Doing Telehealth? You Need a Portal.

Think you’re not doing telehealth? Think again. Although there’s no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.

Given that telehealth IS a lot more than just video, and given that the very breadth of the definition means that most of us are already doing some form of telehealth, we are tasked with finding ways to deliver these services that are easy to use, HIPAA-compliant, and within our budget. Therapists tend to obtain their telehealth apps in a somewhat piecemeal fashion. For example, they might decide they want appointment reminders, so they find a program that does that. If they later decide to put their calendar online, that might or might not be something that came with the appointment reminders, so the calendar/scheduling program could end up being a separate app. After that, they might see a need for doing some telehealth sessions, so they find a video program. Then they decide encrypted email would be really helpful . . . and online file storage . . . or maybe the ability to efax. The list – and the number of apps – could go on and on.

Although it’s understandable that therapists accumulate telehealth tools in this fashion, there are some inherent problems with doing it this way. One of the biggest issues is that none of your data is integrated with any of your other data. Information about your practice is scattered and nothing “talks” to anything else. If your client gets a new phone number or address, you will have to update each of your programs to keep all of the information about them current. Furthermore, each program you use has to be HIPAA-compliant – which also means that you have to have a Business Associate Agreement with that company. Additionally, since each program will have its own interface, you and/or your staff will have to spend time learning how to use each one. And finally, having a lot of different programs, even if they’re only $10 or $15 a month each, can become expensive as they add up. So what’s the solution?

Obtain a portal.
Preferably one that is integrated with an EHR.

The term portal, in this usage, simply means a software program where you, as the healthcare professional, can interface electronically with your clients. In other words, given our definition of telehealth as being any electronic method you use to communicate with or about your clients, portals contain tools for you to provide telehealth services. Portals are often part of other programs, usually EHRs (Electronic Health Records). The advantage of having your portal bundled with your EHR is that now ALL tools you use for your practice are in one place. This means, for example, that you can schedule a video appointment with a client and enter both your billing and payments for the session in that same app. You don’t need one app for video and another to keep track of your sessions and billing. If the app is user-friendly, you won’t have to search for the tools you need for billing or payments. They’ll be right there on your video interface.

What you can do within your portal depends on the features the portal offers. In a perfect world, this would include each and every telehealth tool you might want to use in your practice. However, currently, the most likely scenario is that you’ll be able to get some of what you want, but not all. Hopefully that will change in the near future.

Given the current status, then, what should you look for in a portal? Stay tuned for a series of posts on this topic: What to Look for in a Telehealth Portal.

Business Associate Agreements:
Do We Really Need Them?

I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”

This is not only wrong, it’s SCARY wrong. If you don’t have a Business Associate Agreement (BAA) with each software company that stores or transmits your clients’ PHI (Protected Health Information), that by itself is a HIPAA violation. This is true even if everything else you’re doing is in perfect compliance. If caught, you could be facing a “willful neglect” penalty and those start at $50K per violation. Claiming ignorance won’t exonerate you. As healthcare professionals, it is our responsibility to understand and implement HIPAA in our practices.

There’s another problem with the scenario above: products can’t be HIPAA Compliant. What determines compliance is a combination of using products that meet HIPAA’s standards PLUS enforcing the HIPAA policies and safeguards you have in place for your practice. Although products do need some way to let you know that, if used correctly, they can contribute to your overall compliance strategy, it would be more accurate for healthcare products to state “Can Be HIPAA-Compliant-If-Your-Policies-Are-Correct-And-Up-To-Date-And-You-Are-Enforcing-Them.” For obvious reasons, products tend to just say they are HIPAA compliant and leave it up to the healthcare professional to understand their role in the compliance equation. However, it’s important to realize that just using a product that advertises HIPAA compliance does NOT automatically make your practice HIPAA compliant. Furthermore, if the product you are using won’t either provide you with their BAA or sign yours, it will never be possible to use that particular product and be in compliance with HIPAA.

Ensuring HIPAA compliance consists of, at a minimum, the two factors below. If you have one but not the other, you are not in compliance:

  • SOFTWARE: Only use software that meets HIPAA’s standards (which includes, among other things, that if the software company stores or transmits PHI, you must have a BAA with them).
  • YOU: Make sure your own HIPAA policies accurately describe your practice, are current, and are enforced.

If you’re a PSYBooks subscriber, you were given a BAA when you first signed up. You can also access it from the program at any time. That means that whether you’re using PSYBooks for your notes, email, billing, scheduling, online file storage, video sessions or any other PSYBooks feature, you’re covered from our end. If you’re concerned about your practice’s HIPAA policies, a good resource is The HIPAA Survival Guide.

(Note: PSYBooks subscribers are eligible for discounts on HIPAA Survival Guide products.)

Types of EHRs: Introduction


Let’s face it. There are LOTS of EHRs on the market and most of us simply don’t have the time, energy, or frankly – interest – to put a lot of effort into researching them. Some therapists have told me that although they’d sort of like to explore EHRs, they begin looking at all the options, get overwhelmed, and decide to put the whole thing off. Although it doesn’t have to be overwhelming, it IS an important decision. An EHR that’s designed well, with attention paid to usability issues so it’s easy to use, can simplify your life enormously and save you a lot of time and money. On the other hand, an EHR that’s poorly designed will have you pulling your hair out and cursing EHRs in general – possibly not realizing that not all EHRs are the same and that there might be better options.

As a therapist, when I get a new referral, I often suggest the person make appointments with two or three different therapists to help them choose the one that’s the best fit. I explain that it’s too important a decision to be made lightly. Choosing an EHR is a bit the same. My suggestion is to sign up for free trials with two or three EHRs and play with them for a month or so – maybe use real client data or maybe just make up some fake clients but either way, take the EHRs through their paces. Perform the same kinds of tasks you’d be doing as a normal part of your daily routine in your office. After actually working with the EHRs for awhile, you’ll be in a much better position to choose the EHR that’s the best fit for the needs of your particular practice.

However, there’s still the question of how to narrow the field enough to know which two or three EHRs you want to test. The goal of this series of posts is to give you some pointers that should help you do just that. The table below groups EHRs into categories with “Scope” being listed across the top to form the columns and “Type of App” down the side to form the rows:

Types of EHRs

Notice that there are three categories for Scope:

  • Medical/Agency
  • Mental Health/Agency
  • Mental Health/Private Practice

Scope is not about how many people use the EHR; instead, it’s about the types of users for which the EHR was designed. Reading across the top:

  1. Medical/Agency types of EHRs were designed for medical facilities, i.e., hospitals, medical offices of the doctors who are associated with the hospital, labs, radiology, scheduling and billing departments and other types of ancillary services that all relate to the hospital.
  2. Mental Health/Agency EHRs were designed for – you guessed it – mental health agencies. A big difference between agency EHRs and ones made for private practice is that agency EHRs use a “shared chart model”. In other words, each client has one chart that belongs to the agency and any therapist who works at the agency will be using that same chart.
  3. Mental Health/Private Practice EHRs were specifically designed for those of us in the behavioral health field who are in private practice. They typically do NOT use a shared chart model, although the user can often choose to share charts with other professionals if they want. However, the important word here is “choose”. Most EHRs made just for private practice typically don’t share your client data with others in your practice unless you specifically give them permission.

As far as which type of scope is best, it depends on the nature of your particular job or practice. Since I’m in private practice, my personal preference is toward a Mental Health/Private Practice EHR. Using any other type of EHR would seem a bit like taking something that doesn’t really fit, and trying to “make it work” for how I run my business. It seems to make more sense to start off with an EHR that’s a good fit from the outset.

Once you decide what scope you want, it can be a bit challenging to tell which EHRs go into which categories. If you contact most any EHR/practice management company and ask them if their product is for behavioral health practitioners in private practice, they’ll give you an enthusiastic, “YES!” But the question is a bit like asking if you can wear snow boots on the beach. Yes, of course you can. But furry snow boots were designed for something entirely different – conditions that are much more challenging and demanding than a stroll along the beach. So although you CAN use medical and/or agency EHRs for private practice, you may not want to. They have many more layers to them than you really need, all of which makes them more complicated and cumbersome to learn and use. Perhaps a better question to ask is whether the EHR can be used by hospitals and/or agencies. If you get a “yes” answer to that, you know that you’re probably dealing with an EHR that falls into one of the first two categories.

So far, we’ve talked about Scope, i.e., the columns of the table. We’ll now discuss “Type of App” – the rows of the table. There are two categories for Type of App:

  • Desktop
  • Web

Previous posts have discussed the pros and cons of desktop apps vs. web apps and also, safety issues with web apps, so those topics won’t be covered in this post. However, we do need to finish examining the table. Considering both rows (Type of App) and columns (Scope), we have a total of six different categories of EHRs:

  • Medical/Agency – Desktop
  • Medical/Agency – Web
  • Mental Health/Agency – Desktop
  • Mental Health/Agency – Web
  • Mental Health/Private Practice – Desktop
  • Mental Health/Private Practice – Web

These days, almost all healthcare professionals are using the Internet in some way in their practices. Maybe they efile, maybe they store backup files on the Web, or maybe they use the Web to email their clients. Because of this, most EHRs – even those that are primarily desktop apps – offer some form of Web interactivity. Therefore, it may be difficult or impossible to find “pure” examples of some of the Desktop categories – especially the Medical/Agency and Mental Health/Agency types of EHRs. However, the main distinction is where the app itself actually lives – where it’s installed. If it’s on your computer – or the computer(s) at the hospital or agency where you work – it’s a desktop app. If it’s only accessible through a Web browser, it’s on the Web.

As covered in the previous posts, there are many advantages to Web-based applications and very few disadvantages. If you’re in private practice and in the market for an EHR, you may want to check out a few that fall in the last cell of the table, i.e., web-based EHRs that are designed just for mental health professionals in private practice:

Types of EHRs

What is an EHR anyway?

The acronym EHR stands for Electronic Health Record. Originally the term EHR was supposed to mean a very specific thing. It was to be a type of digital (i.e., computerized) practice management system for health care professionals that could “talk to” (i.e., share data with) EHRs of other health care providers and organizations, such as laboratories, specialists, school and workplace clinics, medical imaging facilities, pharmacies, emergency facilities – essentially anyone that might be involved in a patient’s care. Similar products that did NOT automatically have the “talk to everyone” feature were to be referred to by other names, such as EMR (Electronic Medical Record) or simply, practice management system.

However, the talk-to-everyone concept is proving to be quite difficult to implement and although it has a strong contingent of proponents, there are also many people who are equally strongly opposed to the idea. Mental health professionals, in particular, can see real disadvantages to making information they might enter about a client available to all healthcare professionals that client may have visited or may visit in the future.

Probably because of a combination of difficulty of implementation and the lack of overall support, distinctions that might once have existed between terms like EHR, EMR and practice management system have pretty much dissolved. Today, those terms are being used interchangeably – even within a single product. For example, mostly, I think of PSYBooks as a practice management system – because that’s what it’s designed to do, i.e., help you manage your practice. However, when I’m writing or speaking about PSYBooks, it’s easier and takes up less space to refer to it as an EHR or EMR so I often use one of those terms instead. However, PSYBooks is NOT a “talk-to-everyone” product. There is no across-the-board sharing of anything you don’t specifically request. You are solely in charge of who accesses your data (if anyone) and what portion of your data they access. For example, you might want some personnel to only be able to view certain data – not make any changes. Other personnel, in order to do their jobs, may need full administrative access to both view and edit certain files.

There are other situations where you may want one or more colleagues to have full clinical access to your PSYBooks account. This can be helpful in supervisory relationships and/or if you’re going to be out of your office for awhile and want to arrange coverage. An important extension of this concept is that HIPAA-HITECH requires that we have a plan in place to allow for a smooth transition for our clients should we die or become disabled. Designating a colleague to take on this task for you can be as easy as giving them access to your PSYBooks files now. This will ensure that the person you designate will always have the latest version of your client charts should the need arise. Additionally, PSYBooks’ Activity Log feature allows you to track what each user does in your account. Everything they do is recorded and available for you to view at any time.

Types of EHRs: Scope


To begin this series of posts, let’s look at a concept I’m calling “scope”. In reference to EHRs, scope doesn’t refer to the number of users a particular EHR has, but rather, to the number of different roles for which it’s designed. For example, a large scale medical EHR needs different roles or tracks for each of the various personnel that might need to add something to a patient’s chart. That could mean, for example, different tracks for scheduling, billing, intake, nurses and other mid-levels, doctors, lab technicians, social workers, etc. Additionally, such EHRs are designed primarily for hospital settings. Doctors who are affiliated with the hospital can typically access the EHR from their office, but the EHR itself was developed with hospitals in mind.

Because they’re designed for hospitals, medical EHRs have a tremendous amount of complexity. Since each hospital has its own unique needs, these EHRs typically have to be installed on your system by a representative of the company. The advantage to this is that representatives are trained to listen carefully to the specific needs of your institution and will then customize the product to fit your exact needs. The disadvantages are that all of this is extremely costly, takes a long time to implement, and makes the EHR difficult to learn – typically requiring quite a bit of staff training.

In contrast, some EHRs are designed for a specific healthcare profession – in our case, behavioral health. This sounds like it might be a step in the right direction, but even here, some of the behavioral health EHRs are designed for community mental health settings and other types of agencies, which means that the model they use is actually very similar to the model used by large scale medical EHRs and thus, they have the same set of advantages and disadvantages. Before we look further at behavioral health EHRs, we need to understand a concept I call the “shared chart model”. That concept is discussed in the next post.

Types of EHRs: The Shared Chart Model


There are several factors to consider when choosing an EHR. Previously, we discussed some of the disadvantages of behavioral health therapists using EHRs that are specifically designed for the medical profession. Eliminating the large group of medical EHRs helps narrow the field quite a bit. However, even within the category of behavioral health EHRs, there are other factors to consider. For example, one thing you may not be aware of is a concept I refer to as the “shared chart model”. In a nutshell, agencies tend to need and use shared chart models, while those of us in private practice typically don’t.

The best way to describe the shared chart concept is to think through the workflow in a typical behavioral health agency compared to that of private practice. In an agency, a patient’s chart typically belongs to the agency. Clinicians come and go; cases get transferred from one professional to the next; the same consumer is often seen by several different people within the agency (e.g., front office personnel, an intake worker, a psychiatrist, the individual therapist, possibly a group and/or family therapist, etc.) In such settings, it makes sense for each consumer to have ONE chart – either paper or digital – that anyone within the agency can access, i.e., a shared chart model.

In contrast, when you’re in private practice – even if you practice with a large number of other clinicians in the same building – your clients’ charts – paper or digital – typically belong to YOU. They are not shared with others in the practice unless you specifically make arrangements for that. If a client named John Doe sees me for individual therapy, Dr. Smith for medications, and Joe Green for group, each of us would maintain separate charts for John. We might (or might not) choose to share our charts with one another – or even to allow one another to make notations on John in our chart. But bottom line is that I “own” my chart for John, Dr. Smith owns her chart, and Joe Green owns his.

Now the question becomes, “Why do I care whether my EHR uses a shared chart model or not? I’m going to be the only one using it so it should be a moot point.” In some ways, you’re absolutely right. If you are currently using an EHR that has a shared chart model and you love it, GREAT! No need to change. However, if you don’t currently have an EHR and are considering getting one, the thing to consider about shared chart model EHRs is that they’re typically more complex and more difficult to learn. Because they’re specifically created for agencies, even though they may be just for the behavioral health profession, they actually more closely resemble large scale medical EHRs in complexity, price, and learning curve. If you’re just starting out, you’re probably going to be happiest with an EHR made just for private practice, rather than one that caters more to agencies.

You can learn more about some of the problems with medical/agency EHRs in the post below:

Types of EHRs: Desktop vs Web


Previous posts have discussed advantages of EHRs made specifically for behavioral health vs generic EHRs made for the entire medical profession and also, the differences between EHRs with a shared chart model vs those without. This post addresses another important issue to consider when choosing an EHR: whether to choose a desktop app or a web app.

Definitions

A desktop app “lives” on your computer. This means that you either purchased a CD or downloaded the program from the web. Either way, at some point you had to actually install the program on your computer. If you installed it on your office computer, you won’t be able to use it on your tablet or your home computer. You’d have to install separate applications on each device you plan to use.

In contrast, web apps “live” on the web. You access them with your web browser which means you can use them on any computer. Web applications are sometimes referred to as “on-demand” software or “SaaS” (Software as a Service). These terms imply that the software is a “service” on the web that you can access when you need it. Typically with these types of apps, you sign up via your web browser and start using them right away.

Pros & Cons

There is a growing trend away from desktop apps toward web apps. Many well-known applications that used to be available only as desktop apps are now on the web – some of them, exclusively so. Examples are Microsoft Office, Quicken, and the Adobe products. There are numerous reasons for this:

  • With desktop apps, there may be compatibility issues with your computer. For example, the program may have been written only for Windows or only for Mac. Or perhaps it only works on a version of Windows that is not what you’re running on your computer.
  • When an application lives on your computer, if your computer crashes, you’ve not only lost your computer, you’ve lost all of your client data unless you’ve been diligent about backing it up. Even if you’ve made daily back-ups on another device, if the computer with your program crashes, you no longer have a way to open the backups.
  • If your computer is stolen, you have the above issues and also a potential HIPAA breach because confidential client data is now in the hands of unauthorized individuals.
  • When there are bug fixes and/or upgrades to a desktop app, you have to download patches or, in some cases, buy an entirely new version of the product. Since making and releasing patches is sort of a big deal, developers of desktop apps tend to let fixes accumulate until they have enough to warrant releasing a patch. This means that bugs can go unfixed for weeks or months until the next patch is released. In contrast, web developers are able to constantly make improvements and fixes in their products because it all takes place behind the scenes. There’s never anything for you to download and install.

But What About . . .

When I talk to colleagues about the desktop vs web issue, there are two reservations I sometimes hear about web apps:

  • Some people feel that desktop apps are cheaper, i.e., a big one-time purchase as opposed to monthly subscription fees.
  • Many people have concerns about the safety of the web – they’re more comfortable with the thought of keeping client data on their own machines instead of “out there” somewhere that they can’t physically touch or see.

For the “desktop apps are cheaper” question, my answer would be “possibly”. It’s unrealistic to assume that your desktop app will be a one-time purchase because as the field changes, applications need to change. Over the course of your career, even if you stay with one company, you’ll more than likely have to buy a new version of the software at least every few years. Also, many companies are now requiring fairly lengthy and expensive service contracts for you to receive any type of support at all. This tends to be true more with desktop apps, whereas most web applications offer free support. When you add the price of the service contract with the price of the application, the price of desktop apps is probably in the same ballpark as a subscription to a web application.

The second issue – safety concerns about the web – requires a thorough explanation so will be covered in a separate post.

Are Web-Based EHRs Safe?


The most common reason people give for being reluctant to switch to a web-based EHR is safety. When we’re charged with protecting something – in this case, our clients’ records – most of us intuitively feel safer with something we can see and touch; something physical within our own office where we can maintain control of security ourselves. However, despite this subjective sense of safety, Hurricane Katrina taught us all a valuable lesson about the danger of keeping client records on paper. Floods, tornadoes, fires and other types of disasters can destroy paper records in a heartbeat. If you do maintain paper records, at the very least, you should have backup copies of everything – and those copies should be stored at a completely different location – preferably far away from where your paper records are stored.

The question then becomes, what kind of copies do you make and where do you store them? You can certainly use a copy machine and make paper copies of your records, but that’s both costly and cumbersome in terms of paper, ink, and additional space to store everything. Digital records, on the other hand, require little to no room to store, although it can be time-consuming to scan all of your paper documents to get them into digital format. Once you have them in digital format, what do you do with them? All types of digital storage media (computers, external hard drives, thumb drives, CDs, etc.) degrade over time. This means if you choose to store your digital files on some type of physical media that you maintain yourself, you’ll have the task every few years of making copies of your copies to ensure that all of your client data is still good. All of this becomes rather daunting, no matter how you look at it.

An obvious solution is to just not generate paper documents. Keep all – or at least most – of your client records in digital format on the Web from the very beginning. This is a huge leap for many – it’s changing the way they’ve done things comfortably their entire careers and, intuitively, it just doesn’t feel safe. However, before just assuming that records kept on the web are less safe than records kept in your office, let’s look at some facts:

Data States on the Web: Data in Motion vs Data at Rest

There are two possible states for data on the web:

  • “Data in motion” is the term used to describe data as it travels back and forth between the computer issuing the request (e.g., you at your personal computer or tablet) and the server you’re trying to reach (e.g., a web-based EHR).
  • “Data at rest” is when the data is just sitting there on either your computer or the server.

Security Issues with Data in Motion

As long as the website you’re accessing starts with “https” instead of just “http”, data in motion is generally safe. The https protocol indicates that the website is working in conjunction with another protocol, Secure Sockets Layer (SSL), to transport data safely. Here are some facts about SSL:

It appears, then, that data in motion – as long as the website you’re using has SSL – is generally accepted as being secure. When we hear of data being hacked and/or of large data breaches, the culprit is with data at rest.
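An "https" address says the connection is encrypted, but not which protocol version was negotiated or whether the certificate is still valid (the SSL protocol named above has since been succeeded by TLS). The following is an added example, not code from this blog or from PSYBooks: a Python check of a portal connection, where the host names, the sample observations and the TLS 1.2 floor are assumptions made for the illustration.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

# Assumption for this example: TLS 1.2 is the oldest protocol version accepted.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Constructed observations (hypothetical hosts under the reserved .example TLD).
# The "TLSv1" record stands for output of a scanner that still allows old
# protocols; observe() below would report that server as a refused handshake.
SAMPLE = [
    {"url": "http://portal.example/login", "version": None,
     "not_after": None, "error": None},
    {"url": "https://portal.example/login", "version": "TLSv1.3",
     "not_after": "Jun  1 12:00:00 2025 GMT", "error": None},
    {"url": "https://old.example/", "version": "TLSv1",
     "not_after": "Jan 15 00:00:00 2025 GMT", "error": None},
    {"url": "https://stale.example/", "version": None, "not_after": None,
     "error": "certificate verify failed: certificate has expired"},
]


def hardened_context():
    """Client context: certificate and host name verified, old protocols refused."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def observe(url, timeout=5.0):
    """Connect to the site (needs network access) and record what was negotiated."""
    obs = {"url": url, "version": None, "not_after": None, "error": None}
    parts = urlsplit(url)
    if parts.scheme != "https":
        return obs                        # nothing to negotiate: plain http
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as raw:
            with hardened_context().wrap_socket(
                    raw, server_hostname=parts.hostname) as tls:
                obs["version"] = tls.version()
                obs["not_after"] = tls.getpeercert()["notAfter"]
    except OSError as exc:                # includes ssl.SSLError
        obs["error"] = str(exc)
    return obs


def assess(obs, now=None, warn_days=30):
    """Turn one observation into a list of findings (empty list: nothing to flag)."""
    now = time.time() if now is None else now
    if urlsplit(obs["url"]).scheme != "https":
        return ["not https: data in motion is unencrypted"]
    if obs["error"]:
        return [f"handshake refused: {obs['error']}"]
    findings = []
    if obs["version"] not in ACCEPTABLE:
        findings.append(f"deprecated protocol: {obs['version']}")
    expires = ssl.cert_time_to_seconds(obs["not_after"])
    if expires <= now:
        findings.append("certificate expired")
    elif expires - now < warn_days * 86400:
        days = int((expires - now) // 86400)
        findings.append(f"certificate expires in {days} days")
    return findings


def report(observations, now=None):
    """Findings for every observed URL."""
    return {obs["url"]: assess(obs, now) for obs in observations}
```

Calling `assess(observe(url))` runs the same checks against a live site; `report(SAMPLE, now)` runs them over the constructed records without touching the network.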

Security Issues with Data at Rest

To review, data at rest is when the data is just sitting on a computer or other device. The device might be your own personal computer, tablet or even your phone – or it might be the computer (i.e., server) where your web app lives. (Servers are just computers that have certain software on them that enable them to “serve” a web page to you when you request it. In other words, you type www.google.com into your web browser and one of Google’s servers opens that page, i.e., “serves” it to you.)

Consider this: if you’re storing client records on your computer, even if it’s in a desktop EHR (i.e., the program is actually installed on your computer), there are two possible places data at rest might be vulnerable: your computer and the server. However, if you’re using a web-based EHR – unless you specifically download files from the app or store other client records on your computer – NO client data is stored on your machine. All of your client data is on the web. This effectively eliminates 50% of the possible concerns for data at rest breaches. The initial implication here is that, contrary to popular belief, web apps may actually be SAFER ways to store client records. But let’s dig a little deeper.

Most of us fear hackers. We hear about them in the news, they’ve successfully hacked into some pretty scary – and presumably secure – websites, so we assume they’re the major worry with data breaches on the web. However, this is not the case. Hacking actually accounts for a very small percentage of reported healthcare data breaches. One author who has analyzed healthcare breach data notes that the media most often involved in breach incidents are laptops and paper, i.e., NOT servers.

The HITECH Act requires the Secretary of HHS to post a list of breaches of unsecured protected health information affecting 500 or more individuals. To make it easier to see trends, I downloaded the entire list into an Excel sheet so I could group breaches by type and came up with the following table (this data was collected from 2009-2013):

Notice that theft and loss account for 72% of the reported breaches. The thing that most people fear – hacking and/or IT incidents – only accounted for 2% of the breaches. Also, although I didn’t include the “Location of Breach” column in the table, glancing at the original data seems to confirm what the above author concluded, i.e., that the largest percentage of these thefts or losses are from either paper records or laptops.
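The grouping described above can be redone on a spreadsheet export of the HHS list with a short script. This is an added example, not the author's spreadsheet: the rows are constructed, the column names are an assumption about the export format, and it goes one step beyond the text by also weighing each report by the number of individuals affected.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real breach reports). The column names are an
# assumption modelled on a CSV export of the HHS breach list.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information
Clinic A,1000,Theft,Laptop
Clinic B,1500,Theft,Paper/Films
Practice C,500,Loss,Other Portable Electronic Device
Hospital D,5000,"Theft, Loss",Laptop
Agency E,1000,Unauthorized Access/Disclosure,Email
Plan F,35000,Hacking/IT Incident,Network Server
Clinic G,500,Improper Disposal,Paper/Films
Clinic H,2000,Theft,Desktop Computer
Practice I,1500,Theft,Laptop
Clinic J,2000,Loss,Paper/Films
"""


def shares(csv_text, column="Type of Breach", weight=None):
    """Percent of the total attributed to each value found in `column`.

    A report that lists several values ("Theft, Loss") counts toward each of
    them, so the percentages can add up to more than 100. With weight=None
    every report counts once; weight="Individuals Affected" weighs each
    report by the number of people whose records were involved.
    """
    totals = defaultdict(float)
    grand = 0.0
    for row in csv.DictReader(io.StringIO(csv_text)):
        w = 1.0 if weight is None else float(row[weight].replace(",", ""))
        grand += w
        labels = {part.strip() for part in row[column].split(",") if part.strip()}
        for label in labels:
            totals[label] += w
    if grand == 0:
        return {}
    return {label: round(100 * t / grand, 1) for label, t in sorted(totals.items())}


def summary(csv_text):
    """The three views of the same list used in this example."""
    return {
        "by_reports": shares(csv_text),
        "by_individuals": shares(csv_text, weight="Individuals Affected"),
        "by_location": shares(csv_text, column="Location of Breached Information"),
    }
```

Counting reports and counting individuals are two views of the same list; the figures this sample produces describe only the constructed rows, not the HHS data.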

Furthermore, as of mid 2015, none of the EHRs made specifically for behavioral health practitioners in private practice had ever reported a breach of any kind, nor had any of the clearinghouses used by EHRs reported breaches. This certainly isn’t meant to imply that it couldn’t happen. However, as you can tell from the data presented so far, most breaches are caused by people – people stealing or misplacing client files or data, people disposing of records improperly, people mis-sending emails, people leaving records in public view and failing to secure them properly. It makes sense, then, that companies with a larger number of employees will be more likely to have breaches. Companies that specialize in behavioral health EHRs tend to be small, which, in some ways, may serve to minimize their risk.

Also, even though the data shows that hacking incidents are fairly uncommon, if I were a hacker and I wanted to obtain healthcare data, I’d choose a target where I stood to garner the most records – insurance companies, large hospital complexes, etc. Even IF, for some reason, I wanted to target EHRs, I’d go after the large scale medical EHRs. I wouldn’t waste my time with EHRs that are specifically made for behavioral health. Could it happen? Yes. Is it likely? No.

What We’ve Covered So Far:

  • Data in motion is secure. Data breaches, when they occur, happen with data that’s just sitting on either your computer or a server.
  • If you use a web-based EHR as opposed to a desktop application, that eliminates your computer, i.e., 50% of the security risk.
  • Most healthcare data breaches occur as a result of either theft or loss. The most common items that are lost or stolen are laptops and paper records.
  • As of mid-2015, no behavioral health EHR made just for private practice had reported breaches of any type.
  • Hacking or other IT incidents only account for about 2% of all breaches. Furthermore, there’s some reason to think that behavioral health EHRs made just for private practice might be unlikely targets for hackers.

Summary

Nothing is 100% safe. If you store your client records in your office – either as paper records or on your computer – your office could catch fire and burn. If you had gone to the trouble to keep backup copies of everything in your home, a tornado or other natural disaster could destroy both your home and your office. The same can be said for digital records stored by EHR companies.

However, EHRs that use reputable web server companies have built-in protections, provided by the companies themselves, that are difficult for individuals to replicate. For example, PSYBooks is stored on servers that are provided by Amazon. AWS (Amazon Web Services) data centers have military-grade perimeter control as well as other natural boundary protection. Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and monitored. Furthermore, Amazon offers backup servers at “redundant co-location facilities that are geographically dispersed” to help ensure that even if a catastrophic event happened in one part of the country, you would have a backup available in another part of the country. It’s pretty unlikely that any of us in private practice would be able to match Amazon’s level of security for the computers we maintain in our homes or offices.

It seems reasonable to conclude that despite the fact that nothing is 100% safe, using web-based EHRs made just for behavioral health providers in private practice may well be the safest option you can choose.

Why Not Use a Free EHR?


There are a handful of free EHRs, and who doesn’t like free? However, before you jump in with both feet, you may want to know some facts. First, I don’t personally know of any behavioral health EHRs for private practice that are free. So if you want to use a free EHR, you’re probably going to have to be OK with a medical product that’s been designed for agency use. The cost factor of these types of EHRs has been eliminated, but there are still some reasons you may not want to use them.

User Testimonial

“I have tried other free EHRs which were difficult to use, had very limited (if any) technical support, were geared toward the medical community and were not well informed about HIPAA compliance. I’ve returned to PSYBooks!”

Second, it costs a LOT of money to produce a good EHR. Lots and lots, actually. So you have to ask yourself, “Who would offer that kind of product for free?” The broadest form of the answer is simple: someone who wants something different from you – something other than your money. This means that to stay in business, they have to be getting their money elsewhere, and that’s where problems can arise.

Within this broad category, there are at least three different sub-categories – possibly more. The three main ones are:

  • Companies who want to use your clients’ data. Specifically, they de-identify it and sell it to willing buyers.
  • Billing companies who want you to sign up for their services (for a fee) and who offer to “give” you a free EHR to do so.
  • Companies who are paid per-claim fees by insurance companies and are hoping to make money when you efile or possibly on other types of interactions you may engage in with insurance companies.

The first one is, in my mind, the most problematic. What these companies are doing is legal because they list their intentions in the fine print you have to agree to in order to use their products. You might be thinking, “I support research. As long as they de-identify my clients’ data (which they claim to do) that might be ok.” However, they don’t only sell your client data for research purposes. What you sign pretty much gives them carte blanche to sell the data to any willing buyer. Possibly the worst example of this is that one company solicited the patients of their subscribers. The PATIENTS, not the doctors or therapists themselves. To make matters worse, what they asked the patients to do was to rate their doctor for something that was later published online. However, when you read some of the reviews, it’s obvious that the patients did NOT understand that their reviews were not going to be anonymous or that they would be seen by anyone but their own doctor. The doctors, on the other hand, did not know they were being reviewed – nor had they knowingly given their consent. Needless to say, this was not received well by the patients whose reviews were published, nor by the therapists and physicians who had been using that particular EHR.

Furthermore, even though such companies de-identify client data (which is how they get around the HIPAA privacy laws), there are some cases where data that’s been de-identified has been “re-identified”, exposing PHI and other vulnerable information about your client to people for whom it was never intended. For these reasons, you may well be unknowingly compromising your client’s privacy and/or your own just by using these types of EHRs.

The second category – billing companies who want your business – may be ok if you don’t want to do any of your own billing. However, compare the costs. It’s often quite a bit more expensive to hire someone to do your billing than to pay the subscription fee for a good EHR. Also, if the EHR is built to be user-friendly, billing is usually extremely easy to do – typically just requiring a few clicks. Personally, if I were interested in hiring someone to help me with billing, I wouldn’t want to pay them to do it all. I might want to hire them for an hour a week – maybe just an hour a month – to make any phone calls to insurance companies that need some follow-up. That’s really the only time-consuming part of billing. Also, if you do decide to go the billing-company-disguised-as-free-EHR route, before you sign up, make sure to ask them what happens if you decide to not use their service anymore. Do you get to keep the EHR? Your data? Do you have to sign a contract to use their services for a certain amount of time? What are their policies around using de-identified client data?

EHRs in the third category – those that are paid by insurance companies – are typically built by clearinghouses, or in some cases, by a specific insurance company serving as a clearinghouse. The problem with these EHRs tends to be that they’re difficult to learn, even among experienced users. Once again, they were created as large scale medical/agency EHRs that use a shared chart model. Both of these things add layers of complexity to the product that those of us in private practice don’t need. Also, since they’re not specifically made for behavioral health, they don’t usually offer some of the things we DO need, such as a way to enter personal psychotherapy notes that we don’t want to be included in the client’s medical record.

Bottom line: if you want to try a free EHR, be prepared to read the fine print so you know exactly what you’re agreeing to. Also, you might do yourself a favor and sign up for a free trial of a web-based EHR that’s been made just for behavioral health practitioners in private practice while you’re also trying the free EHR. You may be amazed at the difference in simplicity and ease of learning of the subscription-based EHR and decide that the price is well worth it.

More info: