The phrase “HIPAA-compliant” has gone the way of overloaded English words like “literally,” “inflammable,” and “awesome” to become nigh-meaningless in its vernacular use. And like middle school English teachers everywhere, I’m on a mission to correct its misuse with some proper HIPAA grammar: “HIPAA-secure.”
My mission is not based in pedantry, though. The way we use the term “HIPAA compliant” in our industry profoundly damages our ability to choose technology for our practices and leaves us, in reality, HIPAA non-compliant. It also puts us in danger of causing ourselves and our clients some real hurt.
We need to use the term only when it applies to us and our ongoing legal-ethical efforts, and use a more appropriate term when we talk about products and services.
How Are We Using “HIPAA-Compliant” Wrong?
“HIPAA-compliant” is a term that can describe a person or group of people. To get technical, it can only describe a HIPAA Covered Entity or a HIPAA Business Associate. For more information, see our article “Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant.”
We also offer 2 free CE hours, both self-study, on the topic of proper HIPAA compliance. You need only subscribe to our (also free) newsletter to access the courses and get CE credit for your time.
A product or service cannot be described as “HIPAA-compliant,” despite the fact that countless experts (including some representatives of professional organizations, unfortunately) will tell clinicians to seek out “HIPAA-compliant” products and services. This also despite the fact that hundreds of tech companies loudly display the term, often in some kind of official-looking logo-esque graphic, on their websites.
Most of those companies are not to blame for the misuse of language, however. Companies that specifically build products to help us meet our HIPAA needs have to have some way of signaling to us that they are serving our needs. Because clinicians are erroneously taught that HIPAA compliance is accomplished by buying products that proclaim HIPAA compliance, these companies will use the term. Not using it would likely mean business death.
Industry leaders and experts have played around with an alternate epithet that describes a product which meets clinicians’ HIPAA needs. The emerging winner seems to be “HIPAA-secure.” A product that claims to be “HIPAA-secure” is claiming to do the things you need it to do so you can remain HIPAA compliant while using it.
At Person-Centered Tech, we have yet another epithet with a slightly different meaning: “HIPAApropriate.” “HIPAApropriate” describes your own relationship with a product. A certain email service, for example, could be HIPAApropriate for one clinician and not for another. It all depends on your practice’s risk management needs.
We regularly review products for HIPAApropriateness. Only our paid Person-Centered Tech Support subscribers can read the full reviews, but everyone can see our information-packed review summaries. Check out our HIPAApropriateness Reviews here.
You’re Just Arguing Semantics, Roy. I’m Sure Of It.
I assure you, dear colleague, that I am not. The difference in terminology has very real impacts on our habits and on client safety. Take the following vignettes as reason to attend to the difference in terms.
We’ll start with a very ham-fisted example, to help set the scene:
The “False Advertising” Vignette:
Ima Therapist is setting up her private practice, and she realizes that she needs to be able to send and receive FAXes. She searches Google for “HIPAA-compliant FAX” and quickly finds “Supercool FAX,” a (fictional) company that’s inexpensive and has an obviously official logo that says “HIPAA Compliant” in big green letters. So she subscribes to the service and starts using it.
After a while, Ima learns from a panicked client that his insurance policy information was somehow leaked to hackers, who used it to create a fraudulent insurance claim. Ima becomes concerned that she may have somehow contributed to this mysterious confidentiality breach, and brings the story to a tech-savvy colleague. After talking to her about her practice management setup, the colleague informs her that Supercool FAX actually sends their “FAXes” as ordinary emails, which have a risk of being picked up by criminal interlopers on the Internet. Because Ima sent so many insurance claims via Supercool FAX, one of those emails probably got picked up by bad guys who used it for criminal gain — at the client’s expense.
This is a very ham-fisted example and rarely happens these days, but has happened before. The lesson is that there is no certification for HIPAA compliance, nor are there self-assessments or even simple checklists that a company could use to check if their product is somehow “compliant.” The “HIPAA-compliant” logo is made up for marketing purposes and there is no legal prohibition against making the claim.
If Ima confronts the company about their advertising, they likely would make some claim about being a “conduit” for information and therefore not subject to the HIPAA Business Associate rule. They are almost certainly wrong about this claim, but they still have Ima’s money. They may see the profits that come from claiming “HIPAA compliance” to be greater than their predicted monetary losses from getting sued or prosecuted for misleading claims.
Once again, this is a highly ham-fisted example meant to illustrate an extreme case where misusing the term “HIPAA-compliant” can cause harm. This example sets groundwork for other, more subtle examples.
The “What Could Possibly Go Wrong?” Vignette:
Early in 2016, Square started executing HIPAA Business Associate Agreements (“BAAs”) in their seller agreements. Ima already uses Square for taking credit cards, but she knows that Square also offers invoicing services. Ima knows that the BAA is necessary for HIPAA compliance if she uses Square for anything other than just running credit cards. That means that before Square offered a BAA, she could not legally use Square’s invoicing services in her practice.
Now that she has the BAA from Square, she is excited to start using the invoicing services. Now instead of swiping client credit cards in session, she simply sends the client a Square invoice after the session is over and the client can pay it with their card on their own time. No more handling payment in-session!
Ima decides that with the BAA, Square is now “HIPAA-compliant.” So because Square is supposedly HIPAA compliant, she can just use any of Square’s services and not worry about it! What could possibly go wrong, right?
Later, Ima gets a call from the hospital. A client of hers was rushed there after being beaten by her abusive spouse. Ima is careful about contacting the client, because she doesn’t want to accidentally tip off the spouse to the fact that her client is in therapy. After looking into it, however, Ima discovers that ship has sailed. Square’s invoicing service uses emails and text messages to send invoices and receipts to both client and therapist. The controlling spouse forced Ima’s client to let him see all her emails and texts. After seeing an invoice for Ima’s services in the client’s inbox, he became enraged.
Ima endangered her clients by leaning on the false idea that Square is “HIPAA compliant” in a blanket sense, and that she can simply use all of Square’s services in any fashion without extra thought or concern.
Here we see the most meaty reason why it is dangerous for us to refer to products as “HIPAA compliant.” Actual HIPAA compliance requires performing a risk analysis of one’s whole practice and keeping that risk analysis ongoing. Before Ima started using the new feature from Square, her own HIPAA compliance would have hinged on performing an assessment of the security risks posed by the new software and coming up with a plan for mitigating those risks.
A simple, almost cursory analysis would have shown Ima that the emails used by Square’s invoicing service pose a real security risk to her clients and that she needs to be cautious with it in the same ways she is cautious with her own email and texting service. If she had done this assessment, which is a basic requirement for Ima’s own HIPAA compliance, this particular harm would likely not have befallen her client.
Okay, one more vignette:
The “But It Isn’t HIPAA Compliant” Vignette:
Ima starts work with an adolescent client who is reticent to talk about her issues in Ima’s office. Ima goes walking in the park with the youngster, which helps a bit. After their first session, though, Ima receives a long and rambling text message from the client in which she finally answers the deeper questions Ima was trying to address during their session.
Before doing anything, Ima does the professional thing and asks colleagues about legal and ethical issues in text messaging. Unfortunately, the urgent response she gets is, “Texting isn’t HIPAA-compliant.” Ima has been taught that HIPAA compliance means only using products or services that are labeled as “HIPAA-compliant.” So she comes to believe that responding to the client’s text message is forbidden regardless of circumstance, and that she should not allow the client to send her text messages at all.
Ima seeks out a secure texting option and decides on one. She then contacts the client by phone (because someone told her that voice calling is “HIPAA-compliant”) and suggests that the client download the same app so they can use it together. The client states she can’t use this app because she doesn’t have a smartphone. Ima, thinking that products and services must be “HIPAA compliant” before you can use them, tells the client that she can’t ever send Ima text messages without a proper smartphone app. “Okay, then I’ll just call you if I need to,” the kid says.
Sessions 2 and 3 with the adolescent feel to Ima like they lack traction, and the client no-shows for session 4. Ima calls to ask what’s going on, and gets no call back nor any attempt to make another appointment.
A better way to respond to Ima’s consultation request about texting would have been to say that the basic texting services that we all use are not “HIPAA-secure.” That statement would have been accurate and much more helpful than the misleading statement that basic texting is “not HIPAA-compliant.”
However, it is possible for Ima, in the right circumstances, to use classic texting services and be HIPAA-compliant. Given there is a compelling clinical reason to do so, Ima could have started a process of collaboration with the young client around using texting in a way that protects the client’s confidentiality to the extent that she needs.
Performing such an exceptional intervention has the potential to be perfectly HIPAA-compliant for Ima, even though basic text messaging is not HIPAA-secure. Because Ima stuck to the erroneous idea that she can only use “HIPAA-compliant products and services,” she lost essential rapport with the client and was unable to help her.
Got It! So From Now On, We’ll Ignore Any Companies Who Claim Their Products Are “HIPAA-Compliant”
I think there’s an intermediate step we have to take before we go there!
Imagine two companies: TechCo A and TechCo B. Both companies produce an online service that allows you and your clients to make counseling appointments online.
TechCo A has a logo on their site that says “HIPAA-compliant” in big, friendly letters. TechCo B instead says that their product is “HIPAA-Secure,” and they include some text explaining what that means. Here we see an important business lesson: if you have to explain why your product is appropriate for a prospective customer but your competitor doesn’t bother doing so, the competitor will win the sale.
Ironically, TechCo B may very well be much more HIPAA-savvy and willing to own their responsibility to the clinicians they serve than TechCo A is. This is evidenced by the fact that TechCo B is reticent to make nonsensical claims like saying their product is “HIPAA-compliant.” TechCo A is going to win the sale, though, and TechCo B will probably go out of business.
Because of this, every company who exists to serve health care pros will claim their products are “HIPAA-compliant.” They can only safely stop this practice after we, the community who they serve, start to recognize what HIPAA compliance is and act accordingly.
If I Can’t Lean On Companies’ Claims of “HIPAA-Compliance,” What Can I Lean On?
That is a fair question. Often, you will need advice from tech-savvy and HIPAA-savvy folks as to which products work and how well they work for your HIPAA compliance.
This is why we release these articles here at Person-Centered Tech. It is also one of many reasons why we offer our Person-Centered Tech Support service, which includes our deeply investigated HIPAApropriateness Reviews.
We aren’t the only helpful ones out there, though. Rob Reinhardt publishes on tech products and especially on cloud-based practice management systems. It would be wise to follow his writings or search his site, in addition to this one, when you’re evaluating a new product.
You can also talk to colleagues who have the tech savvy to understand what they’re looking for in a company’s materials. Many tech helpers have used articles here on Person-Centered Tech to guide their investigations of potential products for the practices they serve.
To get 2 free, self-study CE hours on the topic from us, you need only subscribe to our (also free) newsletter.
So the final lesson is to simply make sure you understand how HIPAA compliance actually works. When you inevitably need to seek consultation from colleagues about HIPAA or digital ethics issues, make sure the colleagues you consult with also understand it. Once the whole community has the concepts well in hand, we’ll all be much better off.