Transcript – Episode 415: [Tech Tips] VPNs, Password Managers, and HIPAA

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records. Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 415: [Tech Tips] VPNs, Password Managers and HIPAA.

 

Liath Dalton 

So we are often talking about all the different options for services that provide functionality that helps secure your practice or just make things work better. And in that category are VPNs, or virtual private networks,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

and password managers. But there are some interesting considerations for how they fit into your HIPAA compliance activities and questions that come up around them often.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Evan, what is one of the number one questions that we get about VPNs and password managers?

 

Evan Dumas 

Yeah, we just got this one today, which spurred this episode, is “Do I need a BAA and who provides a BAA for for a VPN or a password manager?”

 

Liath Dalton 

Exactly. And the that’s a absolutely reasonable question because we are always talking about the importance of having a HIPAA Business Associate Agreement with service providers that provide functionality that touches Protected Health Information or client info.

 

Liath Dalton 

And, you know, understandably the thought is, well, a VPN that’s giving me a secured internet connection tunnel that allows me to use otherwise untrusted networks, that’s handling all the information and traffic of my connection, including PHI. So that would be subject to HIPAA’s Business Associate Rule, right?

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Well, in this instance, no. Just like your Internet Service Provider, or ISP, does not constitute a Business Associate, because of the way they are handling information. You want to describe that in the kind of technical terms, Evan?

 

Evan Dumas 

Yeah, sure. It’s called the conduit exception. And just as the term conduit implies, is really something that connects one thing to another thing, and in this case, doesn’t know what its transporting.

 

Evan Dumas 

So in that way, the data that goes from point A to point B is effectively de identified because it’s just tiny little packets of information, they’re not reading it, they’re not looking at it scanning, you’re not looking at whatever data gets passed between these two points. And so in that way, VPNs and ISPs fall into this lovely conduit exception, so you don’t need BAAs with them.

 

Liath Dalton 

Exactly. And they do not store the packets of data that they are handling,

 

Evan Dumas 

Nope.

 

Liath Dalton 

right, when we’re talking about a VPN or an Internet Service Provider. Because to get into the kind of geeky part of HIPAA, when we’re talking about a Business Associate, or a service provider that handles Protected Health Information, when they are storing it and holding on to it, even if it’s encrypted and they don’t have the encryption key, so they couldn’t unencrypt it under any circumstances. If they’re storing it, then it is subject to the Business Associate Rule and doesn’t meet the conduit exception criteria.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

But ISPs and VPNs aren’t holding on to any of that data, so that’s why they actually qualify udner the conduit exception. Which is great because that opens things up in a couple of really useful ways, particularly in the group practice context.

 

Liath Dalton 

Because you’ve heard us no doubt, talk about the prohibition on personal service use for any services that handle Protected Health Information. And so, you know, this applies to a prohibition on your team members using personal phone service for client communication, and so on and so forth. But when it comes to a VPN, not only does the conduit exception apply, but in part because it applies, and it’s not actually holding PHI that you need to have control over and access to, it means that clinicians can and team members can actually use their own VPN service.

 

Evan Dumas 

Yeah. Uh-huh.

 

Liath Dalton 

It doesn’t have to be a practice provided service.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So the in a nutshell about VPNs is they are not subject to HIPAA’s Business Associate Rule, you don’t need a BAA with the service provider. And in part because of that, it also means that it is one of the few services that relates to keeping client info safe that is possible to be used as a personal service and not a practice provided service.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Which segues to how password managers work as well.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Password managers are one of the most helpful and supportive tools

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

that you can have in place in in your practice, because they’re so supportive of being able to manage a lot of the security requirements for keeping accounts safe.

 

Evan Dumas 

Yeah, yep.

 

Liath Dalton 

And that is, through having complex, unique passwords and login credentials for every system and service that is utilized.

 

Evan Dumas 

Yup.

 

Liath Dalton 

 And that can get almost impossible, really to manage, especially with the number of services that folks utilize both personally and professionally, if you are just trying to manage it manually. So password management programs are an excellent tool that can really help us manage security and good security practices.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

But even though they are holding the keys that unlock systems containing client information, the login credentials themselves, so the username and passcode or passwords that a password management program are holding on to and securing for you. That’s not PHI.

 

Evan Dumas 

Nope.

 

Liath Dalton 

So, a password management program is not qualified as a HIPAA Business Associate because they aren’t holding Protected Health Information on your behalf.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So again, the great news there is no BAA is necessary. And it also means the same thing as we

 

Evan Dumas 

Yeah.

 

Liath Dalton 

just expressed for VPNs, that you don’t need to have a prohibition on team members using a personal service, like their own password management program. It doesn’t have to be a practice provided

 

Evan Dumas 

No.

 

Liath Dalton 

password management program.

 

Evan Dumas 

Yep.

 

Liath Dalton 

That said, we do think that because the security benefits a password management program offers are so significant, especially in a group practice context, and because they’re really affordable as well, that it makes good sense to consider having a password management program be one of the practice provided resources.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Rather than relying on team members to have their their own password management program or making that optional.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So now let’s make some specific product recommendations,

 

Evan Dumas 

Haha, yeah.

 

Liath Dalton 

what password management program we like best, and why, and same for VPN service.

 

Evan Dumas 

Yeah. All right. We really like 1Password. It’s the number 1 followed by the word Password. And they’re great. They’re based in Canada. They have a non data extradition clause even, which is really, really nice. They have no history of any intrusions or anything like that. And it’s also just really easy to use, and kind of pretty, which I find helps any bit of software makes it just calmer and more soothing for me. So I really enjoy them.

 

Evan Dumas 

It is paid. So they don’t have a free tier, but they do have a free trial for a couple of weeks, give it a shot. It’s more economical, if you buy, their sort of like, family version so that you can have a lot of other family members on your plan. So that means you can set them up with password managers. And has lots of options for like, Oh, what, what passwords are unique, which passwords are shared, etc, for like, you know, for your Netflix or things versus you know, you want to keep your business ones separate. But it’s it’s very lovely, it’s great.

 

Liath Dalton 

Absolutely. And you can set up different password vaults as well. And one great sort of benefit of that is that for providers who have a custodian of record in the event that they become unavailable, incapacitated or deceased, that the custodian of record is going to need to be able to access client info in order to fulfill their duties and responsibilities. And, that gets really challenging if you don’t have a mechanism of making sure that they have access to the systems that contain the information that they need,

 

Evan Dumas 

Mhm.

 

Liath Dalton 

through having updated login credentials. But you don’t want to be sending those back and forth, or having to remember to tell them every time you updated them, and don’t want them using those passwords, of course, unless it’s under the circumstances that the custodian of record agreement and situation is intended for. And so having a password vault that is shared with them, and has a kind of break the glass setup for providing access is another great perk.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So 1Password is our top password management program recommendation. It used to be that we would say that there were kind of three good contenders.

 

Evan Dumas 

Yep.

 

Liath Dalton 

The other two being LastPass and Dashlane, though we’ve always had, among the three, a strong preference for 1Password.

 

Evan Dumas 

Yep.

 

Liath Dalton 

But over the last couple of years, there have been a number of incidents with LastPass, in particular, that were were pretty problematic.

 

Evan Dumas 

Yeah totally.

 

Liath Dalton 

So because of that, we now do have the clear cut preference for for 1Password, and in part because the way 1Password is set up, is such that the issues that impacted LastPass are not in the realm of possibility for impacting 1Password because of the way they’re managing data.

 

Liath Dalton 

So that’s our top recommendation there.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And then in terms of a VPN service, we also do have a

 

Evan Dumas 

Yeah.

 

Liath Dalton 

clear winner in that category as well.

 

Evan Dumas 

Yeah,

 

Liath Dalton 

You’ve you’ve played around with more VPNs as well.

 

Evan Dumas 

I have.

 

Liath Dalton 

So you can speak with direct experience as to why we have a preference for Nord VPN.

 

Evan Dumas 

Yeah, so there’s a ton of VPNs out there, it seems like every bit of software has bundled in some of their own, like white labeled VPN. Like who knows who runs it but they’re like, we’ll toss it in a VPN, like through McAfee or Norton or what others, will just like throw it in. Just like some of them are now throwing it password managers.

 

Liath Dalton 

Mhm.

 

Evan Dumas 

Our, also general recommendation is, get software from people who know what how it works and what they’ve made it for. Purpose built. Not like software as an accessory. You know, like the free little doodad you get when you buy something else, is never as good as the thing you actually bought. So in this case, VPNs that may come through your ISP or other people, just aren’t as full featured, well made, or well supported, as one from an actual VPN company. And Nord VPN is, that’s what they’re mostly known for. It’s in their name.

 

Liath Dalton 

Exactly, and it has the feature of a kill switch, as well.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Which is necessary when we are using a VPN for HIPAA security purposes. Which basically means means that if the VPN ceases functioning, it just closes off the connection to the internet, as well, until the VPN connection is reestablished. So that you aren’t connected to the internet without the protection of the VPN.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Which is when, you know bad guys can get in to your computer and wreak havoc. So that’s why a kill switch is important functionality there. And it’s really easy to configure and set up.

 

Liath Dalton 

And then one of the other benefits of Nord VPN, which is particularly relevant for folks who may be needing to use a VPN to secure their network connection, specifically, when they are going to be doing a teletherapy session.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And that is that Nord has a lot of different server locations and allows you to pick the one that you are connecting to. So the benefit there is that you can pick one that is as close to your actual physical location as possible, which then means that there are less jumps that your connection has to make, and therefore much less likelihood of there being lag, which can impact video quality.

 

Liath Dalton 

Oh quite a bit.

 

Liath Dalton 

And that’s really something we don’t want happening in a teletherapy session.

 

Evan Dumas 

No, no, no.

 

Liath Dalton 

So, Nord is great at managing that aspect of things, too.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So there you have it! A couple specific product recommendations, and the important answer to “Do I need a BAA with these service providers?”, and the rationale for why not. So hopefully that helps you make some good choices about how to employ these tools within your practice.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Stay tuned for next time and more tech tips and HIPAA help.

 

Evan Dumas 

Yeah, see you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.