Doing Telehealth? You Need a Portal.

Think you’re not doing telehealth? Think again. Although there’s no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.

Given that telehealth IS a lot more than just video, and given that the very breadth of the definition means that most of us are already doing some form of telehealth, we are tasked with finding ways to deliver these services that are easy to use, HIPAA-compliant, and within our budget. Therapists tend to obtain their telehealth apps in a somewhat piecemeal fashion. For example, they might decide they want appointment reminders, so they find a program that does that. If they later decide to put their calendar online, that might or might not be something that came with the appointment reminders, so the calendar/scheduling program could end up being a separate app. After that, they might see a need for doing some telehealth sessions, so they find a video program. Then they decide encrypted email would be really helpful . . . and online file storage . . . or maybe the ability to efax. The list – and the number of apps – could go on and on.

Although it’s understandable that therapists accumulate telehealth tools in this fashion, there are some inherent problems with doing it this way. One of the biggest issues is that none of your data is integrated with any of your other data. Information about your practice is scattered and nothing “talks” to anything else. If your client gets a new phone number or address, you will have to update each of your programs to keep all of the information about them current. Furthermore, each program you use has to be HIPAA-compliant – which also means that you have to have a Business Associate Agreement with that company. Additionally, since each program will have its own interface, you and/or your staff will have to spend time learning how to use each one. And finally, having a lot of different programs, even if they’re only $10 or $15 a month each, can become expensive as they add up. So what’s the solution?

Obtain a portal.
Preferably one that is integrated with an EHR.

The term portal, in this usage, simply means a software program where you, as the healthcare professional, can interface electronically with your clients. In other words, given our definition of telehealth as being any electronic method you use to communicate with or about your clients, portals contain tools for you to provide telehealth services. Portals are often part of other programs, usually EHRs (Electronic Health Records). The advantage of having your portal bundled with your EHR is that now ALL tools you use for your practice are in one place. This means, for example, that you can schedule a video appointment with a client and enter both your billing and payments for the session in that same app. You don’t need one app for video and another to keep track of your sessions and billing. If the app is user-friendly, you won’t have to search for the tools you need for billing or payments. They’ll be right there on your video interface.

What you can do within your portal depends on the features the portal offers. In a perfect world, this would include each and every telehealth tool you might want to use in your practice. However, currently, the most likely scenario is that you’ll be able to get some of what you want, but not all. Hopefully that will change in the near future.

Given the current status, then, what should you look for in a portal? Stay tuned for a series of posts on this topic: What to Look for in a Telehealth Portal.

Are We Becoming Outdated?

In the not too distant past, a therapist with some kind of note pad in hand was the norm. It was expected. We were doing our jobs and interested enough in the client to take notes on what they were saying. I was part of that crowd. Although I preferred to write my notes after the client left, I definitely felt that paper notes were the way to go and I burned through many legal pads in the early years of my career.

When we started hearing rumors about healthcare practitioners being mandated to switch to digital record keeping and EHRs, many of my colleagues, myself included, were secretly or not-so-secretly glad that mental health practitioners had not been included in the mandate. We had been running our businesses the same way for many years and felt it was the way to go. Some therapists were even quite critical of the whole digital/EHR movement, feeling that the use of electronic records dehumanized the therapist/client relationship, which we all knew was so critical to our work. Others feared that electronic records weren’t safe, i.e., that they wouldn’t be able to adequately protect their clients’ privacy if they digitized their practice.

However, whether we like it or not, times seem to be changing. Two recent anecdotes have driven that home to me.

The first was a casual comment made by a friend. For some reason, the conversation had drifted to talking about therapists and their note-keeping practices. She was quite surprised when I told her that many therapists still took notes by hand. Without knowing my thoughts or biases, she stated that she was so used to her physical health practitioners taking notes on their computers or tablets, that if she were to go to a mental health professional and discovered they were taking notes by hand, she would see them as a bit antiquated. Furthermore, she took a perhaps unfounded leap and also said that it would make her question that therapist’s treatment methods. Since their business practices seemed to be antiquated, she questioned whether they might also not be up to date on the latest treatment techniques and innovations.

The second incident was even more surprising. In an initial interview, a potential new client revealed to me that she had interviewed another therapist, but that she learned that that therapist didn’t have a client portal. The client really enjoyed being able to interact with her other doctors via their portals and wanted to be able to do the same with her therapist so she decided to keep looking. This stunned me. It was the first time I had heard of a client actually rejecting a therapist solely because that therapist didn’t have a portal. And if you’re wondering, this was a woman in her 50s, maybe early 60s – not someone who had grown up in the digital age.

The implications here are clear. Although our profession was NOT among those mandated to use EHRs, the rest of the healthcare profession, whether they liked it or not, was forced to digitize. In the beginning, there was a lot of kicking and screaming among those professionals who were under mandate. Meanwhile, we mental health professionals were able to somewhat smugly keep doing things the way we had always done them. However, it seems that the tide is steadily turning and now our profession may be the one coming up short. Regardless of what healthcare professionals think of digital practices, consumers seem to be beginning to accept them as the norm. Those of us who don’t keep up may be unknowingly turning away some of the very clients we’re hoping to attract.

Encrypted Email: Your Role in Keeping it Safe

Some people like to point out that encrypted email isn’t all it’s cracked up to be. “After all,” they warn, “as soon as someone has access to your username and password, it no longer matters whether your email is encrypted or not.” Well . . . yes. That’s an accurate statement. However, to use that line of reasoning would be like telling us not to bother locking our homes or cars. After all, as soon as someone gets access to your keys, those locks become useless.

Although we certainly COULD decide to throw caution to the wind, most of us see the value in at least taking reasonable precautions to protect our personal property. When it comes to client PHI (Protected Health Information) – whether it’s in email or in other types of documents – we’re mandated by HIPAA/HITECH to: 1) maintain written policies stating how we intend to keep PHI both private and secure and 2) make sure we follow those policies.

The nice thing about the way the HIPAA laws are written is that the authors realize that each of us has our own unique situation. Our office setups are different (e.g., single practitioner, multi-practitioner, agency); we use different email clients (e.g., Outlook, Gmail, Yahoo, Hushmail, PSYBooks); we access it with different types of devices (e.g., computer, tablet, smartphone). Furthermore, technology changes so rapidly that the way we do our email this year may be totally different from what we do next year. This is why, rather than give us a strict set of rules we all have to follow, HIPAA wisely instructs us to write – and use – our own policies. In that spirit, this article will give you some general principles to use in developing your email safety plan.

Good email safety can be divided into two broad categories:

  1. Password Safety
  2. Computer/Device Safety

(For our purposes, the words “computer” or “device” are used interchangeably to refer to anything you might be using to access your email, e.g., a desktop or all-in-one computer, laptop, tablet or smartphone.)

In terms of Password Safety, the picture below pretty much sums up two of the most common problems:

[Image: Password Safety]

In other words:

  • Don’t make your password something easy to guess – such as 123456, “password”, names of pets or family members.
  • Don’t leave your password in places others can easily see or discover.

Another good tip in the Password Safety category is:

  • Change your password frequently.

I call this the “Keep ’em guessing” precaution. Actually, if your password never gets compromised, this really isn’t necessary. However, it’s a small thing to do, and may foil some unauthorized access attempts if it has.

For Computer/Device Safety, the suggestions below will go a long way in securing your email as well as any other client PHI you access on your device:

  • Don’t store any client emails or other PHI on your computer/device.
  • Don’t leave your screen accessible for others to see.
  • Don’t store your username and/or password in your browser.
  • Clear your browser history frequently.

We’ll discuss each separately:

Don’t Store Client Emails or Other PHI on Your Computer/Device

Coupled with password safety, this may be the #1 thing you can do to keep your devices secure. The good news here is that most of us – whether we realize it or not – are using web-based email programs these days, which pretty much takes care of this issue for you. Web-based email is NOT stored on your computer. Instead, your browser (e.g., Chrome, Firefox, Edge, Safari, IE) is used to access your email program (e.g., PSYBooks, Gmail, Hushmail, Outlook.com, Yahoo, Comcast) on the Web. This means that once you log out of your browser, your email doesn’t remain on your computer. The exception is if you download attachments or save specific emails to some type of file. Those ARE stored on your computer or other device unless you saved them to a cloud-based storage system. Downloading them to your computer could leave you open to a PHI breach, should your device ever be lost or stolen.

If you are using a desktop application for your email (e.g., the original Outlook as opposed to the one you access through Outlook.com), it’s a whole different issue. With desktop apps, EVERYTHING is stored on your computer. This means that, unless you use encryption software to encrypt your entire device, anyone who gets their hands on your device automatically has access to your email.
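To check whether a device is holding email locally, the Python script below walks a folder tree and lists both kinds of files described above: single messages saved to a file and whole mailboxes kept by desktop mail apps. It is an added example, not part of the original article or of PSYBooks; the extension lists, function names and sample folder tree are assumptions constructed for illustration, and it goes slightly beyond the text by also recognizing mailbox files that have no extension from their first bytes.

```python
import os
import tempfile
from pathlib import Path

# Extension lists are this example's assumptions, not an exhaustive inventory.
STORE_EXTS = {".pst", ".ost", ".mbox"}   # whole mailboxes kept by desktop mail apps
MESSAGE_EXTS = {".eml", ".msg"}          # single emails saved to a file


def classify(path):
    """Return 'mail-store', 'saved-message' or None for one file."""
    ext = Path(path).suffix.lower()
    if ext in STORE_EXTS:
        return "mail-store"
    if ext in MESSAGE_EXTS:
        return "saved-message"
    # Renamed or extension-less mailboxes: look at the first bytes instead.
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None  # unreadable file: skip rather than crash the scan
    if head.startswith(b"!BDN"):  # signature at the start of Outlook PST/OST files
        return "mail-store"
    # mbox files begin with a "From " separator line followed by mail headers.
    if head.startswith(b"From ") and (b"\nSubject:" in head or b"\nDate:" in head):
        return "mail-store"
    return None


def find_local_mail(root):
    """Walk root and return sorted (kind, relative_path, size_bytes) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((kind, rel, os.path.getsize(full)))
    return sorted(findings)


def demo():
    """Build a constructed folder tree (no real client data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "Downloads/intake-reply.eml": b"From: client@example.com\nSubject: hi\n\nbody\n",
            "Documents/Outlook Files/archive.pst": b"!BDN" + b"\x00" * 60,
            "Mail/Inbox": b"From - Mon Jan 01 00:00:00 2024\nSubject: hello\n\nbody\n",
            "Documents/notes.txt": b"From now on, lock the screen.\n",
            "Downloads/report.pdf": b"%PDF-1.7\n",
        }
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_local_mail(tmp)


if __name__ == "__main__":
    for kind, rel, size in demo():
        print(f"{kind:14} {size:>6} bytes  {rel}")
```

To scan a real device, call `find_local_mail()` on your home folder; any file it reports is email sitting on the device outside your web-based mail program.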

Don’t Leave Your Screen Accessible for Others to See

If you want to be squeaky-clean here, you could shut down your computer each time you leave your office. However, that’s hard on computers and, in most cases, isn’t warranted. Other options are to simply log out of your email program or, in the case of web-based email, close your email program’s tab in your browser. If you’re not going to be gone long – turning off your monitor or locking your office door (assuming your screen can’t be seen through any office windows) might be other alternatives.

Don’t Store Your Username and/or Password in Your Browser

Browsers and other programs try to be helpful by asking us if we want them to remember our username and/or password. Depending on the site you’re visiting, it might be just fine to say yes and it CAN be a helpful feature. However, never, ever, EVER agree to that when client data is involved – which includes the email system you use with your clients. The reason is simple: if your browser has this information saved for you, a potential bad guy doesn’t even have to try to guess your password or hack into your system. You’re handing it to them on a silver platter and they can log in as easily as you can. And, as was mentioned in the opening paragraph of this article, the strongest encryption in the world can’t protect against someone who has access to your password.

Clear Your Browser History Frequently

This is another advantage of web-based email. Each browser has a way that you can clear your web-browsing history – often referred to as your “cache”. The advantage of doing this is that if someone gains access to your computer right after you cleared your cache, they’re not going to know which program you use for your email, much less how to get into it. How often you do this is up to you, although clearing your cache is also part of good computer care in general. You’ll be able to browse much faster with a recently cleared cache.

Summary

Remember, safe email consists of the following:

  • Data in motion encryption
  • Data at rest encryption
  • Safe email habits

When you use PSYBooks’ encrypted email, the first two are taken care of for you. Hopefully, this article will help you with your part of the equation, i.e., safe email habits.

Encrypted Email – Just How Safe Is It?



PSYBooks’ email not only meets but actually surpasses the HIPAA specifications for encrypted email. HIPAA’s rules for email encryption are broad, giving developers the maximum amount of freedom. This is as it should be. Those who are responsible for writing and maintaining HIPAA/HITECH laws cannot also be expected to keep up with rapid changes in the world of technology the way developers do. Therefore, although HIPAA wisely states that email containing client PHI (Protected Health Information) should be encrypted, it doesn’t specify exactly how that should be done.

If you compare email to snail mail, there are two possible times your mail is vulnerable: 1) when it’s en route to you and 2) after it’s been delivered. Most developers interpret the HIPAA specifications as meaning they should encrypt the first phase of mail delivery which, in computer terms, is called “data in motion”. Many encrypted email services stop there. They feel they’ve done their job. However, to date, there have been no breaches in the data in motion phase as long as 2048-Bit SSL encryption is used. In fact, experts feel that data in motion under 2048 encryption is uncrackable now and will be for many years yet to come. The implication here is that although data in motion encryption is certainly necessary, it is hardly sufficient.

Conversely, all PHI data breaches so far have occurred in the second stage, i.e., before it’s sent or after it’s been delivered. Computer parlance refers to this phase as “data at rest”. When you think about it, this second stage can include a lot of possibilities. Going back to the snail mail analogy, someone might steal your mail from your mailbox; you might lose or misplace it once you’ve brought it in; your home or office could have a fire or flood that would destroy not only your mail but everything else; your child could accidentally scoop your mail into their backpack and lose it at school; your office manager could leave sensitive mail sitting out for other patients to see; someone might break into your home or office and steal or destroy your mail, etc. The possibilities are endless.

This is also true with email. There are numerous ways that data at rest can be compromised. The most frequent culprits, surprisingly enough, aren’t hackers, but rather, are theft and/or loss. For this reason, PSYBooks encrypts email both in motion and at rest. In fact, we even take it a step further in that we also encrypt any attachments you or your clients send via email. This means that, for example, you can now share any client data you want via PSYBooks email and be assured that even if our servers WERE hacked (which is an extremely remote possibility), your email would not be decipherable – it’s secure.

However, the email safety story doesn’t really stop there. Achieving 100% safety with email actually depends on three things:

  • Data in motion encryption
  • Data at rest encryption
  • Safe email habits

PSYBooks has you covered for the first two. The last one is up to you. Actually, you may be surprised to see how easy it is to have unsafe email habits. Most of us are probably guilty of at least a few on a fairly routine basis. We’ll give you some tips for practicing “safe email” in the next post.

Introduction to the PSYBooks Portal


The portal is the web-based interface between you and your clients. In a sense, it allows your clients (or anyone else you designate) to have their own “mini” version of PSYBooks that contains just their own data – no one else’s. You can view data they enter on your side and interact with the client about their data, all through the portal.

As a therapist, you access your version of the portal with a button on the right side on the top nav. The portal is set aside from all other buttons in that row because in many ways, the portal is a mini-application in its own right. It’s like an application within an application. The button to access the portal is here:

[Image: How to access the portal]

Once you’re inside the portal, the interface will be familiar: it’s the same tabbed interface that’s used throughout PSYBooks, making it easy to use. Currently, there are two tabs – one for Portal Users and one for Email. However, the mockup below will give you a glimpse into what we’re planning for the future:

[Image: The Portal]

  • The Portal Users tab is where you can send new invites to ask people to join your portal and also manage the Portal Users you have: change their permission levels (i.e., which portions of the portal they can access and what they can do there), help them reset their passwords, remove them from your portal, etc.
  • The Email tab is your interface for any encrypted email you want to send. Our email surpasses HIPAA standards for encryption. It also has many of the features you’re used to seeing in regular, non-encrypted email, such as the ability to create folders for each of your clients, the ability to move mail to various folders, etc.
  • The Scheduling tab will allow the therapist to release their entire schedule or just certain portions of it to all clients or just certain ones. In other words, if you don’t like the idea of posting your entire schedule online for all to see, you’ll be able to use the PSYBooks scheduler in specific cases, with specific clients. For example, when a client contacts you and asks to reschedule, you can release just the times you could see that person to them only. As with most scheduling apps, both parties can be notified of any changes made in appointments. However, you will have control over which notifications you receive so you don’t receive blanket notifications that just clog your inbox or phone.
  • The Conferencing tab will allow you to conduct HIPAA-compliant video sessions with clients who can’t make it into the office. If you plan to build a complete telementalhealth practice, you will have all the tools you need in PSYBooks. The advantage of using a video app that’s right in your EHR is that it’s already synced with your clients. That means that clients will be able to schedule video sessions with the scheduler and also, you’ll be able to invoice them for their sessions as soon as you finish. Insurance can also be billed – right from the conferencing app.
  • The Payments tab will allow clients to make online bill payments directly to the application. Since PSYBooks already has the encrypted email feature, this means that you’ll be able to invoice clients and receive payments on those invoices, all within the portal.

We are very excited about our portal! It fits right in with our commitment to work toward building all the tools a mental health therapist might need – all within one app. Sign up now and watch us grow!