The Practice of Therapy

Being transparent: Some of the links below are affiliate links.  This simply means that we receive a comission, at no extra cost to you,  if you make a purchase using one of the links.  So thanks in advance for using the links! This post was updated 4/29/20 to reflect the changes to G-Suites from Google Apps for Work

There is no doubt that Google has changed the world. The word Google is not only a noun, but it has become a verb.  When someone says, “I Googled it” we know exactly what they mean.  And in the last 10 years, the Apps that Google has produced have become some of the most used and go-to tools for business.  But for those of us in the mental health and counseling fields, we have to proceed with a bit of caution.  There is this thing called HIPAA and taking the steps we need to take to protect people’s personal health information(PHI).  After all, the cornerstone for ethical treatment in therapy is confidentiality,

There is no way to get around the fact that we have to communicate and share information electronically.  On one hand, it has absolutely made life easier. For counselors in private practice, or any therapist that is in practice for that matter, electronic media and record keeping has become how we document and keep our records. We also have to be able to respond and communicate with clients via email and sometimes by text messages.. But with the internet and the threat of hackers, we have to take extra steps to protect all of this data and information.  The Health Information Portability and Accountability Act (HIPAA) was created for this very reason.

Gmail can be HIPAA Compliant…

I have used Gmail for my personal email for years now. And when I went into private practice as a therapist, I really wanted to keep using it.  However, I really just couldn’t use my personal Gmail account for communicating with clients.  It just crossed all sorts of ethical boundaries.  So I started using a service called “Hushmail” which was secure and HIPAA compliant. But I really did not like the difficulty of using it. It just did not fit with my workflow.

Then a few years ago, I discovered that there really was a way to use G-Suite (formerly known as Google Apps) and Gmail for my counseling business.  Enter Google Cloud and G-Suite!

Google Drive, Gmail, and the other G-Suite Apps can be some of the most useful tools in your toolbelt as a counselor and therapists. Nonetheless, there are steps that you will need to take to make the apps and storage of Personal Health Information (PHI) secure and be Health Insurance Portability and Accountability Act (HIPAA) compliant.  This will require that you use the G-Suite which is a paid service from Google.  The good news is that it is very inexpensive. Just $6-$12 per month per user within your business.

G-Suite is an incredible value not only from a security standpoint but from a marketing and business standpoint.  For example, G-Suite gives you the ability to use Gmail but with your own domain name.  In other words instead of your email address being “something@gmail.com” you can use your own domain name; “something@yourdomain.com”.  It just adds a greater sense of professionalism to your practice.  The other thing that happens on the back end with the Gmail App is that you get the encryption standards that are needed for HIPAA compliance.

Want to learn how to use the tools of G-Suite for Private Practice?

>>Check out the full “G-Suite for Therapists” Course Here<<

Business Associate Agreement

The main reason though for using the paid G-Suite is that you can then get a Business Associate Agreement (BAA) from Google, which is a key ingredient to making the services HIPAA compliant.

More information on this can be found here:

https://www.google.com/work/apps/terms/2015/1/hipaa_baa.html and here: https://static.googleusercontent.com/media/www.google.com/en/us/work/apps/terms/2015/1/hipaa_implementation_guide.pdf

Nonetheless, just having a BAA by itself does not keep PHI secure and confidential. Nor does it make your use of Google Drive and Gmail or any other service for that matter HIPAA compliant.  The BAA with Google just ensures that any information used on their core services (Gmail, Google Drive; including Docs, Sheets, Slides, and Forms; Google Calendar, Google Sites, and Google Apps Vault) meet HIPAA requirements as long as the health service provider configures it correctly.

The Tools You Can Use

• Gmail– email of course!  Gmail provides a ton of functions to help you keep your inbox sorted and organized.
• Google Drive– is a cloud storage application.  With the paid Google Apps for Work, you have up to 30 GB of storage capability
• Sheets– is a spreadsheet application comparable to Microsoft Excel.  Again tons of functionality.
• Google Docs– is the word processing application. Comparable to Microsoft Word or Apple Pages with just about as much functionality
• Google Calendar– it’s a calendar that can be synced with your devices and set-up to send reminders
• Google Sites – is a way to set up an “intranet” for your business
• Google Forms- a very powerful application to create forms and surveys that saves data into Sheets.

Steps to Protect Your Clients

So here are some steps you can take to make use of G-Suite to keep your client’s PHI protected and make them HIPAA compliant.

1. Download and read the “HIPAA Compliance & Data Protection with Google Apps” booklet from Google here.  It goes into detail about how to set up G-Suite.
2. Sign up for G-Suites for Business (click here) As mentioned already, this is a paid service from Google that currently only costs $6-$12 a month per user depending on the plan you choose. The main difference in plans is the amount of storage you get. (It really is a bargain for all that you get!)
3. Make sure your password is unique and not easy figure out.  DO NOT use “password” or “1234”.
4. Go through the set-up steps outlined in the Google HIPAA guide mentioned above.  Particularly the set-up on the administrator side of G-Suite for Gmail.
5. Only use the Core Services that Google agrees to protect under the BAA for any client information.
6. Limit the number of devices that you access the account from.  I know we are very mobile dependent but do not store any patient records on your phone or tablet. In other words, do not use the Google Drive App which allows you to store what is on your Google Drive in your device. You can still read and access files if you have an internet connection.  
7. If you are using a HIPAA compliant Practice Management Service, (Like TherapyNotes, SimplePractice, etc.) you can still create documents, such as writing progress notes using the Google Docs app.  You simply cut and paste the note into your Practice Management application.  I would suggest that you then delete the note from Google Docs just as a precaution. If you are not using a Practice Management Service you can save or print your notes and other documents in Google Drive.  Just make sure you have all of the sharing options turned off. Again, use the set-up recommendations given by Google.
8. Make sure you are using a “2-step verification”.  This simply means having a password for your devices in addition to requiring a second login step to get into your applications. And, never let your browser save your passwords for you.
9. For your Gmail, I would also suggest that you add a confidentiality statement to your signature.  This does not, of course, guarantee any sort of protection by itself, but it does communicate your intentions to keep information from getting into the wrong hands.  Here is a sample of the one that I use on my emails:

“CONFIDENTIALITY NOTICE: This email/fax may contain information that is privileged, confidential or otherwise protected from disclosure. It is intended only for the use of the authorized individual as indicated in the email/fax.  If you are not the intended recipient of this email, please notify the sender immediately by return e-mail or fax, purge it and do not disseminate or copy it.”

The tools that Google provides through Google Drive and G-Suite can be so valuable for counselors and therapists in private practice. This is especially true when you are starting out and need to “bootstrap”.  By following some of these steps you can help ensure that your client’s personal information is secure.

Disclaimer:  The information in this blog post is written to provide accurate and authoritative information in regard to the subject matter covered.  It is provided with the understanding that the author is not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is needed, the services of a competent professional person should be sought. Google, Gmail, Google Docs and the other applications mentioned are trademarks of Google are used for clarifying purposes only.

Get the full “G-Suite for Therapists” Course!

Meet Gordon Brewer

Gordon is the person behind The Practice of Therapy Podcast & Blog. He is also President and Founder of Kingsport Counseling Associates, PLLC. He is a therapist, consultant, business mentor, trainer and writer.  PLEASE Subscribe to The Practice of Therapy Podcast on iTunes, Stitcher and Google Play. Follow us on Twitter @therapistlearn and Pinterest “Like” us on Facebook.