Transcript

[Transcript] Episode 515: Syncing Safely: How to Integrate your EHR Calendar with Third-Party Calendars

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 515: Syncing Safely: How to Integrate Your EHR Calendar with Third-Party Calendars.

 

Liath Dalton 

Oh, Evan, I just adore the way that you stated that title, and the inflection, because it contains the affection for how to manage this aspect of practice operations in a you know, productive way, and something that can really be supportive to a clinician or a practice, right?

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

So it’s, oftentimes when you are performing HIPAA Security Risk Analyses and Risk Mitigation Planning Sessions, the concept of maintaining availability of information in the instance that things go awry and the EHR is offline, etc, come up. And what do you talk to folks about? Give us your little overview here.

 

Evan Dumas 

Yeah, well, I talk to folks about how, you know, data is often feared for its confidentiality. People are very worried about just keeping things in one place and keeping it safe. And I bring up the fact of, oh, availability is really important. Like, if things go wrong, you don’t want to be out of luck. So how can you keep things, you know, have some sense of redundancy, and still be prepared for those, like, worst case scenarios?

 

Liath Dalton 

Exactly. So then, in that context, what is our like number one solution for how to manage that piece of things?

 

Evan Dumas 

Yeah, and thankfully, this solution is baked into a lot of services out there, which can be a risk we’ll speak to later, but sync your critical business data to another service, like your calendar and the contact information. Today we’re focusing on calendars.

 

Liath Dalton 

So one of the many benefits of having an integrated calendar is not just this availability of critical operational information that you need access to to maintain practice operations or default to a contingency plan in the event that your normal systems go offline.

 

Liath Dalton 

But in addition to that, it can provide for just ease of facilitating your ability to schedule and manage your busy life and for your team members to manage their busy lives and not have scheduling conflicts. So there are a couple ways that calendar syncs can function, and there are some really critical points about how to manage utilizing calendar sync without running afoul of HIPAA compliance requirements.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So, first and foremost, one option oftentimes, is to, and we’re talking about the generic EHR that offers calendar sync, right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

One option is to do a one way sync. So what that means is that it populates the information from your EHR client schedule to whatever calendar you designate it to sync to. But that’s a one way sync. So it’s just showing whatever is scheduled in the EHR calendar, on that personal calendar or other third party calendar that you’ve designated it to populate to. Typically, with a one way sync you have the option of, or sometimes it’s by default, that the information that’s being synced is really minimized. So oftentimes it’ll just show initials.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But Evan, lightness here.

 

Evan Dumas 

Yeah, initials, sadly, are not de-identified. That means initials are still identifying. Because if you can look at it, know which client it is, pretty sure your client could look at it and say, hey, that’s me, which means it’s still identified. Now I was, I was taught, initials are just fine. But yes, it obscures the data. It makes it a little bit less like, at a glance, who it is, but it still means any place that you have initials you want to have a BAA with.

 

Liath Dalton 

Exactly, because anytime that Protected Health Information is being handled by anyone or any third party service provider, that means that it is within HIPAA scope, right?

 

Evan Dumas 

Yup.

 

Liath Dalton 

So if it’s within HIPAA scope and a third party service provider is handling that info, that means the BAA is required. BAA being a HIPAA compliant Business Associate Agreement.

 

Liath Dalton 

So in the instance of doing a one way sync, you still need a HIPAA Business Associate Agreement with the service provider of the calendar that you are syncing that data to. So what does that mean in practical terms, Evan?

 

Evan Dumas 

Yeah, that means that when you say, hey, sync my calendar, the source where it comes from your EHR, you need a Business Associate Agreement, and where it goes to. You, say, Apple, Microsoft, Google, you need a Business Associate Agreement. I started with Apple because they won’t give one. So don’t sync it to Apple. But if you have one with your Microsoft 365 business account, if you have one with your Google Workspace, with BAA, then that’s gonna be

 

Liath Dalton 

That’s hunky-dory.

 

Evan Dumas 

Yeah, it’s gonna be much better.

 

Liath Dalton 

Exactly. So never, ever, under any circumstances, sync your EHR calendar to your iCal.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

You may sync it to Google Workspace or to a Microsoft 365 or business account when you have a BAA, but basically the formula that we want to apply here is that you can absolutely sync your calendar, and we highly recommend that you do, but you only want to, and can be syncing it to a service that you have a Business Associate Agreement within. And basically, think of this in the context of your practice’s HIPAA Security Circle, right?

 

Evan Dumas 

No.

 

Liath Dalton 

You can sync it with Google or with Microsoft. But the requirement for what makes that HIPAA hunky dory or HIPAA copacetic is that you have a BAA in place with that service provider.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Your security circle is all of the systems that are HIPAA appropriate for handling client info. So we want to make sure that when you’re syncing, it’s contained within your security circle. It’s not breaking open your security circle or making it porous. So don’t sync it with iCal ever.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So if you’re a solo practitioner, this is something you’re self managing. If you are in a group practice, you need to be overseeing this aspect of things very intentionally, and making sure that it’s being complied with in practice. So you can do the one way sync, but really what’s most useful is going to be the two way sync. And a lot of practice management systems, or EHRs, offer that. And Evan, what are some of the benefits of a two way sync?

 

Speaker 1 

Yeah, so syncing one way syncing means it comes from your EHR, it goes to your calendar, and if you made any edits on your local Google Calendar, your EHR wouldn’t know about it. But two way means it goes both ways, like a two way street, so that any changes you make on your EHR are reflected in your, say, Google Calendar. And if you needed a quick update to move an appointment half an hour this way or that on your Google Calendar, your EHR would see that and go, Oh, okay, I’ll mark it on this source as well. So it goes both ways, which is really nice.

 

Liath Dalton 

Exactly. And there are so many practical benefits to having that in place, right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Not just the in contingency plan deployment situations, but also when you’re just wanting to manage your day to day schedule and not worry about scheduling conflicts or like being inadvertently double booked for something occurring.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So, this is a phenomenal feature to deploy, but again, the devil is in the details. And what we mean by that is that your usage and appropriate usage of the system is what makes it HIPAA compliant or not. So if you are doing any sort of calendar sync, it must, must be with a third party service that you have a HIPAA Business Associate Agreement with. So personal Gmail accounts, not a go.

 

Evan Dumas 

No.

 

Liath Dalton 

iCal accounts, not a go.

 

Liath Dalton 

And I just want to emphasize this because I’m seeing like, as the sort of compliance awareness landscape shifts, meaning people’s learning curves, or, you know, reflecting new information and how best to manage things in practice, we’re seeing certain areas that used to be the like largest risk exposure pieces change.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And so now a lot of folks have a lot more awareness about device security and network security and so on. But this aspect is, unfortunately, kind of a gap that we’re identifying. And I want to say, to those of you who are like, Oh, wait, I’ve done this and I didn’t mean to, or I let my clinicians on my team sync their calendars, and wasn’t overseeing whether or not it was to a personal Gmail account or not, or, you know, a personal Microsoft account or whatnot. The, the whole thing there is that most of the, most, of the practice management systems, just make the calendar sync functionality available, but don’t really give guidance on how to use it appropriately.

 

Evan Dumas 

No.

 

Liath Dalton 

They’ll have big disclaimers about HIPAA compliance, and you taking responsibility for making sure this is all HIPAA compliant. I’ll say there’s one, that still has a how to page for syncing to iCal, which, in my view, Evan should, no practice management system that is serving mental health professionals or any healthcare entity should be providing. But they still like have this how to page and then, paired with that is, but you take all responsibility for HIPAA compliance, etc, etc.

 

Liath Dalton 

So there, there are a lot of reasons why folks may be syncing inappropriately and not thinking that it’s an issue, right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Because they just haven’t been given the information and guidance that they need. So, this is why we’re coming in and giving this little PSA of: if you’re syncing a calendar, which we highly recommend you do, just make sure that it is synced with the appropriate system that is part of your HIPAA Security Circle. Meaning, at bare minimum, that you have a HIPAA Business Associate Agreement in place.

 

Liath Dalton 

And so those of you with group practices, this is something that is going to be addressed in your workforce training processes as well, and something that your Security Officer wants to oversee and ensure is taking place correctly.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Any last parting words of wisdom, Evan?

 

Evan Dumas 

Hmm. I think it’s that, you know, we see people do these things like sync to iCal and whatnot, because they’ve thought, oh, it’ll make my life easier, etc.

 

Liath Dalton 

Yeah.

 

Evan Dumas 

It’s kind of hard to make a risk assessment if you’re just not educated, if you don’t know all the details, and we’re here to provide that education so you can make your own risk assessment and make your own choices. And we just want to let you know, like, hey, it’s you could always learn more, and it’s no shame that you didn’t know before. But we’re just, we’re just happy to educate you.

 

Liath Dalton 

Exactly. Well, thanks folks for joining us, and we look forward to chatting with you next week.

 

Evan Dumas 

Yeah, talk to you next week everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share what you need to know about syncing your EHR calendar with HIPAA in mind.

We cover:

  • Managing confidentiality and availability of data
  • Having redundancies for worst case scenarios
  • Types of calendar syncs and their benefits and drawbacks 
  • How to sync your calendars in a HIPAA-appropriate way

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information

PCT Resources:

  • PCT’s free Group Practice Service Selection Workbook & Worksheets — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

 
