Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 607: HIPAA After Retirement–How to Close Your Practice the Right Way.
Liath Dalton
This is a really important discussion, because while you may retire from clinical work, you don’t retire from your HIPAA responsibilities. And there are a lot of assumptions that clinicians understandably make, including “I’ve closed my practice so I can shut everything down once I stop seeing clients,” “I’m no longer a HIPAA covered entity” and that “HIPAA is what defines how long I have to keep records, keep client records.”
Evan Dumas
I see that too. Yeah.
Liath Dalton
All three of those are incorrect. So today we are going to be talking about what actually continues after retirement, or closing your practice, because sometimes you’re going to stay practicing as a clinician, but close your practice as an entity. So while what we’re talking about primarily applies to retirement, it also applies to just closing of a practice entity.
Liath Dalton
So then following that, what HIPAA actually requires and what it doesn’t, practical, affordable ways to stay compliant with those requirements, and then also include an outsourcing option that is kind of newer on the scene, but a really good option if you don’t want to manage all of this yourself. Which, totally understandable if you don’t.
Liath Dalton
All right, Dumas, what is the big clarification that we want to make at the outset, since it’s pivotal?
Evan Dumas
Yeah, HIPAA doesn’t determine your record retention length. That is determined by other factors, like state law, so like the length of adult records, how you handle record retention for minors, special rules if you handle Medicare, workers comp records, things like that. HIPAA instead governs how, how records are protected. They, they ask about the confidentiality, integrity and availability of records. Availability is a key piece we’re going to be talking about today. But HIPAA is the how, and the states are the how long.
Liath Dalton
Exactly. So that’s a really important piece of information to know, is under the state law that you are subject to, which can be multiple states, in which case, then you’re going to be looking at the state with the longest retention requirements and following that, as well as any payer contracts. So it’s a standard for Medicare records that you must retain those records for 10 years from the last point of contact, right?
Evan Dumas
Yeah, yeah.
Liath Dalton
But you need to know what your record retention requirements are, and then be following whatever is the longest one.
Evan Dumas
Mhm.
Liath Dalton
And then know that whatever it is that you are maintaining is subject to HIPAA. Which, as Evan said, means you have to safeguard confidentiality, integrity, and availability, and that those obligations don’t stop when you stop clinical practice.
Evan Dumas
No.
Liath Dalton
So following that is that you have to still be contactable.
Evan Dumas
Mhm, yeah.
Liath Dalton
This is a key area that can get missed.
Evan Dumas
Yeah, sadly.
Liath Dalton
I’ll say, I unfortunately have encountered this with a medical provider that became quite, quite a challenge to navigate as a patient. And so, from first hand experience, you don’t want your clients to be unable to contact you in order to request their records. HIPAA really has one of its central rights that are afforded to clients and patients, that they have rights of access to their healthcare information.
Evan Dumas
Mhm.
Liath Dalton
And that is in part because having access to their healthcare information is part of what provides them ability to get adequate care going forward as well. So it becomes about access to care and quality of care, in addition to just sort of being a fundamental human rights piece, essentially. So in order for clients to be able to exercise that really important and central right, they have to be able to contact you to request their records. You need to be able to securely receive their release forms and be able to securely release the records themselves.
Liath Dalton
And so this is a related question that comes up really frequently in regards to this, which is okay, so how long do I need to keep my practice phone number connected and active? What about my practice email and what about my practice website?
Evan Dumas
Yeah.
Liath Dalton
And interestingly, there are a lot of variations that we have seen in terms of guidance from professional associations about this, some ranging, specifically with regards to phone numbers, from 90 days to one year or longer than a year.
Liath Dalton
Here’s the real takeaway, though, and this is specifically and explicitly from Eric Strom, who is a HIPAA and mental health law attorney as well as a practicing clinician, and that is that those points of contact, which need to be managed through HIPAA compliance compatible services, meaning that you have a BAA with them, need to be maintained as long as you are maintaining records.
Evan Dumas
Yeah, yeah.
Liath Dalton
Right? So that means a year is not going to cut it.
Evan Dumas
Oh, no.
Liath Dalton
90 days, most certainly is not going to cut it. But it really is logical, because the rationale behind this is that former clients might need to request their records years later. Their rights of access remain so long as you are maintaining their records, and you have to maintain them for, at minimum, the required amount of time under state law and any payer contracts, right?
Liath Dalton
So in addition to that, insurance reimbursement issues can arise, legal proceedings can happen, there may be disability claims, right? So these are all really important pieces. And along with, just aside from those specific examples of why you might be getting records requests years down the road, is just a client simply exercising their HIPAA right of access, right?
Evan Dumas
Mhm, yeah. They just want their ROI, yeah.
Liath Dalton
If you keep records for seven years, you need to keep your practice phone number and website up for those seven years.
Evan Dumas
Yeah, you got to be contactable.
Liath Dalton
Yeah, exactly. So then what does that really entail in, in practice? What are the sort of different key functionalities that you need, and what are the easiest and most economical ways to meet those needs?
Liath Dalton
So you’re still going to need secure record storage. For most people, you likely are maintaining electronic records, but in order to have secure record storage where you’re also meeting the backup standard, which pertains to availability, the easiest way to do that is going to be through HIPAA friendly cloud storage. That doesn’t mean that you have to keep your EHR active and keep paying for that.
Liath Dalton
What most practices are going to do is export all of their client records from their EHR, if you’ve been using an EHR, and upload those into Google Drive under a Google Workspace account that is covered by a HIPAA Business Associate Agreement. So that ticks the box of secure record storage, where you’ve got encryption in place, the availability standard is being met because Google, as your business associate, is handling the secure backups. All of that is really great and really economical.
Liath Dalton
The next piece that you need is a HIPAA friendly communication channel, where you have either HIPAA compliance compatible email, a method to receive secure forms, and to be able to securely transmit the records themselves. This also can be facilitated by a Google Workspace account. Because the HIPAA included functionality includes Google Forms, so you can have a Google Form with the ROI on your, very simple now just a “practice closed, but here’s how you get your records info” page on your practice website. Right?
Evan Dumas
Mhm.
Liath Dalton
And have that embedded right there, that’s a secure form, that’s a great means of being able to get those requests.
Liath Dalton
In addition to that, we would be remiss if we didn’t address that you need to have device security standards maintained.
Evan Dumas
Yeah.
Liath Dalton
Right? In place on whatever device you are using to access your Google Workspace, in order to be monitoring for ROIs and performing records releases. That needs to be done from a secure device that has the necessary technical security measures in place. And then a couple other pieces that are important in terms of just your ongoing administrative capacity, which is the ability to respond to requests within the HIPAA timeframes for performing records releases or responding to the rights of access based requests from former clients. And you’ll need to have an identity verification procedure in place too, that you’re maintaining as part of responding to release requests.
Liath Dalton
So again, we already said what is really, typically the most economical and practical DIY approach, which is Google Workspace with a BAA.
Evan Dumas
Mhm, yeah.
Liath Dalton
And then pairing that with a HIPAA compatible VoIP service.
Evan Dumas
Mhm.
Liath Dalton
So if you – yeah, because we do have clarity that for phone communications that we do need to have a BAA in place with the service provider. By far and away, the most economical way of having that is to use a VoIP, or voice over internet protocol, service to manage that. You don’t need to be carrying two phones, or having another line, or business line with a classic mobile carrier, or anything like that, or maintaining a landline. VoIP is going to be your, your best bet there.
Liath Dalton
So essentially, the two primary services that you would continue to pay for would be your VoIP service, Google Workspace, with the BAA. The most basic tier is sufficient for these needs, and that is the basic, Google Workspace basic. Which I think the current price is $7 per month, right Evan?
Evan Dumas
About that, yeah, yeah.
Liath Dalton
Used to be six, think it’s seven now, but still in the scheme of things, not, not too much, especially for all the functionality it provides. And then maintaining your domain for your practice website, which is super economical, right? And you just need very basic info there. So the website itself should have the release form embedded right on it. Your practice phone number should have a voicemail, like you’re not expected to answer calls that come through on it, but you need a clear voicemail that directs former clients on the process for requesting their records.
Liath Dalton
And that’s really what you want, need in terms of maintaining the systems that are going to facilitate your meeting your HIPAA obligations with regards to record retention and records releases and communications related to those.
Liath Dalton
There is an alternative to this DIY approach that we’ve just discussed, which is outsourcing to a professional executor service.
Evan Dumas
Mhm.
Liath Dalton
For a long time, when people were coming to us with questions about this, the answer was, if you’re going to be outsourcing this, you’re outsourcing to a company that’s oriented to medical providers. And then that has a couple major caveats. One being that generally, they’re astronomically expensive by comparison,
Evan Dumas
Oh yeah.
Liath Dalton
Right? And that they don’t understand, typically, the nuances around handling higher sensitivity PHI, which is what is being handled when we’re talking about mental health and behavioral health records, right? Fortunately, there is a newer on the scene service called TheraClosure, which is founded by and run by therapists who were like, wait a minute, here is a real pain point for a lot of our colleagues, how can this be met? And so they created a service that does exactly that. So they have both a retirement retainer plan where you as a clinician, remain the Custodian of Records, but they’ll step in in the event of incapacity or death, or there’s a retirement executor plan where they assume custody of the records and manage security, access and transfer responsibilities, all that stuff. So there are kind of two different tiers. Both are $450 a year with a $200 setup fee. That’s their current pricing on their website. But so basically that is going to cost more than a VoIP service, Google Workspace basic tier, and just keeping your website domain active.
Liath Dalton
And so we just want to let you know that that is an option. Because in some instances, even though it’s a bit more expensive than the DIY approach, knowing that you don’t have to navigate any of that may well be worth it.
Evan Dumas
Oh, yeah, could be real nice.
Liath Dalton
Yeah.
Liath Dalton
So we’ll include a link to them. We have no relationship, I should mention, with them. They actually got on our radar when a PCT client who was looking ahead to retirement asked us to evaluate their HIPAA appropriateness and their Business Associate Agreement and so on, and then to see if there were any other comparable services that they could do a compare and contrast with.
Evan Dumas
Sure, true.
Liath Dalton
We’re like, we are so glad that a service like this exists as an option.
Evan Dumas
Yeah.
Liath Dalton
But it also is not the many thousands of dollars that the medical oriented services are.
Evan Dumas
Yeah. Yeah.
Liath Dalton
So we’ll include a link there, and then just a sort of little checklist as well about things to consider and have in place. But again, just want to kind of go over some of the common mistakes that can be made, which are shutting down your email immediately or shortly thereafter, like as soon as your paid for term expires, not maintaining your domain, not maintaining your practice phone number. This is a big one, and I’m going to let you expound on it, Evan, which is storing records on a personal hard drive without encryption.
Evan Dumas
Yeah, yeah. That’s a classic mistake where people like, you know, I bought this drive. I have it on my shelf. I put my client records in there, and I just hope it’s fine. Those drives will probably fail in the next few years, and they’ll probably, you’ll probably only notice that failure when you go to plug it in someday.
Liath Dalton
Mhm.
Evan Dumas
They’re prone to being lost, they’re not kept off site, and it’s also not encrypted. So you know, if it gets lost or stolen, you’ve just had a probably very massive breach, and then you’ve got to go tell everybody, which is going to be hard to do, because all that information is on that drive. So you’re really, you’re really up a creek, so,
Evan Dumas
Without a paddle.
Evan Dumas
Without a paddle, and that creek ain’t made of water, so don’t, don’t do that. Don’t put anything on personal hard drives that have PHI. Don’t put anything on personal hard drives that you’re not totally comfortable losing, unless you have multiple copies of the personal hard drive. But just don’t. Don’t trust them.
Liath Dalton
Yeah, and the hard drive also isn’t giving you a mechanism for releasing the information to clients built in or being able to access from anywhere you may be. Like, if you’re traveling, for example, you don’t want to be taking the hard drive with you so that you can access it to perform a timely records release. But if everything’s on a HIPAA friendly, secure cloud storage service that you can access from anywhere, problem solved, right?
Evan Dumas
Exactly, yeah.
Liath Dalton
Again, just reiterating the mistake of assuming that no active clients means no HIPAA responsibilities. And if you’ve ever worked with minors, forgetting about the longer record retention timelines that are going to be in place for records of minors. Similarly, don’t, if you have insurance, if you’ve been paneled with insurance or worked with Medicaid, you need to be looking specifically at the record retention timelines in those contracts, not just the state default record retention requirement for working with adults, right?
Evan Dumas
Yeah, yeah, yeah, different ones.
Liath Dalton
And as always, we are going to bring all of this back to client care and client care continuity, right? These requirements aren’t just about legal compliance. This is about honoring client access rights, protecting their dignity, supporting their ongoing needs related to any insurance claims or disability claims. And we should really think about your retirement planning and practice closure planning as part of client care planning.
Liath Dalton
So if you are looking at retirement being on the horizon, there are a few practical action steps to take. Of course, start by reviewing your state’s record retention requirements, identify your youngest minor client, if you work with minors, or have worked with minors, and calculate that time frame, decide if you’re going to do the DIY retention or outsource. Then if you’re going the DIY route, make sure that you have the necessary functions in place through HIPAA compliance compatible services, that you’ve got your signed BAAs and then that both your voicemail and your website have the necessary information and sort of procedures outlined on them for clients to be able to request records.
Evan Dumas
Yeah.
Liath Dalton
And last but not least, have a little initial policy update to reflect what your post retirement or practice closure operations are going to be, related to those identity verification checks, making sure that you’re performing any requested releases within the required time frames and so on. Doesn’t have to be onerous, but does need to be intentionally addressed.
Liath Dalton
Yeah, so essentially, well, while you can retire from providing therapy, you can’t retire from safeguarding the care that you already provided. And so these steps and having the systems that facilitate them in place are just part of those ongoing responsibilities and the means through which you safeguard the care you already provided.
Evan Dumas
Yeah, yeah, exactly.
Liath Dalton
But we’re super glad that the guidance and what it actually entails to manage all of this in practice is a lot easier and more economical than it was even five years ago, really?
Evan Dumas
Yeah.
Liath Dalton
Yes, which is wonderful. We love that there are good options and that it doesn’t have to be too overwhelming. So we hope you found this helpful, and do check out the show notes for those additional resources, and we will chat with you good folks next week.
Liath Dalton
Right?
Evan Dumas
We’ve got some nice, easy systems to use.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we discuss the HIPAA responsibilities for therapy practice owners when closing their practice or retiring.
We cover:
- Common assumptions about responsibilities after retirement
- What determines your record retention length
- How long you must remain contactable after closing your practice and why
- The key functionalities you need to maintain, and the most economical ways to DIY them
- Outsourcing to an executor service as an alternative to the DIY approach
- Common mistakes that are made when shutting down a practice and how to avoid them
- Practice closure planning as part of client care planning
- Action steps to take if retirement is on the horizon
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Retirement Record Retention Checklist: a clear, practical guide to HIPAA compliance after retirement or practice closure. Learn what record retention laws require, how to honor clients’ Right of Access, and which secure systems you need to maintain for the full retention period, so you can close your practice with confidence and integrity.
- PCT CE Course: Preparing For The Worst – A Professional Will Is Not Enough: Ensuring Continuity of Care In Event of Retirement, Death, or Disability
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours, including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  - assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
Resources:
- TheraClosure (Professional Executor Services) — A therapist-founded service offering retirement and executor support for clinicians, including options for ongoing record retention and practice closure management. We mention them as one available option for outsourcing post-retirement HIPAA responsibilities. PCT has no affiliate relationship with TheraClosure and does not specifically endorse their services; clinicians should perform their own due diligence when evaluating vendors.