Hi all! Thanks for the requests re. Zapier.
Zapier is a tricky one for us to navigate. Cliniko stores some very sensitive information, and across the world, there are different protections and regulations that either we are already meeting and adhering to, or plan to meet and adhere to. These deal variously with protection of personally identifiable information or PII (names, contact details, etc.), personal health information or PHI (treatment notes, medical history, etc.), privacy of that information, how it may be used, and for what purposes.
At the end of the day, it is going to be up to you how you use that data, and we do offer integrations to Xero and Mailchimp for example, and data exports… but we also offer controls to help you manage what goes into those services. Zapier, on the other hand, is a different kind of service (an internet glue of sorts), and while the app that you’re using on the other side of your Zaps may be appropriate for healthcare data, Zapier is not. Zapier makes such a statement itself about HIPAA compliance (being a US company, that’s relevant to them, and in part, also to us - in fact, we’ll use the acronym HIPAA to generally mean ‘any sensitive data that requires extra privacy’):
Zapier can not claim HIPAA compliance.
(https://zapier.com/help/data-privacy/#hipaa-compliance)
There are two primary reasons they cannot do so:
- processing of healthcare data - whether you’re adhering to GDPR, HIPAA or the APPs (Australian Privacy Principles) in Aus - requires additional safeguards in its handling. Zapier doesn’t necessarily know what data it is processing, and meeting these would require this kind of categorisation. Zapier (understandably) isn’t prepared to either (a) treat all data like healthcare data, or (b) go to lengths to know what kind of data a Zap is using.
- Zapier logs (i.e. data coming in, being transformed, and going out) are visible to their staff, for the purposes of troubleshooting. That’s pretty common in many software companies. But it’s problematic for us and you, as your patient data should not be visible to anyone not authorised to view and/or manage it.
That last point is also listed in the web page linked above:
All Zapier employees have access to raw HTTP logs as a part of daily support - we censor access tokens/secrets to the best of our ability. All debug logs censor account credentials (API keys, tokens, etc.) so they are not viewable in raw request logs.
Last year we made a big push to get Cliniko GDPR compliant. That is perhaps not so important for our Australian customers, but important nonetheless - anything that offers or enforces greater privacy is good in our view. A considerable component of GDPR compliance is offering our customers, and their patients, the right to erasure (to be forgotten). In essence, this means Cliniko needed a means to allow purging a patient from our systems, upon request. That becomes very difficult to do once a patient’s data has been spread through Zapier and the various other apps it connects to. We could certainly work around this to an extent, but the end result would be unlikely to be workable, given how we expect you want to use Zapier. From the Zapier website, to be GDPR compliant and use Zapier, you need to:
Be thinking about how you’ll handle consent. You should configure your Zaps and integrations to not trigger or work with [patients’] data without proper consent.
(https://zapier.com/help/gdpr/#customers-and-partners-role-in-gdpr-compliance)
The implementation of that, when you have hundreds or thousands of patients, is going to be… err, tricky. We do have a check box currently so you may opt patients out of marketing. The simplest interpretation of the above statement would be a checkbox for every such integration you have with Zapier, for every patient. You may then also need to set up Zaps that respond to deleting a patient - then triggering deletion/removal of their data in all your Zapier-integrated apps.
Touching on a previous point made by @julian, re. HIPAA compliant apps integrating with Zapier, there are a handful of HIPAA compliant apps out there that integrate with Zapier. They offer this integration with a caveat though. We’ll take one such example: JotForm (if there are others, let us know!). JotForm do offer HIPAA compliant accounts - i.e. accounts where users are building forms that collect PII or PHI. They also offer integrations to many services - one of those being Zapier. JotForm state:
If you need integration with Zapier, you should use it only for the forms that don’t contain PHI. It is really crucial not to send any PHI to Zapier which doesn’t claim to be HIPAA compliant and protect PHI in the right way. If you pass PHI, then you may end up with a HIPAA violation.
Essentially, they leave it up to you to only use Zapier on forms that do not contain private/sensitive data. That makes perfect sense. Where Cliniko is concerned, that poses a bit of a problem though - all our data is sensitive!
(I’m using the term HIPAA, but the core principles of privacy are reflected in that.)
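To make the two mechanisms above concrete - the per-patient, per-integration consent check, and JotForm’s advice to send only non-PHI fields - here is an added illustration (not Cliniko’s, Zapier’s or JotForm’s code). It assumes a practice-defined allow-list of non-PHI fields and a record of which integrations have received a patient’s data, so that a deletion can be fanned out to each of them; all field names, integration names and sample records are constructed.

```python
"""Consent-gated, allow-listed forwarding of patient data to an automation
service, plus erasure fan-out when a patient is deleted. Added illustration
with constructed names; not the code of any product mentioned in the post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: the practice classifies these fields as safe to leave for a
# non-HIPAA service; anything not listed is treated as PII/PHI and dropped.
NON_PHI_FIELDS = {"patient_id", "appointment_time", "practitioner"}


@dataclass
class Patient:
    patient_id: str
    consents: Set[str] = field(default_factory=set)     # integrations opted into
    shared_with: Set[str] = field(default_factory=set)  # integrations that got data


def build_payload(patient: Patient, record: Dict[str, str],
                  integration: str) -> Optional[Dict[str, str]]:
    """Return what may leave for `integration`, or None if blocked.
    Gate 1: the patient consented to this integration.
    Gate 2: only allow-listed (non-PHI) fields are forwarded."""
    if integration not in patient.consents:
        return None
    payload = {k: v for k, v in record.items() if k in NON_PHI_FIELDS}
    patient.shared_with.add(integration)  # remember where data went
    return payload


def erasure_events(patient: Patient) -> List[Dict[str, str]]:
    """On deletion, emit one erasure request per integration that ever
    received data, so the right to erasure follows the data downstream."""
    return [{"action": "erase", "integration": i, "patient_id": patient.patient_id}
            for i in sorted(patient.shared_with)]


# Constructed sample record mixing PII/PHI with scheduling data.
SAMPLE = {"patient_id": "p-0001", "name": "Example Person",
          "email": "someone@example.invalid", "treatment_notes": "lower back pain",
          "appointment_time": "2019-05-01T09:00", "practitioner": "Dr Example"}


def demo():
    p = Patient("p-0001", consents={"calendar-sync"})
    blocked = build_payload(p, SAMPLE, "mail-list")    # no consent -> None
    sent = build_payload(p, SAMPLE, "calendar-sync")   # consented -> non-PHI only
    return blocked, sent, erasure_events(p)


if __name__ == "__main__":
    print(demo())
```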
So, with all of that said, hopefully this kick-starts a discussion around it. We’re certainly keen to hear your feedback and thoughts. Integrations are of enormous value to many these days, and we know that. But we do also want to be clear that from a privacy perspective, Zapier poses a real challenge.