors and their employees — should be fully trained on HIPAA compliance and have proper credentialing and background checks in place before being granted access to messages and technologies that contain patient information.

Depending on how your systems are set up, this may be difficult to achieve, especially if you have technology staff or vendors, for example, who come into contact with your sensitive data but do not have the proper training to deal with such records.

Part of the Apptoto HIPAA-compliance process is ensuring that all our employees have proper training and credentials for dealing with such data. No one without this certification will ever have access.

It’s also beneficial to have Apptoto work as a standalone system that runs outside of your other technology, so it’s easy to provide the right access to the right people at all times.

Ensure each message includes what it should — and not what it shouldn’t

Ultimately, all the technology and training doesn’t guarantee HIPAA compliance if you use the technology to send out incorrect or restricted information through unsecured channels (SMS, email, etc.).

This is why the most important part of HIPAA compliance is having strict guidelines as to the content of any outgoing messages. Because of the potentially sensitive nature of the information being transmitted, it’s important not to include any details regarding the patient’s diagnosis, treatment, or the specifics of their appointment.

Even small clues within a reminder message can sometimes relay details that should be left out of these communications.

In general, your messages should only include three specific pieces of information:

  1. Date and time of appointment
  2. Provider name and company
  3. Location of appointment

All of the message templates created by Apptoto include these details and can be easily customized for added discretion or to include additional, necessary details.
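The content rule above (only date and time, provider and practice, and location; no diagnosis or treatment detail) is the kind of thing that should be enforced before a template is ever allowed to send over an unsecured channel. The following is an added example of such a check, not Apptoto’s code: a small template linter that rejects any placeholder outside an allowed set and flags free text that looks like clinical detail. The field names, the restricted word list, and the sample appointment are constructed assumptions for illustration.

```python
"""Template check for appointment reminders sent over SMS or email.

Added example, not Apptoto's code. Keeps only the three kinds of detail the
article allows (date/time, provider and practice, location) and flags text
that looks like diagnosis or treatment detail. Field names and the word list
below are constructed assumptions.
"""
import re

# Placeholders a template may reference. Anything else is rejected, so a
# template can never pull diagnosis, procedure or visit-reason fields.
ALLOWED_FIELDS = {"appt_date", "appt_time", "provider", "practice", "location"}

# Constructed list of terms that usually signal clinical detail in free text.
# A real deployment would maintain its own list with its privacy officer.
RESTRICTED_TERMS = [
    "diagnosis", "biopsy", "chemotherapy", "hiv", "psychiatry", "therapy",
    "prescription", "mri", "results", "follow-up for", "oncology",
]

PLACEHOLDER = re.compile(r"\{(\w+)\}")
# Whole-word, case-insensitive match so "hiv" does not fire on "archive".
RESTRICTED = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in RESTRICTED_TERMS) + r")\b", re.I
)


def lint_template(template: str) -> list[str]:
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    for field in PLACEHOLDER.findall(template):
        if field not in ALLOWED_FIELDS:
            problems.append(f"disallowed field placeholder: {{{field}}}")
    for match in RESTRICTED.finditer(template):
        problems.append(f"restricted term in free text: {match.group(1).lower()!r}")
    return problems


def render_reminder(template: str, appointment: dict) -> str:
    """Render a reminder only if its template passes lint.

    Only the allowed keys are handed to format(), so even a record that
    carries extra clinical fields cannot leak them into the message.
    """
    problems = lint_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    safe_values = {k: appointment[k] for k in ALLOWED_FIELDS}
    return template.format(**safe_values)


# Constructed sample data; no real patient or provider.
SAMPLE_APPOINTMENT = {
    "appt_date": "2024-03-14",
    "appt_time": "10:30 AM",
    "provider": "Dr. Example",
    "practice": "Example Family Practice",
    "location": "123 Main St, Suite 200",
    # Present in the record but deliberately never rendered:
    "diagnosis": "constructed-value",
}

COMPLIANT = (
    "Reminder: you have an appointment with {provider} at {practice} on "
    "{appt_date} at {appt_time}, {location}. Reply C to confirm."
)
NONCOMPLIANT = (
    "Reminder: your {appt_type} follow-up for {diagnosis} with {provider} "
    "is on {appt_date}."
)

if __name__ == "__main__":
    print(render_reminder(COMPLIANT, SAMPLE_APPOINTMENT))
    for problem in lint_template(NONCOMPLIANT):
        print("rejected:", problem)
```

The lint is deliberately conservative: a flagged template goes to a person for review rather than being sent, and a practice whose name happens to contain a listed word supplies it through the `practice` field, which the article permits, not through the template text that the linter inspects.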

Comply with patient wishes


Lastly, the amount, frequency, and channel of messages being delivered to patients should meet their needs and comply with their wishes.

This can be a major sticking point for off-the-shelf messaging solutions, which may not offer the ability to customize the delivery or channel of a message on a per-patient basis. This may mean creating an entirely new workflow for patients who choose to have messages delivered via alternate channels or who want to opt out of messaging altogether.

In other words, this creates much more work for your staff and opens you up to liability, because mistakes are easy to make.

Apptoto has complete flexibility in allowing patients to decide if, when, and how to receive reminder messages. Default sequences can be set with email, SMS, or phone reminders. Then, each patient can request changes that work best for their needs and schedule.

This feature alone may seem small, but it relieves much of the stress of having to remember, manage, and deliver reminders to individual patients. Not only is the entire system automated, but the messages will be delivered when and how the patient wants them. This reduces errors and also improves appointment attendance.


HIPAA compliance can seem like a daunting responsibility for many practices. And there’s no doubt that it adds additional complexity to the already stressful job of running a medical office.

But it doesn’t have to create extra challenges. With the smart use of technology, processes, and planning, your practice can deal with HIPAA requirements with minimal stress and stay focused on what truly matters: helping your patients.