If you are using 10to8 for medical appointments in the US, you need to enable 10to8’s HIPAA security tools. These tools are there to help you use 10to8 in a fully compliant manner. You also need to have signed 10to8’s BAA before storing medical data in 10to8.

10to8 is built from the ground-up to protect your clients’ data security. Our HIPAA tools give you additional control over the data that you store about your clients and how you share this data with them and your staff.

10to8’s BAA

You must have a signed BAA (Business Associate Agreement) in place before storing sensitive patient data (Protected Health Information or ‘PHI’) in 10to8. The BAA provides the legal basis for 10to8 storing and processing data on your (the Covered Entity's) behalf. This can be requested by:

  1. Visiting "Set Up" > "GDPR & HIPAA"

  2. Enabling HIPAA Security Tools

  3. Clicking "Request Signed Business Associate Agreement"

10to8 does not accept ‘outside’ BAAs. 

Your responsibilities

Do not send any PHI (Protected Health Information) over email and SMS as these are third-party services not covered by the BAA. 10to8 reduces the information shared with your clients when HIPAA tools are enabled, however, 10to8 cannot take responsibility for messages written by yourself on our platform.

Ensure you have and can manage your clients’ consent, both to have their data stored with 10to8 and also to be reminded of their bookings via email and SMS. 10to8 has a set of tools that can help you with managing consent.

Respond in a reasonable time to your clients’ data requests under HIPAA. Failure to do so will result in your account being suspended.

10to8 automatic and custom communications

10to8’s HIPAA tools allow you to limit the amount of information sent via email and SMS communications. In the extreme, you can simply send reminders for an appointment that excludes all information about the appointment type, location, and your business name. Please make sure that you set an appropriate level of information for your business so as not to share PHI over automated communications.

To automatically exclude PHI, you can use the checklist provided under “Set Up” > “GDPR & HIPAA”. You can also edit the content of your email and SMS messages under “Messaging” > “Edit SMS Messages” or ”Edit Email Messages”.