Transcript
[Transcript] Episode 420: What You Need to Know about Notes Apps
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 420: What You Need to Know About Notes Apps.
Liath Dalton
Yes. So this has been a question that has been popping up more and more frequently in our group practice office hours and office hours direct support and consultation sessions around. Like if I’m just putting a little like scratch note down in my notes app, is that HIPAA acceptable? Is it HIPAA acceptable for my team to do that? What do I need to know and consider, all those good things?
Liath Dalton
So we thought this was a really relevant thing to be addressing right now since we’ve been getting more and more questions about it.
Evan Dumas
Yeah.
Liath Dalton
And it’s something that Evan’s also been been looking into in order to support everyone in our community in navigating that. So Evan, take it away.
Evan Dumas
Yeah, so this is a wonderful question because there’s a lot of aspects to it. So you know, there’s the oh, what device am I using? Is it Android? iPhone? Oh, what app am I using? Am I using it correctly? Is what I’m even using PHI?
Evan Dumas
So for the purposes of this little podcast, I’m going to say that everything you put into this notes app is PHI. Because you may say, oh, but it didn’t have client name. And then we’ll counter with yeah, but you had the date and time, and you had client characteristics, or you had initials.
Evan Dumas
Because, you know, as we talked about in the last episode, the PHI threshold is very, very low. So we’re going to assume everything you put into the Notes app, is PHI, for this purposes, so don’t –
Liath Dalton
Perfect.
Evan Dumas
Can’t wiggle out that way.
Liath Dalton
Nope.
Evan Dumas
No wiggling.
Evan Dumas
And so another another sort of counter is someone saying, Oh, but Apple just told me that the notes are encrypted, or you can password protect them and all this other stuff, which is like, secure, and you’re like, Oh, yes. So I may say, yeah, oh, wow, that does sound secure in the way of keeping it confidential. But is it available? Is it, does it have its integrity? Do you have a BAA with them? And they’ll generally say no. And so you know, you got to use a service that you have a Business Associate Agreement with, because that’s the, that’s them saying that, hey, we’re not covered entity you are, but we know your stuff is healthcare info, and we’re going to treat it with the due diligence that HIPAA requires, which is great, which is what you need.
Evan Dumas
So this is where I say, how, what apps do you use? And how do you use them? So,
Liath Dalton
Yes.
Evan Dumas
iPhone first, because this is nice and simple. Sure, you could use the Notes app, if you turned off iCloud for it, you had it not sync. But if you were to do that, how are you going to get a copy of it to some safe place, so it’s not just living on your phone? Because you know, putting your notes just on your phone or your iPad, that’s super risky, because you will lose them if you lose the device or if the device breaks or something, because it’s not synced anywhere.
Evan Dumas
So let’s skip that entirely. Let’s think about instead, an alternative. We really recommend Google Keep if you are going to put notes on your phone. This is speaking outside of EHRs and other things, just little notes apps.
Liath Dalton
Yes, we’re talking about the like, use application of keeping scratch notes.
Evan Dumas
Mhm.
Liath Dalton
Like say you have a phone conversation with a client and you’re gonna put full, full note into their progress notes or their actual record. But you just need to jot some things down in the interim in order to be able to be sure that you’re putting in what you need to in that note.
Evan Dumas
Yeah, just helping yourself out with another little place to jot things if you don’t do pen and paper. So Google Keep, we recommend for a few reasons. One Google’s BAA is great. And it covers Google Keep, which is nice, it’s an included functionality. And it works on both iPhones and Androids. So it’s a handy dandy little app. I also love it for grocery lists, it’s really great to sync that with people. And it’s fun to share.
Evan Dumas
Now, if you’re saying, Oh, but I have an Android, and I’m not using Google, Google Keep what notes app do I use? This is weird, because every, every Android manufacturer has a different notes app, they put in.
Liath Dalton
Yep.
Evan Dumas
Samsung’s got their own, LG’s got their own, and whatnot. And they all want to link it to their cloud. And I say don’t use it, don’t even use it because their clouds won’t give you BAAs. It’s a it’s a big ol pain. And so you may counter saying, Well, I don’t want to use Google and I can’t use Android phone, what what other option is there?
Evan Dumas
Well, if you want to get Microsoft’s BAA and only use OneDrive and OneNote, not use their email, not use their other things, because that’s a bigger mess. You can get a BAA with the business tier. And you can use OneNote on your Android phone, because that’s a safe place to put notes, and you got your BAA, it’s synced up to the cloud service that has a BAA all that good stuff. So that is a really great option. Now, as I said, just to sum everything up, don’t use apps that sync to cloud services, you don’t have a BAA with. This rules out Apple notes syncing to iCloud. This rules out your Samsung notes syncing to Samsung. It’s a great easy way to say, no BAA – don’t even use it.
Liath Dalton
Yep. That’s,
Evan Dumas
Um, yeah.
Liath Dalton
that is like the the default metric that we want to be evaluating services by. Do they provide a BAA? If yes, then we can evaluate further, and there of course, some additional questions that we want to be asking and answering before deciding to entrust them with PHI.
Evan Dumas
Mhm.
Liath Dalton
But that’s the like, primary one, that’s our, if it’s not a yes, it’s do not pass go, do not collect $200.
Evan Dumas
Yeah, yeah.
Liath Dalton
With with regards to that. And like Evan said, the whole consideration of using something like the Apple Notes app, where you can turn it off, so that it doesn’t sync to iCloud.
Evan Dumas
Yeah.
Liath Dalton
So that’s why using dedicated systems that are just integrated with your whole tech stack and your HIPAA secure environment, is absolutely the best way to go. Particularly in a group practice context where you have all the different variables of, you know, just having more surface area of risk exposure, because of the number of team members that you have. And that’s where leveraging a system like Keep, like Google Keep,
Liath Dalton
So it’s not creating a HIPAA Business Associate relationship and necessitating a BAA that you cannot get in that instance. That makes the like, first part of the question answer a yes. But unfortunately, it’s still more complicated than that. Because like Evan said, the availability standard is still something that has to be met. And so that means that we have to be having secure HIPAA appropriate off site backups for that data, if it’s client PHI and unique client PHI.
Evan Dumas
Yeah.
Liath Dalton
on something that’s already within your practice’s security circle, right, is going to be the most beneficial way to to address this need.
Evan Dumas
Mhm, exactly. And if you’re ever thinking like, Oh, what about this, and you’re trying to find some like workaround or wiggle of like some exception to make it acceptable. That’s just a big red flag. If you think you’ve found a clever way around some requirements. That’s always usually a sign that it doesn’t exist, that you’re just holding out some hope, because we honestly haven’t seen a lot of those. So you know, when in doubt, just use the tried and true, great systems that we know and don’t think of a sneaky way to get around things because that that just won’t help.
Liath Dalton
Exactly. And honestly, I find that usually the reasons that practice owners will do those kinds of mental gymnastics are because of wanting to save on costs. Which,
Evan Dumas
True.
Liath Dalton
But you know, I absolutely wholeheartedly understand that your judicious resource allocation is a really important component of appropriate business management.
Evan Dumas
Mhm, yeah.
Liath Dalton
And paired with that, typically, it’s like if you’re in our listening community, you most likely are already using Google Workspace. Which means that there is already something that fills this functionality need and use application that’s already provided for within a system that you have, and that is HIPAA appropriate. And so you just need to leverage it appropriately and train and equip your team to utilize that resource effectively.
Evan Dumas
Yeah. And if you’re looking for a very cheap solution for those little chicken scratches to catch you, between here and there, if you just need to jot something down, nothing’s cheaper than pencil and paper. So,
Liath Dalton
Right.
Evan Dumas
That’s, you know, if people are saying I need a quick, cheap solution, yeah, nice pen, nice little journal.
Liath Dalton
Exactly.
Evan Dumas
HIPAA doesn’t say that’s bad.
Liath Dalton
No, there, there is no problem with that. If your process and like policy and procedure that accompanies taking that chicken scratch is, I’m going to then within an X period of time, enter that into the client’s actual record.
Evan Dumas
Yep, yep.
Liath Dalton
And then upon doing so I will appropriately destroy the the hard copy that that contains any of that info, that is totally acceptable. So whether you’re a solo provider, or a group practice that’s applicable. Now, in a group practice context, that’s something that does need to be managed by policy and procedure and training, and oversight, because it can be an area where, you know, things fall through the cracks, right?
Liath Dalton
Someone’s like, oh, well, I enter all of those, or maybe they enter the like, create the actual notes, in more short order than within a month’s time frame for for the client records. But they have a policy like personal policy of destroying the scratch notes only within every 30 days. They’re like, oh, it’s the last day of the month, I’m going to shred those those paper notes. In the interim of those notes being created and being destroyed, there’s risk exposure there, that is within the surface area of risk exposure for the practice.
Liath Dalton
Or rather, I should say, not just the surface area of risk exposure, but actually the like, within the realm of liability and responsibility for the practice, right?
Evan Dumas
Yeah, totally.
Liath Dalton
So these are just the the sorts of considerations that we want to be having about how a sort of the intermediary or interstitial notes, scratch notes are being taken, recorded and secured. And oftentimes, you know, an app is going to be the most convenient way to manage that. And in that instance, that’s where you really want to lean into leveraging the tools that you already have at your disposal. So those of you that are using Google Workspace, Keep is is a fantastic option for that.
Evan Dumas
Yeah, totally. Yeah.
Liath Dalton
Alrighty.
Liath Dalton
Anything else to add on this, Evan?
Evan Dumas
No, it’s nice other than you may get notifications down the road of how certain features are added to apps that you like that use in your personal life, like people heard about security features added to Apple notes. But the only one to really keep your eyes out for if is if they started offering BAAs.
Liath Dalton
Right.
Evan Dumas
So any other little features? Yeah, they’re nice, and they’re great, but they probably won’t create a conduit exception. So it’s, it’s like, just just not helpful until we get the full BAA.
Liath Dalton
Right. Yeah, that’s the importance. There is a difference between something that is excellent for general security and privacy practices, and something that’s sufficient for HIPAA security compliance.
Liath Dalton
And so I think we’re actually going to dive into this into our in our next podcast episode, but we’ll foreshadow a little here, which is the, you know, incredibly useful clarification from the OCR, the Office of Civil Rights, the HIPAA regulators in HHS, that if a cloud service provider handles your clients information or Protected Health Information, even if that information that they receive and are handling is encrypted, and they do not have the encryption key, meaning they cannot unencrypt it, they cannot view it, they cannot access it or use it in any way. If they are just handling it in its encrypted state that still creates and necessitates a Business Associate relationship and agreement. Right?
Evan Dumas
Yeah.
Evan Dumas
Mhm. Yeah.
Liath Dalton
Like that is hugely impactful clarification and guidance. It’s consistent with, with everything we’ve been saying all along. But it’s really excellent to have that crystallized from them in this this useful guidance document, because that just adds to what we describe as our North Star for just determining what’s within our HIPAA scope and what’s not and how we need to manage it.
Evan Dumas
Mhm, mhm.
Liath Dalton
All right, so stay tuned for the next episode in which we get more into that sort of cloud service agreement
Evan Dumas
Yeah.
Liath Dalton
consideration piece. But in the meantime, we hope all of you take good care, and we’ll look forward to connecting with you next time.
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
Bye.
Liath Dalton
This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
![liath](https://personcenteredtech.com/wp-content/uploads/2021/10/liath.png)
![evan evan](https://personcenteredtech.com/wp-content/uploads/2020/06/Untitled-design-1.png)
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we explain what you can and can’t use a notes app for in a group practice.
We discuss what’s permissible under HIPAA; different notes app options for iPhone and Android; notes and PHI; getting BAAs; cloud syncing; policies and procedures around scratch notes; and what the Office of Civil Rights (the HIPAA regulators) say about this topic.
Resources are available for all Group Practice Tech listeners below:
![proudly sponsored by](https://personcenteredtech.com/wp-content/uploads/2024/01/proudly-sponsored-by-e1706490067491.png)
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
PCT Resources:
- PCT’s free Group Practice Service Selection Workbook & Worksheets Step 1 of the PCT Way — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs.
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.