Designed to combine contact data, communication history, and upcoming tasks into one intuitive dashboard, Nimble is a cloud-based customer relationship management (CRM) software that helps businesses stay organized, engage more effectively, and better manage the sales process. While CRMs can provide companies with the valuable tools they need to work smarter, it is crucial for covered entities to make HIPAA compliance a priority. Let’s find out if Nimble meets these important security standards.
Third-party vendors that store, access, or send protected health information (PHI) are considered business associates. When covered entities work with business associates, a business associate agreement (BAA) must be signed by both parties. This is a written document that covers the obligations of the business associate to keep PHI secure. Without a signed BAA, the vendor cannot be considered HIPAA compliant. In this particular case, Nimble is a business associate for a healthcare organization if it manages PHI within its platform. There is no mention of any willingness to sign a BAA on Nimble’s website or documentation.
Beyond the BAA, data protection is another key piece of maintaining HIPAA compliance. Since not all security measures are created equal, it is important for covered entities to carefully evaluate the specific protocols that a vendor has in place. According to Nimble’s privacy policy, sensitive information such as log-in credentials, geo-location data, and credit card numbers is encrypted using secure socket layer (SSL) technology. However, the company’s Terms of Service note that it is up to the customer to maintain the confidentiality of their account. The document states that “the customer is liable for all activities that occur under the customer’s username or password” and “Nimble is in no way responsible for any loss or damage incurred as a result of any unauthorized access.” This means that if a data breach occurs and PHI is exposed, it is the covered entity that is ultimately responsible.
In short, no: the company does not appear to sign a BAA, and its FAQ page further confirms that Nimble is “not currently HIPAA compliant.”
While choosing HIPAA compliant CRM software is a great place to start, healthcare providers should be taking extra steps to proactively safeguard PHI with better email security as well. Built to conveniently integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default by automatically encrypting every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients can receive your messages right in their inboxes without having to navigate any additional passwords or portals. Paubox Email Suite’s Plus and Premium plan levels are also equipped with innovative inbound email security tools that provide an additional layer of protection. Our patent-pending Zero Trust Email feature uses email AI to confirm an email’s authenticity, while ExecProtect acts fast to intercept display name spoofing attempts.