
[Transcript] Episode 420: What You Need to Know about Notes Apps

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 420: What You Need to Know About Notes Apps.

 

Liath Dalton 

Yes. So this has been a question that has been popping up more and more frequently in our group practice office hours and office hours direct support and consultation sessions, around, like, if I’m just putting a little, like, scratch note down in my notes app, is that HIPAA acceptable? Is it HIPAA acceptable for my team to do that? What do I need to know and consider, all those good things?

 

Liath Dalton 

So we thought this was a really relevant thing to be addressing right now since we’ve been getting more and more questions about it.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And it’s something that Evan’s also been looking into in order to support everyone in our community in navigating that. So Evan, take it away.

 

Evan Dumas 

Yeah, so this is a wonderful question because there’s a lot of aspects to it. So you know, there’s the oh, what device am I using? Is it Android? iPhone? Oh, what app am I using? Am I using it correctly? Is what I’m even using PHI?

 

Evan Dumas 

So for the purposes of this little podcast, I’m going to say that everything you put into this notes app is PHI. Because you may say, oh, but it didn’t have client name. And then we’ll counter with yeah, but you had the date and time, and you had client characteristics, or you had initials.

 

Evan Dumas 

Because, you know, as we talked about in the last episode, the PHI threshold is very, very low. So we’re going to assume everything you put into the Notes app is PHI, for these purposes, so don’t –

 

Liath Dalton 

Perfect.

 

Evan Dumas 

Can’t wiggle out that way.

 

Liath Dalton 

Nope.

 

Evan Dumas 

No wiggling.

 

Evan Dumas 

And so another sort of counter is someone saying, Oh, but Apple just told me that the notes are encrypted, or you can password protect them and all this other stuff, which is like, secure, and you’re like, Oh, yes. So I may say, yeah, oh, wow, that does sound secure in the way of keeping it confidential. But is it available? Is it, does it have its integrity? Do you have a BAA with them? And they’ll generally say no. And so you know, you got to use a service that you have a Business Associate Agreement with, because that’s the, that’s them saying that, hey, we’re not covered entity, you are, but we know your stuff is healthcare info, and we’re going to treat it with the due diligence that HIPAA requires, which is great, which is what you need.

 

Evan Dumas 

So this is where I say, how, what apps do you use? And how do you use them? So,

 

Liath Dalton 

Yes.

 

Evan Dumas 

iPhone first, because this is nice and simple. Sure, you could use the Notes app, if you turned off iCloud for it, you had it not sync. But if you were to do that, how are you going to get a copy of it to some safe place, so it’s not just living on your phone? Because you know, putting your notes just on your phone or your iPad, that’s super risky, because you will lose them if you lose the device or if the device breaks or something, because it’s not synced anywhere.

 

Evan Dumas 

So let’s skip that entirely. Let’s think about instead, an alternative. We really recommend Google Keep if you are going to put notes on your phone. This is speaking outside of EHRs and other things, just little notes apps.

 

Liath Dalton 

Yes, we’re talking about the like, use application of keeping scratch notes.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Like say you have a phone conversation with a client and you’re gonna put full, full note into their progress notes or their actual record. But you just need to jot some things down in the interim in order to be able to be sure that you’re putting in what you need to in that note.

 

Evan Dumas 

Yeah, just helping yourself out with another little place to jot things if you don’t do pen and paper. So Google Keep, we recommend for a few reasons. One, Google’s BAA is great. And it covers Google Keep, which is nice, it’s an included functionality. And it works on both iPhones and Androids. So it’s a handy dandy little app. I also love it for grocery lists, it’s really great to sync that with people. And it’s fun to share.

 

Evan Dumas 

Now, if you’re saying, Oh, but I have an Android, and I’m not using Google Keep, what notes app do I use? This is weird, because every Android manufacturer has a different notes app they put in.

 

Liath Dalton 

Yep.

 

Evan Dumas 

Samsung’s got their own, LG’s got their own, and whatnot. And they all want to link it to their cloud. And I say don’t use it, don’t even use it because their clouds won’t give you BAAs. It’s a big ol’ pain. And so you may counter saying, Well, I don’t want to use Google and I can’t use Android phone, what other option is there?

 

Evan Dumas 

Well, if you want to get Microsoft’s BAA and only use OneDrive and OneNote, not use their email, not use their other things, because that’s a bigger mess, you can get a BAA with the business tier. And you can use OneNote on your Android phone, because that’s a safe place to put notes, and you got your BAA, it’s synced up to the cloud service that has a BAA, all that good stuff. So that is a really great option. Now, as I said, just to sum everything up, don’t use apps that sync to cloud services you don’t have a BAA with. This rules out Apple Notes syncing to iCloud. This rules out your Samsung notes syncing to Samsung. It’s a great easy way to say, no BAA – don’t even use it.

 

Liath Dalton 

Yep. That’s,

 

Evan Dumas 

Um, yeah.

 

Liath Dalton 

that is like the default metric that we want to be evaluating services by. Do they provide a BAA? If yes, then we can evaluate further, and there are, of course, some additional questions that we want to be asking and answering before deciding to entrust them with PHI.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

But that’s the like, primary one, that’s our, if it’s not a yes, it’s do not pass go, do not collect $200.

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

With regards to that. And like Evan said, the whole consideration of using something like the Apple Notes app, where you can turn it off, so that it doesn’t sync to iCloud.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that’s why using dedicated systems that are just integrated with your whole tech stack and your HIPAA secure environment, is absolutely the best way to go. Particularly in a group practice context where you have all the different variables of, you know, just having more surface area of risk exposure, because of the number of team members that you have. And that’s where leveraging a system like Keep, like Google Keep,

 

Liath Dalton 

So it’s not creating a HIPAA Business Associate relationship and necessitating a BAA that you cannot get in that instance. That makes the like, first part of the question answer a yes. But unfortunately, it’s still more complicated than that. Because like Evan said, the availability standard is still something that has to be met. And so that means that we have to be having secure HIPAA appropriate off site backups for that data, if it’s client PHI and unique client PHI.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

on something that’s already within your practice’s security circle, right, is going to be the most beneficial way to address this need.

 

Evan Dumas 

Mhm, exactly. And if you’re ever thinking like, Oh, what about this, and you’re trying to find some like workaround or wiggle of like some exception to make it acceptable. That’s just a big red flag. If you think you’ve found a clever way around some requirements. That’s always usually a sign that it doesn’t exist, that you’re just holding out some hope, because we honestly haven’t seen a lot of those. So you know, when in doubt, just use the tried and true, great systems that we know and don’t think of a sneaky way to get around things because that that just won’t help.

 

Liath Dalton 

Exactly. And honestly, I find that usually the reasons that practice owners will do those kinds of mental gymnastics are because of wanting to save on costs. Which,

 

Evan Dumas 

True.

 

Liath Dalton 

But you know, I absolutely wholeheartedly understand that your judicious resource allocation is a really important component of appropriate business management.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

And paired with that, typically, it’s like if you’re in our listening community, you most likely are already using Google Workspace. Which means that there is already something that fills this functionality need and use application that’s already provided for within a system that you have, and that is HIPAA appropriate. And so you just need to leverage it appropriately and train and equip your team to utilize that resource effectively.

 

Evan Dumas 

Yeah. And if you’re looking for a very cheap solution for those little chicken scratches to catch you, between here and there, if you just need to jot something down, nothing’s cheaper than pencil and paper. So,

 

Liath Dalton 

Right.

 

Evan Dumas 

That’s, you know, if people are saying I need a quick, cheap solution, yeah, nice pen, nice little journal.

 

Liath Dalton 

Exactly.

 

Evan Dumas 

HIPAA doesn’t say that’s bad.

 

Liath Dalton 

No, there, there is no problem with that. If your process and like policy and procedure that accompanies taking that chicken scratch is, I’m going to then within an X period of time, enter that into the client’s actual record.

 

Evan Dumas 

Yep, yep.

 

Liath Dalton 

And then upon doing so I will appropriately destroy the hard copy that contains any of that info, that is totally acceptable. So whether you’re a solo provider, or a group practice, that’s applicable. Now, in a group practice context, that’s something that does need to be managed by policy and procedure and training, and oversight, because it can be an area where, you know, things fall through the cracks, right?

 

Liath Dalton 

Someone’s like, oh, well, I enter all of those, or maybe they enter the like, create the actual notes, in more short order than within a month’s time frame for the client records. But they have a policy, like personal policy, of destroying the scratch notes only within every 30 days. They’re like, oh, it’s the last day of the month, I’m going to shred those paper notes. In the interim of those notes being created and being destroyed, there’s risk exposure there, that is within the surface area of risk exposure for the practice.

 

Liath Dalton 

Or rather, I should say, not just the surface area of risk exposure, but actually the like, within the realm of liability and responsibility for the practice, right?

 

Evan Dumas 

Yeah, totally.

 

Liath Dalton 

So these are just the sorts of considerations that we want to be having about how sort of the intermediary or interstitial notes, scratch notes are being taken, recorded and secured. And oftentimes, you know, an app is going to be the most convenient way to manage that. And in that instance, that’s where you really want to lean into leveraging the tools that you already have at your disposal. So those of you that are using Google Workspace, Keep is a fantastic option for that.

 

Evan Dumas 

Yeah, totally. Yeah.

 

Liath Dalton 

Alrighty.

 

Liath Dalton 

Anything else to add on this, Evan?

 

Evan Dumas 

No, it’s nice other than you may get notifications down the road of how certain features are added to apps that you like that use in your personal life, like people heard about security features added to Apple Notes. But the only one to really keep your eyes out for is if they started offering BAAs.

 

Liath Dalton 

Right.

 

Evan Dumas 

So any other little features? Yeah, they’re nice, and they’re great, but they probably won’t create a conduit exception. So it’s like, just not helpful until we get the full BAA.

 

Liath Dalton 

Right. Yeah, that’s the importance. There is a difference between something that is excellent for general security and privacy practices, and something that’s sufficient for HIPAA security compliance.

 

Liath Dalton 

And so I think we’re actually going to dive into this in our next podcast episode, but we’ll foreshadow a little here, which is the, you know, incredibly useful clarification from the OCR, the Office of Civil Rights, the HIPAA regulators in HHS, that if a cloud service provider handles your clients’ information or Protected Health Information, even if that information that they receive and are handling is encrypted, and they do not have the encryption key, meaning they cannot unencrypt it, they cannot view it, they cannot access it or use it in any way. If they are just handling it in its encrypted state, that still creates and necessitates a Business Associate relationship and agreement. Right?

 

Evan Dumas 

Yeah.

 

Evan Dumas 

Mhm. Yeah.

 

Liath Dalton 

Like that is hugely impactful clarification and guidance. It’s consistent with everything we’ve been saying all along. But it’s really excellent to have that crystallized from them in this useful guidance document, because that just adds to what we describe as our North Star for just determining what’s within our HIPAA scope and what’s not and how we need to manage it.

 

Evan Dumas 

Mhm, mhm.

 

Liath Dalton 

All right, so stay tuned for the next episode in which we get more into that sort of cloud service agreement

 

Evan Dumas 

Yeah.

 

Liath Dalton 

consideration piece. But in the meantime, we hope all of you take good care, and we’ll look forward to connecting with you next time.

 

Evan Dumas 

Yeah, talk to you next time, everybody.

 

Liath Dalton 

Bye.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we explain what you can and can’t use a notes app for in a group practice.

We discuss what’s permissible under HIPAA; different notes app options for iPhone and Android; notes and PHI; getting BAAs; cloud syncing; policies and procedures around scratch notes; and what the Office of Civil Rights (the HIPAA regulators) say about this topic.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information

PCT Resources:

  • PCT’s free Group Practice Service Selection Workbook & Worksheets Step 1 of the PCT Way — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

 

 
