Security Issues: Website CRM Vendors/Services

Quick Reference: Security Issues with CRM Vendors/Services

 You are ultimately responsible for security breaches by any vendor you share your data with, so do your due diligence before giving any vendor your data!

Customer Relationship Management (CRM):

  • Customer data that you use in your marketing efforts
  • Companies/vendors who are soliciting PTs to use them for CRM management and automated marketing messages: EMR vendors (possibly), Rehab CEOs, Breakthrough Physical Therapy, Aaron Lebauer, Go High Level, VEV, and many, many more!

How to evaluate a CRM Company:

  • Read their Privacy and Terms of Use Policies!!!
  • Ask if the data that they will have in their possession will be encrypted in their database.
  • Ask if they have gone through any security audits.
  • Do they have security policies and procedures that comply with HIPAA?
  • Is there a Business Associate Agreement (BAA) included in your Service Agreement?
  • Does your service agreement/BAA require the vendor to report a security breach promptly and to pay the breach notification costs if a breach occurs on their platform?

What client information should be (or not be) included in your CRM?

  • As little information as necessary for what you intend to use it for!
  • Avoid entering diagnosis or any medical information whatsoever!
  • Try to avoid using Tags that are diagnosis related. If you must use Tags to customize your marketing messages, set up very broad categories of Tags, such as “back” (instead of back pain), “women’s health” (instead of pelvic floor), “knee” (not ACL or total knee replacement), etc.
  • Don’t include financial, medical or sensitive personal information (SS#, driver’s license #) in your CRM. Having this information linked to a name, email, address and/or phone number will make a breach reportable.

Caution about spam and automated marketing emails:

  • Spam laws apply to marketing emails
  • Does HIPAA apply? If so, does your automated marketing campaign require a HIPAA authorization?

What to do if you are informed of a breach:

  • Contact your lawyer
  • Contact your insurance company to see if you have cyber security coverage
  • Determine what information was accessed and what happened
  • Determine whether you need to do your own investigation into the breach
  • Determine whether the data has been secured or there is any ongoing threat
  • Determine what laws apply based on what information was accessed
  • Determine whether there is potential for financial, reputational or medical harm to the individuals whose records were accessed
  • Find the Security Breach Notification laws for your state to determine what your state laws require
  • Determine whether a HIPAA Security Breach occurred (see reference below to HIPAA Security Breach Notification Rule)
  • If you are not required to report the breach because no sensitive information or medical information was accessed, decide if you want to notify individuals anyway.
  • Your state laws may require you to report the breach to government authorities even if you do not have to notify individuals

Resources:

HIPAA Breach Notification Rule: Breach Notification Rule | HHS.gov

Security Breach Notification Laws for Each State
