Do you need to be HIPAA compliant?

As the effort to fight the COVID-19 pandemic continues around the world, behavioral health professionals have predominantly switched to telehealth to provide care to their clients. Relaxed HIPAA requirements in March allowed the use of video applications such as Google Hangouts, Zoom, or Skype. Yet, accounts of data mining and breaches in the following months have prompted us to recall the purpose of the HIPAA requirements in the first place – to protect your clients. 

In light of the new, online environment, we thought it would be a good time to publish a reminder of what it means to be HIPAA compliant. We hope this post will help you answer the following questions: 

• What does it mean to be HIPAA compliant?
• Do my online communications need to be HIPAA compliant (from regulatory and ethical standpoints)? 
• What can I do to ensure that all my online communications are compliant and I’m not caught unaware by hidden vulnerabilities?

What does it mean to be HIPAA compliant? 

When the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed into law in the United States, its primary purpose was to ensure that people could keep their insurance coverage during job and life transitions. A portion of HIPAA, the Administrative Simplification Act, focused on becoming more efficient in handling patient information by using electronic means to transmit and store patient data. The HIPAA Privacy and Security rules were written so patients could feel confident that their information would be kept private when it was transmitted online. 

While the Privacy Rule concerns protecting health information both online and offline, the Security Rule was written particularly to protect electronic health information. As a HIPAA-compliant email and web form provider, this is the rule that particularly concerns us at Hushmail. 

Online communication of any sort comes with myriad vulnerabilities that are troublesome for anyone, but especially for those managing a healthcare practice. Today, as the majority of us are adapting to the COVID-19 pandemic with some kind of remote office that requires most if not all of our work to take place online, these vulnerabilities are an even greater threat to the safety of our data. If your work is in the healthcare field, that means the safety of your clients’ and patients’ most sensitive information is at risk. Understanding and complying with the Security Rule is more important than ever, even if HIPAA doesn’t technically apply to you (more about that later).

What types of data do you need to protect?

The information you need to protect online is any protected health information (PHI), defined as any "individually identifiable health information.” 

As stated in the HHS’s Summary of the HIPAA Privacy Rule, “Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual

Here are some examples of PHI:

• Acknowledgment that a person is your client
• Client notes from a telehealth session
• Diagnoses
• Recommendations to join support groups

Who needs to be compliant?

Technically speaking, not all healthcare practitioners are required to comply with HIPAA rules. The primary distinction is whether or not you accept insurance. If you don’t, in most cases, you’re not considered a “covered entity” and not required by law to comply with HIPAA. Here’s a detailed explanation of what defines a “covered entity.”  

That said, even if you aren’t a covered entity, securing your online communications with your clients when they contain information of a sensitive and personal nature is important from a professional, ethical standpoint. Thus, the HIPAA guidelines for handling protected health information online can and, many would say, should be followed by anyone providing care to their clients.

Make sure your online communications are HIPAA compliant 

HIPAA rules can seem confusing at first, mainly because they strive to offer practitioners some flexibility in how they protect PHI. For example, the requirement to implement “technical safeguards” doesn’t specify what those safeguards should be. This flexibility can lead to some frustration when choosing services. Here are a few tips that will help you choose reliable, secure communication services and maintain your HIPAA compliance as a covered entity. 

• Look for encryption that encrypts data when it’s sent, received, and stored. Encryption scrambles a message so that it’s unreadable to anyone who can’t access the key needed to unscramble it. There are many different types of encryption. Although HIPAA guidelines only ask that you implement technical safeguards and doesn’t specify any type of encryption, using a combination of TLS encryption and Open PGP encryption secures data throughout its journey from sender to receiver to storage, providing the most consistent protection for your clients’ information. 
• Archive your messages in a secure manner. This allows you to demonstrate compliance if you’re audited. The HIPAA Security Rule requires the retention of electronic communications that contain PHI for at least six years, but even if you’re not a covered entity, a secure archive maintains a history of your client messages and protects it from theft.
• Report breaches if they occur. If you’re a HIPAA covered entity, this means a report to the affected individuals, HHS, and, in some cases, the media. If you’re not a covered entity, a breach should at least prompt the notification of affected individuals with details of the breach.
• Get a BAA. You should obtain a Business Associate Agreement (BAA) from any service or vendor you contract with that handles your clients’ protected information. A signed BAA essentially declares that the third party is responsible for protecting your clients’ information when it’s in their care. 

Don’t get caught unaware

For the most part, the guidelines above will ensure you’re adequately protecting your clients’ information and being HIPAA compliant. However, providing care in the online space can be a tricky endeavor, especially when you need to distinguish yourself with savvy marketing from other practitioners. These marketing efforts must be carefully managed so you don’t inadvertently expose PHI. Here are a few examples of where you could be vulnerable.

Psychology Today profile. Earlier this year, we wrote about the contact form on your Psychology Today profile. It’s not encrypted. You might wonder why this is an issue if a prospective client is only initiating contact.The problem is that the contact form on the site is not secured, thus PHI is potentially vulnerable.The solution is to disable the contact form and provide a link to your personal, encrypted contact form instead. 

Review sites like Yelp and Google reviews. Not only can you get in trouble for making recommendations or addressing complaints – you can’t even acknowledge that you’ve ever had a relationship with that person as a healthcare practitioner. That’s because the fact that the reviewer is a client of yours is PHI in and of itself. Even if the reviewer has of their own accord revealed the information, you can’t confirm it. Instead, just like with your Psychology Today profile, direct them to an encrypted form of communication, be it email or web form, where you can converse with them privately about the situation.  You can read more about The right and wrong way to respond to patient reviews on our blog.

The details of your emails and web forms. As mentioned earlier, getting an encrypted email and web form service comes first. But even with that built-in security, you still have to mind your PHI, so to speak. Here are a few tips:

• Make sure you’re not including PHI in your email subject lines, which are often not encrypted.
• Be mindful of your web form email subject line as well. When a web form is filled out and submitted, the completed form arrives in your email inbox with a subject line. Often that subject line is the same as the title of the form. If there’s information in the title of the form that shouldn’t be tied to your client, then make sure you change the subject line of the email. In Hush Secure Forms, you can do this in your form’s setting. 
• Encrypt! Encryption might not be automatic. If you need to enable an encryption switch, make sure you do so before hitting send.

Making your HIPAA compliance as easy as possible

Hushmail provides secure, HIPAA-compliant email, web forms, and e-signatures that work seamlessly together, taking the guesswork out of your HIPAA compliance.