Imagine logging on to Facebook to find your clients being suggested to you as “friends” or having your laptop stolen and losing all of your client notes and information. These two examples are equally frightening to some and all too common to many.
Becoming HIPAA compliant not only prevents circumstances like these from happening, it also keeps you from going into panic mode the next time you accidentally send a client email from your personal email account.
Because of costs and the intimidating nature of the task, becoming fully HIPAA compliant becomes something most therapists aspire to but are not able to fully actualize among the other moving parts of opening and running a private practice. However, if one approaches HIPAA compliance as another aspect of patient care rather than an unattainable standard, it may feel less like a burden and more of an extension of work with clients.
Here are a few simple steps to ensure client privacy you can take today!
7 ways to stay HIPAA compliant
1. Sign Business Associate Agreements
Sign a Business Associate Agreement (BAA) with every third-party that handles your protected health information. This includes providers of email, document storage, video chat, and payment processing. The BAA assures you that the third-party is HIPAA compliant.
You can try Google searching “Business Associate Agreement” along with the name of your service provider, or email the third party with questions. If your third-party is not willing to sign a BAA, then you are not HIPAA compliant and it’s time to find a new provider.
2. Encrypt Your Hard-drive
Make sure your laptop and any hard-drives you use have full disk encryption. Any newer operating system will allow you to enable encryption without too much hassle. You do not need an engineering degree to achieve this! The company’s website will tell you how to enable encryption.
3. Secure Your WiFi
Securing your WiFi enables data to transfer between devices while remaining encrypted. The easiest way to do this is to start using WiFi Protected Access-2 (WPA2) on your router. Most new routers will give you this option during your WiFi Network setup.
4. Use Remote Backup
Start backing up your documents in the proverbial cloud. This tool helps prevent data loss should the hardware break down. Cloud storage varies for different companies both in price and space (see a full comparison here). Make sure they will sign a BAA with you to be fully HIPAA compliant.
5. Encrypt Your Email
Email encryption for healthcare providers gets a little fuzzy. The latest iteration of HIPAA in 2013 has been interpreted by some as indicating emails do not need to be encrypted as long as the provider explains the security risks involved and the client opts to receive emails anyway. However, using encryption is good practice and could protect you and your clients from a breach. You may wish to stop using Gmail and switch to G-Suite or another provider that is willing to provide a BAA for their encrypted email service (see a breakdown of encrypted email providers here).
For a list of pricing and other email services providing encryption, download the full HIPAA Guide.
6. Secure Credit Card Payments
If you accept credit card payments using a processing company such as Square, make sure that you have a BAA in place. Note that Square’s payment processing is HIPAA compliant and they will sign a BAA; however, their option for automated text messaging your clients’ receipts is not. Despite the convenience, you may wish to not use that option in order to remain HIPAA compliant.
7. Offer HIPAA Compliant Video Therapy
Video therapy is becoming increasingly common due to its ease of use and commuter time. Several companies provide free or low-cost video conferencing options, such as doxy.me and vsee.com. Note that the two major video service providers, Skype and FaceTime, are not HIPAA compliant. Although these companies use some of the correct technical safeguards, both Microsoft and Apple will not sign a BAA for their services and therefore it is not HIPAA compliant to use either one for remote therapy sessions.
3 steps you can take today to jumpstart your HIPAA compliance
1. Secure your mobile device
Secure your mobile device with a password to prevent unauthorized access and hide message previews from appearing on your phone’s lock screen.
2. Enable the remote wipe function on all your devices in case they are lost or stolen.
Make sure to do this after backing up your data. Consider getting a separate mobile device for professional use, as some apps installed on your personal phone may not be compliant.
3. Breathe!
You are not alone if you realized you are not fully HIPAA compliant. Start where you are, and begin to make a shift.
These tools are just the tip of the iceberg when it comes to remaining HIPAA compliant throughout the daily tasks of a therapist.
Many therapists are exposed to HIPAA while interning or earning their licensure hours through an agency. However, while agencies have the ability to hire expensive attorneys to draft their privacy notices and create HIPAA compliant policies and procedures, most therapists shifting to private practice do not have the same resources available to them.
The HIPAA guide I created helps bring the practical applications of HIPAA compliance to your practice, in order to simplify administrative items so you can focus on your work with clients. The guide outlines over 30 different HIPAA compliance solutions and pricing options.
To learn more about HIPAA and how it relates to your practice check out my website, LeanTowardsJoy.com.