HIPAA Security Requirements for HIPAA Enabled Accounts
Written by Training BLVD
Updated over 6 months ago

Oct 2023

Boulevard and Customer have entered into a Business Associate Agreement (“BAA”) which requires Customer to implement and comply with the following steps for any and all HIPAA Enabled Account(s) before introducing any Protected Health Information ("PHI") into the Boulevard Services. All capitalized terms used in this document shall have the meanings given to them in the BAA.

Customer must implement and comply with all of the requirements listed below; failure to do so will relieve Boulevard and its employees, agents, and affiliates of any responsibility with respect to any unauthorized access to, or improper use or disclosure of, Customer’s Customer Data, including any PHI, that results from such failure by Customer.

What to do

Inside the Boulevard product

  • Ensure you have subscribed to Boulevard’s HIPAA Coverage Add-on (if unsure, please contact Customer Support at support@joinblvd.com)

    • Complete the Business Associate Addendum

    • Adjust your automatic logout settings so that users are logged out after a period of inactivity (we recommend 15 minutes or less)

  • Set up privilege groups according to the appropriate level of access staff need in order to do their jobs. Examples include:

    • Viewing form and chart responses

    • Viewing client contact information

    • Viewing the client's last name

  • Optional: Restrict staff access to Boulevard to when they are on your business’ internet connection (Setup instructions)

  • Secure Socket Layer ("SSL") encryption on HIPAA Enabled Account(s) must remain enabled at all times.

  • Keep all protected health information in areas of the platform designed to store PHI (like forms and client profiles).

  • Keep PHI out of non-encrypted areas of the Boulevard Services, including contact center emails and text messages to Clients.

  • Force log out and deactivate staff accounts after employment terminates.

  • Turn off the ability to switch between profiles in the client portal; clients who have more than one profile associated with their contact information will be directed to contact your business. You can then merge the profiles and ensure that PHI is only available to the right person.

General business practices

  • Train all staff on HIPAA

  • Set up Account authentication by either:

    • Using a strong password (either generated by a reputable Password Manager, or chosen to be at least 10 characters long and containing a combination of capital and lowercase letters, at least one number, and at least one symbol).

    • Utilizing an external Single Sign On ("SSO") solution whose established requirements are not less secure than the authentication requirements described in these Requirements (for example, Boulevard integrates with Okta).

  • Enforce a password-locked screensaver or startup screen on all workstations accessing a Boulevard Account (or any systems with PHI).

  • Ensure that Clients have received appropriate notice and Customer has obtained required consents from all Clients in order to collect, process, and transmit PHI.

  • Ensure the checkout process is kept compliant: staff must not mention details of any medical information in front of other clients at the front desk or checkout area.

What not to do

  • Use the platform in a non-compliant manner (use common sense, and use the software as designed)

  • Store/communicate PHI in non-encrypted areas like contact center messages to Clients

    • In particular, Customer acknowledges that any email and text message functionality that is part of the Boulevard Services is underpinned by Boulevard’s SMS and email service providers, which may involve the unencrypted transmission of messages sent into or out of the Boulevard Service(s). As such, email and text message functionality should not include any PHI. Customer assumes all responsibility for the usage of such functionality.

  • Store credit card information outside of the payment methods section of the client profile

  • Print out completed forms and leave them where others may be able to see them, or fail to dispose of them correctly

  • Leave the Boulevard dashboard visible or unattended where clients could see the PHI of other clients (make sure devices are not visible from the waiting area, and don’t leave devices unattended and unlocked in treatment rooms)
