
The 2 Ways to Handle HIPAA Compliance

Why this matters

HIPAA compliance isn’t about “marketing vs. not marketing.” It’s about whether PHI (Protected Health Information) could be created, received, stored, or transmitted in a system.

Even a message like:

“I’m looking for therapy for anxiety”

paired with a name, phone number or email can become PHI once it relates to seeking care.

Because of that, there are two safe ways to use Xtreme Automator® with healthcare providers.


Option 1: PHI-Free Marketing Mode (Use Xtreme Automator® for lead gen only)

Best for: Practices that want marketing automation, but want all sensitive details kept inside their EHR/patient portal.

What this looks like

You use Xtreme Automator® for:

  • Website lead capture (safe fields only)

  • Automated follow-ups (general)

  • Appointment request routing

  • Marketing emails/SMS that do not contain PHI

  • Tracking and reporting (non-clinical)

Rules to keep it PHI-free

✅ Allowed data to collect:

  • First name / last name

  • Phone / email

  • Preferred day/time

  • “How did you hear about us?”

🚫 Avoid collecting:

  • Symptoms, diagnosis, medications, trauma history, therapy goals, etc.

  • Any “What are you seeking services for?” open text box

  • Notes that describe clinical needs

  • Uploads/attachments

The best practice workflow (recommended)

  1. Capture basic contact info only in Xtreme Automator®.

  2. Immediately send a confirmation message that directs clients to the secure EHR/patient portal for details.

  3. If you need details before scheduling, link to the portal intake form.

Suggested “privacy-first” form language

Add a short line under the message box (or remove it entirely):

For your privacy, please do not include medical or clinical details here.
We will ask for details through our secure patient portal.

Suggested follow-up template (email/SMS)

Thanks for reaching out! For your privacy, please share any personal or clinical details only through our secure patient portal. Here is the link: [PORTAL LINK].
What day/time works best for you?

Important note: Even with a disclaimer, people may still type sensitive details. That’s why removing the open text box (or keeping it extremely limited) is the safest route.
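As an added example (not part of the original article and not Xtreme Automator® code), here is what enforcing the PHI-free rules at the form boundary can look like: a server-side allowlist in which every field name, choice list and format is hypothetical. Unknown fields such as a message box, uploads, and sentence-length text in the name fields are rejected before anything is stored, so the disclaimer is not the only control.

```python
import re

# Hypothetical allowlist mirroring the article's "allowed data to collect" list.
# Only the two name fields accept free text, and each is capped at two short
# tokens, so the form cannot be used as a message box for clinical details.
NAME_RE = re.compile(r"^[A-Za-z'-]{1,30}( [A-Za-z'-]{1,30})?$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{6,19}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

FIELD_RULES = {
    "first_name": NAME_RE,
    "last_name": NAME_RE,
    "phone": PHONE_RE,
    "email": EMAIL_RE,
    # "Preferred day/time" and "How did you hear about us?" are fixed choices,
    # never open text (hypothetical option values).
    "preferred_day": {"mon", "tue", "wed", "thu", "fri"},
    "preferred_time": {"morning", "afternoon", "evening"},
    "referral_source": {"search", "referral", "social", "other"},
}
REQUIRED = {"first_name", "last_name"}


def validate_lead(form: dict) -> tuple[dict, list[str]]:
    """Return (cleaned_fields, errors) for one submitted lead form.

    Fields outside the allowlist (e.g. 'message', 'reason', file uploads) are
    refused outright rather than stored; nothing is silently truncated.
    """
    cleaned, errors = {}, []
    for key, value in form.items():
        rule = FIELD_RULES.get(key)
        if rule is None:
            errors.append(f"field not allowed: {key}")
            continue
        if not isinstance(value, str):  # uploads / nested objects never pass
            errors.append(f"{key}: must be text")
            continue
        value = value.strip()
        ok = value in rule if isinstance(rule, set) else bool(rule.fullmatch(value))
        if ok:
            cleaned[key] = value
        else:
            errors.append(f"{key}: invalid value")
    for key in sorted(REQUIRED - set(form)):
        errors.append(f"missing: {key}")
    if not ({"phone", "email"} & cleaned.keys()):
        errors.append("missing: phone or email")
    return cleaned, errors
```

Wire `validate_lead` in front of whatever stores or forwards the lead; a non-empty error list means the submission is dropped and the client is pointed to the portal, as in the workflow above.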


Option 2: HIPAA-Enabled Mode (Use Xtreme Automator® when PHI may be present)

Best for: Practices that want to use Xtreme Automator® for workflows where PHI could appear, such as:

  • Two-way texting with clients/patients

  • Intake forms & surveys

  • Storing notes about client needs

  • Emailing content that could include PHI

  • Appointment reminders linked to treatment context

  • Files/attachments and ongoing communication

What this requires

  • HIPAA Compliance Add-On enabled

  • Business Associate Agreement (BAA) in place

This mode is recommended anytime the practice wants to use Xtreme Automator® for anything beyond PHI-free lead gen.


Quick decision guide

Choose PHI-Free Marketing Mode if:

  • You only want new leads + generic follow-ups

  • All sensitive details go into the EHR/portal

  • You do not want patient communications stored in Xtreme Automator®

Choose HIPAA-Enabled Mode if:

  • You want intake, notes, messaging, reminders, email bodies/attachments, or other workflows where PHI could be stored/sent in the platform


FAQ

Is a BAA the same as a confidentiality/NDA agreement?
No. A BAA is a HIPAA-specific agreement that governs permitted uses of PHI, required safeguards, breach reporting, and more. An NDA is general confidentiality and does not replace a BAA.

Can we start PHI-free and upgrade later?
Yes. Many practices begin with PHI-Free Marketing Mode and later add HIPAA safeguards as their automation needs expand.
