Is GoGoMeds HIPAA Compliant? How to Check (2024 Update)

Last updated: February 2024

GoGoMeds states on their official website that they are a HIPAA compliant Pharmacy  software suitable for use in healthcare.

GoGoMeds.com is powered by Specialty Medical Drugstore and retains a Digital Pharmacy Accreditation through the National Association of Boards of Pharmacy, proving their commitment to the highest quality medications and practices in the pharmaceutical arena.

They state on their website that GoGoMeds is HIPAA compliant which is clearly a positive sign, but the Health Insurance Portability and Accountability Act (HIPAA) legislation states that you can’t stop here and you need to thoroughly vet the vendor.

According to the HIPAA rules for Covered Entities and Business Associates:

'If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.'

Source: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

Below we provide some general guidelines on how to first quickly screen this vendor for the HIPAA compliance fundamentals, and if all initial checks pass successfully, then to proceed and do your own in-depth audit to ensure that this vendor will qualify as your HIPAA-compliant Business Associate.

Keragon

HIPAA-compliant healthcare automation platform
Learn More

Quick Check on HIPAA Compliance Fundamentals for GoGoMeds

A. Does GoGoMeds claim to be HIPAA compliant?

✅ They communicate they are HIPAA compliant which is a positive sign, as they legally commit from their side using such public statements.

' Specialty Medical Drugstore is required by law to provide you with this Notice so that you will understand how we may use or share your “Protected Health Information” (“PHI”) or simply “health information.”'
Source: HIPAA Compliance with GogoMeds

B. Does GoGoMeds sign a Business Associate Agreement (BAA)?

✅ They state they will sign their standard BAA with covered entities/business associates, which is again a good sign because if they don’t sign a BAA then it’s a deal-breaker for HIPAA compliance.

'We may contract with third parties to perform certain services for us, such as billing services, copy services or consulting services. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform their services for us.'
Source: GogoMeds' Business Associate Agreement (BAA)

C. Does GoGoMeds claim they take measures to keep patient data private & secure?

✅ They publicly outline various of the privacy & security safeguards they have in place, but these can be very broad statements and you need to check the low level details here.

'Specialty Medical Drugstore is committed to maintaining your privacy and we take our responsibility for safeguarding this information very seriously.'
Source: GoGoMeds Privacy and HIPAA Policy HIPAA Compliance

Vendor Audit for Checking if GoGoMeds is HIPAA Compliant

There is no one-size-fits-all set of requirements when selecting a 3rd party vendor as one of your HIPAA-compliant Business Associates, but here are some general guidelines:

1. Eligible Plan

First, you need to determine on which plans they offer HIPAA compliance and whether pricing makes sense for you:

You need to contact the vendor directly about which plans are eligible for HIPAA compliance.
Source: GoGoMeds Signup Page

2. Legal Contracts

Then, you need to carefully review & sign their legal contracts, especially their Business Associate Agreement and Terms of Service (ask them for the latest versions - in some cases, you might need to sign an NDA):

GoGoMeds’s Business Associate Agreement
GoGoMeds's Terms of Service
GoGoMeds's Privacy Policy

3. HIPAA Safeguards

After that, you need to determine if they have implemented appropriate HIPAA safeguards in order to comply with the 3 HIPAA rules:

  • HIPAA Privacy Rule: Ensure patient confidentiality, keep track of disclosures, disclose minimum amount of information, notify individuals of the use of their ePHI etc.
  • HIPAA Security Rule: Implement & maintain administrative, physical & technical safeguards to protect patient ePHI such as having a disaster recovery plan, annual penetration tests etc.
  • HIPAA Breach Notification Rule: Report on data breaches within the required timeframe & to the appropriate regulating body/affected individuals/media, as applicable.

    • In order to make this determination, you can:

  • ask them for any externally-audited security certification they might have (i.e. SOC2 Type 2, HITRUST, ISO 27001 etc)
  • review any publicly-shared security & privacy statements and ask them questions
  • send them a Vendor Security Questionnaire

    • 4. PHI Access

    At the same time, you need to also review their auditing/logging capabilities for all activity related to electronic Protected Health Information (ePHI) access.

    5. Re-assessment

    Finally, at least once a year, reassess whether or not the vendor is still in compliance with HIPAA.

    Source 1: U.S. Department of Health & Human Services HIPAA Privacy Rule Guidance Material
    Source 2: U.S. Department of Health & Human Services HIPAA Security Rule Guidance Material

    Final Remarks on GoGoMeds’s HIPAA Compliance Status

    HIPAA compliance has no one-size-fits-all vendor assessment methodology but we have covered here various best practices on how to thoroughly evaluate GoGoMeds for HIPAA compliance, so that they can be eventually trusted to process or store your sensitive patient data.

    Regardless of the above, for all your 3rd party vendors, you need to follow the fundamental HIPAA principle and always disclose to them the 'minimum necessary' information, which means only disclosing the amount of PHI you absolutely have to.

    If you follow the 'minimum necessary' principle and you regularly evaluate your 3rd party vendors for their commitment to the HIPAA standards while having solid Business Associate Agreements with them in place, then you can minimize the risk of a potential HIPAA violation and decrease the probability of a damaging data breach happening in the first place.

    DISCLAIMER:

    The above is provided for informational purposes only and in order to help encourage adoption of security & privacy best practices for handling sensitive patient data. It does NOT constitute legal or healthcare advice in any way. The information presented here has been collected either from publicly available information or through direct email communication with the company, and everyone needs to perform their own independent HIPAA compliance audit before selecting any 3rd party vendor as their Business Associate that will process any type of their Protected Health Information (PHI). Keragon Inc is not liable for any damage or liabilities arising out of or connected in any manner with information found on this page.

    HIPAA Checker

    See other checks for HIPAA Compliance
    Free trial account
    Cancel anytime

    Start building your
    healthcare automations

    Contact Sales
    Company
    PricingSecuritySystem StatusAboutLegal
    Popular Integrations
    Athenahealth EHRModMed EHRElation Health EHRHealthie EHRDrChrono EHRAll integrationsPopular integrations
    Resources
    BlogCase StudiesHIPAA Compliant CheckerBest HIPAA Compliant SoftwareHIPAA Explained
    Comparisons
    HIPAA Compliant Zapier AlternativeHIPAA Compliant Make.com AlternativeHIPAA Compliant Workato AlternativeHIPAA Compliant Pabbly Connect Alternative
    © 2024 Keragon Inc. All rights reserved.
    Privacy Policy
    Terms of Service