HIPAA 101 for Therapists and Teletherapy

Dr. Roseann Capanna-Hodge


As therapists, we all know the importance of keeping patient information private as part of our duty to maintain patient trust and therapist-patient privilege. However, as more therapists embrace teletherapy, whether out of an immediate need such as COVID-19 or a desire to expand their practices' reach, they need to consider the potential Health Insurance Portability and Accountability Act (HIPAA) concerns. Technology needs to be HIPAA compliant, and, unfortunately, therapists are ultimately responsible under the HIPAA Security Rule and Privacy Rule for ensuring the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that their technology stores, transmits, and collects.

What do you need to know about HIPAA?


At the most basic level, HIPAA applies to healthcare practitioners, including therapists, as well as any third-party considered a business associate. Navigating HIPAA, particularly as a sole practitioner using technology for the first time, can be overwhelming, but by breaking down some of the definitions, we can make it more manageable. 

Electronic Protected Health Information (ePHI)


Protected health information (PHI), and by extension electronic protected health information (ePHI), falls into 18 distinct categories defined by the Department of Health and Human Services (HHS), but traditionally includes data such as:

  • Name
  • Dates (birthdate and treatment dates)
  • Contact information (phone number, fax number)
  • Location (street address, zip code)
  • Web contact information (email, IP address)
  • Identifying information (social security number, driver’s license information)
  • Physical identification (pictures, fingerprints)

As you move into teletherapy, some of the more difficult information for therapists to protect might be things like IP addresses (the unique identifier of a patient’s internet connection). In this case, when choosing a teletherapy technology, you want to make sure that the vendor has controls to protect this information. 

Business Associate (BA) For Therapists 


You probably already have business associates (BAs) connected to your practice. A business associate is officially defined as a person or organization whose functions or activities involve the use or disclosure of PHI on your behalf. Some examples of business associates include:

  • Healthcare providers
  • Health plans
  • Claims processing
  • Data analysis
  • Billing
  • Practice management

Some traditional services that BAs provide include:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial

For example, if you’re using QuickBooks for accounting and storing your data in the cloud rather than on your personal device, that application is considered a BA because it may include ePHI. Another example would be any scheduling tool you use, since you have it connected to your internal records and likely have the patient’s name and telephone number together.


Privacy Rule For Therapists 


The HIPAA Privacy Rule addresses the need to balance sharing PHI and ePHI in order to provide the best possible care with the need to protect patient privacy. The most important part of the Privacy Rule is giving patients control over how you use their information, with whom you share it, and when you share it. 

You probably already provide patients with the notice required by the Privacy Rule to opt in or out of information sharing. However, some sharing is allowed regardless of the patient’s consent. This includes:

  • Treatment: any services that help provide, coordinate, or manage treatment including consultation between providers
  • Payment: any data sharing required to obtain payment from patients or reimbursement from insurance carriers
  • Healthcare operations: quality assessments such as case management, competency assurance activities, medical review, audits, or legal services, business management and general administrative activities.

In short, much of the practice and administrative work involved in caring for your patients allows you to share information, but while you can share it, you need to make sure that all people or organizations with whom you share it maintain the right privacy controls. 

For example, if you share patient information with a healthcare insurer, you are, at least theoretically, required to make sure that the insurer maintains data privacy. As you move into the teletherapy space, your teletherapy vendors need to also maintain privacy controls or else you can be considered part of the problem if a data breach occurs. 

Security Rule For Therapists 


The Security Rule differs from the Privacy Rule in that it focuses less on patients being able to control their data and more on how well you’re protecting it from cybercriminals. For many therapists, the Security Rule can feel more overwhelming than the Privacy Rule. 

When thinking about the differences, you want to focus your Privacy protections on who can see information and how they use it. When looking at Security, you want to focus on how well you’re preventing data theft. 

A good example from the beginning of the COVID-19 stay-at-home orders is the Zoom data breach risk story that broke in March 2019. When therapists needed a way to talk to their patients by video chat, they used the free version of Zoom because it’s easy to use. However, within a few weeks, cybercriminals and pranksters were interrupting calls because Zoom wasn’t ready for the rapid, large-scale adoption of its platform.

Choosing the Right HIPAA Compliant Teletherapy Tool for Your Practice


Whether you’re new to teletherapy or not, choosing a technology can be stressful when you’re trying to also keep pace with compliance requirements like HIPAA. As you work to bring new technologies into your practice, you want to think about the different HIPAA concerns that come with them. 

To help you work through your process, we’ve created the Teletherapy Technology Checklist and the Teletherapy Vendor HIPAA Due Diligence Checklist so that you can make sure you’re using the right technology while also protecting your patients to the best of your ability. 

To learn more about what technology therapists need, check out my blog that dives into what technology every therapist should have.

For more information about how to add to your teletherapy practice and have access to 180 therapeutic techniques, check out my book, Teletherapy Toolkit™

Looking for ways to engage children and teens in teletherapy? 

Watch my FREE webinar for therapists, school counselors and professionals, and psychologists, HERE.


“Changing the way we view and treat children’s mental health.” Dr. Roseann

Ⓒ Dr. Roseann Capanna-Hodge & The Global Institute of Children’s Mental Health




Dr. Roseann is a Children’s Mental Health Expert and Therapist who has been featured in/on hundreds of media outlets, including CBS, NBC, FOX News, PIX11 NYC, The New York Times, The Washington Post, Business Insider, USA Today, CNET, Martha Stewart, and PARENTS. FORBES called her “A thought leader in children’s mental health.” She is the founder and director of The Global Institute of Children’s Mental Health and Dr. Roseann Capanna-Hodge. Dr. Roseann is a Board Certified Neurofeedback (BCN) Practitioner, a Board Member of the Northeast Region Biofeedback Society (NRBS), a Certified Integrative Medicine Mental Health Provider (CMHIMP), and an Amen Clinic Certified Brain Health Coach. She is also a member of The International Lyme Disease and Associated Disease Society (ILADS), The American Psychological Association (APA), Anxiety and Depression Association of America (ADAA), National Association of School Psychologists (NASP), International OCD Foundation (IOCDF), International Society for Neurofeedback and Research (ISNR), and The Association of Applied Psychophysiology and Biofeedback (AAPB).

© Roseann-Capanna-Hodge, LLC 2021
