The problem with de-identified data in healthcare is that some Electronic Health Record (EHR) companies have crafted Business Associate Agreements (BAAs) that can harm healthcare providers and their patients. Whether these companies are adhering to the letter of the law is not entirely clear, but they certainly do not uphold its spirit. The original intention of a BAA, as outlined in the HITECH Act and further refined by the Omnibus Rule, is to serve as the company's commitment to understanding and meeting HIPAA privacy and security requirements, and to take responsibility when a breach is caused by its software. Once data has been de-identified, however, it is no longer protected health information, and the company gains significant latitude in how it uses it: it is not obliged to seek permission from, or even inform, subscribers about how or when their patients' data is used, nor is it held accountable for software failures that expose that data.
EHRs can be a big help with HIPAA compliance. In fact, relying on stand-alone tools may make achieving HIPAA compliance difficult, if not impossible. The PSYBooks EHR & Portal is solidly based on HIPAA and has been since its inception.
HIPAA is a frightening thing to many behavioral health providers. Although it is something to take seriously, it need not be frightening. Nor do you need to pay big bucks to a company to set things up for you. A very simple thing that will help you become compliant is to get an EHR that is both integrated and features end-to-end encryption. This post explains why.
Behavioral health therapists have both legal and ethical guidelines pertaining to email. Some programs do an adequate job of one, but not the other. Even worse, some do neither and yet still claim to be HIPAA compliant. While that's probably a truthful statement, the part they're not telling you is that their programs aren't 100% end-to-end encrypted. In other words, they're not safe ALL the time. If you use those programs, your email and texts can be intercepted and read by someone other than you and your client.
Email could arguably be one of THE most misunderstood aspects of HIPAA. Part of the confusion stems from the fact that there is no ONE place in HIPAA that says "Do email like this." However, email is referenced - directly or indirectly - in a variety of places throughout the vast HIPAA documentation. What causes some of the misunderstanding is that people will find a guideline that pertains to email from ONE place in HIPAA and assume if they do that one thing, they're good. Unfortunately, that conclusion is not unlike what you get when several people with visual impairments are put in front of an elephant and asked to describe it. We may get a beautiful description of an elephant's trunk but to assume that's ALL an elephant is would be incorrect.
Not too long ago, I conducted a workshop on telehealth. During the Q & A period at the end, a woman said that she had been told she was exempt from HIPAA and wanted to check with me to see if that was true. I was caught off guard. I used to get that question a lot, but I hadn’t heard it for a while, so it took me a moment to gather my wits. Finally I said, “Do you only use landlines when talking with your patients?” She replied that she did. I continued, “And are they always only on landlines as well?” She assured me that they were. “And you’re not doing any video sessions, only in person?” That was true, too. My last question was, “And I assume you don’t take insurance at all, that you’re only private pay?” She was. I replied, “Ok, then yes, I guess you’re fine. No need to worry about HIPAA.”
She left relieved. I left unsure of my answer.
Think you're not doing telehealth? Think again. Although there's no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.
I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”
There are no HIPAA compliant products or services, because by definition, only HIPAA covered entities (e.g., you) and business associates (e.g., PSYBooks) can be compliant. In other words, it’s not a product or service that’s compliant, it’s how you, as a covered entity, or we, as a business associate, write and implement our policies and procedures to utilize those products.
In addition to being able to store files for each client, you can also upload and store your own digital records in an area set aside just for you. It’s important to note that files are maintained separately. Client files are stored in their charts – separate from all other clients and also separate from your personal files. This is one of the ways PSYBooks adheres to HIPAA/HITECH guidelines.