HIPAA Compliance for Mental Health Clinicians

Note: This blog post is not a substitute for legal advice. It’s just a blog post.

You’ve decided that you want to start using technology in your practice, whether it’s using an EHR, offering teletherapy, or even emailing with clients. Great! Your clients will thank you for it! But first, you need to be familiar with HIPAA, the federal law that establishes national standards for electronic health care transactions and identifiers for providers, health insurance plans, and employers.

FREQUENTLY ASKED QUESTIONS ABOUT HIPAA ANSWERED IN PLAIN ENGLISH

What is a Business Associate Agreement (BAA)?

The BAA is an assurance from a service provider (business associate) that they will safeguard your clients’ data in the same ways you as a clinician (covered entity) are required to. It also clarifies and limits how service providers use and disclose protected health information (PHI). Finally, it highlights the appropriate safeguards necessary to prevent unauthorized use or disclosure of PHI. If a company will not sign a BAA with your organization or practice, then you should not trust them with your clients’ PHI.

Why do I need a BAA?

Because HIPAA says so. Every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations. Your “business associates” are all the various service providers who “create, receive, maintain, or transmit” your clients’ data: email, video, records, texts, etc.

Yeah but what will really happen if I’m not compliant? I’m just a small practice.

It’s not worth the risk, and your organization’s size doesn’t matter. The federal government has the latitude to impose both civil monetary fines and criminal punishments upon individuals and organizations that violate HIPAA. Under the current omnibus HIPAA rules, each violation can incur a penalty of up to $50,000, with repeat violations of the same provision costing as much as $1.5 million per year. In the first seven months of 2016 alone, HHS recorded close to $15 million in HIPAA violation settlement payments.

I don’t have a BAA with Google and use Gmail. Is it enough to simply ask my clients to not email me sensitive information?

Probably not. Even a simple emailed appointment reminder can be considered ePHI. In order to be in compliance, you’ll want to use a provider with whom you can sign a BAA, such as Google’s G Suite. It’s important to note that in the case of G Suite, your data will be encrypted on Google’s servers, but may not be fully encrypted while in transit. Given that, it’s advisable to document that your clients have provided informed consent to communicate via email.

There are services that are designed to provide fully-encrypted email solutions to providers. Some examples are Hushmail, or Protonmail. Remember you NEED A BAA between yourself and the company to be compliant! Simply signing up for a service from a provider who claims to be HIPAA compliant is not enough.

Can’t I just use FaceTime or Skype for teletherapy? My client says they’re OK with it.

No. Your service provider must sign a BAA with you to be compliant. To the best of my knowledge, Apple currently does not sign BAAs with FaceTime users. Microsoft (who owns Skype) will enter BAAs, but not for Skype. What about Google Hangouts? No. Google will sign BAAs for email (see above re: G Suite), but not for Hangouts. It’s not enough for your client to be OK with using one of these services, and therapists would be well-advised to remember that just because a client says they’re not worried about the privacy of their data today doesn’t mean they won’t sue you in the future.

Can I use something like SurveyMonkey or Google Forms to administer assessments?

Yes, if you sign a BAA with either SurveyMonkey or G Suite (Google) to do this.

So do I have to sign a whole bunch of BAAs to be HIPAA compliant?!?

Yes, if you are using multiple different types of services. Alternatively you could opt for the simplicity of having a provider that offers a number of services in one platform. Pacifica offers HIPAA-compliant teletherapy, assessments, and access to a large library of CBT- and mindfulness-based therapeutic content. Learn more here.