Is Avochato HIPAA Compliant?

The short answer is yes. Read on for the specifics.


What is HIPAA?

If you are reading this, you are likely already familiar with HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.


Is SMS a HIPAA-compliant channel?

SMS is not an inherently secure channel: messages are not end-to-end encrypted as they cross carrier networks, and they are frequently read and stored on personal devices.

However, SMS can still be used in a HIPAA-compliant manner. To do so, healthcare providers need to a) obtain patient consent to use SMS as a communication channel and b) use a business solution with the security guardrails needed to protect PHI (Protected Health Information).


How do we protect PHI?

Avochato stores all PHI in a secure, HIPAA-compliant cloud environment and uses industry-standard encryption to protect your data at every step.


How do I get started?

  1. Have a conversation with an Avochato representative to go over our platform and your business requirements
  2. Pick the best plan for your business needs
  3. Review and complete our Business Associate Agreement (BAA)
  4. Set up user permissions, auto-responses, and patient consent opt-in
  5. Go live!

What are the costs?

The cost of HIPAA-compliant messaging depends on many factors. Please reach out to your Avochato representative or contact sales at 415-214-8977 to discuss further.


Are MMS (pictures, media, etc.) messages covered?

Yes! MMS, or multimedia messaging, is HIPAA eligible. Outbound MMS sent by customers who sign a BAA with Avochato for HIPAA-compliant use cases will be covered.


Is Live Chat HIPAA compliant?

Yes, you can use our website widget to have SMS or Live Chat conversations with your patients.


Is WhatsApp HIPAA compliant?

No. WhatsApp, a subsidiary of Meta (formerly Facebook), does not sign BAAs, so the Avochato for WhatsApp integration cannot be used for a HIPAA-compliant use case at this time.


Is the Avochato API HIPAA compliant?

Yes. The Avochato API allows your team to programmatically send Avochato messages, as well as manage contact information including ePHI securely.

To use the Avochato API securely, you must make all API requests over HTTPS, and you must protect the confidentiality of the responses and of any logs or copies of responses containing ePHI that you receive via the API.

If you integrate the Avochato API with third-party services (such as Zapier), or use our webhook features to push information to third-party services, every vendor that receives ePHI must also sign a BAA with you, and you should apply the principle of least privilege by limiting the ePHI transmitted to each third party to the minimum it actually needs.
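The three controls above (HTTPS only, ePHI kept out of logs, least-privilege payloads for third parties) as an added Python example. This is not Avochato's code: the endpoint URL, the field names treated as ePHI, the webhook payload shape and the allowlist are all assumptions made for illustration, and the sample event is constructed.

```python
"""Guardrails for handling ePHI around a messaging API client.

Added example, not Avochato's code. The URL, field names, payload shape
and allowlist below are assumptions for illustration only.
"""
import logging
import re
from urllib.parse import urlparse

log = logging.getLogger("messaging_client")

# Keys whose values are treated as ePHI and never written to logs.
# These names assume a payload shape; they are not a real schema.
EPHI_KEYS = frozenset({"body", "phone", "name", "email", "contact_name", "notes"})

# Fields safe to forward to a third-party automation (e.g. a Zapier
# trigger) under a least-privilege allowlist: identifiers and timing,
# no message content or contact details. Also an assumption.
THIRD_PARTY_ALLOWLIST = frozenset({"event", "id", "timestamp"})

# Catches US-style phone numbers that leak into free-text fields.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def require_https(url: str) -> str:
    """Refuse any API URL that is not HTTPS.

    Guards against a misconfigured base URL quietly downgrading
    ePHI traffic to cleartext HTTP.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS API URL: {url!r}")
    return url


def redact_for_logging(payload):
    """Return a copy of an API response or webhook with ePHI removed.

    Values under EPHI_KEYS are replaced wholesale; every other string is
    scanned for phone numbers. Recurses through dicts and lists and
    never mutates the input.
    """
    if isinstance(payload, dict):
        return {
            k: "[REDACTED]" if k in EPHI_KEYS else redact_for_logging(v)
            for k, v in payload.items()
        }
    if isinstance(payload, list):
        return [redact_for_logging(v) for v in payload]
    if isinstance(payload, str):
        return PHONE_RE.sub("[PHONE]", payload)
    return payload


def minimize_for_third_party(payload: dict) -> dict:
    """Keep only allowlisted top-level fields before forwarding.

    Everything not on the allowlist (contact details, message content)
    is dropped before the payload leaves the BAA-covered boundary.
    """
    return {k: v for k, v in payload.items() if k in THIRD_PARTY_ALLOWLIST}


def log_response(payload: dict) -> dict:
    """Log a redacted view of a response and return what was logged."""
    safe = redact_for_logging(payload)
    log.info("api response: %s", safe)
    return safe


# Constructed sample webhook event shaped like a hypothetical inbound
# message notification. Not real data; 555 numbers are reserved.
SAMPLE_WEBHOOK = {
    "event": "message.received",
    "id": "msg_000123",
    "timestamp": "2023-09-01T15:04:05Z",
    "contact": {"phone": "+1 415 555 0123", "name": "Jane Doe"},
    "message": {
        "body": "Confirming my follow-up for blood pressure on Friday",
        "direction": "inbound",
        "tags": ["Best callback: (415) 555-0199"],
    },
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Hypothetical endpoint; only the scheme check matters here.
    require_https("https://api.example.invalid/v1/messages")
    print(log_response(SAMPLE_WEBHOOK))
    print(minimize_for_third_party(SAMPLE_WEBHOOK))
```

The key-based redaction handles the fields you know carry ePHI; the regex pass is the backstop for phone numbers that end up in free-text fields such as tags or notes. The allowlist is deliberately a positive list rather than a blocklist, so a new field added to the payload by the upstream service is dropped by default instead of leaking to the third party.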

Note: the above is not official legal advice from Avochato. We recommend consulting with legal counsel when setting up SMS communications at your practice.


Our 2023 HIPAA report is available upon request. Please contact or text us at (415) 214-8977 for a copy.
