Behavioral health therapists have both legal and ethical guidelines pertaining to email. Some programs do an adequate job of one, but not the other. Even worse, some do neither and yet still claim to be HIPAA compliant. While that's probably a truthful statement, the part they're not telling you is that their programs aren't 100% end-to-end encrypted. In other words, they're not safe ALL the time. If you use those programs, your email and texts can be hacked.
Email could arguably be one of THE most misunderstood aspects of HIPAA. Part of the confusion stems from the fact that there is no ONE place in HIPAA that says "Do email like this." However, email is referenced - directly or indirectly - in a variety of places throughout the vast HIPAA documentation. What causes some of the misunderstanding is that people will find a guideline that pertains to email from ONE place in HIPAA and assume if they do that one thing, they're good. Unfortunately, that conclusion is not unlike what you get when several people with visual impairments are put in front of an elephant and asked to describe it. We may get a beautiful description of an elephant's trunk but to assume that's ALL an elephant is would be incorrect.
Not too long ago, I conducted a workshop on telehealth. During the Q & A period at the end, a woman said that she had been told she was exempt from HIPAA and wanted to check with me to see if that was true. I was caught off guard. I used to get that question a lot, but I hadn’t heard it for a while, so it took me a moment to gather my wits. Finally I said, “Do you only use landlines when talking with your patients?” She replied that she did. I continued, “And are they always only on landlines as well?” She assured me that they were. “And you’re not doing any video sessions, only in person?” That was true, too. My last question was, “And I assume you don’t take insurance at all, that you’re only private pay?” She was. I replied, “Ok, then yes, I guess you’re fine. No need to worry about HIPAA.”
She left relieved. I left unsure of my answer.
Think you're not doing telehealth? Think again. Although there's no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.
I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”
There are no HIPAA compliant products or services, because by definition, only HIPAA covered entities (e.g., you) and business associates (e.g., PSYBooks) can be compliant. In other words, it’s not a product or service that’s compliant, it’s how you, as a covered entity, or we, as a business associate, write and implement our policies and procedures to utilize those products.
In addition to being able to store files for each client, you can also upload and store your own digital records in an area set aside just for you. It’s important to note that files are maintained separately. Client files are stored in their charts – separate from all other clients and also separate from your personal files. This is one of the ways PSYBooks adheres to HIPAA/HITECH guidelines.
Each of your charts in PSYBooks has a Files tab where you can upload files specifically to that client’s chart. For example, initially you might want to upload scanned copies of their intake forms, insurance cards and/or driver’s license. Later on, you may want to upload copies of releases and consents, EOBs, reports or testing results. If you want, you can also keep copies of routine things you generate such as statements, insurance claims or receipts. Should your client request a PHI report, you can also upload that to their chart so you’ll have a record of what you gave them. There are several advantages to storing these kinds of documents in PSYBooks:
User Accounts can be established for anyone you need to grant access to some or all of your PSYBooks records. For example, you might want to create User Accounts for billing personnel, scheduling personnel, supervisees or a colleague who is covering for you. You can allow the user to access the records of all of your clients or just certain ones.
The Activity Log is designed to meet HIPAA/HITECH specifications for tracking PHI. PSYBooks logs almost everything that takes place within the app and displays it for you in the Activity Log. The filter section of the Activity Log report looks like this: