Important: We Are Not Your HIPAA Compliance Officer
Podiatry Boost is a marketing agency, not a healthcare compliance firm. The information on this page describes our practices and approach. Your practice's HIPAA compliance obligations are your responsibility, and we strongly recommend consulting a qualified HIPAA compliance consultant or healthcare attorney for authoritative guidance.
Our Commitments
How We Protect Your Practice
Six specific commitments to HIPAA-considerate marketing operations.
No PHI in Marketing Systems
We configure all CRM and marketing automation tools to handle leads, appointments, and communications only — never clinical records, diagnoses, or treatment notes. Protected Health Information stays in your EHR/PMS, not your marketing stack.
BAA Available for CRM Clients
For practices using our Smart CRM service, we provide a Business Associate Agreement (BAA) covering our handling of any incidental PHI. GoHighLevel (the underlying platform) also offers BAA execution for HIPAA-considerate operations.
Secure Data Handling
Contact forms on your website are served and submitted over SSL/TLS-encrypted (HTTPS) connections, and all data transmitted through our systems travels over encrypted connections. We follow the principle of minimum necessary access — team members access only what is needed for their specific role.
Patient Communication Compliance
SMS and email automation sequences we configure for patient communications are designed to exclude clinical content. Review requests, appointment reminders, and re-engagement messages reference scheduling only — not conditions or treatments.
Compliant Review Requests
Automated review request messages never reference clinical details. They are neutral post-appointment messages requesting feedback — fully compliant with Google's review policies and HIPAA communications guidelines.
Breach Response Protocol
In the unlikely event of a security incident affecting data we manage, we have a defined response protocol including immediate notification to affected clients, root cause analysis, and documentation for HIPAA breach reporting requirements.
What Falls Outside Our Scope
Clinical record systems
We do not integrate with or access your EHR or practice management software. Patient records, clinical notes, billing codes, and insurance information stay in your PMS.
Patient consent documentation
We help configure consent language for SMS and email marketing communications, but patient consent for treatment, HIPAA authorization forms, and Notice of Privacy Practices are your responsibility.
Telehealth platforms
We do not advise on the HIPAA compliance of telehealth or video conferencing platforms used for patient care.
Security risk assessments
HIPAA requires covered entities to conduct formal security risk assessments. We do not perform these. Consult a dedicated healthcare IT security firm for your annual assessment.