The issue with de-identified data in healthcare lies in the fact that some Electronic Health Record (EHR) companies have crafted Business Associate Agreements (BAAs) that could potentially harm healthcare providers and their patients. While it is not entirely clear whether these companies are strictly adhering to the letter of the law, they certainly do not uphold the spirit of it. The original intention of a BAA, as outlined in the HITECH Act and further refined by the Omnibus Rule, is to serve as the company's commitment to understanding HIPAA privacy and security requirements. In cases where breaches are caused by the software, the company should take responsibility. However, when data is de-identified, companies gain significant latitude in its use. They are not obliged to seek permission or inform subscribers about how or when their patients' data is utilized, nor are they held accountable for software failures that result in data breaches.
EHRs can be a big help with HIPAA compliance. In fact, relying on stand-alone tools may make achieving HIPAA compliance difficult, if not impossible. The PSYBooks EHR & Portal is solidly based on HIPAA and has been since its inception.
HIPAA is a frightening thing to many behavioral health providers. Although it is something to take seriously, it need not be frightening. Nor do you need to pay big bucks to a company to set things up for you. A very simple thing that will help you become compliant is to get an EHR that is both integrated and features end-to-end encryption. This post explains why.
The current "must have" feature on many therapists' wish list is customizable forms. If you're not familiar with the concept of a customizable form, it's an app, or a section of a larger app, that allows the therapist to create online forms to replace the paper forms they normally use in their practice: their intake forms, informed consents, HIPAA agreements, Good Faith Estimates, Depression Inventories - whatever they typically use. Once the digitized forms are created, they can be securely sent to their patients, who fill them out, e-sign them (if requested), and send them back to the therapist.
Behavioral health therapists have both legal and ethical guidelines pertaining to email. Some programs do an adequate job of one, but not the other. Even worse, some do neither and yet still claim to be HIPAA compliant. While that's probably a truthful statement, the part they're not telling you is that their programs aren't 100% end-to-end encrypted. In other words, they're not safe ALL the time. If you use those programs, your email and texts can be hacked.
PSYBooks now offers a patient onboarding tool that makes transferring your patient accounts to PSYBooks very easy. This works for first-time users of EHRs and also for those transferring from another EHR/EMR or practice management system.
Email could arguably be one of THE most misunderstood aspects of HIPAA. Part of the confusion stems from the fact that there is no ONE place in HIPAA that says "Do email like this." However, email is referenced - directly or indirectly - in a variety of places throughout the vast HIPAA documentation. What causes some of the misunderstanding is that people will find a guideline that pertains to email from ONE place in HIPAA and assume if they do that one thing, they're good. Unfortunately, that conclusion is not unlike what you get when several people with visual impairments are put in front of an elephant and asked to describe it. We may get a beautiful description of an elephant's trunk but to assume that's ALL an elephant is would be incorrect.
Were you surprised when you first heard about the "No Surprises Act"? We were. I'd like to be able to tell you that we had been actively tracking and planning for this legislation since it was first issued on October 7, 2021. Unfortunately, that's not the case. However, we got lucky because we were already working on a new tool called Custom Forms which, when it launches (est. Feb 2022), will work beautifully in helping you comply with this bill in ways that are easy, HIPAA compliant, and give you a significant amount of automatic documentation and tracking.
Not too long ago, I conducted a workshop on telehealth. During the Q & A period at the end, a woman said that she had been told she was exempt from HIPAA and wanted to check with me to see if that was true. I was caught off guard. I used to get that question a lot, but I hadn’t heard it for a while, so it took me a moment to gather my wits. Finally I said, “Do you only use landlines when talking with your patients?” She replied that she did. I continued, “And are they always only on landlines as well?” She assured me that they were. “And you’re not doing any video sessions, only in person?” That was true, too. My last question was, “And I assume you don’t take insurance at all, that you’re only private pay?” She was. I replied, “Ok, then yes, I guess you’re fine. No need to worry about HIPAA.”
She left relieved. I left unsure of my answer.
Mental health therapists are beginning to talk about wanting “integrated products” to help manage their practice tasks. But what do they mean by “integrated product?” More importantly, if you wanted to look at some, how would you go about finding them? Googling “integrated product” isn’t likely to produce the results you want.
One of the problems is that these types of products go by more than one name, which may be why people have begun referring to them as “integrated products.” Common names are Electronic Health Record (EHR), Electronic Medical Record (EMR) or Practice Management System. To complicate matters, just being called one of those titles doesn’t automatically mean the product is well-integrated.