Guest blogger and my HIPAA and Security Guru, Roy Huggins, LPC, kicked off this series on Thursday by pointing out some of the mixed messages we get when discussing our need for HIPAA compliance. Today, he’s back to continue the conversation by pointing out some of our missteps around technology, ethics, security, and mental health.
______________________
A Guest Post by Roy Huggins, LPC
(This is the second of a 5-part series.
The series begins here.)
Obviously, your state may have its own rules [related to security and technology] that you are required to follow. And, of course, these security issues are more complicated than a couple of paragraphs can fully cover. Still . . . there are things you need to know about HIPAA.
MYTH #1: “HIPAA says I cannot send emails to clients (unless they’re encrypted)”
THE TRUTH: The only place any of the HIPAA-related laws directly addresses email is the 2013 HIPAA Omnibus Rule, where the authors “clarify” that clients can opt to receive unencrypted emails from us if we first inform them of the risks of email and they still want them.
This speaks to two important things about HIPAA:
- First, it doesn’t prohibit or endorse any specific technology or communications medium. Rather, it states that security risks in the tech we do use need to be reduced to “reasonable and appropriate” levels, and provides some relatively broad guidelines for doing so.
- Second, HIPAA is strongly in favor of client autonomy. In fact, our codes of ethics (and, sometimes, state laws) are much stricter than HIPAA, and go much further in asking clinicians to question their clients’ decisions regarding their own confidentiality.
What if your client decides that the confidentiality risks involved in email are low enough to be acceptable?
That federal law we call HIPAA gives them the power to make that decision.
There are caveats and processes involved here, of course. (Is that ever not true?) For further reading check out:
- Clients Have the Right to Receive Unencrypted Emails Under HIPAA
- To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That is Surprisingly Complex
- Emailing and Texting Security vs. The ACA 2014 Code of Ethics
And, when you finish reading these posts, I hope you’ll drop back in here to tell us how you’re feeling and what you’re thinking about emailing and texting in your own practice. Let’s get this conversation started!
Here is where you can find part 3 of HIPAA Compliance Myth Busting – Emails, Texts, & Smart Phones (series).
_______________________________
About the Author: Roy Huggins, LPC NCC is Director of Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. Roy is a programmer-turned-Counselor. He’s Tech Chair for the Oregon branch of ACA, on the Zur Institute advisory board, and teaches at Portland State University’s Counseling program.
Lauren Ostrowski, MA, LPC, NCC, DCC says
Thanks for this information. I didn’t know that most counselors had the choice to explain the risks to clients and let them make the decision. At the same time, I’m looking at the NBCC Provision of Distance Professional Services document, which states “NCCs still using Scripture and security for all digital technology communications of a therapeutic type.” Now, I know that this is in a document that applies to individuals doing distance counseling, although it states that it applies to NCCs, and does not mention that it applies to just Distance Credentialed Counselors (DCCs). For those of us with a certification in distance counseling, it still seems best to use encryption for therapeutically sensitive messages, even if the client elects not to do so.
I do also agree with your idea of replying to a message by deleting client-sensitive content if you have no other choice. I have done that before as well.
Roy Huggins, LPC NCC says
Lauren,
Yep, that’s one of those caveats. My licensing board has the same restriction. So I only use ordinary texting and email for administrative matters.
I have a lot to say about overarching bodies like NBCC and licensing boards removing those decisions from clients, but I think it’s all part of the process of our professions’ development.
Tamara Suttle says
That’s funny that you say that, Roy, because that’s part of what I hate about HIPAA – asking clients to sign a blanket form giving permission to share their health care info rather than getting permission each time they want info released to another health care professional. I still request my clients to give written permission each time they want records shared.
Roy Huggins, LPC NCC says
Well, HIPAA is happy to have you do it that way, too. 🙂 “Authorization” for release of information as defined by HIPAA has the client specify exactly what is authorized to be released, to whom, and for how long. You can design release forms using that formula that assume the client will need to release every time you need to communicate with someone else about their care.
Tamara Suttle says
Hey, Lauren, thanks so much for noting that different credentials may require different thresholds of security practices. When in doubt, opt for the more conservative standard (but know that when Codes of Ethics differ substantially, you may need to relinquish a credential and / or membership in order to stay out of trouble with one of the organizations. I’m not thinking about security issues here so much as other standards.)
By the way, what in the world does “. . . still using Scripture . . . ” relate to? Are they referencing Biblical scripture or something else?
Lauren Ostrowski, MA, LPC, NCC, DCC says
Yikes! I use voice recognition software to operate the computer and was in a hurry this morning and didn’t proofread. What I said was “NCCs shall use encryption security for all digital technology communications of a therapeutic type.” Had nothing to do with Scripture and everything to do with encryption. Sorry!
Tamara Suttle says
[Snort!] Oh, my goodness, Lauren! I was thinking “Since when does NCC talk about ‘scripture?’” Hahaha – so funny! And, it never even occurred to me that you might have meant “encryption!”
Camille Scent says
Too funny! Thanks for getting the clarification, Tamara – I was sooo confused. But of course now everything makes sense. 🙂
I have a question about what constitutes “therapeutic nature” for emails; would appointment scheduling fall into that category? This is one that I struggle with. I use Hushmail and always have the option to encrypt, but is that needed if the only content in the message is of a scheduling nature?
I also wanted to ask you, Lauren, about the DCC training/credential. It seems it is not being offered anymore? Do you know what’s up with that? You seemed to indicate that there is a different set of ethical guidelines for a DCC than an NCC; is that correct? Don’t the distance counseling ethical guidelines apply regardless of whether you’re certified?
Thanks! – and thanks for this discussion – great topic!
Roy Huggins, LPC NCC says
“Therapeutic” communications vs. “administrative” ones is an emerging distinction that can be difficult to differentiate. Generally, administrative would mean discussions of scheduling, billing, and perhaps things like arranging for forms to be filled out and submitted — in other words, items that directly relate to “health care operations.”
For us, the distinction is fuzzy because we see all communications we have with clients as being clinically relevant.
Tamara Suttle says
Oooooh, that’s interesting! For the life of me, Roy, where in the world would one find such conversations “emerging?” (Can you tell I’m laughing at you right now?) I assure you, I’m a bit of a talker and I have yet to hear this one emerging! But I’m so glad that you know about it and you’re keeping us up-to-the-minute current on “therapeutic” vs. “administrative” debates! 🙂 Priceless!
Roy Huggins, LPC NCC says
;p
Well, it’s emerging in the places where I hang out, I guess. 🙂
The Oregon Counseling board distinguishes between communications of a therapeutic nature and other more administrative communications in the law on distance counseling. Therapeutic interactions need to use technical security measures (e.g. encryption.) It’s basically the same for the NBCC guideline on distance professional services. The Louisiana Social Work board outright bans therapeutic communications done by textual media (email, texting, etc.) They sent out info to licensees seemingly indicating that administrative communications could be acceptable, however.
So I do see this as an emerging distinction. I’m not sure if it’s a necessary one, but we’ll see as time goes, I suppose.
Camille Scent says
Thanks for the info, Roy! I will “listen” for more of those emerging conversations. 😉 Actually, I agree with you. I think it is difficult for the licensing boards and ethics committees to keep abreast of all the technological details involved in these issues, and thus to create effective (and enforceable) guidelines.
David Ross says
Camille,
I am a DCC having just earned the credential earlier this year. The training for the DCC has been moved from ReadyMinds to CCE who will then begin to offer training after August 31, 2014. I would recommend going to their website, http://www.cce-global.org, for more information.
Like you, I always use Hushmail with encryption when talking to clients. To help keep myself in compliance, I use encryption for any email regardless of topic (scheduling, checking in, etc.). I think it is good practice to have the routine of encrypting email. Out of curiosity, did you sign a HIPAA Business Services Agreement with Hushmail? Sometimes we overlook that important piece.
David Ross, LMHC, NCC, DCC
rosscounselingllc.com
Lauren Ostrowski, MA, LPC, NCC, DCC says
Camille, you make several good points. In terms of the “therapeutic nature,” I would think that would be related to something that is similar to session content, however I am no expert. I recently had a client who wanted to communicate via e-mail and I offered to do so with my Hushmail account and I explained that they could get a free one (Hushmail is free if it is checked every three weeks or so). The client elected not to get the account, so I did state that he could still send information to me if he wanted to – he is not concerned about the possibility of broken confidentiality – but that I would not respond.
In the interest of being perfectly clear, all my clients know that if there is a crisis situation, they are not to call me when I’m out of the office, but they have an alternate 24-hour crisis number (as in accordance with agency policy). The ethics for a DCC are pretty clear, as I mentioned above, so I have to go with those restrictions.
As for the DCC credential, it is available through CCE (a subsidiary of NBCC, if I understand correctly) here: http://cce-global.org/DCC . As a DCC, we have to follow both NBCC’s ethics and the NBCC Provision of Distance Professional Services (which used to be called Ethics for Internet Counseling and is still listed that way on the DCC page – I will write to someone about that). Both of those documents can be found here: http://www.nbcc.org/ServiceCenter/Ethics
As for who needs to follow them, the way that the distance ethics are worded, NCCs must follow the guidelines as well.
If you have any other questions, let me know.
Roy Huggins, LPC NCC says
I agree that NCCs need to heed the distance professional services guidelines, as well. I’m one, too! 🙂
Mary Reilly Mathews, LCSWR says
Thanks for these posts …. really helpful information. I’m glad there is someone out there who can sort through the HIPAA maze and give us some practical guidelines…
Tamara Suttle says
Good afternoon, Mary! I so appreciate you taking time to let us know that this is helpful. Thank YOU for following my blog so faithfully!
Shulamit Berlevtov says
Hi Tamara,
Awesome topic and info. So very relevant to my needs. I noticed that if there is supposed to be a link at the words “(This is the second of a 5-part series.
The series begins here.)”, it doesn’t work.
Shulamit
Tamara Suttle says
Ah! You are a life-saver! Thanks, Shulamit! And, where is that gravatar of yours?! Are you really that shy? It’s certainly not how I think of you!
John Burik, LPCC-S (Ohio) says
Here’s a sticky one I’ve just brought up with my private practice colleagues. Our Panasonic voice mail system sends unencrypted emails to therapists containing a recording of our voice mail message. Our salesman says the system is secure. I counter that the system itself may be, but sending unencrypted emails containing client messages (prospective or current) is not. What’s the brain trust here think?
Tamara Suttle says
Ohhh! Great question, John! Thanks for asking it!
Lauren Ostrowski, MA, LPC, NCC, DCC says
This is a great question. My thought is first to ask whether the clinician has to enter a password to gain access to the voicemail content (other than entering a password to enter their e-mail, but a password specific to accessing the voicemail). If so, that might be okay. One of the agencies I work for sends e-mail about schedule changes. The e-mail content only includes the date range for the schedule. The actual schedule changes are in a password-locked PDF that cannot be opened from anywhere without entering the password.
Rob Reinhardt says
I’m curious to hear if Roy has ever gotten clarifications on this. My understanding is that this gets into a grey area as far as HIPAA goes. HIPAA/HITECH excludes data that originated as analog. So, a traditional fax machine is excluded since the original is a piece of paper and “regular” voice mail is excluded since it originated as a human voice. I’ve never seen a clear answer/interpretation, however about what happens when something is digitized and THEN transmitted (i.e. in your example, the voice is recorded and then the digitized recording is sent to an email).
The prudent approach would be to treat the digitized data as ePHI and take appropriate measures which could even include having a BAA with your email provider (since they are storing the digitized voice mail on their servers). This would depend on your type of email account and the provider, etc.
I take an extra prudent approach and use a virtual phone system that reports HIPAA compliance. They also have features like voice to email, however, you can have it encrypted.
Lauren Ostrowski, MA, LPC, NCC, DCC says
Rob, what is the name of this phone service? I’m interested to look into it further.
Tamara Suttle says
Rob, I appreciate you differentiating between HIPAA/HITECH standards and your own higher level of standards. That’s also really helpful to those here who are trying to determine what level of security they want to abide by. Thank you thank you!
Roy Huggins, LPC NCC says
As usual, I agree with Rob. I think when the voicemail is digitized and re-transmitted, it’s hard to argue that it is “not electronic” because it’s “just voice” (the whole “voice calls and paper FAXes are not electronic” thing is a weird quirk of HIPAA, but a handy one that lets us use phones and classic FAX machines with a lot more ease.)
I also don’t see how the salesman justifies calling that “secure.” It clearly isn’t, right? It’s sending voicemails over the Internet without any encryption?
In this case, secure or not, I’d be asking for a Business Associate Agreement. (if you don’t know what that is: http://www.personcenteredtech.com/2012/08/what-is-a-hipaa-business-associate-agreement/)
Ron Colelli says
The rule from HIPAA stating that if you get permission to send non-encrypted emails it’s OK: I think before everyone jumps up and down and gives each other high fives, they may want to think about potential consequences. If an issue does arise, will the provider be able to provide proof they accepted the non-encrypted email? All the recipient has to say is “I did not understand, I thought the information was safe.” My guess is the provider will be liable for damages. Please don’t misunderstand, the article is good. I think providers should consider spending a little more time on the issue and find stronger solutions. Short term solutions never work out in the long run. Just my two cents.
Lauren C. Ostrowski, MA, LPC, NCC, DCC says
Ron,
If I have a client who would prefer to use non-confidential e-mail to e-mail my confidential address, I have them sign quite a lengthy consent form that says that they understand that they have the right to create a free confidential address (Hushmail does that). The consent form is very clear that if they are choosing to use their own e-mail through a non-confidential provider, there is a chance that the message could be intercepted and they are accepting that risk. Personally, I would prefer that they all had free Hushmail accounts, but 98% or so of the clients who have mentioned wanting to use e-mail don’t want anything to do with that. For what it’s worth, I also include that the e-mail is not for emergencies and not for lengthy therapeutic content, but rather for linking to resources or occasionally asking a short question. I also use my e-mail signature as a place to include many local crisis lines.
Tamara Suttle says
Thanks, Ron and Lauren, for continuing this discussion. I missed your comments until today. Ron, I do think that it’s important for therapists to consider the risks of using email and to inform clients of those as much as possible. Lauren offers a good solution when clients want to assume that level of risk while working with his / her therapist.
I can’t tell from your comment if you are a professional counselor, psychologist, social worker, or addictions professional. However, I know that professional counselors are mandated to balance our own risk and that of our clients with our clients’ autonomy over their lives and, in particular, over their mental health care. I wonder if your training might differ from that and thus the difference in approaching this issue?
Terrie Towle says
Hello Roy, Tamara, and readers,
I am trying to locate affordable HIPAA compliant voice dictation software or programming capability for my computer. I believe this would need to include a BAA agreement? The purpose of this voice dictation program would be to make narration of counseling notes much faster. I did not know such a request would be so difficult to research!!
–Terrie Towle, LCPC, RN
Boise, Idaho
Tamara Suttle says
Hi, Terrie! Thanks for dropping in to ask this!
I’m hoping Roy might be able to provide more direction than I can.
I do not use dictation software.
However, I’m pretty sure he would remind us that software and programs are not “HIPAA-compliant” – only people are . . . .
To clarify . . . Are you wanting to use a dictation program to actually transcribe your entire counseling session?
Or are you wanting to use a dictation program to dictate your own documentation?