Using Quo in a HIPAA-compliant way
This article provides general guidance on using Quo in a way that supports HIPAA compliance. It explains how HIPAA applies to calls, voicemails, transcripts, and SMS, and how Quo helps your organization meet security best practices such as session timeouts and access control.
Note: This article is for general guidance only and does not constitute legal advice. Quo provides HIPAA-supporting features once your Business Associate Agreement (BAA) is signed. How you use these features must comply with HIPAA requirements and your organization's internal policies. Always follow those policies and consult your compliance team or legal counsel for guidance on consent procedures and message content.
Messaging Compliance: HIPAA + Carrier Rules
To use SMS with patients, they must consent to receive non-secure messages, and they can withdraw that consent at any time. Consult your organization's compliance team or legal counsel to determine how to obtain and document patient consent in accordance with HIPAA guidelines.
Even with a signed BAA, SMS messages must comply with A2P 10DLC carrier regulations in the US and Canada. These rules are designed to prevent spam and protect patients. Be aware that A2P carrier regulations prohibit messages related to prescription drugs, or offers for medications that cannot be sold over the counter in the US or Canada, even when sent by licensed professionals.
- Avoid promotional or prescription-drug content. Carriers block messages that advertise or mention controlled substances.
- Prescription refill alerts are allowed for existing patients who have opted in to SMS communication. Keep these messages general and avoid sensitive details.
- Keep messages focused on care coordination. Do not use SMS for advertising or solicitation.
Before sending PHI over SMS/MMS, your organization should:
- Obtain appropriate patient authorization for communication via SMS/MMS.
- Limit PHI transmitted via SMS/MMS to the minimum necessary.
- Document the decision to use SMS/MMS, and the associated risks, in its HIPAA policies.
- Implement appropriate safeguards, such as the access controls and session timeouts described above.
AI-powered features
Voice AI features include:
- Sona AI agent
- AI call summaries
- AI call tags
- AI-generated content or recommendations
These features process call content that may contain PHI. Before enabling them, your organization should:
- Provide appropriate patient notice.
- Obtain patient authorization for communication during the voice session.
- Limit PHI transmitted to the minimum necessary.
- Document the decision to use AI features, and the associated risks, in its HIPAA policies.
- Implement appropriate safeguards.
Third-party integrations and analytics
Any third-party integrations or connected services (including CRM systems, email delivery services, messaging platforms, analytics tools, or similar integrations) are not Covered Services under the Quo BAA. Using these services inherently transmits user data beyond the control of OpenPhone Technologies, and any such use is the sole responsibility of your organization. Likewise, any analytics or reporting features that transmit data to third-party analytics platforms not covered by the Quo BAA are excluded. Before connecting an integration, confirm whether PHI would flow to it and, if so, whether your organization holds its own BAA with that vendor.
Call recording, voicemail, and transcripts/summaries
Quo supports HIPAA-compliant use of call recordings, voicemails, and transcripts once your BAA is signed. These features can be used to record, store, or review patient communications in accordance with your organization's HIPAA policies. To remain compliant, ensure that:
- Recordings, voicemails, and transcripts are accessible only to authorized team members within your workspace.
- Patients are notified when a call is being recorded, as required by local, state, or federal law.
- You follow your organization's internal retention and disclosure policies for any stored PHI, in addition to your local laws on call recording disclosures.
As always, consult your compliance team or legal counsel to confirm how your organization should handle call recordings and transcripts to meet HIPAA and local notice requirements.