OK, gang, so we’ve been talking about HIPAA and disaster-thinking and what the truth is about using email and text in our practices. Roy Huggins, LPC is back with us today to continue the conversation by dismantling another myth and misuse of terminology related to HIPAA compliance.
(If you are interested in writing a guest post, check out the guidelines here.)
______________________
A Guest Post (series) by Roy Huggins, LPC
(This is the three of a 5-part series.
The series begins here.)
Today I’m really talking to you about a therapist’s personal responsibility as it relates to HIPAA and how to avoid getting suckered into purchasing things you don’t need.
MYTH #2: “I can only use ‘HIPAA compliant’ products and services.”
THE TRUTH: The term “HIPAA compliant” can only be applied to health care providers, insurance companies, and insurance clearinghouses.
(One could argue that HIPAA Business Associates should be added to this list, but that’s a potentially confusing rabbit hole.)
When a product vendor claims to be “HIPAA compliant,” that is marketing language only.
There is no HIPAA certification or approval process for products or services, nor are there likely to be any repercussions under HIPAA for failing to live up to such claims.
Does that mean that companies who put little “HIPAA compliant” logos on their websites are being false or misleading?
Not at all.
Supposedly, they’re signaling to you that their product will support your HIPAA compliance needs. There are two problems with that, however.
- First, I have seen many examples of companies that claim HIPAA compliance and then don’t provide health care clinicians with what they actually need for compliance (usually, that’s a HIPAA Business Associate contract.)
- Second, there are many, products we can use in a HIPAA compliant manner that never make claims of “HIPAA compliance.”
I have set up both my computer (a Mac) and my smart phone (an iPhone) with useful security features, and I have policies in place for using them securely — that help me be HIPAA compliant.
Apple never made any HIPAA-related claims, but I happily and compliantly use their products to keep a schedule, hold records, take credit cards, keep in touch with clients, and more.
So to be clear . . . I’m not saying that claims of “HIPAA compliance” are useless.
However, it’s up to you to verify that products meet your needs.
Also, don’t unnecessarily hamstring yourself or restrict your clients’ activity in the name of using exclusively “HIPAA compliant” products.
For further reading check out
Your Software and Devices Are Not HIPAA Compliant
How are you assessing and mitigating the security risks in your practice?
What’s causing you the most concern?
Here is where you can find part 4 of HIPAA Compliance Myth Busting – Emails, Texts, & Smart Phones (series).
_______________________________
About the Author: Roy Huggins, LPC NCC is Director of Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. Roy is a programmer-turned-Counselor. He’s Tech Chair for the Oregon branch of ACA, on the Zur Institute advisory board, and teaches at Portland State University’s Counseling program.
Hey! I use mac products too and I am interested in how to make sure I use them securely. Especially when it comes to imessage because their texts may show up on my desktop if the client also has an iphone.
Hi Jill,
Yep, you need to log out of iMessage on your computer. I had a similar thing happen where a text message from my wife (who also uses an iPhone) popped up on the screen during a presentation! I don’t use my iPhone to text with clients, so there were no security risks there. It was still a bit embarrassing, however. 🙂
Here I have an article about security measures for iPhones and iPads: http://www.personcenteredtech.com/2013/08/iphones-ipads-and-hipaa-compliant-practice-locking-down-your-apple-device/
And here’s a Resources page (from my Zur Institute online course on Security and Privacy) that lays out the standard set of security measures you want to consider when you do a risk analysis involving your mobile devices (e.g. smart phones and tablet computers): http://zurinstitute.com/hipaasecurity_resources.html#mobile
Thank you so much for this series. It’s been very helpful!
One thing I’m unclear about is if HIPPA applies to all clients or just those who bill through insurance? A good portion of my clients are self-pay, and I’m wondering if I still need to have them sign a HIPPA consent and if HIPPA regs still apply to them? Thank you!
Hi, Sarah! You’re so welcome! HIPAA actually applies to providers, not clients.
Thanks for the reply! So to clarify, I need to have all clients sign a HIPPA acknowledgment, regardless of if they are private pay or use insurance?
Sorry, Sarah. I’m flying right now so have to make this quick.yes, IF you are required to be HIPAA compliant for just one client, you are required to be HIPAA- compliant for all.
Sarah, here is some information about HIPAA: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html . There are also model notices available from the link on the right. Most HIPAA agreements are the same except for putting in some information specific to your practice.
If you are a HIPAA covered entity (meaning you are legally required to comply with HIPAA), then you have to comply with it in all professional contexts. It wouldn’t vary from client-to-client.
It’s important to note that some things about HIPAA can change from client-to-client. For example, those self pay clients are empowered by HIPAA to tell you that you aren’t allowed to disclose information to their insurance companies. Your clients who use insurance would not be so empowered.
Hey, Roy, to clarify your last sentence, when clients choose to use insurance, they are almost always giving up their right to the same level of privacy i.e. most managed care companies require access to some / all of the clinical record and process. Is that what you are saying?
Actually, I’m just saying that the 2013 HIPAA Omnibus Final Rule declared that if a patient pays entirely out of pocket, they are empowered to forbid their health care provider from turning over any information to the patient’s insurance carrier. I’m actually a little fuzzy on how and when this issue comes up, but it seems like a good thing to me either way.
Thanks, Roy, for sharing where you info came from. My understanding is that while a client who pays (entirely) out of pocket has the right to forbid their health care provider from releasing info to their insurance carrier; that does not mean that every other client does not also have that right. It’s just like with everything else . . . there are consequences to the choices made. I think that’s a really important distinction that needs to be discussed with clients as part of the informed consent process.
Tamara, You make a good point when you say that all clients have the right to forbid sharing of that information, but my understanding is that this decision would usually mean that the insurance company would not pay for services. While it is still a decision they have the mental power to make, they may not have the financial capability to make that choice. I do see your point, though, that it is important that it is explained so the clients can make a well-informed choice.
Lauren, you are exactly right. There are systems and structures in place that give different clients differing amounts of power. That’s why I think it’s so important for therapists to be aware of not only our own differences in power as providers (for example, the monetary power and security that allows some of us to make the transition into private practice and prevents others from making that same transition) but also recognize and be willing to articulate the power differences that exist from client to client.
To think that we are all practicing or that our clients are all coming to us from the same (balanced) playing field is not accurate. There are significant differences in the choices our clients are able to make based on their economic and educational and social (as well as other) currencies. Whatever you call it, it’s important to recognize it and name it . . . systemic oppression, power imbalances, discrimination, the Haves and Have-Nots, multiple-identities, or whatever other language you choose.
And, at the same time, it’s also equally important for ethical therapists to initiate those often-awkward-and-difficult-to-have discussions with clients so that they (1) can begin to see, if they don’t already, the layers of challenges that may contribute to their struggles, (2) can see that there’s a therapist who recognizes that “life isn’t fair,” simple, or black & white, and (3) that ultimately, as much as possible, the clients hold the power to handle situations and make choices relevant to those situations.
Just because the choices are lousy, doesn’t mean that there still aren’t choices. The unfortunate truth is that we just don’t all have the same choices.
Tamara, You are quite right. I can’t begin to discuss how often I discuss choices in session. Granted, I’m talking about choices that are much broader than whether or not they are choosing to disclose information to their insurance companies, but you are absolutely correct. There are always choices.
I think for us to act as if (2) we know best and make choices for our clients or (2) fail to point those choices and consequences out to clients really keeps our clients unaware of their own power and autonomy.
Thanks, Lauren, for extending this conversation today! Hope your day is going well!
Tamara–thank you so much for your time! Have a great flight 🙂
Thanks for this series! Getting ready to do my risk analysis. Just a plug to take Roy’s training if you can. Very useful, enjoyable and calming.
You’re so welcome and I completely agree! It was practice-altering for me!
Thanks so much, Kate! 🙂