Doing Telehealth? You Need a Portal.

Think you’re not doing telehealth? Think again. Although there’s no one-size-fits-all definition that cuts across state and/or discipline lines, most agree that telehealth basically involves any electronic method you use to communicate with or about your clients. This can include common things like phones, email and electronic file storage, in addition to video sessions, which is what we typically think of with the term telehealth.

Given that telehealth IS a lot more than just video, and given that the very breadth of the definition means that most of us are already doing some form of telehealth, we are tasked with finding ways to deliver these services that are easy to use, HIPAA-compliant, and within our budget. Therapists tend to obtain their telehealth apps in a somewhat piecemeal fashion. For example, they might decide they want appointment reminders, so they find a program that does that. If they later decide to put their calendar online, that might or might not be something that came with the appointment reminders, so the calendar/scheduling program could end up being a separate app. After that, they might see a need for doing some telehealth sessions, so they find a video program. Then they decide encrypted email would be really helpful . . . and online file storage . . . or maybe the ability to efax. The list – and the number of apps – could go on and on.

Although it’s understandable that therapists accumulate telehealth tools in this fashion, there are some inherent problems with doing it this way. One of the biggest issues is that none of your data is integrated with any of your other data. Information about your practice is scattered and nothing “talks” to anything else. If your client gets a new phone number or address, you will have to update each of your programs to keep all of the information about them current. Furthermore, each program you use has to be HIPAA-compliant – which also means that you have to have a Business Associate Agreement with that company. Additionally, since each program will have its own interface, you and/or your staff will have to spend time learning how to use each one. And finally, having a lot of different programs, even if they’re only $10 or $15 a month each, can become expensive as they add up. So what’s the solution?

Obtain a portal.
Preferably one that is integrated with an EHR.

The term portal, in this usage, simply means a software program where you, as the healthcare professional, can interface electronically with your clients. In other words, given our definition of telehealth as being any electronic method you use to communicate with or about your clients, portals contain tools for you to provide telehealth services. Portals are often part of other programs, usually EHRs (Electronic Health Records). The advantage of having your portal bundled with your EHR is that now ALL tools you use for your practice are in one place. This means, for example, that you can schedule a video appointment with a client and enter both your billing and payments for the session in that same app. You don’t need one app for video and another to keep track of your sessions and billing. If the app is user-friendly, you won’t have to search for the tools you need for billing or payments. They’ll be right there on your video interface.

What you can do within your portal depends on the features the portal offers. In a perfect world, this would include each and every telehealth tool you might want to use in your practice. However, currently, the most likely scenario is that you’ll be able to get some of what you want, but not all. Hopefully that will change in the near future.

Given the current status, then, what should you look for in a portal? Stay tuned for a series of posts on this topic: What to Look for in a Telehealth Portal.

Business Associate Agreements:
Do We Really Need Them?

I sometimes hear therapists mention specific software programs they’re using in their practices for tasks like notes, calendar/schedulers, online file storage, billing, video sessions or email and then add something like, “They’re HIPAA compliant. They just don’t – you know – have Business Associate Agreements.”

This is not only wrong, it’s SCARY wrong. If you don’t have a Business Associate Agreement (BAA) with each software company that stores or transmits your clients’ PHI (Protected Health Information), that by itself is a HIPAA violation. This is true even if everything else you’re doing is in perfect compliance. If caught, you could be facing a “willful neglect” penalty and those start at $50K per violation. Claiming ignorance won’t exonerate you. As healthcare professionals, it is our responsibility to understand and implement HIPAA in our practices.

There’s another problem with the scenario above: products can’t be HIPAA Compliant. What determines compliance is a combination of using products that meet HIPAA’s standards PLUS enforcing the HIPAA policies and safeguards you have in place for your practice. Although products do need some way to let you know that, if used correctly, they can contribute to your overall compliance strategy, it would be more accurate for healthcare products to state “Can Be HIPAA-Compliant-If-Your-Policies-Are-Correct-And-Up-To-Date-And-You-Are-Enforcing-Them.” For obvious reasons, products tend to just say they are HIPAA compliant and leave it up to the healthcare professional to understand their role in the compliance equation. However, it’s important to realize that just using a product that advertises HIPAA compliance does NOT automatically make your practice HIPAA compliant. Furthermore, if the product you are using won’t either provide you with their BAA or sign yours, it will never be possible to use that particular product and be in compliance with HIPAA.

Ensuring HIPAA compliance consists of, at a minimum, the two factors below. If you have one but not the other, you are not in compliance:

  • SOFTWARE: Only use software that meets HIPAA’s standards (which includes, among other things, that if the software company stores or transmits PHI, you must have a BAA with them).
  • YOU: Make sure your own HIPAA policies accurately describe your practice, are current, and are enforced.

If you’re a PSYBooks subscriber, you were given a BAA when you first signed up. You can also access it from the program at any time. That means that whether you’re using PSYBooks for your notes, email, billing, scheduling, online file storage, video sessions or any other PSYBooks feature, you’re covered from our end. If you’re concerned about your practice’s HIPAA policies, a good resource is The HIPAA Survival Guide.

(Note: PSYBooks subscribers are eligible for discounts on HIPAA Survival Guide products.)

Are We Becoming Outdated?

In the not too distant past, a therapist with some kind of note pad in hand was the norm. It was expected. We were doing our jobs and interested enough in the client to take notes on what they were saying. I was part of that crowd. Although I preferred to write my notes after the client left, I definitely felt that paper notes were the way to go and I burned through many legal pads in the early years of my career.

When we started hearing rumors about healthcare practitioners being mandated to switch to digital record keeping and EHRs, many of my colleagues, myself included, were secretly or not-so-secretly glad that mental health practitioners had not been included in the mandate. We had been running our businesses the same way for many years and felt it was the way to go. Some therapists were even quite critical of the whole digital/EHR movement, feeling that the use of electronic records dehumanized the therapist/client relationship, which we all knew was so critical to our work. Others feared that electronic records weren’t safe, i.e., that they wouldn’t be able to adequately protect their clients’ privacy if they digitized their practice.

However, whether we like it or not, times seem to be changing. Two recent anecdotes have driven that home to me.

The first was a casual comment made by a friend. For some reason, the conversation had drifted to talking about therapists and their note-keeping practices. She was quite surprised when I told her that many therapists still took notes by hand. Without knowing my thoughts or biases, she stated that she was so used to her physical health practitioners taking notes on their computers or tablets, that if she were to go to a mental health professional and discovered they were taking notes by hand, she would see them as a bit antiquated. Furthermore, she took a perhaps unfounded leap and also said that it would make her question that therapist’s treatment methods. Since their business practices seemed to be antiquated, she questioned whether they might also not be up to date on the latest treatment techniques and innovations.

The second incident was even more surprising. In an initial interview, a potential new client revealed to me that she had interviewed another therapist, but that she learned that that therapist didn’t have a client portal. The client really enjoyed being able to interact with her other doctors via their portals and wanted to be able to do the same with her therapist so she decided to keep looking. This stunned me. It was the first time I had heard of a client actually rejecting a therapist solely because that therapist didn’t have a portal. And if you’re wondering, this was a woman in her 50s, maybe early 60s – not someone who had grown up in the digital age.

The implications here are clear. Although our profession was NOT among those mandated to use EHRs, the rest of the healthcare profession, whether they liked it or not, was forced to digitize. In the beginning, there was a lot of kicking and screaming among those professionals who were under mandate. Meanwhile, we mental health professionals were able to somewhat smugly keep doing things the way we had always done them. However, it seems that the tide is steadily turning and now our profession may be the one coming up short. Regardless of what healthcare professionals think of digital practices, consumers seem to be beginning to accept them as the norm. Those of us who don’t keep up may be unknowingly turning away some of the very clients we’re hoping to attract.

What Will Happen to Your Clients?

Most of us have documents like a will, power of attorney and other estate planning instruments either already in place or at least on our “I’ll get to that eventually” list. Far fewer have given much thought to how we would want our clients to be taken care of in the case of our demise or anything else that would cause a sudden interruption in our ability to provide services.

I attended an ethics workshop recently where the presenter related a story of a colleague who had died suddenly. Several of the remaining office partners went into his office to try to determine which clients needed to be notified. According to the presenter, the deceased therapist’s records were “a mess.” They found a paper appointment book that looked like what the therapist had been using for scheduling. However, entries just said, “Joe” or “A.G.” – most likely as a HIPAA privacy precaution. Although nice for confidentiality, the colleagues had no way of knowing which calendar entries might be clients and which might be other types of appointments. Furthermore, since no contact information was listed in the calendar, they had no way of contacting anyone. They saw evidence of some charts, but they were scattered. A few were sitting out in a pile on the desk – but were these current clients or ones who had recently terminated? There were two locked filing cabinets that they suspected held additional charts, but none of the colleagues knew where to find the keys. Financial records were found in an online accounting program, but again, there was no way to know which entries were clients and specifically, which ones were current clients who would need to be contacted.

As therapists, in addition to HIPAA’s privacy and security laws, we also have ethical mandates. Although ethical guidelines vary a bit depending on your state and also your discipline, most require us to have some sort of plan for the appropriate transfer of records in situations that would otherwise result in an interruption of service for our clients. The therapist in the example above appears to have been making some attempts to comply with HIPAA (with the possible exception of the charts that were sitting out) but seems to have given no thought to the ethical obligations he also had to his clients. Imagine how traumatic it must have been for those clients who couldn’t be notified to show up for their appointments and then find out that their therapist had died.

EHRs offer a perfect solution to this problem. With an EHR, all data pertaining to all clients can be stored in one place. Although it’s typically not wise to share your username and password with others, better EHRs will have the ability for you to add users to your account. A user would have their own username and password, and you would have a record of when they access your account and what they do there. Making one or more colleagues users on your account would allow them to access your records in emergency situations and see both your calendar and all client charts. In the situation described above, the colleagues would have been able to see at a glance which clients were scheduled for the next few weeks and have a way to contact them. Although learning that their therapist had died would still most likely be difficult, hearing the news in a personal way from someone who knew their therapist and who might be in a position to offer to see them is certainly better than just having a note on the door when they arrive for their appointment.

Can’t I Just Efile at Insurance Websites and Not Bother with an EHR?


Short answer? Yes. You can. However, here are some reasons why you may not want to:

  • It takes more time and work.

    There are some universal tasks almost all private practitioners in mental health have to do. For example, we all need some way to keep track of each day’s case load: which clients we see, what we charge, what diagnoses and CPT codes we use, how much each client pays. Some of us also need to be able to give our clients receipts and/or statements for their portion of the bill, either at the session or at some point in the future. Many of us need a way to determine which clients still have outstanding balances after 30, 60 or 90 days. At tax time, we need a way to calculate our total income for the year, including payments from clients, insurance companies, or other payees. We also all need some way to produce a client’s medical record or PHI (Protected Health Information) if we’re required to do so.

    In addition to these tasks being responsibilities we all have, the tasks themselves have something in common: they all use data routinely entered when efiling. In other words, if you do your efiling at an insurance company’s website, you’re more than likely going to have to duplicate your efforts in your office and record the same information again, either with paper and pencil and/or with at least one different kind of software, possibly more, to keep your office records up to date.

    In contrast, when you have your own EHR, you enter the information once. There’s no duplication of efforts. PSYBooks takes the data you used to efile and re-aggregates it behind the scenes to enable you to use the same data for accounting tasks, to calculate and print statements or receipts, and to produce medical records for any client who needs them.

  • The learning curve is greater.

    Let’s say you have five clients and each of them has a different insurance company. That means that to efile, you essentially have five different EHRs to learn – not just one. That’s five different URLs and logins to keep track of, five completely different systems to learn. In contrast, when you have your own EHR, you learn it once and that’s it. You have a single URL and you login to a system that you use routinely so it stays fresh in your memory.

    Also, most insurance company EHRs are intended for all medical professionals, not just those in mental health. Typically, large scale medical EHRs are more difficult to learn than an EHR made just for behavioral health. Going back to the five insurance EHRs example, we can now add that they’re probably not just any five EHRs – more than likely, they’re five fairly difficult EHRs to learn. Many people throw in the towel at this point, feeling that EHRs are just way over their head – not realizing that there are simpler solutions.

  • Client records are scattered and may be difficult to retrieve.

    When you’ve been in practice for at least a handful of years, you’ve probably noticed that clients change insurance companies. They get new jobs, their old jobs offer different plans, etc. If I see client Jane Doe on and off in my practice for ten years, she changes insurance companies several times, and I efile at her insurance companies’ websites, Jane could end up with records scattered all over the place. Also, looking up her older records can be problematic. For example, perhaps Jane requests a copy of her medical record for three years ago when she saw me. If she’s no longer with the insurance company she had three years ago, I may or may not be able to retrieve those records for her. I don’t have any control over how the insurance company manages inactive clients. If you consider that in that same ten year period, I may have encountered 500 clients – many of whom may have switched back and forth among the handful of insurance companies for which I’m a provider, the whole thing starts feeling a little chaotic and out of control.

    In comparison, PSYBooks not only keeps all of your client records in one place, it also makes it easy to archive clients you’re no longer seeing and to reactivate them if they return for a few additional sessions. The video below illustrates these features:

    Video Managing Client Files: Digital vs Paper (Video duration: 1:55)

    Also, although it’s not shown in the video, when a client changes insurance companies, making the old company inactive and assigning the new company is equally easy. And you ALWAYS have access to older records. They’re right there in your EHR when you need them. When you have your own EHR, unlike filing at insurance company websites, you maintain control of your own records.

Are Digital Records Better Than Paper?

The Original EHR Prototype

Video Managing Client Files: Digital vs Paper (Video duration: 1:55)

At its simplest, digital record-keeping could simply mean a Word doc, Excel sheet or PDF that you’ve saved on your computer, tablet, phone, thumb drive or other type of digital storage device. There are advantages to digital record-keeping even at this elementary level. For example, with digital records, you no longer have to contend with bulging filing cabinets, finding adequate long-term storage, or shredding – all of which are factors with paper health records. Additionally, it’s relatively easy to make backup copies of digital files to guard against some type of disaster, whereas making copies of paper records is costly in terms of both time and money and effectively doubles the number of filing cabinets or other physical storage space you need.

However, if you move beyond the Word doc level of digital record-keeping and start exploring practice management systems, the advantages become even more apparent. What gives practice management systems (also called EHRs or EMRs) their oomph is that they’re built using relational databases, which gives you the ability to filter. This means, as the cartoon suggests, that these kinds of programs are interactive. You can click a button and find out how many sessions you conducted in a certain time frame, how much you made, which clients still owe you money (including how much and for how long), which insurance payments are outstanding, which ones may have gotten hung up at the clearinghouse and why – the possibilities are endless.

Additionally, most (but not all) practice management systems have the ability to connect to insurance companies. This means you can do all of your efiling in one place – you don’t have to go to each insurance company’s site to file. Depending on the particular system, you may also be able to get detailed information about where an insurance claim is in the payment process, retrieve ERAs and perform other time-consuming tasks you might normally do with the insurance company either over the phone or at their website.

All in all, maintaining digital records, especially within a practice management system or EHR, can save you both time and money and also tends to be safer than maintaining paper files.

Are Web-Based EHRs Safe?


The most common reason people give for being reluctant to switch to a web-based EHR is safety. When we’re charged with protecting something – in this case, our clients’ records – most of us intuitively feel safer with something we can see and touch; something physical within our own office where we can maintain control of security ourselves. However, despite this subjective sense of safety, Hurricane Katrina taught us all a valuable lesson about the danger of keeping client records on paper. Floods, tornadoes, fires and other types of disasters can destroy paper records in a heartbeat. If you do maintain paper records, at the very least, you should have backup copies of everything – and those copies should be stored at a completely different location – preferably far away from where your paper records are stored.

The question then becomes, what kind of copies do you make and where do you store them? You can certainly use a copy machine and make paper copies of your records, but that’s both costly and cumbersome in terms of paper, ink, and additional space to store everything. Digital records, on the other hand, require little to no room to store, although it can be time-consuming to scan all of your paper documents to get them into digital format. Once you have them in digital format, what do you do with them? All types of digital storage media (computers, external hard drives, thumb drives, CDs, etc.) degrade over time. This means if you choose to store your digital files on some type of physical media that you maintain yourself, you’ll have the task every few years of making copies of your copies to ensure that all of your client data is still good. All of this becomes rather daunting, no matter how you look at it.

An obvious solution is to just not generate paper documents. Keep all – or at least most – of your client records in digital format on the Web from the very beginning. This is a huge leap for many – it’s changing the way they’ve done things comfortably their entire careers and, intuitively, it just doesn’t feel safe. However, before just assuming that records kept on the web are less safe than records kept in your office, let’s look at some facts:

Data States on the Web: Data in Motion vs Data at Rest

There are two possible states for data on the web:

  • “Data in motion” is the term used to describe data as it travels back and forth between the computer issuing the request (e.g., you at your personal computer or tablet) and the server you’re trying to reach (e.g., a web-based EHR).
  • “Data at rest” is when the data is just sitting there on either your computer or the server.

Security Issues with Data in Motion

As long as the website you’re accessing starts with “https” instead of just “http”, data in motion is generally safe. The https protocol indicates that the website is working in conjunction with another protocol, Secure Sockets Layer (SSL), to transport data safely. Here are some facts about SSL:

It appears, then, that data in motion – as long as the website you’re using has SSL – is generally accepted as being secure. When we hear of data being hacked and/or of large data breaches, the culprit is data at rest.
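A check of the "https" condition described above, as an added example that is not part of the original post: it flags plain-http addresses and, for https ones, connects with a client that verifies the certificate and refuses anything older than TLS 1.2 (TLS is the successor to SSL). The URLs are constructed placeholders and the function names are hypothetical.

```python
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed list standing in for the tools a practice might use.
SAMPLE_URLS = [
    "https://ehr.example.com/login",
    "http://reminders.example.net/",   # plain http: nothing protects data in motion
    "HTTPS://Video.Example.org",       # scheme is case-insensitive
    "ehr.example.com",                 # no scheme at all
]


def scheme_finding(url):
    """Classify a URL by scheme before any connection is attempted."""
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname:
        return "ok"
    if parts.scheme == "http":
        return "plaintext"
    return "invalid"


def strict_client_context():
    """Client settings: verify the certificate chain and host name, and
    refuse SSLv3, TLS 1.0 and TLS 1.1 even if the server still offers them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(url, timeout=5.0):
    """Connect once and report what was negotiated (requires network access).

    Raises ssl.SSLError if the server fails certificate or version checks."""
    if scheme_finding(url) != "ok":
        raise ValueError(f"not an https URL: {url!r}")
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
            return {
                "protocol": tls.version(),          # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],
                "days_until_expiry": (expires - datetime.now(timezone.utc)).days,
            }


def audit(urls):
    """Offline pass over a list of URLs: scheme check only."""
    return {url: scheme_finding(url) for url in urls}


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_URLS).items():
        print(f"{finding:10} {url}")
```

Calling `probe()` on the real address of a service you use shows the negotiated protocol version and how many days remain before its certificate expires.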

Security Issues with Data at Rest

To review, data at rest is when the data is just sitting on a computer or other device. The device might be your own personal computer, tablet or even your phone – or it might be the computer (i.e., server) where your web app lives. (Servers are just computers that have certain software on them that enable them to “serve” a web page to you when you request it. In other words, you type www.google.com into your web browser and one of Google’s servers opens that page, i.e., “serves” it to you.)

Consider this: if you’re storing client records on your computer, even if it’s in a desktop EHR (i.e., the program is actually installed on your computer), there are two possible places data at rest might be vulnerable: your computer and the server. However, if you’re using a web-based EHR – unless you specifically download files from the app or store other client records on your computer – NO client data is stored on your machine. All of your client data is on the web. This effectively eliminates 50% of the possible concerns for data at rest breaches. The initial implication here is that, contrary to popular belief, web apps may actually be SAFER ways to store client records. But let’s dig a little deeper.

Most of us fear hackers. We hear about them in the news, they’ve successfully hacked into some pretty scary – and presumably secure – websites, so we assume they’re the major worry with data breaches on the web. However, this is not the case. Hacking actually accounts for a very small percentage of reported healthcare data breaches. One author who has analyzed healthcare breach data notes that the media most often involved in breach incidents are laptops and paper, i.e., NOT servers.

The HITECH Act requires the Secretary of HHS to post a list of breaches of unsecured protected health information affecting 500 or more individuals. To make it easier to see trends, I downloaded the entire list into an Excel sheet so I could group breaches by type and came up with the following table (this data was collected from 2009-2013):

Notice that theft and loss account for 72% of the reported breaches. The thing that most people fear – hacking and/or IT incidents – only accounted for 2% of the breaches. Also, although I didn’t include the “Location of Breach” column in the table, glancing at the original data seems to confirm what the above author concluded, i.e., that the largest percentage of these thefts or losses are from either paper records or laptops.
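The grouping step described above (tallying the breach list by type and by location) can be reproduced in a few lines; this is an added example, not the spreadsheet used for the article. The rows are constructed for illustration, the column names `Type of Breach` and `Location of Breach` are assumed, and the resulting percentages say nothing about the real list.

```python
import csv
import io
from collections import Counter

# Constructed sample laid out like a breach-list export. Rows are invented
# and the column names are assumptions; nothing here comes from the HHS list.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breach
Example Clinic A,1200,Theft,Laptop
Example Clinic B,650,Loss,Paper/Films
Example Health Plan C,15000,Hacking/IT Incident,Network Server
Example Practice D,900,"Theft, Unauthorized Access/Disclosure",Desktop Computer
Example Hospital E,2300,Improper Disposal,Paper/Films
Example Practice F,540,,Email
Example Clinic G,780,theft ,"Laptop, Paper/Films"
"""


def load_rows(csv_text):
    """Parse the export into one dict per reported incident."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def split_labels(cell):
    """A cell may hold several comma-separated labels, stray spaces, or nothing."""
    labels = [" ".join(part.split()) for part in (cell or "").split(",")]
    return [label for label in labels if label] or ["Unknown"]


def share_by_label(rows, column):
    """Return (label, incidents, percent of all incidents), largest first.

    An incident with two labels counts once under each, so the percentages
    can add up to more than 100."""
    counts, display = Counter(), {}
    for row in rows:
        seen = set()
        for label in split_labels(row.get(column)):
            key = label.casefold()          # "theft " and "Theft" are one group
            if key in seen:
                continue
            seen.add(key)
            display.setdefault(key, label)  # keep the first spelling seen
            counts[key] += 1
    total = len(rows)
    if not total:
        return []
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], display[kv[0]]))
    return [(display[k], n, round(100 * n / total, 1)) for k, n in ranked]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for column in ("Type of Breach", "Location of Breach"):
        print(column)
        for label, n, pct in share_by_label(rows, column):
            print(f"  {label:35} {n:3}  {pct:5.1f}%")
```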

Furthermore, as of mid 2015, none of the EHRs made specifically for behavioral health practitioners in private practice had ever reported a breach of any kind, nor had any of the clearinghouses used by EHRs reported breaches. This certainly isn’t meant to imply that it couldn’t happen. However, as you can tell from the data presented so far, most breaches are caused by people – people stealing or misplacing client files or data, people disposing of records improperly, people missending emails, people leaving records in public view and failing to secure them properly. It makes sense then, that companies with a larger number of employees will be more likely to have breaches. Companies that specialize in behavioral health EHRs tend to be small, which, in some ways may serve to minimize their risk.

Also, even though the data shows that hacking incidents are fairly uncommon, if I were a hacker and I wanted to obtain healthcare data, I’d choose a target where I stood to garner the most records – insurance companies, large hospital complexes, etc. Even IF, for some reason, I wanted to target EHRs, I’d go after the large scale medical EHRs. I wouldn’t waste my time with EHRs that are specifically made for behavioral health. Could it happen? Yes. Is it likely? No.

What We’ve Covered So Far:

  • Data in motion is secure. Data breaches, when they occur, happen with data that’s just sitting on either your computer or a server.
  • If you use a web-based EHR as opposed to a desktop application, that eliminates your computer, i.e., 50% of the security risk.
  • Most healthcare data breaches occur as a result of either theft or loss. The most common items that are lost or stolen are laptops and paper records.
  • As of mid-2015, no behavioral health EHR made just for private practice had reported breaches of any type.
  • Hacking or other IT incidents only account for about 2% of all breaches. Furthermore, there’s some reason to think that behavioral health EHRs made just for private practice might be unlikely targets for hackers.

Summary

Nothing is 100% safe. If you store your client records in your office – either as paper records or on your computer – your office could catch fire and burn. If you had gone to the trouble to keep backup copies of everything in your home, a tornado or other natural disaster could destroy both your home and your office. The same can be said for digital records stored by EHR companies.

However, EHRs that use reputable web server companies have built-in protections, provided by the companies themselves, that are difficult for individuals to replicate. For example, PSYBooks is stored on servers that are provided by Amazon. AWS (Amazon Web Services) data centers have military grade perimeter control as well as other natural boundary protection. Physical access is strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and monitored. Furthermore, Amazon offers backup servers at “redundant co-location facilities that are geographically dispersed” to help ensure that even if a catastrophic event happened in one part of the country, you would have a backup available in another part of the country. It’s pretty unlikely that any of us in private practice would be able to match Amazon’s level of security for the computers we maintain in our homes or offices.

It seems reasonable to conclude that despite the fact that nothing is 100% safe, using web-based EHRs made just for behavioral health providers in private practice may well be the safest option you can choose.