More and more therapists are getting comfortable with the idea of using online therapy long-term, and more patients are willing to use these services. Online therapy allows therapists to meet clients where they are, which can improve patient engagement. But safety and security must be top priorities when offering services digitally.
Choosing to offer online therapy to your clients requires adequate planning to ensure you’re meeting HIPAA regulations. Follow these tips to set your practice up for success.
Want to help more clients? Share your expertise with Ravel Mental Health.
Importance of HIPAA in Online Therapy
Therapists understand the importance of HIPAA compliance. Complying with HIPAA, or the Health Insurance Portability and Accountability Act, ensures that therapists provide safe and secure care to their clients. HIPAA prevents clients’ private information from being disclosed without their consent or knowledge.
If a therapist fails to adhere to compliance standards while offering online therapy services, the consequences can be dire. For example, data breaches, hacked video calls, and more can result in inappropriately shared information that harms clients through identity theft, data extortion, and embarrassment. Not to mention the therapist could be subject to serious violations and government fines.
HIPAA Compliant Online Therapy
One of the main items that HIPAA guidelines address for online therapy is the channel of communication. HIPAA-compliant communication channels should:
- Only be accessible by authorized users
- Protect clients’ information through secure platforms
- Monitor for accidental or malicious breaches
Ultimately, HIPAA affects which electronic and digital mediums can be used when providing services. Under the HIPAA Omnibus Rule, therapists should only use technology vendors that have entered into HIPAA business associate agreements (BAAs) with them. A BAA is a legal document between a therapist and a vendor, such as GoToMeeting or Zoom for Healthcare.
The reason for BAAs is because digital vendors have access to sensitive client information. Therefore, if any of the digital products you use do not have you sign a BAA, they are not HIPAA compliant.
The COVID-19 Exception
The coronavirus pandemic has brought about some exceptions to these rules, and enforcement of HIPAA regulations has been relaxed, specifically relating to online therapy. This means that therapists won’t be penalized for using non-compliant services as long as they inform clients about the potential privacy risks and protect sensitive patient information.
It’s important to note that this exception won’t last, though, so popular applications such as FaceTime are not long-term solutions for online therapy. Therapists should look toward setting up HIPAA-compliant tools for offering online therapy services as soon as possible.
The Conduit Exception
Some recent thoughts are that digitals tools such as Facetime could be HIPAA compliant, even beyond the lax rules for COVID-19. There is an exception under HIPAA’s rules called the Conduit Exception. Basically, technologies such as FaceTime and Skype do not technically store client information the way other mediums such as text and email do. Instead, they merely carry information from one point to another. This means FaceTime and Skype could technically be considered conduits and not business associates.
Text Messages
SMS and iMessage are not HIPAA compliant. Instead, therapists can utilize vendors that offer built-in secure messaging solutions.
Emails
If a client emails their therapist, they are not adhering to HIPAA standards. However, once the therapist receives the email, they can store it using HIPAA-compliant methods. (It’s important to remember that therapists are the ones who must comply with HIPAA, not clients).
If a therapist needs to email a client, they should ensure that the email only contains the necessary information and that it is being sent securely to the right person. Therapists should never email sensitive personal information. One recommendation is to sign up for a HIPAA-compliant email service that offers a BAA and includes data encryption.
Video Chats
As discussed above, using HIPAA-compliant video chat software will be the best option in the long run. To meet the HIPAA regulations, the platform must be encrypted. Also, videos should never be recorded through the platform. There are many platforms that have built-in security measures to protect client information and will enter into a HIPAA BAA, including:
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite
- WebEx Teams
- Amazon Chime
- GoToMeeting
- Spruce Health Care Messenger
- Skype for Business
Tips for Therapists to Stay HIPAA Compliant with Online Therapy
Keeping your online therapy sessions HIPAA compliant isn’t difficult when you’ve selected the right digital platform and secured your clients’ personal information. Here are five more things you can do to stay HIPAA compliant while still providing an ideal online therapy experience.
- Be Aware of the Surrounding Environment
HIPAA compliance is more than the digital platform you select for services. It also relates to the therapist’s physical surroundings during the session. Therapists must choose a secure and quiet location for sessions where no one can see or hear the client. Home offices should be private, or, if conducting a session elsewhere, extra steps should be taken to secure the environment. If a client needs an emergency session, therapists still need to find a location where the client cannot be overheard by others.
- Secure the Client’s Location
Ideally, the client is also in a private location where others cannot overhear the session. While this responsibility falls on the client, therapists can take some extra steps to meet regulations. This can include confirming the client’s address, phone number, and who else is in the home at the beginning of each session. This is also good practice in the case of emergency or if the therapist needs to attest that the client was located within state lines.
- Initiate Pre-Session Routines
A pre-session routine can reduce the burden on the therapist and free up time during the actual session. Before each session, a notification can be sent out that asks the client to verify their location, sign any necessary consent forms, secure their environment, and test their connection speed. This is also a good opportunity to send reminders on how to access the session and what is considered acceptable for the visit.
- Ensure a Private, Secure Connection
Public Wi-Fi connections are not secure. Therapists should use a secure, password-protected wireless connection to maintain safe, confidential communications with clients. It’s also important to turn off virtual assistant devices, such as Alexa, that are nearby as these devices may present a privacy concern. It’s also good practice to use a private browser because search history often prepopulates, which might reveal some of the therapeutic content from another session. Private browsing or incognito mode further protects client confidentiality.
- Use the Right Platform
The digital platform itself must encrypt the transmission during video chats without exhausting bandwidth. Therefore, therapists should select a HIPAA-compliant platform that is both secure and able to provide a consistent connection with low bandwidth requirements.
Online therapy can be an excellent way to reach isolated populations or those who prefer to have sessions virtually. However, some ethical and legal concerns become more complicated with offering online therapy services. It is a therapist’s responsibility to comply with HIPAA regulations as well as state and federal laws, and it is their duty to keep client information safe and secure.
Stay up to date on other useful tips for online therapy. Sign up for our newsletter.