Is QuickBooks HIPAA Compliant?
QuickBooks is not HIPAA compliant and cannot be used to create, collect, store, or transmit Protected Health Information unless the desktop version of the software is used via a third party hosting service that supports HIPAA compliance. However, due to the cost of deploying QuickBooks Desktop on a third party hosting service, it may be better for healthcare providers to use a HIPAA compliant QuickBooks alternative.
QuickBooks by Intuit is a popular accounting software solution – available as an online SaaS solution or a downloadable desktop solution – that offers a range of financial management packages for small and medium sized businesses. In addition to its own capabilities, QuickBooks Online integrates with hundreds of third party apps to increase payment options, accelerate payment processing, simplify tax reporting, and better analyze data.
For businesses in the healthcare industry, QuickBooks can be used for budgeting, payroll management, financial reporting, and auditing. Time-tracking add-ons exist to support compliance with the Fair Labor Standards Act (FLSA) and some packages enable healthcare providers to comply with state and federal 1099 e-filing requirements. It is also possible to integrate marketing apps such as Mailchimp and inventory management apps such as Shopify.
Can QuickBooks be Used in Compliance with HIPAA?
By default, QuickBooks cannot be used in compliance with HIPAA because it lacks the necessary privacy and security controls. The company states on its website: “Currently, QuickBooks Online meets industry standards for online security, but is not compliant with the HIPAA standards for privacy. If you are a health care professional, it is not recommended that you enter individually identifiable health information into the QuickBooks Online program.”
In addition, Clause #19 of the EULA for QuickBooks Desktop states: “If you intend to use the Software […] in conjunction with the medical or health information of particular individuals, you acknowledge and agree that Intuit makes no representations or warranties of any kind with respect to HIPAA compliance, that none of the Software or other offerings (products or services) provided by Intuit under this Agreement are HIPAA-ready or HIPAA-compliant.”
Healthcare providers can use QuickBooks to create, collect, store, or transmit individually identifiable non-health information (e.g., names, dates, payment amounts), but cannot combine non-health information with health information, as the non-health information would then assume protected status. This makes it impossible to use QuickBooks in compliance with HIPAA for activities such as invoicing insurance companies and submitting claims to Medicare.
Is it Possible to Make QuickBooks HIPAA Compliant?
It is possible to make QuickBooks HIPAA compliant by deploying the desktop version of the software on a HIPAA compliant hosting service that has the necessary privacy and security controls to support HIPAA compliance. This not only makes it possible to use QuickBooks in compliance with HIPAA, but also has the advantage of authorized users being able to access QuickBooks Desktop remotely using the login credentials for the hosting service.
However, this solution for making QuickBooks HIPAA compliant is expensive. Healthcare organizations must purchase a QuickBooks Desktop software license (currently $1,922 per year before add-ons) plus pay for the hosting service. Healthcare organizations must also configure the hosting service to prevent QuickBooks’ servers from being able to access PHI (e.g., encryption, VPNs) and train users on how to use the hosted version of QuickBooks compliantly.
Conclusion: Is QuickBooks HIPAA Compliant? No
By default, QuickBooks is not HIPAA compliant and the service’s owner – Intuit – will not enter into a Business Associate Agreement with covered entities and business associates. There is a way in which it is possible to make QuickBooks HIPAA compliant, but this solution is only justifiable for healthcare providers that have already purchased a QuickBooks Desktop software license and want to use the service to create, collect, store, or transmit Protected Health Information.
For all other healthcare providers, it is possible to use QuickBooks’ budgeting, payroll management, financial reporting, and auditing capabilities provided PHI is not used in any accounting, marketing, or management activity. Healthcare providers that want to use accounting software to create, collect, store, or transmit PHI – and that have not already purchased a QuickBooks Desktop software license – are advised to evaluate a HIPAA compliant QuickBooks alternative.


