Doing Telehealth? You Need a Portal.

Think you’re not doing telehealth? Think again. Although there’s no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.

Given that telehealth IS a lot more than just video, and given that the very breadth of the definition means that most of us are already doing some form of telehealth, we are tasked with finding ways to deliver these services that are easy to use, HIPAA-compliant, and within our budget. Therapists tend to obtain their telehealth apps in a somewhat piecemeal fashion. For example, they might decide they want appointment reminders, so they find a program that does that. If they later decide to put their calendar online, that might or might not be something that came with the appointment reminders, so the calendar/scheduling program could end up being a separate app. After that, they might see a need for doing some telehealth sessions, so they find a video program. Then they decide encrypted email would be really helpful . . . and online file storage . . . or maybe the ability to efax. The list – and the number of apps – could go on and on.

Although it’s understandable that therapists accumulate telehealth tools in this fashion, there are some inherent problems with doing it this way. One of the biggest issues is that none of your data is integrated with any of your other data. Information about your practice is scattered and nothing “talks” to anything else. If your client gets a new phone number or address, you will have to update each of your programs to keep all of the information about them current. Furthermore, each program you use has to be HIPAA-compliant – which also means that you have to have a Business Associate Agreement with that company. Additionally, since each program will have its own interface, you and/or your staff will have to spend time learning how to use each one. And finally, having a lot of different programs, even if they’re only $10 or $15 a month each, can become expensive as they add up. So what’s the solution?

Obtain a portal.
Preferably one that is integrated with an EHR.

The term portal, in this useage, simply means a software program where you, as the healthcare professional, can interface electronically with your clients. In other words, given our definition of telehealth as being any electronic method you use to communicate with or about your clients, portals contain tools for you to provide telehealth services. Portals are often part of other programs, usually EHRs (Electronic Health Records). The advantage of having your portal bundled with your EHR is that now ALL tools you use for your practice are in one place. This means, for example, that you can schedule a video appointment with a client and enter both your billing and payments for the session in that same app. You don’t need one app for video and another to keep track of your sessions and billing. If the app is user-friendly, you won’t have to search for the tools you need for billing or payments. They’ll be right there on your video interface.

What you can do within your portal depends on the features the portal offers. In a perfect world, this would include each and every telehealth tool you might want to use in your practice. However, currently, the most likely scenario is that you’ll be able to get some of what you want, but not all. Hopefully that will change in the near future.

Given the current status, then, what should you look for in a portal? Stay tuned for a series of posts on this topic: What to Look for in a Telehealth Portal.

Business Associate Agreements:
Do We Really Need Them?

I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”

This is not only wrong, it’s SCARY wrong. If you don’t have a Business Associate Agreement (BAA) with each software company that stores or transmits your clients’ PHI (Protected Health Information), that by itself is a HIPAA violation. This is true even if everything else you’re doing is in perfect compliance. If caught, you could be facing a “willful neglect” penalty and those start at $50K per violation. Claiming ignorance won’t exonerate you. As healthcare professionals, it is our responsibility to understand and implement HIPAA in our practices.

There’s another problem with the scenario above: products can’t be HIPAA Compliant. What determines compliance is a combination of using products that meet HIPAA’s standards PLUS enforcing the HIPAA policies and safeguards you have in place for your practice. Although products do need some way to let you know that, if used correctly, they can contribute to your overall compliance strategy, it would be more accurate for healthcare products to state “Can Be HIPAA-Compliant-If-Your-Policies-Are-Correct-And-Up-To-Date-And-You-Are-Enforcing-Them.” For obvious reasons, products tend to just say they are HIPAA compliant and leave it up to the healthcare professional to understand their role in the compliance equation. However, it’s important to realize that just using a product that advertises HIPAA compliance does NOT automatically make your practice HIPAA compliant. Furthermore, if the product you are using won’t either provide you with their BAA or sign yours, it will never be possible to use that particular product and be in compliance with HIPAA.

Ensuring HIPAA compliance consists of, at a minimum, the two factors below. If you have one but not the other, you are not in compliance:

  • SOFTWARE: Only use software that meets HIPAA’s standards (which includes, among other things, that if the software company stores or transmits PHI, you must have a BAA with them).
  • YOU: Make sure your own HIPAA policies accurately describe your practice, are current, and are enforced.

If you’re a PSYBooks subscriber, you were given a BAA when you first signed up. You can also access it from the program at any time. That means that whether you’re using PSYBooks for your notes, email, billing, scheduling, online file storage, video sessions or any other PSYBooks feature, you’re covered from our end. If you’re concerned about your practice’s HIPAA policies, a good resource is The HIPAA Survival Guide.

(Note: PSYBooks subscribers are eligible for discounts on HIPAA Survival Guide products.)


There are no HIPAA compliant products or services, because by definition, only HIPAA covered entities (e.g., you) and business associates (e.g., PSYBooks) can be compliant. In other words, it’s not a product or service that’s compliant, it’s how you, as a covered entity, or we, as a business associate, write and implement our policies and procedures to utilize those products.

That being said, if your practice management system doesn’t provide you with the proper tools, it may make your compliance difficult, if not impossible. PSYBooks works diligently to assure that we are in compliance with HIPAA and also, that we provide the necessary technical features and functions for you to use to facilitate your own compliance. For example:

  • PSYBooks logs all activities that take place in your account so you’ll be able to easily give an accurate accounting of who has accessed your clients’ PHI and what actions they took. Activity Log Activity Log

  • PSYBooks provides you with flexible, easy-to-use PHI Reports and ways to keep track of when you created one. PHI Report Very Easy PHI Report

  • PSYBooks gives you 5GB of free file storage that is encrypted both in transmission (i.e., when you upload your files) and also at rest (when your files are being stored). You can, for example, maintain your entire HIPAA/HITECH compliance repository as well as all other files you need in your practice within PSYBooks and know that the files are being maintained in ways that meet HIPAA/HITECH standards. File Storage for Each Client File Storage for Each Client Your Personal File Storage Your Personal File Storage

  • PSYBooks allows you to create user accounts and limit the user’s access to the specific tasks and/or clients they need to perform their duties. User Accounts User Accounts

Your Personal File Storage

VIDEO: File Storage

In addition to being able to store files for each client, you can also upload and store your own digital records in an area set aside just for you. It’s important to note that files are maintained separately. Client files are stored in their charts – separate from all other clients and also separate from your personal files. This is one of the ways PSYBooks adheres to HIPAA/HITECH guidelines.

Client file storage is separate from therapist file storage

PSYBooks allows you to store files in various categories for better organization. You can use the default categories or create your own. The default category list looks like this:

Add/Edit File Categories

However, you are free to add new categories and also to reorder, edit or delete the existing ones. You may want to store things such as your HIPAA policies and documentation, any forms you use in your practice, statements you send to clients, as well as your policies and testing materials. In addition, you could also create categories to store materials for books, articles or other publications you’re writing, images and other files you use on your website – pretty much anything you want. It’s your area to customize to fit your personal needs.

File Storage for Each Client

VIDEO: File Storage

Each of your charts in PSYBooks has a Files tab where you can upload files specifically to that client’s chart. For example, initially you might want to upload scanned copies of their intake forms, insurance cards and/or driver’s license. Later on, you may want to upload copies of releases and consents, EOBs, reports or testing results. If you want, you can also keep copies of routine things you generate such as statements, insurance claims or receipts. Should your client request a PHI report, you can also upload that to their chart so you’ll have a record of what you gave them. There are several advantage to storing these kinds of documents in PSYBooks:

  • Everything pertaining your client files can be stored in one place with one login. You don’t have to maintain separate storage either on your own computer (unless you want to) or with another company for documents pertaining to you clients.
  • PSYBooks has a built-in organizational system in that each client already has a chart with it’s own Files tab. You can create as many different categories within that Files tab as you need to customize file storage to meet the needs of your practice.
  • You have the peace of mind of knowing that your documents are being stored in a way that’s HIPAA/HITECH compliant and that meets HIPAA encryption standards.
  • You can go completely paperless if you choose. Once your files have been converted to digital and stored securely on PSYBooks, there is no need to maintain copies of the corresponding paper documents unless you want to.

PSYBooks’ Add File Form looks like this:

Add File Form

The first line lets you browse your computer for the file you want. Once you find your file, PSYBooks will automatically populate the Document Name field with the name of your existing file. However, you can change the name to anything you want. The next line allows you to select a category for your file. This is an optional tool to help you keep your files organized. The last line allows you to set a permission level for the file, thereby specifying which types of users are allowed to view the file.

User Accounts

User Accounts can be established for anyone you need to grant access to some or all of your PSYBooks records. For example, you might want to create User Accounts for billing personnel, scheduling personnel, supervisees or a colleague who is covering for you. You can allow the user to access the records of all of your clients or just certain ones.

PSYBooks gives you an enormous amount of control over the User Accounts you create. This allows you limit the user’s access to the specific tasks they need to perform their duties, in compliance with HIPAA/HITECH. There are four broad account types you can assign: Clinical, Clinical View Only, Admin and Admin View Only. Within each of these categories, you can refine the permissions. For example, users with Admin rights can view and execute almost everything in your account except your personal psychotherapy notes. However, when you assign Admin rights to a user, you are given the following list of exceptions which allows you to further limit their access:

Do NOT let this user:

  • View notes that are in the Clinical section of the client’s medical record
  • Edit notes that are in the Clinical section of the client’s medical record
  • View notes that are in the Admin section of the client’s medical record
  • Edit notes that are in the Admin section of the client’s medical record
  • Delete clients
  • Delete sessions
  • Delete payments
  • View a client’s medications
  • Discontinue a client medication
  • Delete a client medication
  • Edit a client medication
  • Add or edit appointments in my calendar
  • Change calendar settings
  • Edit balance customizations
  • View “Manage Subscription”
  • Edit “Manage Subscription”
  • Edit therapist profiles

You can prevent your Admin user from doing any or all of the things above, just by checking checkboxes on the Add User form. You can also change permission levels and/or exclusions at any time with the Edit User tool.

You will have a full record of everything a user does in your account in the Activity Log report. The Activity Log shows all activity that takes place in your account and specifies who did it.

Activity Log

The Activity Log is designed to meet HIPAA/HITECH specifications for tracking PHI. PSYBooks logs almost everything that takes place within the app and displays it for you in the Activity Log. The filter section of the Activity Log report looks like this:

Activity Log

As you can see, you can specify the users, clients and actions you want to view, in addition to the specific dates you want covered. Once you click Submit, the Activity Log will show you the date and time someone accessed your account, what they did, who they were, what account they acted on (usually yours or a client’s) and a description of what they did. A sample report might look something like this:

Activity Log

The Activity Log is also the place to find a record of deleted items. PSYBooks allows deletions (even from a client’s chart) so you can correct your mistakes and keep your charts neater and easier to read. However, records of all deleted items can be viewed in the Activity Log at any time.

When You Have to Produce a Medical Record

Before I started using practice management systems, being required to produce a client’s medical record was a bit scary for two reasons:

  1. First, I typically only received those requests when something important was going on, i.e., a legal proceeding of some sort, a disability or worker’s comp situation, or maybe something having to do with insurance. They were the kinds of things where I felt that a lot might be at stake for my client (and/or for me) so I wanted to make sure I “did it right”.
  2. Second, although I had my own system for organizing client files, the reality is that my records were scattered everywhere. I kept files on current clients in one filing cabinet – unless a certain file got too big, in which case I moved older portions of it to another filing cabinet, unless there was also large artwork in the file, in which case it had to go in the lateral filing cabinet. When a client terminated, files got moved to a storage area in my basement at home. If the client later returned and their file had been especially large, part of it would be brought back to my office, but older parts remained in my basement at home. Then, of course, some documents were on my computer – a smattering of various Word docs and Excel sheets I had pieced together for special notes I had written on clients, letters I had written on their behalf, and various attempts at coming up with THE perfect method for determining how much a client owed me when insurance was involved. I had also tried efiling for awhile at various insurance company’s websites, so some of my records were on various sites on the Internet, too. Somehow, when I was asked to produce a medical record, even though I knew I had everything I needed, finding it all and pulling it all together into some type of meaningful report was a daunting task.

These days, another wrinkle has been added to the mix: HIPAA/HITECH specifies that clients have a right to request a copy of their PHI at any time. (PHI stands for “Protected Health Information”, which is another way of saying “medical record”.) When a client requests a PHI report, we’re mandated to provide it for them in some type of timely fashion. Clearly, an easier way of producing medical records/PHI reports than a system like the one I used is needed. Rummaging through filing cabinets in my basement and trying to remember WHICH digital backup device might have that exact client file I need just doesn’t cut it anymore.

The increased requirements around producing PHI on demand is just one fairly compelling reason for using practice management systems. All of the information you need for the medical record/PHI report should already be stored in the system. You just specify the parameters you want for this particular report, click a button, and there it is. If your practice management system also has a HIPAA-compliant email system, you can produce the report, attach it to an email, and send it to wherever it needs to go in probably under 5 minutes. That’s a far, far cry from the hours I used to spend to produce and deliver one.

PSYBooks’ PHI Report is not only extremely easy to use, but it also allows you to keep track of when you’ve granted such a request. The PHI Report is found at Tools > Reports > HIPAA/HITECH Reports > PHI Report:

PHI Report

When you click the PHI Report link, the filters that appear on the right side of the page look like this:

PHI Report filters

Notice that the PHI Report has one section where you can specify the PHI you want (the box in the screenshot with the gold background) and a dropdown box below that where you can specify the notes you want to include. Choices in the notes dropdown box are:

PHI Report filters

An important thing to notice here is that “Personal Psychotherapy Notes” does NOT appear in this dropdown box. Your psychotherapy notes are not considered part of the client’s medical record so they will never be included with the PHI report.

If you choose “Specific notes in the medical record”, you’re presented with a way to make additional choices about which notes you want to include:

PHI Report filters

Notice that you can choose all Clinical note types, all Admin note types or pick and choose the specific note types you want to include.

When you click Submit, the PHI Report will display below the filter section. You can create a PDF of the report to print and/or save a digital copy to the Saved Files & Reports section of PSYBooks. The whole process takes less than five minutes.