Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 537: Sharing Apple Notes When Convenience Turns Into a Breach.
Liath Dalton
Yes, welcome everyone, thanks for joining us. We wanted to share a sort of PSA regarding a question and sort of set of circumstances that recently got brought to us, which led us to realizing that this might be something that is occurring for other folks, or could potentially occur. And so, wanted to just kind of as usual, equip you with the information to make informed and secure choices that protect you and your clients.
Liath Dalton
So the context that precipitated this episode and discussion was a clinician had a note in their Apple Notes app related to services that their practice offered, which they then shared but shared individually, just tapping the little up arrow within it, with a handful of clients. They sent it to each client individually, like they didn’t add all of the names at once, and so thought it was just being sent individually, and that the note itself that was being shared wasn’t any clinical information or high sensitivity PHI, just about service offerings.
Liath Dalton
And then one of the clients informed them that they could see the other recipients of the message, and not just the first name, last initial, which is how the clinician had the recipients contact info stored in their phone, but their full name and contact info, which of course, then caused immense distress and concern of, How did this happen? I shared it individually, I don’t have the full names listed, how was that visible? And so we had to kind of unpack how all of that works under the hood, in terms of Apple Notes and Apple Note sharing and collaboration.
Liath Dalton
Unfortunately for the clinician, in the circumstance, they had to do breach notification with clients, and will have to do a small breach report as well to the OCR. It’s, in the scheme of things, especially given the nature of info shared, like a very low impact sort of breach (and again, where breach just means violation of HIPAA standards or unauthorized disclosure of client info) where the client info here was, you know, name and contact info. But we wanted to share this so that the circumstance could be avoided for any other practitioners that are listening.
Liath Dalton
So Evan, should we unpack how Apple Note sharing actually works?
Evan Dumas
Yeah.
Liath Dalton
Because it works in multiple ways. And technically speaking, there is a way that it can be done that is HIPAA compliance compatible.
Evan Dumas
Yeah.
Liath Dalton
But it depends on a lot of things, like what other services you use, what you choose to connect it to, and how you use it to share things. So let’s, let’s unpack that.
Evan Dumas
Yeah, I can speak to that, and I have a similar analogy.
Evan Dumas
So for those of you that use Google, you know that you can add collaborators to a document. You can share a document with folks with the internal like, add, share thing. Now, what you also might know is that if anyone clicks that little share button, you see who the other collaborators are. You see who has viewing permissions, editing, commenting, things like that. So like, you’re all working together on a document. And unfortunately, that’s how iCloud note sharing, like notes, Apple Notes sharing works. You’re not just giving a document to one person, you’re adding a collaborator.
Evan Dumas
And in this case, if they all have, you know, iCloud accounts, if they have an iPhone, pretty much, all their names show up. All their identities show up. Because they’re like, Oh, you’re all working together, great, you want to know each other.
Evan Dumas
So sharing. You know, every app wants to send its own type of email, or message, or DMs, or things like that, and it all works differently, and not all HIPAA hunky dorily. So that’s, that’s the way it’s currently working. Liath, you want me to tell you about the way to do it safely?
Liath Dalton
Yes. I also just have to say you made my day by saying, HIPAA hunky dorily. So thank you for that.
Evan Dumas
Mhm.
Liath Dalton
And yes. Let’s talk about the way that you can do it correctly, and how it all depends on the sending method.
Evan Dumas
Yeah.
Liath Dalton
And then we’ll talk about what you know what we recommend, just to ensure that things don’t accidentally go awry.
Evan Dumas
Oh, yeah, totally. So Notes, not a bad service for just taking notes and not having any PHI in it. Like you want a grocery list, you got some brainstorming? Sure, great. Keep it in there. It’s fine. Don’t put any PHI in there. But if you have ideas on, you know, services you want to provide, or other sort of, you know, business adjacent things that aren’t PHI, okay, yeah, Notes is great. But if you want to send something, just use Notes as the writing platform.
Evan Dumas
And, like we say, only use services that you have a BAA with. Like, use your regular services. Otherwise your clients are going to get confused, because, oh, they get an email from you, they get a private message on the EHR, oh, they get a note share, like, this is all very confusing to folks.
Evan Dumas
So just use your HIPAA compliant email system. Take the text of the note, copy it and paste it into say, Hushmail or BAA covered Google Workspace, or Paubox or whatever you got, your EHR secure messaging system. And so just don’t use services you don’t have a BAA with.
Liath Dalton
Exactly.
Liath Dalton
And one thing I will say as well, is that I think, particularly in a group practice context, this is a good thing to do a little security reminder about with regards to both iPhone and Android users, right?
Liath Dalton
Because the particular scenario that we’ve just shared is related to Apple Notes. But like Evan said, there is a perfectly analogous scenario for Google. With Google it’s Keep, right, Evan?
Evan Dumas
Yeah, totally.
Liath Dalton
And Keep is HIPAA friendly and covered by the BAA,
Evan Dumas
It is, it is.
Liath Dalton
if folks are using their Google Workspace Keep, but you still don’t want to be adding collaborators in that context, right? Because even though it’s okay for PHI, it would be an unauthorized disclosure from multiple clients to be listed as collaborators. So things have to be shared individually. Can you talk about the individual sharing process within Keep, Evan?
Evan Dumas
A little bit. I mean, I use it with my partner when we want to share grocery lists, and you can like, click, and I always forget where the button is, and you say, like, add collaborator, and you add their name, and then it doesn’t always show up on their side easily, they’re not notified, because it kind of gets mixed in with all their lists too.
Evan Dumas
You kind of want to, if you’re using this sharing system, you also want to inform them in any other way possible, saying, Hey, I shared a list with you, go and pin it. Because pinning in Google Keep pops it to the top of your list. And I know on my phone I have way too many, like, redundant grocery lists. I’m like, oh, wait, which one is the one we’re using? So these systems are clunky, if you’re not telling everyone how to use them, which is just all the more reason to, if you’re going to implement a BAA system or like a secure system, teach people how to use it. Teach them, like, the best workflow for it, because finding it out on your own can be kind of a headache.
Liath Dalton
Exactly. And this also goes very much back to the you know, guidance of compliance being a process, not just a product. That using a HIPAA compliance compatible service doesn’t mean that your use of it will always be compliant.
Evan Dumas
No.
Liath Dalton
Like having PHI in Keep: HIPAA compliance compatible. Adding multiple clients as a collaborator to something: that suddenly becomes an unauthorized disclosure, because you’re disclosing the identity of each client that the document in Keep has been shared with, right?
Liath Dalton
So it comes down to usage, once we have the basic framework of a compliance compatible system. So for solo practitioners, our guidance would be make sure you’re just aware of what systems you’re using and the compliance compatibility of them, and then that you’re using them in appropriate ways that don’t unintentionally or accidentally lead to that sort of unauthorized disclosure.
Evan Dumas
Yeah.
Liath Dalton
And then for groups, I would say this is a really great opportunity to just add a security reminder about what systems are appropriate for what when it comes to sharing that kind of information, and you want to leverage your primary systems that are, you know, outlined in your communication policy with clients.
Liath Dalton
And it’s, it doesn’t have to be a big, scary thing by any means. It’s just a sort of, do a quick review; make sure things are in order; if anything needs to be changed so that they are, make those changes; and then you get to move forward with peace of mind.
Evan Dumas
Yeah, exactly.
Liath Dalton
Thanks for joining us, and we hope you found this helpful. Stay tuned for next week’s episode.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we’re sharing a PSA about how Apple Note sharing works, so therapy practices can avoid a breach.
We discuss:
- The context that precipitated this episode
- What constitutes a breach
- How sharing works for Apple Notes and Google Keep
- Only using services you have a BAA with
- Compliance as a process, not a product
- Steps solo and group practitioners can take to address this
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- TBD
Resources & References:
- TBD