So, we were going to write a big retrospective article back in January, but too much was happening! We had to take things one piece at a time.
(As one of our favorite memes read: “January was a long year, but it’s finally over!”)
Now that we’ve got most of the exciting stuff largely sorted, though, we are happy to present our listicle of things to know about texting, HIPAA changes, and choosing your therapy tech in 2019. Enjoy!
1) Conventional texting (SMS) is becoming even less private after an FCC decision from December 2018
Last December, the Federal Communications Commission changed the classification for SMS and MMS messages (the conventional text messaging protocols we’re used to).
Previously, their classification gave SMS and MMS messages some protection from being monitored or blocked by phone companies. The new classification allows phone companies to monitor messages and even block them.
The FCC states that this was done to stop automated text messaging spam. Whatever the reason for their decision, one impact is that SMS and MMS messages are now more vulnerable to monitoring and even blocking by phone companies. Fortunately, there are alternatives…
2) Affordable and free secure texting options have been available to us for a couple of years now
There are several secure and reliable ways to accomplish the same objective as using SMS texting with clients.
“Texting” essentially means to use one’s mobile device (i.e. “phone”) to exchange quick messages with other people (who are probably also on their phones). When therapist and client both possess smartphones, some secure alternatives to SMS texting include:
- Signal. We like Signal for solo providers as a simple and secure medium for texting. (Note: we don’t always recommend it with groups, for reasons that are beyond the scope of this article.) Please read and understand our review of Signal before you use it, however!
- Secure client messaging apps like Spruce Health.
- The messaging feature of some practice management systems’ smartphone apps.
3) While we’re at it: don’t forget to make sure your email is appropriate for clients, too
I never pass up a chance to remind people that no matter how you arrange to use email with clients, you should have a Business Associate Agreement with your email provider. Getting into the details of how and why that works generally takes a whole article. So if you want to read one, here is our article on the types of email security.
4) The OCR (The HIPAA People) are gearing up for changes to HIPAA’s Privacy Rule
As we stated before, the OCR put out a Request for Input on some of their ideas around changes to HIPAA’s Privacy Rule. So this does mean that HIPAA changes are coming down the pike, but we only have general ideas of what they’ll look like. We discussed this at length in our 2019 Therapists’ Security and Privacy Update presentation for Person Centered Tech’s members.
Two things I really want to make sure you all know are: 1) they directly proposed no changes to the Security Rule, which is concerned with the security of electronic information, and 2) they proposed nothing new regarding enforcement. In other words, they said nothing about new audits. So if anyone starts saying that you need to get scared about new HIPAA audits, it ain’t related to the OCR’s recent Request for Input!
5) It could be useful to start re-thinking how you manage records releases
One thing is clear both from the OCR’s statements over the past couple of years and from their recent Request for Input: they want records to flow between providers and clients/patients much more freely.
We submitted input to them regarding the potential dangers of requiring clinicians to release information to other clinicians and agencies. However, they definitely want records of all kinds to flow more freely. We mental health pros tend to be resistant to releasing records (or at least releasing them verbatim), even though clients have a right to them. If you aren’t already prepared for records releases to clients becoming a norm, it could be good to start preparing for that.
6) Be wary of the growing number of companies who want your business but don’t want your security and privacy responsibilities
Even though mental health private practices are financially small potatoes next to hospitals, we are still a big market with a big need for software services that help us run our practices and manage things like client scheduling, payments, and more.
Because of this, we are seeing a lot more companies that normally serve non-clinical businesses trying to get mental health practices (and massage, physical therapy, etc. practices) onto their client rosters.
Sometimes these companies do their due diligence and create products that serve our legal-ethical needs around security. Increasingly, we’re seeing companies that don’t do that.
When choosing online services to help manage your practice, please keep at least these things in mind:
- Information about scheduling client appointments, communicating with clients about logistics, and just about anything that links clients to their therapist is personally-identifying health information and, therefore, meets the definition of protected health information under HIPAA. If a potential vendor handles these kinds of information and claims that they do not handle protected health information, they are likely to be mistaken on that point.
- If a vendor handles your protected health information, HIPAA requires that they execute a HIPAA-compliant Business Associate Agreement with you. If a vendor claims that such an agreement is not necessary because they are a “conduit,” then they are on shaky ground in our opinion. Besides that, we recommend against trusting your client information to any vendor who is unwilling to take responsibility for your information by entering into a HIPAA-compliant Business Associate Agreement.
If you’re unsure about a product that you’re considering using, you can see if we have reviewed it for appropriateness in our HIPAApropriateness Reviews. Use them in good health!