The Client Centered Tech and my HIPAA guru, Roy Huggins, LPC, is back with us again today, continuing to chip away at some of our commonly held myths around HIPAA and tech security. Today, he’s talking to us about the use of smart phones.
(If you are interested in writing a guest post, check out the guidelines here.)
______________________
A Guest Post by Roy Huggins, LPC
(This is the fourth of a 5-part series. The series begins here.)
It’s frustrating, I know, to have so much technology available to make our lives easier and yet feel constrained in the ways that we can use it because of rules related to our profession. That’s why I think you are going to like what I have to say about Myth #3.
MYTH #3: “I can’t use my smart phone to take payments from clients because smart phones are not HIPAA compliant.”
THE TRUTH: You’re probably getting my gist that HIPAA generally doesn’t address any specific technology, and that compliance means reducing security risks to “reasonable and appropriate levels.”
So there are many ways to use smart phones and to secure smart phones that keep risks at acceptable levels.
You simply need to take stock of what risks to confidentiality lie on your phone and take steps to reduce those risks.
It’s also important to note that institutions that provide financial services have a special relationship to HIPAA.
Generally, you are able to use these [financial] services to get paid for your time and HIPAA doesn’t stand in the way.
However, any features, services, or functions over and beyond simple processing of payments can bring up HIPAA issues.
You can find more details here:
- Banks and HIPAA: Checks & Credit Cards vs. Receipts & Invoices
- Is Square HIPAA Compliant? How About PCI Compliant?
What risks have you identified with the use of your smart phone and what steps are you taking to mitigate those risks?
Here is where you can find part 5 of HIPAA Compliance Myth Busting – Emails, Texts, & Smart Phones (series).
_______________________________
About the Author: Roy Huggins, LPC NCC is Director of Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. Roy is a programmer-turned-Counselor. He’s Tech Chair for the Oregon branch of ACA, on the Zur Institute advisory board, and teaches at Portland State University’s Counseling program.
Linda Lochridge Hoenigsberg says
This was interesting Roy. I do use Square, and have emailed the client the receipt (with their permission), but I assumed that because the receipt does not contain their name I was fine. Thanks for providing such great information!
Roy Huggins, LPC NCC says
Hi Linda,
Don’t forget that it also contains their email address, which is personally identifying. That’s a gotcha that catches a lot of people.
-Roy
Tamara Suttle says
Linda, I’m afraid you are not alone in this! As we learn better, we do better.
Anne Barker says
Thanks for this series, Tamara and Roy. It’s been very enlightening.
Just a note: It seems your two links above both go to the same place. I’d like to follow the Square one if you can fix it.
Thanks!
Tamara Suttle says
Thanks, Anne, for the heads up! I so appreciate it when you take the time to let me know something is wrong or not working on my site. It’s fixed now. :)
Roy Huggins, LPC NCC says
Oh, thank you, Anne. That was probably my fault!
Mary Reilly Mathews, LCSWR says
I’ve always been slightly amused about all HIPAA precautions taken with my clients, yet then I take their personal checks to our local bank! I live in a small rural area where people know each other. Any suggestions? (I also hope that the plumber who just had to walk through my very disorganized basement mess is bound by some sort of confidentiality requirement!)
Roy Huggins, LPC NCC says
Hi Mary,
HIPAA gives a pass to depositing checks. Remember that banks have pretty tight laws, too. Also, it wouldn’t help health care consumers if we weren’t able to get paid because of HIPAA restrictions.
But don’t just take my word for it. My article on the subject has references: http://www.personcenteredtech.com/2014/01/banks-and-hipaa-checks-credit-cards-vs-receipts-invoices/
Tamara Suttle says
Hey, Roy, with all the discussion that you have generated and the questions that have come up, maybe now you see why I broke this up into (bite-sized) pieces in a series:). You are a wealth of information and resources and most of us could not possibly digest all of the info that you have provided all at once! And, you’re still coming up with more great resources! Thank you, thank you!
Roy Huggins, LPC NCC says
Tamara — yes, yes I do. 🙂 I even thought about how I might try the same approach. I’m not sure how to make that fit in to my usual MO, but I’m inspired!
Tamara Suttle says
Feel free to call me, Roy, if you want help figuring it out. That’s what I do with therapists all day long – help them see the many ways to package their services so that clients understand they want and need them to achieve their goals.
I was just telling a colleague here in Colorado the other day . . . if I had your body of knowledge, I would be packaging that up in 52 different ways. Everyone needs what you have and once they meet or engage with you, even the most resistant of us actually want what you have :) You already are so incredibly generous with the info you share on your website and your LinkedIn group (Can you please let folks know how to find you there?) but there are still so many more possibilities in front of you!
Roy Huggins, LPC NCC says
Now that’s an offer I can’t pass up. I’ll do so!
Tamara Suttle says
Excited about the possibilities and looking forward to it!
Roy Huggins, LPC NCC says
Oh, right. Here’s how to find my other social media presences:
* LinkedIn (lots of info and enlightening discussion there): https://www.linkedin.com/groups?gid=4203297
* Facebook: https://www.facebook.com/pages/Person-Centered-Tech/254167491309793
* Twitter: https://twitter.com/royhugginsms
Tamara Suttle says
And, Mary, there are so many variations on this dilemma, aren’t there?! I knew Roy would know the definitive answer for the banking issue. But there are so many other dual relationships and possible opportunities for breaching confidentiality in rural communities and in a million different subcultures, too! I think of those therapists who are active in 12 Step groups for their own recovery who also practice within this niche, and the GLBT communities, and the Christian counselors who practice in fairly closed Christian communities, and . . . and . . . and the list just goes on and on!
Susan Joy Smellie says
Wow! It never crossed my mind that allowing Square to send a receipt by email or text message could be a problem with HIPAA. Back to the old receipt book, then….. (I do hate that thing. Can we legally make up our own receipt forms in bigger print with spaces for date, client’s [or payor’s] name, time, and signature and have other things (e.g., Individual therapy, location) already in place to simplify the process?)
Roy Huggins, LPC NCC says
Hi Susan,
I don’t see why you couldn’t! 🙂
Tamara Suttle says
Hi, Susan! Welcome back! Here’s an easy way to get your receipts made for your professional services!
Kathi Bivens, LPC says
Roy,
Thanks for this morning’s “H-word heart attack.” I have just begun using a merchant service that processes payments over the internet. I have to sign into my account and enter the credit card info via my MacBook. I have only done this two times, but each time in the info window I put the billing code (908**). There was no diagnosis or diagnosis code, only this billing code (for the client’s records when they apply for insurance reimbursement). I refrained from writing a note in the comments section! Would it be smarter to put some other tracking code that I create on this electronic transaction, and just give the client a Super Bill to attach this receipt?
Also, I just found out that I am approved to accept Medicaid clients and I am having a “stroke” about how to incorporate all of that HIPAA compliance into my already over loaded frontal cortex.
Thanks for sharing your expertise! (Pardon the vascular references, it’s just one of those mornings 🙂 )
Kathi
Lauren Ostrowski, MA, LPC, NCC, DCC says
Kathi, One of the agencies I work for takes Medicaid exclusively. If you have certain questions about documentation, let me know. I’m not a lawyer, but I have been filling up Medicaid paperwork for years now.
Kathi Bivens says
Thanks, Lauren.
Even though I have worked for agencies who bill Medicaid, I have never done it for myself. I am very impressed with the training tools that NC Medicaid has made available. BUT the HIPAA stuff is not a part of that training. As always, it seems to have a “h-life” of its own. 😉
Tamara Suttle says
Thanks, Lauren, for offering your support here! That’s one of the best things about you guys! This community is always stepping up to offer support and inspiration to each other. I so appreciate the culture that you have created here!
Roy Huggins, LPC NCC says
Hi Kathi: Ya, I would keep the CPT code out of that transaction. You want to supply the minimum necessary information for the basic processing.
Giving the client your own superbill and removing the CPT code from the billing transaction details would be a good risk management measure, I think.
Kathi Bivens says
Thanks! This has been extremely useful information and all before the H-police show up at my front door.
Tamara Suttle says
Oh, Kathi! You’re so welcome and I know you are not the only one feeling this way. Still . . . you’re killing me here! “H-word heart attack,” “the H-police,” and an “H-life of its own!” Girl, we are so going to have to get you some support! You’re going to implode if we don’t help you decompress quickly!
This is doable. HIPAA is not a monster. I’m not a fan either but it is doable. Just you wait! Roy is going to show you how to cut this up into teeny tiny bites before you know it!
Roy Huggins, LPC NCC says
Hmm… with the mention of the “H-Police” (aka “the Office of Civil Rights” — how’s that for an interesting naming convention?), I feel compelled to say that the likelihood of a solo mental health clinician being randomly audited by the Feds for HIPAA compliance is astronomically low.
Run-ins with the OCR (those h-police) would likely occur following a client complaint or a security breach which you dutifully reported according to the Breach Notification Rule.
In other words, focusing on keeping your clients’ info safe and your therapeutic relationships solid is the best protection from liability, IMHO. 😉
Tamara Suttle says
Roy, I appreciate you continuing to help us re-focus away from being disaster-focused and fear-based in our view of HIPAA. Admittedly, I need help in reframing that and so does Kathi and many others. Your fabulous class really did drive that home for me for the very first time . . . . I think that it’s still easy for me to slip into that fear-based mentality because for years that’s how I’ve viewed this area of practice.
But I am reminded again that your very first post in this series was really an act of advocacy on your part and a call to action to all of us to not only not “go there” but to initiate and engage in conversations that more realistically address the client safety and therapeutic benefits of complying with HIPAA – whether we are mandated to be HIPAA compliant or not.
Roy Huggins, LPC NCC says
Right you are, Tamara. I should’ve been more thorough with my post.
Fear of liability will drive most of us to fight or run, and to become distracted from the main point of holding our clients — and their sensitive information — in a safe space. That’s why I think it’s important to keep in mind that random compliance checks are unlikely to be a reasonable motivator for us to do HIPAA compliance work. The better motivator would be protecting our clients and our relationships with them.
The part I left out is that HIPAA does a pretty good job of providing guidance and boundaries that help us do that relationship-preserving work. Also, we need to look beyond just HIPAA compliance when we do it.
Tamara Suttle says
Hey, Roy, I know we’re taking up oodles of your time with this series, Roy, but could you please say a little more about what you mean by “looking beyond just HIPAA compliance?”
(And, can I just say that I’m so EXCITED about your little gift that posts here tomorrow?! THANK YOU!!!)
Roy Huggins, LPC NCC says
Sure, I’d be happy to. And I’m really glad you’re excited! 🙂
HIPAA compliance is a stick and carrot (almost entirely stick, these days) motivation system meant to get us thinking about security and privacy and enacting those things for our clients/patients. This ends up being necessary because “security and privacy,” as a singular concept, is not something the health care industry has much conceptualization of.
Mental health has always been good with *privacy*, of course. This is why we didn’t have much to worry about with HIPAA back in 2003 when it was first a going concern.
As digital tech has blossomed, however, and we start to use it in our practices, *security* becomes more and more of an issue. To date, the closest our professional training comes to preparing us for security issues is to discuss “confidentiality,” which is more a professional duty than an actionable system of thinking about protecting clients and their information.
When I say “going beyond HIPAA compliance,” I mean incorporating the concepts of security into the ways we practice professionally. I.e. I see a future where we don’t just put passwords on our phones because “HIPAA said so,” but rather because we have ingrained in ourselves a basic sense of how security works and why it’s important to our clients and their health, and we’ve gotten just enough training and have just enough consulting resources at our fingertips to make it happen on a day-to-day basis.
Tamara Suttle says
Thank goodness for IT-security-geeks-turned-therapists! I assure you that I would never have had the foresight (because I do not have the basic understanding of security as it relates to technology) to look a bit further down the road to see the need or the path for this type of security.
As you talk about it, I get it . . . at least next steps. Thanks so much!
Tamara Suttle says
Hi, Kathi! This is the first time, I think, that I’ve found your voice here on Private Practice from the Inside Out so welcome! And, thank you for taking time to spell out these situations so clearly. I’m definitely in line with Roy’s thinking about less being more when we’re communicating online.
I also want to address your overwhelm because there are many of us feeling the overwhelm. This is as good a time as any to say, “Stay tuned!” Roy has a sweet offer for you guys coming up tomorrow and, I promise you, it was a game changer for me. Just hang on . . . . Solutions are coming!
Lynette Ingram Cassel, ATR, LMHC says
A related question for the group: I am about to start accepting credit card payments through Square in my private practice. These posts have been very helpful in understanding how to be HIPAA compliant with this technology.
My question is about the fees for using credit cards. Do other therapists out there just “eat” the fees associated with accepting credit cards, or charge the client a small processing fee for using a credit card. I know other vendors who commonly do that. Thanks for any input.
Roy Huggins, LPC NCC says
Hi Lynette,
Many private practice consultants recommend eating the fees. However, my experience is that the “right” way depends on your practice and the culture of cash vs cards in your area.
Passing on fees is fraught with issues to consider either way, however. I have a whole article about it, as you might expect. 🙂 http://www.personcenteredtech.com/2013/04/passing-credit-card-fees-on-to-clients-is-it-ethical-legal-or-good-business-practice/
Tamara Suttle says
Lynette, welcome to Private Practice from the Inside Out! I don’t think I’ve seen your voice here before.
I completely understand why you would be asking this question and, yes, there are therapists who “just eat” the fees associated with accepting credit cards. Roy’s response and the link to his blog post are 100% on target.
However, I would encourage you to refrain from passing those costs on to your client even if they are not technically beyond the parameters of professional ethics for different reasons.
First, we are also bound by the standards of care in our local community. These are more difficult to identify and certainly can vary from locale to locale. However, until it is common practice for mental health professionals to pass this cost on to clients, you are inviting unnecessary risk to your practice.
And, second, you do not want to be perceived by potential clients or referral sources as being greedy or selfish in any way.
I would encourage you to take a close look at your own relationship to money and consider raising your fees if you are concerned about incurring this additional expense. It is most often considered one of the “hidden costs” of doing business in our field. And, if you want to provide an incentive for those paying cash by offering a reduced fee to those clients, then go for it!
Lauren Ostrowski, MA, LPC, NCC, DCC says
Tamara, I thought I heard somewhere that we weren’t allowed to charge different fees to different clients unless we offered a sliding scale to everyone. Can you speak to that?
Tamara Suttle says
Sure, Lauren. To be ethical and fair a therapist needs to make her services available to all under the same conditions. That means rather than choosing those clients that you want to give a reduced fee to, you need to apply the same criteria (income, number of dependents, or whatever) to all your clients and let those that qualify have those reduced fees.
Likewise, if you are going to offer an incentive to pay cash by offering a reduced rate, you should offer it to all of your clients – including those who have insurance. (And, don’t be surprised if you have some clients that choose to pay cash rather than access their insurance benefits.)
Lauren Ostrowski, MA, LPC, NCC, DCC says
Okay, I’m understanding now. As long as we offer the lower rate to all of our clients, they then have the right to choose whether they want to pay cash or use their insurance. So we are being fair to all and they are giving the discount if they so choose. Sounds like the best of both worlds. Thanks for clarifying.
Tamara Suttle says
You’re so welcome, Lauren!
Lynette Ingram Cassel, ATR, LMHC says
Thank you Roy and Tamara for your feedback. It is very helpful! I knew there must be information on this very topic and I want to be consistent with ethics and current practices. I appreciate you providing a venue for me to get these answers so easily.