This article provides general guidance only and does not constitute legal advice. For complete details on rights and responsibilities, refer to your Business Associate Agreement (BAA) with Quo and consult your compliance or legal team.
Healthcare providers and entities managing patient communications can now use Quo to communicate with patients in a HIPAA-compliant way. Quo provides the safeguards required under HIPAA’s Security Rule, but most importantly, HIPAA compliance is a shared responsibility between your organization and Quo. To use Quo in a HIPAA-compliant way, your organization must sign a Business Associate Agreement (BAA), which is available for Business and Scale plans.

How to get a BAA with Quo

  • If you’re an existing Quo customer, you can request a BAA here.
  • Not using Quo yet? Contact our team to learn how Quo can support your healthcare business and help you stay HIPAA-compliant.

Using Quo in a HIPAA-compliant way

Once your BAA is signed, you can use Quo in a way that supports HIPAA’s Privacy and Security Rules, as long as your internal policies and safeguards align with these requirements. The next sections explain how Quo handles secure vs. standard communication, what information is considered PHI, and the HIPAA considerations for SMS, call recordings, AI features, and integrations.

What counts as PHI?

Understanding what qualifies as Protected Health Information (PHI) helps you determine which channels and features are appropriate for your specific patient communications.
Always PHI
  • Patient name, phone number, date of birth
  • Diagnosis, symptoms, conditions
  • Treatment plans, medical histories
  • Test results, imaging, lab information
  • Medications or prescriptions
  • Insurance information

Sometimes PHI
  • Appointment reminders (if tied to a specific patient)
  • Refill reminders
  • Care coordination messages without clinical detail
  • Messages that imply a patient–provider relationship
  • Provider requests to follow up
  • Any info that becomes identifying in context

Never PHI
  • Practice hours
  • Office closures or holiday notices
  • General educational content
  • Website links or contact info
  • Marketing not tied to an individual patient
  • General announcements

When in doubt, treat the information as Protected Health Information (PHI).

Messaging compliance: HIPAA & carrier rules

To use SMS with patients, they must provide consent to receive non-secure messages and can withdraw that consent at any time. We recommend consulting your organization’s compliance team or legal counsel to determine how to obtain and document patient consent in accordance with HIPAA guidelines. Even with a signed BAA, SMS messages must comply with A2P 10DLC carrier regulations in the US and Canada. These rules are designed to prevent spam and protect patients.

Be aware that A2P carrier regulations prohibit messages related to prescription drugs or offers for medications that cannot be sold over the counter in the US or Canada — even if sent by licensed professionals.
  • Avoid promotional or prescription-drug content. Carriers block messages that advertise or mention controlled substances.
  • Prescription refill alerts are allowed for existing patients who have opted in to SMS communication. Keep messages general and avoid mentioning sensitive details.
  • Keep messages focused on coordination and care. Do not use SMS for advertising or solicitation.
This helps you stay compliant with both HIPAA and A2P carrier requirements.

Important: Text messaging (SMS/MMS) is not a Covered Service under the Quo BAA due to technical limitations that prevent full HIPAA compliance. Your organization may still use SMS/MMS in a manner consistent with HIPAA if you:
  • Get appropriate patient authorization for communication via SMS/MMS
  • Limit PHI transmitted via SMS/MMS to the minimum necessary
  • Document the decision to use SMS/MMS and associated risks in your HIPAA policies
  • Implement appropriate safeguards
Your organization assumes full responsibility and liability for any PHI transmitted via SMS/MMS.

AI-powered features and call recording

Your organization may choose to use AI-powered features in a HIPAA-compliant manner if all of the following are true:
  1. Patient notice: 
    • Patients are informed when AI tools are used during a call or interaction.
    • Patients are notified when a call is being recorded as required by applicable state, federal, and HIPAA Privacy Rule provisions.
  2. Patient authorization: You obtain authorization from the patient before communicating through an AI-assisted voice or messaging session.
  3. Minimum necessary use: You limit any PHI shared or processed by AI features to what is necessary for coordination or care.
  4. Documentation: Your organization documents the decision to use AI features and any associated risks in your internal HIPAA policies.
  5. Safeguards: You implement appropriate safeguards (including access controls, screen locks, employee training, etc.).
Always consult your compliance or legal team to confirm how your organization should handle recordings, transcripts, and AI-powered features to meet HIPAA and notice requirements.
Your organization assumes full responsibility for any PHI processed through AI-powered features. Review your internal HIPAA policies and consult your compliance or legal team before enabling AI tools for patient communication.

Third-party integrations and analytics

Any third-party integrations or connected services (including CRM systems, email delivery services, messaging platforms, analytics tools, or similar integrations) are not Covered Services under the Quo BAA. Use of these services inherently involves transmitting user data beyond the control of OpenPhone Technologies, and any use of such integrations is the sole responsibility of your organization. Additionally, any analytics or reporting features that transmit data to third-party analytics platforms not covered under the Quo BAA are also excluded.

Session timeouts and automatic logouts

To help meet HIPAA Security Rule requirements for session management, Quo automatically logs users out after 15 days of inactivity. If your organization requires shorter timeouts, use your device-level security settings (for example, auto-lock or screen timeout controls on your computer or mobile OS) to enforce inactivity limits that align with your internal security policies.