I told you guys that in March, I attended the American Counseling Association’s annual conference in Hawaii. That’s where I had an opportunity to meet face-to-face (for the first time) my colleague and e-friend, Roy Huggins. You guys probably know him as the Licensed Professional Counselor behind Person-Centered Tech but I think of him as “My HIPAA and Security Guru.”
I actually showed up to his workshop at ACA out of respect and admiration for the work he has done in our field to make HIPAA rules more accessible rather than out of sheer interest in the topic. Dopey me!
Let’s just say . . . that never in my wildest dreams would I have expected My HIPAA and Security Guru to be warm, engaging, client-focused, and interesting when discussing HIPAA. And, I swear he really IS all of that and more!
That’s exactly why, I’ve invited this geek-turned-Licensed-Professional-Counselor to tackle some of the many ways that we mental health professionals put ourselves and our clients at risk by stumbling over HIPAA and security issues in our private practices.
It is my honor today, to formally introduce you to Roy Huggins, LPC as he begins to chip away at HIPAA myths.
(If you are interested in writing a guest post, check out the guidelines here.)
______________________
A Guest Post by Roy Huggins, LPC
(This is the first of a 5-part series.)
Let’s see some hands: who got into therapy because they love practicing risk management?
Anyone?
Hmm . . . doesn’t look like it.
Okay . . . I’ll try a different one.
Who enjoyed their graduate school class on information system security and HIPAA compliance?
Nobody had one?
Wait . . . . I didn’t either.
Well, I know that one thing we did all get, and that we all do pretty well, is professional ethics.
And, the ethical principles that guide anyone who is likely to be reading this post include not only the tried and true principle of nonmaleficence (“do no harm”), but also beneficence (“do good”).
And isn’t it strange that we learn in school that our ethics are oriented on caring for our clients i.e. don’t hurt them, make sure you’re helping them.
When we learn about risk management, however, a lot of the time we get a conflicting message i.e don’t get in trouble, say “no” to client requests (and your own ideas) that may bring trouble.
Disaster-oriented risk management (cousin to fear-based ethics) is most able to creep into our practices when we feel vulnerable and unsure.
In the time I’ve spent teaching technology / HIPAA and general counselor ethics, I’ve found that a lack of knowledge about information technology (because we didn’t attend computer science programs to become therapists) combined with conflicting information about HIPAA tends to drive mental health professionals towards that disaster-oriented risk management, sometimes causing us to unnecessarily misattune to our clients or even spend money we don’t need to spend.
That’s why I’m helping you break down 3 commonly held myths about HIPAA beginning with my next post. In the mean time, drop in below to let us know how you see technology, ethics, and HIPAA fitting into your own practice!
Here is where you can find part 2 of HIPAA Compliance Myth Busting – Emails, Texts, & Smart Phones (series).
_______________________
About the Author: Roy Huggins, LPC NCC is Director of Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. Roy is a programmer-turned-Counselor. He’s Tech Chair for the Oregon branch of ACA, on the Zur Institute advisory board, and teaches at Portland State University’s Counseling program.
I’m anxious to see where this conversation goes. Sometimes I feel like I’m in the minority when it comes to understanding that most e-mail is not confidential (for anyone who hasn’t heard of this yet, Hushmail is confidential when it is sent to and from a Hushmail account). Okay, I’ll admit it: I like talking about HIPAA and I love it when new software becomes truly HIPAA compliant and willing to sign a Business Associate Agreement.
Ahhhh, Lauren! You’re going to love Roy, if you don’t know of his work already. I can say I HATE talking about HIPAA – or at least I did until Roy came along and started talking about it from a client-centered and more human approach. Can’t wait to hear your thoughts. And, stay tuned! He’s got a sweet little bonus at the end of this series!
Tamara, you make a very good point about needing to look at the human side of HIPAA compliance. I’m very fortunate that the supervisor I worked with for my LPC hours was linking EVERYTHING to ethics. Now, to be clear, I followed the ACA Code of Ethics before that. It’s amazing how many small ethical decisions we make every day. Before I started working with him, I knew that e-mail was not HIPAA compliant, but I didn’t understand why. A short discussion clarified that and I saw the enormity of the problem.
One of the things that helps me to stay interested in HIPAA compliance is the idea that I always like to know about the why and how rather than just “do this because this agreement says so.” It has always helped me to look at the big picture because it shows a lot about how HIPAA really does affect clients.
Lauren, it wasn’t me that originally tied HIPAA to ethics and therapists’ desires to do what is / was in the best interest of clients; I’m embarrassed to say that never even occurred to me! But, it was Roy – who spent 6 whole hours (!) connecting the dots in a very client-centered, non-apologetic, ethusiastic training he offers called Digital Confidentiality According to Professional Ethics and HIPAA: A Heart-Centered Approach.
You were lucky to have a supervisor who linked your work to ethics so consistently. That’s exactly what new professionals (and more seasoned professionals, too!) need because, of course, as you point out, we make judgement calls all day long every day.
Yay, I’m not the only one who likes to talk about HIPAA!
I also use Hushmail for secure email. In the next post you’ll see my take on normal old email, too. 🙂
Great, Roy! Now what I want to know is how do I respond to someone once they’ve used my nifty (hushmail) secure contact form?
–John
Hi, John! Welcome to Private Practice from the Inside Out! By your question, I take it that you’ve already started using Hushmail. What do you think so far? Was it easy to set up?
Yes, Tamara, I’ve started using Hushmail. It’s inexpensive. They’ll sign a Business Associate Agreement (BAA), which I’m sure Roy will be discussing. They provide a secure contact form that can be incorporated on your website. I found it relatively easy to set up with one quick phone consult with my site host. For clients it’s even easier and free, as long as they use their Hushmail account at least once per month.
Now the downside of the secure contact form is that messages to me are encrypted, but messages from me to their regular email address are not. I have some ideas to handle that, given the 2014 ACA Ethics Code and “prospective” clients. I’m anticipating Roy’s input as this series continues.
yes, I’ll be interested in hearing about this, too, John, because I was under the impression that clients also had to go to the trouble to unencrypt on their end, too. Have you, by chance, gotten feedback from any of your clients who use it? I’m curious about their experience and if they find it a hassle to use.
Tamara: John is talking about a form on his website that lets clients send secure messages to him. It looks like this: https://forms.hush.com/pct
The form is one-way. They send messages to us. It’s very handy, but doesn’t create any opportunity for secure reply. With current clients, this is easy to overcome. The challenge is with prospective clients, for whom the initial contact is your only contact. So you may not know their phone number and you certainly haven’t had a chance to discuss communication methods with them yet.
John: the challenge is to create the form so that it collects the phone number of the prospective client. I had such a form on my website for a long time, but it started to get an avalanche of comment spam. So I’ve temporarily switched to the form I linked above.
Thanks, Roy, for sharing your form and distinguishing between that and the one-way form. I’m betting that there are lots of us who were not aware of that difference.
Thanks, Roy, I think the customized form is the way to go. I’ve already received spam from the generic and free form.
I’ve just put the secure contact form up, Tamara, so there’s no data on that yet. Two clients I’ve sent an encrypted message to have not responded. Two colleagues have responded, going the required extra step for encryption. What I plan to do is give a one page handout to clients explaining the process. Then I’l be in a better position to assess. It’s not difficult but does require some extra time. My *guess* is that most clients won’t bother.
Thanks, John, for letting us know what your experience has been!
John, I’ve found that clients will go for it when we intentionally talk about using secure email to communicate about non-business stuff. People want to use “their” systems for logistical matters but are usually happy to use “my” system for matters that relate to care between appointments. We set up a password together and make it meaningful. We talk about the differences between checking in and doing online counseling. Etc.
That said, I’ve talked to colleagues who say their clients happily use the Hushmail rigamarole for all their little communications. So I’m also interested to hear how your experiment goes!
Roy, you make it sound as if you’ve had this same conversation with so many different clients that you now basically have almost a script of sorts to address these things.
Yep, I do. 🙂
Hi John!
Hushmail offers an affordable business level of service that allows you to customize a form and place it on your own web site. This provides the opportunity to not only collect a clients phone number, but a password that you can use to reply to them securely. I’ve helped several mental health providers implement this on their site. You can see it in action on my site: http://www.robreinhardtlpc.com/contact.html
Looking forward to your series, Roy!
Hi, Rob! It’s so nice to have you drop in here! Roy was just singing your praises to me a couple of weeks ago. I so appreciate you taking time to drop in and join the conversation!
Hey, I hear we may have an opportunity to meet in Orlando next March at the American Counseling Association’s 2015 annual conference. Hoping yours and Roy’s proposal gets accepted to present (and mine, too)!
Hi Tamara,
If you’ll be there, we can drop the “may” and make it happen. I’m pretty sure I’ll be there, presentation accepted or not. Obviously, it would be better to meet up as Presenters, but let’s plan to do so either way.
Excellent, Rob! That will be a treat! (And, who are you kidding?! Of course, your proposal is going to be accepted! As you can tell from the response to Roy’s post here, there’s a huge need for the info, and very few well-versed enough to provide it. I’m looking forward to it!
Hey, I noticed you don’t have a gravatar here:( Now, I know you are a geek so surely you know already . . . But just in case you forgot, here’s a little tutorial on how you can set up your own tiny little picture of you 🙂
Thanks, Rob. As I mentioned to Roy above, I think that’s the way to go. Even though I request folks to include their desired password at my site, they might not do that and I still don’t have their phone number.
John, I use an individual Hushmail account rather than a contact form, so I’m not familiar with exactly what you are asking, but I don’t know whether you have seen the information here: https://forms.hush.com/f/help/ . It doesn’t seem to specifically address your question, but maybe if you log in, you’ll get different information. I do know that the Hushmail customer service has always been helpful. I hope you’ll let us know how it all works out!
Thanks, Lauren! Then perhaps, you (and anyone else who uses it) can also share info about your clients” experience using Hushmail?
Tamara, I don’t really have a lot of clients who use it to communicate with me. I use it more to exchange information with the office when necessary. When I have offered it to clients, they have usually elected to continue using their own e-mail even though they understand that that is not confidential and I cannot respond to those messages. They choose to do that anyway just so I receive information.
While I know that this is not the subject of this post or series, I must also mention that offering availability to clients via confidential e-mail can be a wonderful way for them to ask for a resource or something, but it can also be something that would lead to a lot of therapeutic conversation that cannot be billed. There would need to be boundaries in place if it was to be used frequently.
Lauren, you make a good point. And, that whole issue of boundaries is, I think, one of the most difficult for new therapists, in particular, to get.
Lauren, that is a big topic of discourse around email, texting, etc — how much clinician time should it take. This is one of the reasons why a communications policy (often lumped in with a social media policy) is so useful and important. Set up with clients ahead of time how they can expect communications to go.
Hey, Roy, just want to jump in and say “thank you” so much for taking so much time to engage and interact with my community here! I know that you are crazy busy with both your counseling practice and your consulting practice. And, I also know that you really are quite passionate about making HIPAA more accessible to mental health professionals and also reframing the conversations around HIPAA to being, as they should be, client-centered.
Sure thing. 🙂
Thanks, Lauren, yes Hushmail support has been helpful.
I’m guessing that you encrypt the mail you send, which means clients either have to (a) have a hushmail account or (b) provide the right answer (password) to a question. I suppose that’s what I’ll have to do for an inquiry via my contact form. I might change the text on my site to request folks include a desired password in their inquiry.
How do you sign up for this website.
David
Hi, David! Welcome to Private Practice from the Inside Out! You can sign up to get updates by email right here.
I always get something from your blog Tamara – new ideas, clarifications, and chuckles (lots of the latter)! I am grateful that you have invited Roy to write a series on HIPPA (oops I mean HIPAA).
After working for agencies I am venturing out on my own and there are so many details that I have to sort out – fee structure, accepting insurance vs. not accepting insurance, credit card transactions, new client registration forms, forms, more forms, and oh-my-word-I-should-probably-have-a-form-for-that moments! So, this series comes at a perfect time to provide some much needed, rarely appreciated, down to earth info about a very serious topic.
Now that the ACA has updated our code of ethics to include social media and electronic communications, it is a great time to pair ethical standards and legal standards of “that H-word” so we can feel confident that clients are informed and protected, and we can dream of other things at night than the dreaded H-Police showing up at the office door (waving one of my inadequate, 10x revised, office forms!).
Signed, me the H-Hater therapist
Sorry, Roy and Lauren, “how does that make you feel?” 😉
Hi, Kathi! Thanks for dropping in to chat this morning and say such nice things! My clients say the same thing about the chuckles – and often at my expense! 🙂
Congrats to you on opening your private practice! If you put terms like “fees,” “insurance,” “managed care,” and “office policies” into the little (green and white) search box in the upper left corner of the sidebar on this page, you’ll pull up lots of resources and info to help you out. You are making me chuckle at those “10x revised office forms” because that’s exactly how most of us spent the first 10 years of our practices!
I notice that you are located in one of my most favorite parts of the country – those beautiful Appalachian Mountains of North Carolina! I hope to make it there next year to work with a bunch of you guys! In the mean time, I hope you’ll be dropping in to chat often with us. I look forward to supporting you on your journey!
Tamara,
I look forward to learning and sharing along the way. Thanks for the trail blazing you have already done. I have been reading your blog for several months and have avoided several pitfalls due to following your guidance.
The western mountains are nice almost any time of the year. You should put the Henderson County Apple Festival on your calendar it falls on the weekend of Labor Day. Lots are great things to see and do in Hvl, and very close to all the great things to do in Asheville. If you get this way, let me know!
Ooooh, Kathi! You’re making me homesick (for Avery County:)
I am so glad I’ve helped you avoid some of pitfalls. I’m curious . . . . Care to share? (And, “trail blazing!” I’m so loving that!)
Kathi, I couldn’t help but smile at your response. Believe it or not, paperwork is not my favorite part of my counseling career, by any means. Actually, what I am talking to kids who don’t want to do their homework, I usually use that as an example of having to do something I don’t particularly enjoy.
I also know that these forms with multiple revisions are there to protect us and our clients. Usually, when I revise a form, it’s because I have learned something new. To me, it’s pretty similar to how I’m always adding to my collection of psychoeducational handouts or checklists to use with clients. When I work on coping skills with clients, I’m giving them choices of tools to add to their toolbox. When I revise my forms, I’m adding to my toolbox.
Just in the interest of being totally transparent, while I have a lot of forms created that I hope to use in a private practice at some point in the future, I’m really happy with my other two counseling positions where I’m working right now and the hours are very fluid, so I haven’t done anything with my practice and I probably won’t for quite a while.
I know that you mentioned that you don’t really enjoy talking about this, I have to say that your participation in the discussion tells me that there might be some corner of your mind that thinks otherwise. 🙂 I wish for you a thriving practice.
Thanks! Lauren,
I look forward to hearing more from you and about you. (Secretly, you are right. I used to be a compliance officer in a former life!) ARRGH!! Don’t spread that around or it might ruin my ability to whine about following the rules. 😉
It makes me think of the question of why we would engage in security planning in our practices. One reason to do it is for compliance with HIPAA and our ethics codes. This is generally a stressful motivation for most therapists and a lot of people will become avoidant or even angry when faced with it.
What if we thought about security in our practices as something we do to keep safe our relationships with clients and to keep safe the clients themselves? In grad school, we still are not being taught about “security” as a general ethical, legal and practical concept. If HIPAA compliance is the only major motivator we feel to learn about and enact security in our practices, I don’t think we’ll get too far with it. 🙂 We need to think of security as something we do for our clients and ourselves first and as an issue of legal compliance second.
I suspect that’s how you’re addressing it in the classes that you teach at the Portland State University so at least some of the new therapists coming out are starting to understand HIPAA in a whole new light. I love this reframe!
Yes, I definitely present that model to them. It’s quite nice getting to them while they’re still learning the counseling ethics models fresh. 😉 All of them seemed to be able to grasp and use the concept just fine, regardless of age or tech savvy.
Thanks, Roy, what a great approach! I address HIPAA in the college classes I teach, including the new ACA requirement (2014) to treat “prospective” clients with the same level of privacy and security as established clients, something a number of my colleagues don’t mention. I like your approach of protecting the relationship rather than merely CYA.
Hey, John, where is it you teach?
Tamara, I teach at several satellite locations (Greater Cincinnati) of a small college in Columbia, KY, Lindsey Wilson College School of Professional Counseling.
John: nice to know some of us are spreading the word at the grad school level. 🙂 Don’t forget the ACA requirement that we “urge clients to be aware” of security risks in email, texting, etc. That’s a much higher threshold than what HIPAA requires.
I am new to private practice and I am trying to learn how to encrypt email content in order to keep material confidential. Any tips on programs to use or how to do that???
Hi, Brookes! Welcome to Private Practice from the Inside Out! I’m definitely not the one who can address this for you but perhaps Roy or others here can do so. It’s definitely a question that has been brought up before.
Hi Brookes.
You wouldn’t be able to encrypt your existing email service, but you can get an email service that’s capable of encryption. The problem is that your client has to also have an encrypted email service in order to easily and cleanly exchanged encrypted emails.
I have some info about encrypted email services here: http://zurinstitute.com/hipaasecurity_resources.html#email
Brookes, I began to explore this several months ago to develop a simple, teachable system for clients. My son and I both went to GPG Tools (Mac-based) and downloaded their tools. Still, it took us two fairly tech savvy guys a good half hour, texting back and forth, to get it operable. For the average client, forget it!
You and your clients could each set up Hushmail accounts, and they offer a free secure contact form for your website (at least if you’re a business client). I’d also check the services Roy mentions.
This is such a hot topic and is incredibly relevant for an increasing digital culture. I can appreciate the client centered approach, as I agree, everything to this point has been mostly fear governed and based. Excited to track with this series. Thanks Roy! And thanks Tamara for always touching on such relevant topics.
You’re so welcome, Erica! I so appreciate having your voice in the conversation!
Thanks for saying so, Erica. 🙂 I think the mental health professions need to “take ownership” of digital tech and security and find our own ways to conceptualize and use it well. We were pretty golden when HIPAA first came around because we’ve always done privacy better than any other health care field. I think we can do the same with security if we try.
That’s so true! I cringe when I go to my primary care doc and hear my name, finances, and prescription meds being talked about within earshot of others! It drives me CRAZY!
Tamara, you really brought this home for me. When I was a young married woman, I found out that my best friend was pregnant while I was waiting to “check-out” at my doctor’s office! As I stood at the window, the nurse was seated near the receptionist, and made 4 or 5 of these happy announcements. Can you imagine?
Oh, my goodness, Kathi! Well, the odd part of this for me is that in 54 years, I’ve never seen one physician’s office take half the care that we mental health professionals do with a client’s confidentiality! It’s shocking to me! I don’t know if physicians just don’t get trained in this aspect of care or if they simply fail to monitor and train their staff. I marvel at how rarely you hear (ever?!) that they have been sued for malpractice due to a lack of confidentiality. I don’t even think the general public is aware of that expectation!
Perhaps some of the psychiatrists and nurses that hang out in our community here can speak to this issue?
Tamara, you make a startlingly accurate point. I wonder if any of this has to do with the fact that receiving medical attention is still so much more socially accepted than seeing a therapist. I mean, it’s widely accepted that everyone goes to the doctor and there doesn’t seem to be any problem with anyone who goes to a specialist either. Perhaps it is related to the fact that most mental health concerns are invisible challenges, like we were discussing a week or so ago?
I don’t regularly discuss shame related to coming in to therapy, but if I took a poll about who would be okay with the idea that they were in therapy being mentioned in a public forum, I would be surprised if the number of affirmative responses was more than 15%.
I know what you mean, Lauren. I work with pockets of clients that I don’t think bat an eye at saying “I have a psychotherapist;” and, then I work with other pockets of clients that I think would cut off their tongue before they would publicly make such a declaration.
And this discussion is really relevant for part 2 of the series! 🙂
Those clients who wouldn’t bat an eye — would they be concerned about Internet interlopers intercepting an email talking about appointment times? Those who are concerned about the stigma may have a different view of that — or maybe not.
Hi there. I know I have a lot to learn on this issue. The things that I do so far is to use an encrypted email program and an encrypted cloud based EMR program. My files are double locked (file cabinet locked and office door locked) and whenever there is anything with a clients name or initials on it that I do not intend to keep, I shred it before leaving for the day. I think a problem for me is phone numbers in my phone. My phone is password protected and I do not put real names in my contacts, but I know there is more. Anyone have any hints on that one?
Linda, I love that you have thought beyond the cursory and common security considerations of emails and texts to actually assess the risks related to telephone numbers and more. Thank you! Roy’s class, that you’ll hear more about in the next two weeks, addresses this nicely.
I’m really looking forward to it, Tamara!
Tamara is right about my webinar (thanks, Tamara. 😉 In the meantime, there is a lot of great info on security for smart phones in the free resources page for one of my online courses here: http://zurinstitute.com/hipaasecurity_resources.html#mobile
That page is free and open, BTW. No need to buy anything or sign up for anything to use it.
Hey, Linda, I think we’ve discussed some of this in another forum. If I put a client in my personal schedule (which syncs desktop, laptop, iPad and phone) it’s first name only. I don’t put client info in my address book. It’s stored on my practices secure site. My portable devices can be wiped at a distance if necessary, and automatically wipe at 10 failed password attempts.
Hi John…you’re right! The only thing that concerns me, and I haven’t figured out what to do about, is that I was taught by a HIPAA specialist when I worked for an agency that we couldn’t even put an initial and a phone number into our cell phones. That seemed absurd to me, but I have been “very slightly” worried about it ever since. 🙂
Linda:
Interesting that the specialist said you “can’t” put them in your phone. HIPAA has very few “can” and “can’t” points.
If I put initials and phone numbers in my phone (which is exactly what I do 🙂 ), it simply means I have protected health information (PHI) on my phone, and I need to keep risks to that PHI at a reasonable and appropriate level. So I simply regard my phone as a device that needs to be kept secure. I include in my ongoing thoughts and considerations around risk analysis, and otherwise I do my job. 🙂
Hi Roy. My sentiments exactly. My phone is password protected and I use initials. I need to see if a client is calling me, especially after hours. The only way to do that is to have that contact in my phone. I think it’s a higher risk for a client if I am not answering my phone because I think it’s a telemarketing calling. LOL.
Hey, John, thanks so much for actually sharing some of these details. While this may be commonsensical to some of you guys, I think many therapists are so out of the loop on this level of security that we / they don’t even know where to begin. It’s helpful to have you (and others) spelling out your security practices and pointing out the risks that you are aware of.
Hey, gang! If you haven’t already signed up for Roy’s excellent newsletter for Person-Centered Tech, you really ought to! I just got his latest one this morning and he’s offering a great way to do a risk analysis for HIPAA. (And, THAT is Step #1 to protecting your clients and protecting yourself!)
Here’s where you can go to sign up for his newsletter – http://www.personcenteredtech.com/get-our-articles-and-updates-by-email/ .
Oh! That’s great! Already signed up!
Thanks, Tamara. 😉