If you're in the healthcare industry, you know how important it is that every system you use is HIPAA-compliant. Next to caring for patients, the most important thing a healthcare organization does is protect patient data. A CRM is a natural place to store this information, but given how expensive subscription fees are, you may think acquiring such software is out of reach.
However, with the right tool, consultant, and infrastructure, you can have a complete, secure, user-friendly, HIPAA-compliant CRM without paying a dime in subscription fees.
Here's how I build my clients' HIPAA-compliant, custom CRMs that cost $0 per month in CRM subscription fees.
Open Source Is the Way to Go for Cost-Conscious Healthcare Organizations
I decided to go the open source route for my client as they didn't have the budget for something like Salesforce Healthcare, which at the time ran $325 per user per month. This is billed annually, and they needed about 100 seats, which in total, not including implementation fees and other charges, came out to roughly $390k per year.
HubSpot, Creatio, and others were also too expensive for them, so I began looking at three of my favorite open source CRM applications:
- SuiteCRM
- vTiger
- Odoo
Though I prefer Odoo's language, Python, to the PHP that SuiteCRM is written in, SuiteCRM was the superior choice given the client's needs, so it was selected. Once the tool was chosen, it was time to acquire the other pieces of the tech stack.
Tech Stack Needed to Run a HIPAA-Compliant Open Source CRM
SuiteCRM's tech stack, keeping with the open source theme, requires no paid licenses when configured correctly. Here's what's needed:
- PHP
- MySQL database
- Elasticsearch (optional, for full-text search)
- Apache
- Any OS that supports PHP, MySQL, and Apache
SuiteCRM recommends Linux, so I chose Ubuntu. Other Linux distributions work as well, and Windows is also an option. However, Windows setups are more error-prone, less performant, and require Windows Server licensing on top of everything else.
The cost for the underlying tech stack was $0 in total.
Hosting a HIPAA-Compliant CRM on AWS
Amazon Web Services provides a BAA (Business Associate Agreement) and pay-for-what-you-use pricing for its servers. The BAA itself is free of charge, but note what it does and doesn't do: it obligates AWS for the infrastructure, while you remain responsible for how you configure it (encryption, access control, logging), and PHI may only be placed in the services AWS designates as HIPAA-eligible. The client did need to pay for backups, nightly snapshots, and other services related to data retention.
In total, roughly $15 to $35 USD per month went to ancillary services like backups, depending on usage and volume. The hosting itself was around $50 to $75 per month.
EC2 Instance Configuration (Small Practice)
For a small to mid-sized practice (150 users or fewer), with up to 50 concurrent users, this is the EC2 configuration I've found to be the most cost-effective and reliable:
| Component | Specification |
|---|---|
| Instance Type | t3.medium (2 vCPU, 4 GB RAM) |
| Operating System | Amazon Linux 2023 or Ubuntu LTS (Security updates enabled) |
| Storage | 50 GB encrypted EBS (gp3) |
| Database | MySQL running locally with disk-level encryption |
| Network and account | HTTPS only (TLS 1.2+), SSH restricted to the admin network, MFA on the AWS root account |
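The table above written out as Terraform. This is an added example, not configuration from the original engagement; it assumes the AWS provider is already configured for a HIPAA-eligible region, that the default VPC is used, and that the operator supplies an AMI ID (`ami_id`) and the admin network's CIDR (`admin_cidr`), both of which are hypothetical variable names. MFA on the root account is set in the IAM console and cannot be expressed here. The `admin_cidr` validation refuses `0.0.0.0/0`, so the "restricted SSH" requirement fails at plan time rather than silently shipping an open port, and IMDSv2 is required so a server-side request forgery bug in the web application cannot be used to read the instance's credentials.

```hcl
variable "ami_id" {
  description = "Ubuntu LTS or Amazon Linux 2023 AMI for the region (assumption: supplied by the operator)"
  type        = string
}

variable "admin_cidr" {
  description = "Network allowed to reach SSH, e.g. the practice's office egress IP as a /32"
  type        = string

  validation {
    condition     = can(cidrhost(var.admin_cidr, 0)) && var.admin_cidr != "0.0.0.0/0"
    error_message = "admin_cidr must be a valid CIDR and must not be 0.0.0.0/0: SSH is never open to the world."
  }
}

# HTTPS from anywhere, SSH only from the admin network, nothing listening on port 80.
resource "aws_security_group" "crm" {
  name        = "suitecrm-web"
  description = "SuiteCRM: HTTPS public, SSH restricted"

  ingress {
    description = "HTTPS (TLS 1.2+ is enforced in the Apache vhost)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH from the admin network only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "crm" {
  ami                    = var.ami_id
  instance_type          = "t3.medium"
  vpc_security_group_ids = [aws_security_group.crm.id]

  # 50 GB encrypted gp3 root volume. MySQL's data files live here, so EBS
  # encryption is the disk-level encryption the table refers to.
  root_block_device {
    volume_type = "gp3"
    volume_size = 50
    encrypted   = true
  }

  # Require IMDSv2 (session tokens) for the instance metadata service.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags        = { Name = "suitecrm" }
  volume_tags = { Backup = "nightly" } # selects the volume for the snapshot policy below
}

# Nightly EBS snapshots, retained for 30 days, via Data Lifecycle Manager.
resource "aws_iam_role" "dlm" {
  name = "dlm-lifecycle-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "dlm.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "dlm" {
  role       = aws_iam_role.dlm.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole"
}

resource "aws_dlm_lifecycle_policy" "nightly" {
  description        = "Nightly snapshots of SuiteCRM volumes"
  execution_role_arn = aws_iam_role.dlm.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]
    target_tags    = { Backup = "nightly" }

    schedule {
      name      = "nightly"
      copy_tags = true

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["03:00"]
      }

      retain_rule {
        count = 30
      }
    }
  }
}
```

Snapshots of an encrypted volume are themselves encrypted with the same key, so the retention copies stay covered. If the admin network has no fixed egress IP, drop the SSH ingress rule entirely and use AWS Systems Manager Session Manager for shell access instead.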
Configuring SuiteCRM for HIPAA Compliance
Your guiding light for HIPAA compliance as it relates to your CRM is the principle of least privilege, which HIPAA spells out as the "minimum necessary" standard. Ensuring that people have only the minimum access needed to complete their job functions is vital.
In SuiteCRM, this is accomplished via:
- Roles: Define which actions a user may perform per module (view, list, edit, delete, export, and so on), down to individual fields.
- Security Groups: Groupings of users whose rights are defined by the roles attached to the group, and which also scope the records those users can see.
For example, a Security Group could be called Patient Scheduling. The roles assigned to that group could include Patient Record Viewer and Practice Calendar Viewer, with field-level restrictions keeping sensitive fields such as DOB, SSN, and diagnoses hidden from users who don't need them to schedule. Apply the same principle to the data itself: fields the workflow never uses, an SSN being the obvious case, are safer not stored in the CRM at all. For a deep dive on this matter, check out my article on handling PHI in your CRM.
Training, Re-Training, and Optimization
One of the requirements for HIPAA compliance is ongoing training for the workforce. I created several videos along with a comprehensive guide to the modules and functions. As workflows and features changed, re-training had to occur to ensure the application continued to be used as intended and remained secure.
A HIPAA-Compliant CRM for $0 Per User Per Month Can Be Yours Too
You don't need to shell out hundreds of thousands of dollars for a subscription to Salesforce. With the right application, tech stack, and consultant, you can achieve compliance, widespread user adoption, and better patient outcomes without breaking the bank.
If you're interested in bringing a CRM into your healthcare organization, reach out via our contact form or drop me a DM on social media.
