Is QuickBooks HIPAA Compliant?
QuickBooks is not HIPAA compliant because it lacks the safeguards to protect individually identifiable health information from unauthorized uses and disclosures. In addition, QuickBooks' parent company, Intuit, will not enter into a Business Associate Agreement with HIPAA covered entities and business associates.
QuickBooks is used by multiple healthcare organizations to support accounting, auditing, and financial management functions. The wide range of plans makes the accounting software suitable for organizations of all sizes; and, for those that need bespoke features and capabilities, the SaaS version of the software connects with hundreds of apps that can help manage workforces, analyze data, and conduct marketing activities.
In many cases, QuickBooks can be used without using or disclosing individually identifiable health information protected by HIPAA. However, when accounting functions or management activities involve the creation, collection, storage, or transmission of Protected Health Information (PHI), it is necessary for adequate safeguards to be in place to protect the privacy and security of individually identifiable health information.
QuickBooks Lacks HIPAA-Standard Safeguards
Despite meeting some standards for online security, QuickBooks lacks the necessary safeguards to be considered HIPAA compliant. Because of this, QuickBooks recommends healthcare organizations do not enter individually identifiable health information into the SaaS version of the software. Also, the EULA for the desktop version of the software (Clause #19) states that QuickBooks Desktop is neither HIPAA-ready nor HIPAA compliant.
This does not prohibit healthcare organizations from using "personally identifiable non-health information" in accounting functions. The issue with QuickBooks not being HIPAA compliant is that QuickBooks is able to access any individually identifiable health information stored on its servers; and, as there is no Business Associate Agreement in place to stipulate how QuickBooks can further use or disclose PHI, this would be considered a violation of HIPAA.
Can You Make QuickBooks HIPAA Compliant?
If a healthcare organization wants to use individually identifiable health information in accounting functions or management activities, it is possible to make QuickBooks HIPAA compliant. However, this is an expensive process that involves purchasing a software license for QuickBooks Desktop, deploying the software on a HIPAA compliant cloud hosting service, and configuring the cloud hosting service to prevent QuickBooks accessing individually identifiable health information.
Depending on the capabilities of the HIPAA compliant cloud hosting service, configuring the service to prevent QuickBooks accessing individually identifiable health information may involve encrypting data, using Virtual Private Networks, and adding additional access controls. In addition, it will be necessary to enter into a Business Associate Agreement with the vendor of the cloud hosting service and provide HIPAA training on how to use the service compliantly.
Is it Worth Making QuickBooks HIPAA Compliant?
For most healthcare organizations, the costs and effort involved in making QuickBooks HIPAA compliant will not be worthwhile. An annual software license for QuickBooks Desktop costs just short of $2,000, plus it can cost several hundred dollars a month to rent a HIPAA compliant server in the cloud. Then there is the administrative overhead of configuring the cloud hosting service to support HIPAA compliance and training the workforce.
In conclusion, making QuickBooks HIPAA compliant may be an option for healthcare organizations that have already purchased a QuickBooks Desktop software license and have access to a HIPAA compliant cloud hosting service. Other healthcare organizations that want to use their accounting software to create, collect, store, or transmit PHI will likely find it more worthwhile to source a HIPAA compliant accounting software solution.