Zapier integration?

Would it be possible for Cliniko to set up Zapier integration?
There are so many other web apps that have it, some of them are HIPAA compliant, so that shouldn’t be a problem.
I can think of 4 or 5 apps I’d like to link with Cliniko data:

Gmail - communicating with clients and referrers
Mailchimp - marketing to either or both of the above
Facebook, Instagram, LinkedIn - “” “” “” “”
Saasu or other accounting products - synchronizing invoices and payments, more finegrained financial reporting
Google Sheets - segmented analysis of data beyond what Cliniko can provide

You can probably think of other use cases quite easily. I’m surprised this has never been asked before!

I second this. Right now I’m having to hack through the cliniko - mail chimp integration to ‘drip’ which is my preferred email management software…

And now I’m looking at hacking clinko to xero to zapier to quickbooks for my accounting software. That specific workaround cost includes setting up a dummy xero account just so I can send invoices to it ($30) to plus premium Zapier (which is $20 per month) over to my quickbooks. The workaround is $50 same cost as my monthly clinko plan. Seems more simple to some just to activate Clinko on zapier.

Second this. Zapier would be the primary integration request as this one integration will allow integration for hundreds more apps.

I also would like to see this! It would be great to link it with TYPEFORM and SHEETS.

I really want to see this!!! Posting once more!
I want to connect Cliniko with Convertkit and many other interfaces. Without Zapier I am feeling that cliniko is a huge stumbling block to my effective automations, it’s becoming archaic without this.

This would save me so much time!! Please can you integrate with zapier! Thanks

Hi all! Thanks for the requests re. Zapier.

Zapier is a tricky one for us to navigate. Cliniko stores some very sensitive information, and across the world, there are different protections and regulations that either we are already meeting and adhering to, or plan to meet and adhere to. These deal variously with protection of personally identifiable information or PII (names, contact details, etc.), personal health information or PHI (treatment notes, medical history, etc.), privacy of that information, how it may be used, and for what purposes.

At the end of the day, it is going to be up to you how you use that data, and we do offer integrations to Xero and Mailchimp for example, and data exports… but we also offer controls to help you manage what goes into those services. Zapier on the other hand, is a different kind of service (an internet glue of sorts) and while the app that you’re using on the other side of your Zaps may be appropriate for healthcare data, Zapier is not. Zapier makes such a statement itself about HIPAA compliance (being a US company, that’s relevant to them, and in part, also to us - in fact, we’ll use the acronym HIPAA to generally mean ‘any sensitive data that requires extra privacy’):

Zapier can not claim HIPAA compliance.
(https://zapier.com/help/data-privacy/#hipaa-compliance)

There are two primary reasons they can not do so:

1. processing of healthcare data - whether you’re adhering to GDPR, HIPAA or APPs in Aus - requires additional safe guards in its handling. Zapier doesn’t necessarily know what data it is processing, and meeting these would require this kind of categorisation. Zapier (understandably) isn’t prepared to either (a) treat all data like healthcare data, or (b) go to lengths to know what kind of data a Zap is using.
2. Zapier logs (i.e. data coming in, being transformed, and going out) are visible to their staff, for the purposes of troubleshooting. That’s pretty common in many software companies. But that’s problematic for us and you, as your patient data should not be visible to anyone not authorised to view and/or manage it.

That last point is also listed in the web page linked above:

All Zapier employees have access to raw HTTP logs as a part of daily support - we censor access tokens/secrets to the best of our ability. All debug logs censor account credentials (API keys, tokens, etc.) so they are not viewable in raw request logs.

Last year we made a big push to get Cliniko GDPR compliant. That is perhaps not so important for our Australian customers, but important nonetheless - anything that offers or enforces greater privacy is good in our view. A considerable component of GDPR compliance is offering our customers, and their patients, the right to erasure (to be forgotten). In essence, this means Cliniko needed a means to allow purging a patient from our systems, upon request. That becomes very difficult to do once a patient’s data has been spread through Zapier and the various other apps it connects to. We could certainly work around this to an extent, but the end result would unlikely be workable, given how we expect you want to use Zapier. From the Zapier website, to be GDPR compliant and use Zapier, you need to:

Be thinking about how you’ll handle consent. You should configure your Zaps and integrations to not trigger or work with [patients’] data without proper consent.
(https://zapier.com/help/gdpr/#customers-and-partners-role-in-gdpr-compliance)

The implementation of that, when you have hundreds or thousands of patients, is going to be… err, tricky. We do have a check box currently so you may opt patients out of marketing. The simplest interpretation of the above statement would be a checkbox for every such integration you have with Zapier, for every patient. You may then also need to set up Zaps that respond to deleting a patient - then triggering deletion/removal of their data in all your Zapier-integrated apps.

Touching on a previous point made by @julian, re. HIPAA compliant apps integrating with Zapier, there are a handful of HIPAA compliant apps out there that integrate with Zapier. They offer this integration with a caveat though. We’ll take one such example: JotForm (if there are others, let us know!). JotForm do offer HIPAA compliant accounts - i.e. accounts where users are building forms that collect PII or PHI. They also offer integrations to many services - one of those being Zapier. JotForm state:

If you need integration with Zapier, you should use it only for the forms that don’t contain PHI. It is really crucial not to send any PHI to Zapier which doesn’t claim to be HIPAA compliant and protect PHI in the right way. If you pass PHI, then you may end up with a HIPAA violation.

Essentially, they leave it up to you, to only use Zapier on forms that do not contain private/sensitive data. That makes perfect sense. Where Cliniko is concerned, that poses a bit of a problem though - all our data is sensitive!

(I’m using the term HIPAA, but the core principals of privacy are reflected in that).

So, with all of that said, hopefully this kick-starts a discussion around it. We’re certainly keen to hear your feedback and thoughts. Integrations are of enormous value to many these days, and we know that. But we do also want to be clear that from a privacy perspective, Zapier poses a real challenge.

@hagen - Fair enough, but what about PieSync? They talk about being GDPR compliant and have a full data processing annex/agreement as to their commitments to maintaining full confidentiality of data they process through their system -. https://help.piesync.com/faq/piesync-and-gdpr

They mention the only data they use are client’s email addresses and a hash’s to help identify the client to ensure syncing work properly without problems between the 2 systems.

They also mention that data processed by them passes through AWS Services, which is what Cliniko uses too, which is good.

I think with an integrator like PieSync, Cliniko could quickly support a lot of connectors with a lot the other systems we all use, including 2 way syncing which would change my life and cut back all the extra hours I do. I’m sure there’s some other practice owner’s who feel me on this one.

Maybe you guys could reach out to the team at PieSync and chat with them about how they would process Cliniko client data, I think the collaboration would benefit the whole community greatly.

Thanks for the reply @joshdcam!

There are certainly a few such services out there. I guess one concern with attempting to support multiple different integration tools like Zapier, PieSync, Integromat, Automate.io, Tray.io and so on, is that we’re then stuck supporting all of them.

From what I could see, PieSync doesn’t have the same integration creds as Zapier, but does appear to work in a different manner. That is, Syncing, as opposed to Eventing. At this point, the difference isn’t immediately obvious, but when it comes time to get work done, we’d see that these services fulfil different needs… and likely we’d need both types

Were we to go down this path, we’d probably look at supporting the most common/largest integration services - otherwise we could find ourselves spending a lot of time building for integration services, instead of building for Cliniko.

As it stands, GDPR is only one aspect of privacy for us, but certainly, PieSync may be able to support us in other privacy capacities too.

My final concern is that we probably don’t want to be hand-picking integration options, and pushing our users towards them. That sort of infers our support and preference for these service, where none exists. It’s also an additional cost to be borne, where if Cliniko had the integration itself, there’d be no ‘connectivity’ cost (granted there are costs for other services, but the cost to integrate that service is what I’m referring to).

We don’t have an immediate way forward, but I’m definitely keen on further exploring integration options. I do think there’s more to it than meets the eye though! I’ll contact PieSync and see what the service is all about.

Thanks for taking so much interest in integrations! I do hope to keep the conversation going!

Has there been an update on this subject as of yet please?

Hi @Tim_Jackson, thank you so much for reaching out. In regards to updates on Zapier, we are not actively looking into integrating with their software. As of 8 January, 2020 Zapier’s data privacy policies still have not changed in regards to employee access and they do not have HIPAA compliancy.

As @hagen previously mentioned, currently:

All Zapier employees have access to raw HTTP logs as a part of daily support - we censor access tokens/secrets to the best of our ability. All debug logs censor account credentials (API keys, tokens, etc.) so they are not viewable in raw request logs

Since Zapier is not set up to handle protected health information, we are unlikely to create a Zapier integration. Other integrations are still possible but again Zapier is not being considered at this time.

Ultimately though the responsibility for protection of patient data rests with the health provider, not the platform. So if the health provider decides to use something like zapier and ends up with an issue it is on them, not the platform.
Having access to these services and integrations would make things easier for your platform users, as long as it is used with the knowledge of HIPAA issues.
I have looked at trying to set up a custom zapier app as you offer access to the cliniko API, but I am perhaps not smart enough to get it to authenticate and work properly (would love some guidance if you wanted to provide it!).

Hi there, thanks for this conversation. I am stuck with this exact problem at the moment. The challenge is Cliniko doesn’t speak to Active Campaign. Whilst I am reading here that zapier is not the most secure platform of making the two speak to each other what are the other options? Did you end up looking at Piesync? was that a possibility… if not what are my options? What hacks can I do to get around this… doing it manually is killing me slowly. Regards, Sarah

Hi @Jason_Chong & @nurturedbirth,

thanks for sharing!

@Jason_Chong It’s absolutely reasonable to take the approach that Cliniko should leave it up to you to decide what services to integrate with. We do understand that.

So if the health provider decides to use something like zapier and ends up with an issue it is on them, not the platform.

But where we can, we also want to help ensure that scenario can’t arise. We don’t want to see our customers getting ‘caught out’.

You can, right now, export all your Cliniko data and use it where or how you want. Or with development assistance, connect to Cliniko’s API to build your own integrated app. So there are options, but I acknowledge that they’re not straightforward like built-in integrations.

We want to continue improving Cliniko, including making it more functional/integrated. And we’ll continue thinking through, and working on, ways to keep that happening.

As for using the Cliniko API, we absolutely can offer advice! We have a Cliniko API Developers Group here: https://groups.google.com/a/redguava.com.au/forum/#!forum/cliniko-api and the Cliniko API is documented here: https://github.com/redguava/cliniko-api. A message to the Google Group will likely net you a response from one of our dev team, or from another dev working with Cliniko’s API!

@nurturedbirth, thank you for checking in! PieSync appears to have the same data handling approach as Zapier - i.e. they do not treat health data in a manner that would ensure patient privacy. We’re eager to ensure that services we integrate with in the future offer the same levels of privacy and protection Cliniko does.

Have you found a way to authenticate? @Jason_Chong @hagen
Or is there any article from which I can refer to?

Thanks!