1) We have more time with each client and thus we use clinician-client collaboration more than other professions.
Most of us spend a “therapy hour” or more with each client, usually every week when we start working with them.
Some other health care professions have similar contact, but very few professions have the time, the one-on-one energy investment and the level of collaboration around care to get as close to clients as we do and work with them on a case-by-case basis to meet their needs.
This client-centeredness and collaborative working relationship is not only in clinical work, but in ethical and legal work, as well.
Also, HIPAA is written broadly — especially the Security Rule. I get many questions from colleagues who have been told things like, “HIPAA requires that we encrypt every email” or other similarly specific “rules.”
The truth is that HIPAA doesn’t specify things like if you must encrypt every email or how often you must change your passwords. It does say that you must create a manual of policies and procedures* wherein you decide how your practice will comply with the broader guidelines that HIPAA does specify.
Different clinics adopt policies around encrypted email, password changes, etc. in order to comply with HIPAA’s broader requirements and to meet certain industry standards and guidelines.
Different practices may have different needs in order to comply with HIPAA’s requirements, however. In other words, our policies can change according to what is best for our security needs.
Because we mental health clinicians use client collaboration and knowledge of client needs and habits to inform our clinical decisions, we have greater room to use those relationships to inform security needs, as well. We have more room to work with clients on what will be secure for them.
This client-centeredness can be perfectly HIPAA compliant and also good for our relationships with clients. And we have more space and deeper skills to enact it than most other health care professions.
2) We are more likely to use consumer electronics and consumer Cloud services in our practices than big clinics and hospitals are.
There is a whole field of services out there aimed at the health care market: phone systems, special email systems, clinician-to-clinician secure texting, telemedicine video conferencing platforms, etc.
In mental health, we definitely use these. However, we don’t have nearly the use for them that medical clinics often do.
We are more likely to be in a position where we’d rather use more popular products like Square, PayPal, and Gmail.
While it is certainly not impossible to be HIPAA compliant using consumer-level products, it does introduce wrinkles into our risk management plans.
The federal agency in charge of HIPAA, the Office of Civil Rights (OCR), generally seems to me to be unaware of a world within health care where using popular products is seen as normal, reasonable, and desirable.
Additionally, there are some genuine pitfalls when using these products in that the product developers are not aware of our unique ethical and legal needs.
As such, we need to be aware of how HIPAA interacts with popular products like Square and Gmail and take action accordingly.
Often this means taking steps to make sure we don’t use certain features of the service. E.g. we don’t use the customer invoicing services offered by Square and PayPal but we happily use the credit card processing services.
This website is full of articles relating to these particular HIPAA gotchas of a variety of products, including information about ways to manage them.
3) We don’t follow a typical medical model, which means we sometimes have a different idea of what constitutes “health information.”
The definition of “health information” provided in the HIPAA Administrative Simplification is quite broad and certainly includes mental health counseling and therapy services.
However, not all of us limit ourselves to such services.
For many of us, our activities really are limited to things that are clearly “health care,” such as “mental health counseling,” “behavioral health therapy,” “marriage and family therapy,” etc.
However, how do the following things fit into the definition of “health care?”
- Career counseling
- Mediation services
- Life coaching
A quick Google search will reveal a lot of discourse and debate on these questions.
In HIPAA’s case, the answer can be quite important. HIPAA requires that our documented risk analyses and risk management plans include in their scope all of the “electronic protected health information” that we create, receive, maintain or transmit.
If I do career counseling, and I give a client a strengths assessment or interest inventory, are the results of those instruments “protected health information?” More to the point: do I need a Business Associate Agreement with the companies that provide those instruments? (most such instruments are provided through handy websites.) Or do I need to administer those instruments myself with pencil-and-paper so as to avoid HIPAA complications?
Career counselors generally regard their work as clinical, and as a part of their work as professional counselors providing health care. The companies that make career coaching-related instruments generally don’t see their services as “health care,” however. Physicians rarely run into this kind of snag.
Mental health pros who provide mediation, coaching, or other services I haven’t thought of may find themselves running into similar questions when working on their documented HIPAA compliance.
At Person-Centered Tech, we strive to fill in the gaps between “popular HIPAA” and “mental health HIPAA.” Stay tuned — or get involved in our programs — for more.
Person-Centered Tech offers positive, approachable, live interactive CE programs on security and HIPAA specifically tailored to mental health professionals: