For many therapists and counselors the term “HIPAA Compliance” just has a way of bringing up some anxiety. We have this tendency to think of HIPAA as that “big brother” that is watching us if we fail to follow the rules around our record keeping and communications with clients. And it is true that if you were to blatantly or even accidentally have client information shared with someone that is not supposed to have it, you could get fined. Even if you were to lose some client information without any proof of protecting it, you could get fined. But is all that something to really lose sleep over or worry about? After all, our professions have been protecting client confidentiality for years.
It’s About the Client
I remember when I was going through the last stages of getting licensed in my state and had one more hoop to jump through. Back then, the final leg of the journey was to take an “oral exam” with the state board. What it involved was sitting down with two of the board members and then them asking questions, mostly about state laws and legal and ethical issues.
There was one question they asked that stumped me a bit. It was something along the lines of, “Who does confidentiality belong to?” Of course now the answer is blatantly obvious. Confidentiality belongs to the client. Their information belongs to them and we are to keep that information private and not share it with anyone.
The way I like to think about all this is to remember that our clients have entrusted us with one of their most valuable possessions; their personal information. Our job is to protect it and then always communicate with the client about how we use or store that information. We would never ever share or communicate what a client has told us without first having written, documented permission from that client (AKA authorization for release). So everything we do is first done with permission and they have signed-off on it. So in a nutshell, that is the intent and purpose of HIPAA. But just as important, our various ethical guidelines dictate that we do all this too.
What is HIPAA really?
First of all, it is important to understand what HIPAA is and what it isn’t. HIPAA is the acronym for the Health Insurance Portability and Accountability Act. So one of the things to notice first is that this Federal Act in the United States has the word “insurance” in it. So does that mean that if you do not take insurance, you don’t have to worry about this? The short answer is maybe…Here’s why.
As we have moved into a fully electronic world that absolutely depends on sharing information via the internet and other electronic means, access to information has become very easy. In 1996, the US Government recognized that with this switch in the way we share and receive information, there needed to be some rules in place around how personal information should be kept secure and shared. In particular, personal health information (PHI). And with the majority of our health care in the United States being funded by insurance providers, our legislators wanted to make sure our PHI is protected.
“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information” As a result, HHS developed and published two rules. The “HIPAA Privacy Rule” and the “HIPAA Security Rule”. (Source: http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/)
The Privacy Rule establishes national standards for protecting certain individually identifiable health information. The Security Rule establishes national standards for transmitting electronic health records. These two rules are interconnected in that the Security Rule puts into operation the standards needed to ensure that the Privacy Rule is followed.
Roy Huggins at Person Centered Tech adds, “The Security Rule covers data both at rest and in motion. The Privacy rule covers privacy, while the security rule covers security. Also, the Security Rule only covers electronic info while the Privacy Rule covers all info. Here’s a pretty good discussion of the difference between ‘security’ and ‘privacy’: https://blog.eiqnetworks.com/blog/bid/313892/the-difference-between-data-privacy-and-data-security“
Key points of the “rules”
- Applies to any health plans, healthcare clearinghouses, and healthcare providers (aka- “Covered Entities”) that transmits health information electronically.
- Applies to any business associates or auxiliary staff that would handle or have access to health information.
- Protected information is essentially any information that identifies a person and connects that individual to a specific health condition or diagnosis. This includes, name, address, date of birth, Social Security Number, etc..
- Any past, present or future physical or mental health conditions is information that needs to be protected.
- Providers need to have written policies in place and disclosure statements that tell clients/patients how their PHI is being protected.
- Providers must also have a written Business Associate Agreements (BAA) with any entity or individual outside their organization that tells how PHI is going to be handled and protected when they have access to it.
- Requires covered entities to “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI”.
- Providers need to ensure that PHI is kept confidential and the integrity of the information is maintained.
- Providers must also put measures in place to anticipate any threats to the security of PHI and ensure compliance of these measures with their workforce.
- Providers need to review and update things as technology and environments change.
- Providers need to designate a person to oversee that the security rule is implemented
The problem for us in private practice is that the HIPAA rules tell what we are supposed to do, but does NOT tell HOW to do it. And that is where most people feel the angst.
Protecting PHI was pretty simple back in the days when all we used were paper records. You simply put the records in a file folder, locked them in a file cabinet that was also in a locked closet. It was a two step process to get to the records. And only people that were supposed to get to the records had a key. In our electronic world, you really do things the same way. You have a double locked system. AKA “2-Factor Authentication”.
The first thing to consider is to have at least a double password sequence for accessing and getting to any PHI. This is also referred to as “2-Step Authentication”. Just like with the standard for paper records being double-locked, electronic records need to be the same. One password to unlock your computer. A second, different password to open the files that contain PHI.
The other thing about passwords is to make them unique and complex. In other words, at the very least 8 characters long with a mixture of lowercase, uppercase, numbers and special characters (#,$,&, etc.). It is also a good idea to change your passwords frequently.
Another tip for passwords is to use an application that stores and also generates passwords randomly. Two that come recommended are LastPass and 1Password. With these, you create one complicated password for the app, then it generates random passwords for all your other applications.
Even better though is to have “2-Factor Authentication“. Again Roy Huggins, describes it this way:
“Having ‘2-factor’ means that one’s authentication method uses two of three possible authentication factors: Something You Know (passwords), Something You Are (fingerprint, retina scan, etc), and Something You Have (your mobile phone, a key fob, etc.). When services like Google require both a password and a special code sent by SMS or found in your Google Authenticator app, they are requiring Something You Know (your password) and Something You Have (your mobile device.) So there are 2 different authentication factors in use. Having two passwords is a good idea, for sure. But it’s only one authentication factor used twice, and is far less powerful than having two authentication factors. And having two factors is the NIST standard that is becoming a best practice for HIPAA covered entities when it’s available to them.”
Encryption of Data
Password protection is a good first-line protection. But passwords are really only the “front door” protection when it comes to protecting PHI. In other words, if someone were to try to open your computer or get to files while on your computer or other devices, passwords are your defense. But what if someone were to try and get into your computer through the “back door” or through a window? In other words what if someone were to “hack” your computer through an internet connection?
This is where encryption comes into play. Without going into a lot of a whole lot of technical details, encryption basically makes your data unreadable (a scrambled bunch of characters) to anyone without the encryption key or password. So with encryption, anyone that is not supposed to have access to the data or information could not read it.
With encryption, you can encrypt individual files or folders. Nonetheless, what is recommended is what is called “full disk or full device encryption” This can be easily done within the setup of your computer. Roy Huggins at “Person Centered Tech” has some great tutorials and articles about this and how to implement full disk encryption on your device, so we will not go into the details about that here. (I can truly recommend https://personcenteredtech.com for much more in depth information on HIPAA complicance and security)
Store on the Cloud
Even though it might sound counter-intuitive, a good way to store PHI is “in the cloud” IF you take the right steps to protect it there. These are services like Google Drive, Dropbox or iCloud. Others would be with practice management or electronic health record (EHR) systems you might be using. But before you store anything on the cloud, be sure to have a Business Associate Agreement (BAA) with any service you might be using. This will assure you are following HIPAA guidelines and also assure that client information is protected.
As of the writing of this post, iCloud does not offer a BAA, so I would not recommend it for storing any PHI. Google Drive, Dropbox, and Microsoft OneDrive all offer BAAs for their premium services. Google Drive (through G-suite) is my first recommendation, because of the encryption it provides, prices and all the other services and applications. You do this by signing up for G-Suite which only costs $5 per month per user.
Why Cloud Storage is Better
When PHI is stored on your own laptop or computer, you put yourself and your client at risk for that information getting into the wrong hands. Or just as bad, the information getting lost. (Which HIPAA standards require that we not only keep information safe but also to not lose it.) Personal or business computers are at risk for getting lost, stolen or crashing. When this happens you as a practitioner would be liable. Especially if that computer or device gets into the wrong hands.
The other reason is that cloud storage is more secure because of the encryption it offers. Data is stored on large servers that are heavily guarded and secure. Businesses like Google absolutely depend on data being secure. You will also find this with practice management systems. But all of these are not the same. Do you research and make sure they do in fact follow the best security practices. Again, Roy Huggins’ Person Centered Tech has great information on this. The other resource is Rob Reinhart’s Tame Your Practice is one of best places to get complete reviews on EHR and practice management systems.
Obviously, you should regularly back up data. This is another advantage to storing information “in the cloud”. By storing data on the cloud is that is keeps your data backed-up should anything happen to your computer.
Certainly storing in “the cloud” is a good option for people. But it is not necessarily the only way to go. Again Roy Huggins says, “the security tools available for computers and mobiles make it entirely feasible for a low-tech savvy therapist to securely keep records on their own stuff. It’s also unavoidable that some PHI will end up on our devices, so we need to think about how to secure them regardless of how we’re using cloud services.”
Communication with clients
Finally, one of the things that is an important part of the HIPAA rules is how you communicate with clients. Going back to what I said in the beginning, remember that confidentiality belongs to the client. So they have the final say in how they want their information shared or not shared. Our job is to do everything we can to protect their information.
Communication by phone, texting or email can be precarious. The problems lies in making sure what is getting communicated gets into the right hands and ears. So for example, you send a reminder text to a client and their spouse sees the text about the reminder. It would be a big problem and breach of confidentiality if the client did not want their spouse to know they were seeing you for therapy. That is just one small example.
The first line of defense though is to simply get releases from your client around how they want to be communicated with for appointment reminders. In that release let them know the risks involved and how you handle communications outside of session. For example, I have a policy that they only thing I communicate with clients about in email or text is appointment times and changes. I might have them send insurance information or other things like that, but will never discuss clinical issues by email or text. And if you do any of this, get them to sign-off on it!
If you do want to communicate more detailed information or clinical issues, you probably will want to use an encrypted email to do that. You can do this with some various services, like Hushmail and Protonmail. Both are free services, but you will probably need to get their premium services to get the BAA. For texting, the Signal App by Open Whisper Systems is comes highly recommended. (I did not see though that they have a BAA available.)
With emails, it is also a good idea to include privacy notice in the footer of your emails. This does not make the email “HIPAA Compliant”, but it does add a layer of intent to keep things private. Something like this:
Confidentiality Notice: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Certainly, HIPAA and all that it encompasses can bring up some anxiety. It feels and sometimes actually is complicated. As you build your practice and start its growth, it will be important to keep all these things in mind. But don’t stress yourself over it. The good news is that once you put the right things in place, you protect your clients and also protect yourself.
Do check out Roy Huggins, Person Centered Tech for some really great courses and information on this whole topic. Also take some time to listen to the Podcast at Practice of the Practice where Joe Sanok interviews Roy about all this. (It’s a great podcast anyway and Joe is friend and great guy)
So don’t let yourself suffer! End “HIPAA Anxiety Disorder”!
An Acknowledgment: Many, many thanks to Roy Huggins for his input on this article. I very much appreciate all that he is doing to educate, inform and share his expertise when it comes to technology and HIPAA. He reviewed this article and gave me the feedback that you see quoted. Do check out Person Centered Tech at https://personcenteredtech.com and the great courses and resources offered there. Thanks Roy!
By L. Gordon Brewer, Jr., MEd. LMFT – Gordon is the President and Founder of Kingsport Counseling Associates, PLLC. He is also a consultant and business mentor at The Practice of Therapy. Follow us on Twitter @therapistlearn and Facebook @practiceoftherapy