Is Intuit QuickBooks HIPAA Compliant?

Intuit QuickBooks is not HIPAA compliant as supplied. The only way to use it with Protected Health Information (PHI) is to deploy the downloadable Desktop version in a HIPAA compliant hosting environment, under a Business Associate Agreement with the hosting vendor, configured so that Intuit never receives the PHI used in accounting and management activities. Because this option is rarely cost-effective, healthcare providers that want to use PHI in accounting and management software are advised to look for a QuickBooks HIPAA compliant alternative.

Intuit QuickBooks is a popular accounting and financial management software solution. It is most often used as a subscription-based Software-as-a-Service (SaaS), but QuickBooks Desktop is also available for download to organizations that purchase a software license. Whereas the SaaS service has four subscription levels, the only Desktop option currently available is the Enterprise version.

Healthcare providers can use either the SaaS or the Desktop version of Intuit QuickBooks for invoicing, accepting payments, bill management, and auditing, provided PHI is not included in any of those activities. Although Intuit maintains reasonable privacy and security controls, they are not sufficient to meet the standards required by HIPAA, and Intuit will not enter into a Business Associate Agreement. Without a Business Associate Agreement, a covered entity cannot lawfully disclose PHI to Intuit, which rules out entering PHI into the software.

What Intuit Has To Say About HIPAA Compliance

Intuit references HIPAA compliance in two areas of its website. With regards to the SaaS “QuickBooks Online” service Intuit states: “Currently, QuickBooks Online meets industry standards for online security, but is not compliant with the HIPAA standards for privacy. If you are a health care professional, it is not recommended that you enter individually identifiable health information into the QuickBooks Online program.”

With regards to the QuickBooks Desktop software, the Intuit EULA states: “If you intend to use the Software […] in conjunction with the medical or health information of particular individuals, you acknowledge and agree that Intuit makes no representations or warranties of any kind with respect to HIPAA compliance, that none of the Software or other offerings (products or services) provided by Intuit under this Agreement are HIPAA-ready or HIPAA-compliant.”

These statements do not mean that healthcare providers cannot use the software at all; it remains permissible to enter data that is not PHI. The distinction is narrower than it may appear, however. HIPAA's definition of PHI covers individually identifiable information that relates to the provision of, or payment for, health care, so a patient's name recorded against a charge for a clinical service is PHI even though the entry contains no clinical detail. Provided no PHI is created or collected by, maintained on, or transmitted to or from the software, entries such as vendor names, payroll dates, and payment amounts that do not identify an individual's care can still be recorded. Healthcare providers unsure about the distinction between PHI and permissible uses and disclosures of individually identifiable non-health information should seek HIPAA compliance advice.

Making Intuit QuickBooks HIPAA Compliant

The process for making Intuit QuickBooks HIPAA compliant involves purchasing a software license for the downloadable Desktop version of Intuit QuickBooks, subscribing to a HIPAA compliant cloud hosting service, entering into a Business Associate Agreement with the vendor of the cloud hosting service, and installing the Desktop version of Intuit QuickBooks on a secured server within that hosting service.

Provided the hosting environment is configured to support HIPAA compliance (for example, encryption of data at rest and in transit, VPN or otherwise restricted remote access, role-based access controls with multi-factor authentication, and audit logging), Intuit never handles the PHI used in accounting and management activities; the hosting vendor does, under its Business Associate Agreement. One caveat applies: QuickBooks Desktop still contacts Intuit for license activation, updates, and any connected services that are enabled (such as payroll, payments, or bank feeds). Those connected services transmit transaction data to Intuit outside the hosting vendor's Business Associate Agreement, so they should not be used for transactions that involve PHI. Authorized users can then access Intuit QuickBooks remotely, similar to the way they would access the QuickBooks SaaS service.

However, it is an expensive way to make Intuit QuickBooks HIPAA compliant. The current price of a software license for the Enterprise version of QuickBooks Desktop is $1,922 per year, while subscribing to a HIPAA compliant cloud hosting service could add a further $2,000 or more per year. Therefore, making Intuit QuickBooks HIPAA compliant may only be cost-effective for healthcare providers that have already purchased a software license and/or have access to a HIPAA compliant cloud hosting service.

Other healthcare providers that want to use PHI with accounting and management software are advised to look for a QuickBooks HIPAA compliant alternative.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news