Today, we have the pleasure of an interview with Roy Huggins, LPC NCC, Director of Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. He is a programmer-turned-Counselor who is Tech Chair for the Oregon branch of ACA (American Counseling Association). He also sits on the advisory board of the Zur Institute and teaches at Portland State University’s Counseling program. Roy will kindly provide us with an introduction to applying HIPAA tech security in private practice.
As per the Office of the National Coordinator for Health Information Technology, HIPAA Privacy, Security, and Breach Notification Rules, indicate “how certain entities, including most health care providers, must protect and secure patient information. They also address the responsibilities of Business Associates (BAs), which include EHR developers working with health care providers.”
Now, without further ado, Roy, Could you give us a bit of your background?
In undergrad, I majored in Music. So of course I ended up becoming a Web developer after graduation. I did that for several years, even though it wasn’t my calling. Eventually I discovered Counseling and decided not to look back.
But it’s hard to escape being a techie. While working on the board of the Oregon Mental Health Counselors Association, I did a little CE presentation on email. I was shocked to discover how various agencies and clinicians were using email, so I started to write and present about it. I studied HIPAA and cross-disciplinary ethics codes to be sure I knew the rules, and it was all downhill from there.
What are best practices in terms of email and texting with clients (ensuring HIPAA compliance)?
I would say you need to discuss the use of email and texting with clients. It’s not something you want to do without clear ideas of what to expect in place with clients. At Person Centered Tech, we offer a sample communications policy for our newsletter subscribers to help out with this.
You also should have a secure email or texting option available. Clients can’t really consent to nonsecure options if a secure one isn’t even available, right?
Clinicians should have a good level of competence with the software they choose. This often means practicing with it a bit before using it with clients. Clinicians who have good success with secure email and texting practice using their new email or texting service with colleagues, family, etc. before offering it to clients.
Expectations regarding email and texting should include a clear idea of boundaries and the clinician’s capabilities. What kinds of communication are email or texting for? When will the clinician be available? What is the expected turnaround time? What contact info should the client use? Does the therapist have any special programs or apps for this kind of communication? What will happen if the client doesn’t use that special program or app? Will the therapist be able to respond?
Using secure software services that provide Business Associate Agreements would support one’s HIPAA compliance, such as Hushmail for email and Signal for texting. However, the process of compliance is much more than just making software choices.
What are best practices with regard to collecting payments from clients? Also, with respect to storing credit card information on file to address last minute session cancellations…
I’d say that of all the major issues in therapy tech, collecting payments is often one of the most straightforward. Most systems for running credit cards, for example, are fine by HIPAA so long as you’re just running cards and not also doing things like invoicing or scheduling appointments – that is, of course, unless you have the needed Business Associate Agreements and the invoicing and scheduling services don’t do anything that violates or pushes the boundaries of your HIPAA compliance.
We have to be very careful about storing client credit cards. The payment card industry regulations are extremely tight on that point. It’s far better to use a service that stores cards for you. Quite a few practice management systems will do this.
I use Square frequently in my practice. Many clinicians use Stripe in connection with their practice management system.
Aside from limiting your practice to the state(s) you are licensed to practice in, what are best practices in terms of providing online therapy?
Best practices in online therapy is an interesting topic, because I find that most clinicians who are new to the medium approach it as a functional equivalent to in-person therapy. And that isn’t quite right.
Of course, most therapists are looking for a way to accommodate in-person clients who are travelling or moving some distance away. That is a reasonable way to ease oneself into the practice and I usually recommend it as a starter method for getting into telemental health.
If you imagine forming a therapeutic relationship and performing intake entirely through video, you can start to see how certain competencies become necessary for effective practice. All research indicates that telemental health is as effective as in-person therapy, but that it is also different.
For online therapy, we need to learn how to use video well. That includes an understanding of how things like lighting, camera angles, distance from the camera, and video resolution/screen size affect therapeutic interventions, assessment of the client’s current state, and other clinical factors.
We also need to know how to set up our tech environments to ensure a clear Internet connection, and how to help clients do the same.
An often-overlooked aspect of working online, unfortunately, is the need to develop protocols with clients for what to do in the case of technology failure and/or client crisis. And online therapists need to have a solid and earnest understanding of their level of skill around managing client crises remotely.
The number of video services available for telemental health has become huge. I personally use VSee, but free and paid options are both plentiful these days. Here is a review of free and HIPAA-friendly video options.
What are best practices in terms of electronic client record keeping?
I think the first practice to consider with electronic record keeping is to only do it if you find value in it or have some requirement to do it.
Many mental health pros have been told that electronic record-keeping is legally required. That is generally not the case for mental health clinicians besides psychiatric medical providers. Some of us have work situations where we have to adopt electronic records, as well. Group practices in Minnesota have to use them, too. Besides that, however, it’s all about whether or not it works for you.
There are a couple ways to keep electronic records: on your own computer or online.
If you keep records on your own computer(s), you absolutely, positively should full-device encrypt every single gizmo that stores any kinds of info about clients. These days, this is far easier to do than it may sound. You also need to keep those devices backed up (and the backups need to be full-device encrypted, too.)
Macintosh computers can be encrypted using the built-in FileVault 2 software [go to your security settings and activate]. Windows computers can encrypted using BitLocker, but you’ll need to upgrade to the Pro edition of Windows to get BitLocker. There are other considerations to using encryption to protect a computer or mobile device.
If you keep records online, it is essential that you have excellent password practices and great antimalware software for your devices. You also need to keep away from WiFi networks that you haven’t vetted as secure. (These practices are also essential if you keep records on your own gear, but they’re the main piece of your security puzzle when you use cloud services to handle client info.)
There’s more to the practice of electronic records, but I think these are the main points that everyone needs to consider from the get-go.
Moving onto one’s website, what would be the main considerations in terms of HIPAA compliance?
Websites are, for the most part, just brochures that we keep online. So there are only a few issues that most therapists need to consider.
For HIPAA covered entities who have a website, HIPAA requires you to post your Notice of Privacy Practices (“the HIPAA form”) on your website. That’s easy enough.
The less obvious issues are with “contact me” pages and with email services provided by your web hosting service.
Low-cost web hosting services are not prepared to handle protected health information. The basic “contact me” page will send info to your web host and then the web host sends it to you through an unsecured email. It’s a HIPAA hot mess. Fortunately, you can achieve the same goal with great security through “secure form” services from companies like Hushmail and LuxSci. You can set up the contact me page to look exactly the same as it did before, but under the hood your potential client’s information is sent directly to Hushmail or LuxSci using strong security.
Email service through your web hosting provider needs to be avoided in health care practice. Have the web host just manage your website while you get your email from a service that will do HIPAA Business Associate Agreements, e.g. GSuite, MS 365, Hushmail, LuxSci, Paubox, and the list goes on and on.
How do you recommend providing online intake and other forms for clients to fill out?
The main issue is that the client shouldn’t send the filled out forms by conventional email or other nonsecure means. This is another place where the secure forms service you can get from companies like Hushmail or LuxSci, or the client portals provided by several practice management systems, can come in handy. Clients can use these services to simply and easily send the filled out forms to their therapist in a secure manner.
As far as getting the forms to a prospective clients goes, it works best to post them on your website so clients can download them. This is easy for clients and minimizes the need to do things like send them to new clients by conventional, unsecured email.
Lastly, what trainings or books do you recommend to keep up-to-date on the various HIPAA technological requirements?
At Person Centered Tech, we have APA-approved and NBCC-approved CE courses on HIPAA security, ethics and tech, and telemental health. Our core course series, called the Digital Confidentiality series, is the best one to take for getting up to speed.
For those short on time, we also have our 1-hr “HIPAA Investigation Repellent” course which is meant to help clinicians “pick the low-hanging fruit” of good security practices and keep the HIPAA people at bay.
We also offer 5 free article series on HIPAA Security, Email and Texting, Online Therapy, Money and Credit Cards in Practice, and Web Presence. Anyone can simply visit personcenteredtech.com and click on “Articles” in the menu to find those free course series!
Thanks so much, Roy, for providing us with this valuable tech overview!
Like this post? Please share it!