Telehealth for the Mental Health Professions

1. Introduction Show/Hide

   I consider myself a bit of an odd duck. I’ve been a practicing clinical psychologist since 1985 and still love and am humbled by being allowed to witness and participate in the healing process of another human being. I also like technology. A lot. Enough that I went back to school several years ago and got a degree in it. Enough that I run a healthcare software company in addition to continuing to see patients. Being a therapist feeds my soul. Playing around with technology is fun for my inner child.I find that many therapists are, at best, lukewarm about technology. Some are almost phobic about it, especially when it comes to thinking about using it with their patients. Technology is often viewed as unsafe, impersonal, and/or a pain to use. Not so long ago, that was fine. Mental health practitioners could continue using the paper/pencil methods they were taught in graduate school and had little incentive to change. COVID-19 changed all of that. If we wanted to maintain our practices, we were thrown into technology headlong, whether we liked it or not.The goal of this book is to help teach you some of what I know about using technology in mental health. Hopefully, I’ll be able to convince you that it’s not quite as difficult or unsafe as you might have thought. On the other hand, I’ll show you those things that can truly be problematic and teach you how to avoid them. When you finish this book, you should be able to display competence in the standards and care of telehealth as it applies to your profession, including, but not limited to, topics such as:

   • Security and transmission of digital data and information
   • Telehealth standards of care
   • Informed consent requirements for telehealth
   • Interjurisdictional practice issues (primarily within the U.S. but touching on issues in other countries)
   • Confidentiality as it applies to telehealth
   • Issues around disposal of data and information
   • Performing assessments with telehealth
   • Diversity issues in telehealth

   Since technology changes rapidly, chances are that some of what I say in this book may be outdated by the time you read it. However, mostly I’ll be teaching concepts. Once you understand the concepts, you’ll be able to make wise choices for using technology in your practice with whatever new thing comes along. Also, we’ll focus on solutions, not just abstract concepts. I want you to come away with action-oriented plans you can begin to implement right away.

   Last but not least, since combining technology and mental health is fun for me, I’ll do what I can to make it fun for you, too. It may not work, but I’ll try. Ready? Let’s go!

   Listen to the author read a modified version of the intro

2. What Exactly is Telehealth? Show/Hide

   Pre-COVID, we tended to define telehealth quite broadly—saying that it included any kind of technology or digital method that allowed us to provide behavioral health services at a distance. Technically, “distance” could be you and your patient sitting across from each other in your office using your phones or tablets to share documents. The key component was the fact that digital methods were being used either directly with or in communication about our patients. However, since COVID, the term telehealth is popularly used to mean conducting sessions (therapy, assessments, consultations, etc.) via video as opposed to in an office setting. Although that’s certainly a big part of what telehealth includes, it’s not all. Given that the laws and ethics that guide our professions apply to all aspects of telehealth as opposed to just video, this book will use the broader definition.
3. HIPAA Compliance

   1. HIPAA-Compliant Software? Show/Hide

      Some therapists mistakenly believe that if they use “HIPAA-compliant software” they’re in compliance with HIPAA. This notion is wrong for more than one reason.

   2. Encryption Show/Hide

      HIPAA does not require us to use encrypted email. Many therapists think it does, but it doesn’t. However, the zinger is that if we don’t use encrypted email and our email is hacked or compromised in some other way, the OCR can—and does—fine us.
   3. Business Associate Agreements (BAA)
   4. What is a Business Associate?

   5. Why Bother? Show/Hide

      A Business Associate Agreement generally has two important functions:

      • It makes the software company—not you—responsible for any breaches that occur as result of a problem with the software.
      • It forms a legal contract with you about how the company will manage your client’s data.
   6. You Might Want to Read Your BAAs
4. Telehealth: Video

   1. Do I Really Need HIPAA-Compliant Video? Show/Hide

      Some healthcare video platforms claim their products fall within HIPAA’s “conduit exception” which applies to entities that transmit Protected Health Information (PHI) but do not have access to these data.

      (…)

      [However, when] a company has given you a BAA, since they are on the hook if something should fail, they are much more likely to go the extra mile to make sure topnotch, end-to-end encryption in motion is used, as well as encryption at rest when feasible. Without a BAA, the company may not be as conscientious. Inferior encryption in a video platform can mean that unauthorized people may be able to view the video sessions you have with your patients. Using a product that’s not secure is a bit like conducting your session in a restaurant. Maybe no one else will see the two of you together, overhear the conversation and realize it’s a therapy session . . . but what if they do? Is that a risk you’re willing to take?

   2. Types of Video Software
      1. WebRTC
      2. Native Apps
      3. Best Practices for Achieving Good Quality Video Sessions
   3. User-Friendly vs. Safe
   4. Other Considerations When Choosing a Video Product
   5. Video Software Summary
5. Your Virtual Presence
   1. Lighting, Lighting, Lighting!
   2. Background
   3. Virtual Backgrounds
6. Practice Management Software
   1. Online vs. Desktop
      1. What is Cloud/Online Computing?
      2. Advantages of Online Applications
      3. Advantages of Desktop Applications

      4. Safety of Online Applications Show/Hide

         [Data] pulled in 2014 from the HHS Breach database indicated that 75% [of the breaches were] caused by either theft or loss. Only 7% listed the cause of the breach as an incident caused by Hacking/IT.

         In contrast, data pulled from the same database on Aug 6, 2020, indicated that the Hacking/IT category had risen dramatically to almost 87%. (…) 82% of email breaches were reported by healthcare providers.

   2. Setting Up a Telehealth Office
      1. Your Equipment
      2. Presession Considerations
         1. How Do You Want Your Patients to Contact You?
         2. Phones and Telehealth
         3. Encrypted Email

         4. Are We Shooting Ourselves in the Foot by Not Using Portals? Show/Hide

            When therapists first began getting portals 5 or 6 years ago, some clients were onboard right away, but others complained—they didn’t want to bother remembering a password and having to log in. Many therapists felt the same way. They preferred to just use regular email. However, since then, almost all physical healthcare professionals are using portals. People are getting used to portal communications as being the way to communicate with their doctors. In fact, a recent study of 433 American adults found that 93% of respondents said they prefer doctors who will respond to email (Wike, 2014). Anecdotally, I’ve known of cases where patients shopping for a therapist have chosen a therapist who has a portal over one who doesn’t—citing the fact that since their medical practitioners all use portals, they felt more comfortable if their mental health practitioners did, also. One client even extrapolated that since therapists not using portals didn’t seem to be keeping up with the latest technology, perhaps they also weren’t up to date in the latest treatment practices. Of course, this line of reasoning is certainly flawed. I personally know a lot of therapists who still prefer paper/pencil methods whom I feel are excellent clinicians. However, it does behoove us to consider the impression we’re making on our patients and prospective new patients and the conclusions they may draw. Personally, I would not feel comfortable if one of my physicians emailed me through regular email. Holding ourselves to a different standard than we hold our physical health colleagues may not be wise.
         5. Online Scheduling/Calendars
         6. Appointment Reminders
         7. Your Office Forms
         8. Presession Crisis Preparation
      3. The Session
      4. Postsession Tasks
         1. Writing Notes

         2. Efiling Show/Hide

            Even if you’re strictly a private pay therapist, there may still be times when you want to file out-of-network claims for your clients. Although some insurance companies still allow providers to mail or fax paper claims, doing so means that you must print out your claims. This can be costly, time-consuming, is not environmentally friendly, and, over time, can present storage problems. For these reasons, many therapists have switched to efiling for both in-office and telehealth visits.
            1. Efiling at the Insurance Company’s Website or Portal
            2. Efiling at a Clearinghouse
            3. Efiling with an EHR

         3. Processing Payments Show/Hide

            When considering payment processing, it is important to think about how to best streamline your workflow. For example, some therapists have one app for processing payments, something different to keep track of their clients’ balances, and maybe even a third app to gather the financial information they need at tax time. Although there’s nothing technically wrong with this, it means that you’ll have to enter the same data several times—once in each application or other system you use. This not only costs you in terms of time, but it also makes it more likely that you’ll make errors. Each time you enter the data in another place, whether it’s another software program or something you enter by hand, the probability of errors increases.
            1. Client Payment Processing
            2. Insurance Payment Processing
         4. Taxes and Other Financial Accounting
         5. Sending Digital Statements and Receipts

      5. Online File Storage Show/Hide

         Online file storage is a great addition to any healthcare practice, whether you are doing in-person appointments or telehealth. In most cases, online file storage can allow you to go completely or almost completely paperless, which means you can ditch your filing cabinets. With telehealth, online file storage becomes almost a must, in that most materials you get from your patients will be digital. It doesn’t make sense to print them to add them to the patient’s paper chart and destroy the digital version. That takes more time and money. It’s much better to have some kind of digital chart or folder for the patient that can hold all of their records in secure, online storage.However, it’s extremely important to get a file storage company that is HIPAA compliant and also that encrypts your files both in transit and at rest. This will make your patient files virtually unhackable and is generally considered to be safer than either paper records or any type of personal storage devices or drives you might use.
      6. Notes and Dictation
      7. Efax
   3. EHRs and Portals
      1. A Backward Look: Meaningful Use
      2. ONC Health IT Certified EHRs vs. Non-ONC Certified EHRs
      3. So . . . What is an EHR Really?
      4. The ONC’s Cures Act Rule, aka “OpenNotes”
      5. Some Hopeful New Directions

      6. A Deeper Dive into Non-ONC Certified Behavioral Health EHRs Show/Hide

         There are tons of advantages to bundling as much of your software as you can in one product, as is possible with EHRs:

         • All tools are encrypted and HIPAA compliant, plus you have one BAA for the whole thing.
         • There is less data entry because of dropdown interfaces, plus previous entries being “remembered”
           for the next time you do the same task.
         • Tools are synced (i.e., if your patient moves or gets a new phone number, you enter it once and all
           tools update).
         • Getting bundled tools in an EHR is typically less expensive than procuring each tool separately.
         • With an EHR, you only have one program to learn.
         • There is better risk management since everything’s in one place.
         • For similar reasons, writing up your HIPAA Security Policy is easier (we’ll discuss this later in the HIPAA Security Rule section).
      7. The State HIE Cooperative Agreement Program
7. Insurance and Billing
8. Legal and Ethical Issues
   1. Risk Management
      1. Telehealth Informed Consent
   2. Originating Sites and Interjurisdictional Practice Issues
   3. Performing Assessments With Telehealth
   4. Diversity Issues in Telehealth
   5. General Ethical Issues
      1. Resolving/Reporting Ethical Violations
      2. Competence
      3. Retention of Records
      4. Recording Video (or Phone) Sessions
      5. Interruption of Services
      6. Security and Transmission of Data
   6. Implementing HIPAA

      1. Intro Show/Hide

         A common misperception is that if your client says they don’t care whether you use HIPAA-compliant video/email/texting/file storage, and so on, then it’s ok not to. This is not true. Only the governing body that made the law in question can suspend it. (…) An analogy would be if you’re driving your car and your passenger says you don’t have to stop for red lights. You would know that’s not true. Following the rules of HIPAA is the same. Your patient might not care, but the federal government does.

         (…)

         [T]o help you get into compliance, start by developing your story (i.e., if you get audited, what would you say? What’s your story?). If there are holes—places where you are not yet compliant—include that in your story with an explanation (i.e., “I haven’t yet instituted x because of y, but here is my plan for how to do so and I anticipate having it finished by x date”). That story—though admittedly not 100% compliant—is a lot better than things like:

         “Oh. I didn’t know I was required to do that.”

         or

         “I knew I was supposed to do that but I just haven’t.”

         Either of the last two answers above will risk getting you fined for noncompliance. It’s important to realize that not knowing HIPAA is not an excuse. Part of what HIPAA requires is for us to know and understand the HIPAA law as it applies to us.

      2. State and Local Laws

      3. The HIPAA Privacy Rule Show/Hide

         The list below will serve as our “Privacy Rule To-Do List.” We will consider each of these separately.

         • Create a Compliance Repository
         • Implement Privacy Policies and Procedures
         • Appoint a Privacy Officer
         • Provide a Notice of Privacy Practices
         • Train Your Workforce
         • Implement a Compliant Process
         • Document Compliance Procedures
         • Possess and Apply Sanctions

      4. The HIPAA Security Rule Show/Hide

         The purpose of the Security Rule is for us to think through and document exactly how we intend to secure each item of PHI with which we come in contact. Just as we did for the Privacy Rule, we’ll create a “Security Rule To-Do List:”

         • Perform a Risk Assessment
         • Create a PHI map for your office
         • Inventory Your Equipment
         • Develop a Plan to Secure Each Piece of Equipment
         • Develop a Plan to Secure any Paper Records You May Have
         • Implement Your Plans
         • Make Sure You Have Backups
         • Develop a Contingency Plan for Emergencies
         • Create a Security Policy for Your Practice

9. Summary
10. References