HIPAA is a tricky subject for clinicians. It covers any digital transmission of personal healthcare information (PHI). It’s complex, and it’s easy to violate: sending a text message to a patient can violate HIPAA. So can an e-mail. Putting those disclaimer footers at the bottom of your e-mail? Nope, definitely not sufficient to protect yourself if you violate HIPAA. And the fines are steep.
Trust Liability Insurance recommends that all mental health professionals follow HIPAA guidelines, even in the very remote case that you’re not bound by HIPAA. Trust’s FAQ is a good place to start building your understanding of these regulations.
I can help set up your HIPAA-compliant workflow. You don’t have to pay a ton of money for a “practice management” app: that’s a really nice all-in-one option, but it’s not necessary for HIPAA compliance. Using a paid Google Workspace account gets you a ton of HIPAA-compliant apps; there are free secure messaging services like OhMD; and HHS.gov has model NPP forms that you can customize for your practice.
Also be aware that there are numerous great apps that are not HIPAA-compliant. FaceTime? Awesome for communications, but not compliant. QuickBooks? Industry-standard accounting software, but not compliant. Signal? Extremely secure for messaging, but not compliant. It’s not just about whether the app is popular, effective, or secure; it’s about whether it’s compliant with HIPAA regulations. Most free apps won’t give you a Business Associate Agreement (BAA), and that’s just step 1 for HIPAA compliance.
Here’s the bottom line: make sure any app or service you want to use for your practice can provide you with a BAA if any PHI is involved, and check its privacy practices carefully to ensure patient information will be secure. Just because an app is “good” doesn’t mean it’s compliant.