Group Practice Office Hours
On Demand Streaming Consultation Sessions
HIPAA and Teletherapy Support for Mental Health Professionals and Practicing Clinicians in leadership within Group Practices and Agencies. Rather see Office Hours for Solo Practitioners?
Consultations Available This Week:
I was under the incorrect impression that VPN was a magical setup that allowed you to connect to the internet from anywhere…
Answering the Question: I was under the incorrect impression that VPN was a magical setup that allowed you to connect to the internet from anywhere so that someone using a BYOD device in a coffee shop (if writing notes for example) didn’t ever have to access un-secure WiFi. I now realize that’s only the case if you use cellular data and then connect to VPN. Does it seem acceptable from a security risk perspective to let staff connect to unsecured WiFi for the 1-2 minutes it would take to connect to a VPN and ask them to delete the un-secured WiFi from their network list after they’re done using the VPN? (We’re not a HIPAA entity in case that changes the answer and/or flexibility in decisions about risk tolerance.) Thank you!
PCT+ GOH 38 q5
Evan: Here’s a recent clip from group practice office hours. Stay till the end for a special offer. PCT only uses clips which don’t identify the asker, or when we get their permission to share the clip.
Roy: Okay. I was under the incorrect impression that VPN was a magical setup that allowed you to connect to the internet from anywhere, uh, so that someone using a BYO device in a coffee shop, if writing notes, for example, didn’t ever have to access unsecure wifi. Uh, oh, no. And now I realize that’s only the case if you use cellular data and then connect to VPN.
No, that’s not how I think about it. Okay. Does it seem acceptable from a security risk perspective to let staff connect to unsecured wifi for the one or two minutes it would take to connect to a VPN? Nope. And ask them to delete, uh, delete the unsecured wifi from the network list after they’re done using the VPN.
We’re not a HIPAA entity, in case that changes. Okay. Yeah, no, that’s, no, that doesn’t change in this case. Um, are you saying, oh, because you should be able to activate the, the VPN before connecting to the wifi, and now you’re correct. It is magical and it should allow you to use any internet connection, uh, as long as the VPN is on.
Yeah. Even when you connected to it. That’s right. Yeah. Like you’re. Yeah. When you have what you should be running your VPN software before you connect. Um, and uh, oh, so I see what you mean. Okay. So I see what you mean about, about being on the wire, the, the wireless, cause you need to have something to connect because you need to connect to the VPN server.
Right? So like, yeah, I see what you’re saying right now. I would, um, it is magical, but I see what you’re saying, that the person needs to get connected to the VPN server before connecting to, like, the coffee shop wifi. Right. Um, yeah, that’s true. But it is, it is still a magical setup. It’s just that you, uh, um, yeah, you need to connect with your cancer first.
Um, yeah, I know what you mean by the one to two minutes. Um,
Roy: Hm. I mean, yes, probably. I mean, severely reduces the risks. Um, are you looking something up there, Liath? No,
Liath: I was going to say what I would recommend is that folks connect to their cellular data, uh, activate the, um, the VPN and then switch
Right. The thing is it should work. Like when you switch, it’s got to switch over anyways. So like, I mean, you should be able to just run the VPN and then, and then, you know, just the shitty, we’ll just run the VPN first and then connect to the wifi. Cause there is no matter what you do, there’s going to be a period of time when you’re just connecting to the wifi.
Um, and the VPN has to take over. So like, this is why I really want to. Hmm, or they want a situation where the VPN, um, can already be running and shutting down internet connections for other programs while it connects while it sets up its connection to the VPN server.
Roy: Yeah. Okay. So like, um, no
Liath: trying to see some info on some of the different VPNs.
Roy: Gotcha. Okay. I was thinking, yeah, I’m thinking that might be what you’re doing, right? Um, yeah. I mean like, technically, like what I want is to turn the VPN software on and connect to the wifi while it’s on. Um, I can understand, like there might, the, the VPN software might not do anything until it connects to its own server.
Uh, in which case, yeah, I think that’s just what you got to go with that, like, you shouldn’t have to connect to your why to the phone service first, because I know the idea is that it creates a connection to the VPN server or using your phone service. Uh, and then you switch, but when you switch, you still have to go through the process of the VPN, reconnecting to the server through the other connection.
Uh, through the wifi connection. So like, I would imagine, I want to just turn on the VPN software and then connect to the wifi, knowing the VPN software, won’t be able to make its connection until you turn on the wifi.
Liath: Right. So it should be, I mean, really quick though. And if you were running the VPN all the time, Um, that it’s almost instantaneous.
Roy: Yeah. Because what I hope is the VPN, cause in the, in the VPN you want to have what’s called the, uh, the kill switch on, and TunnelBear, it’s called VigilantBear. Um, I would hope, but I actually can’t guarantee you, it does do this. I just kind of assumed. Um, so now that you’re asking, I’m wondering if you’ve seen counter, so at least for your VPN, but I assume as these VPN as well, um, if they’re running and the kill switch is on they’ll, they’ll shut down.
They’ll shut ports down on your computer. So that connect to the wifi. Um, all the other ports are closed. So if there is a malicious actor on the wifi, they still can’t access your computer cause the computer’s refusing all connections, uh, other than the VPN. Um, I would hope that that’s what it’s doing while you’re connecting to the wifi.
And then it’s using the wifi to connect to the VPN server. Um, I figured it makes natural sense to me that that’s what it does for the exact reasons you were asking. Right? So like, um, I might, what I would say is I want to have the VPN software running and then connect to the wifi and let the VPN software find its server after you connect to the wifi.
Cause the VPN software should also, especially if it has a kill switch, uh, be blocking other connections from coming to your computer and until the VPN is able to provide you the connection, right, supposed to be doing. Um, so at this point I’m kind of doing the thing where I’m like, hmm. Yeah. Now, now I’m like, all dubious about that because your question, I’m like, oh, you may have discovered something different.
Um, so like, yeah, that’s why we’re both kind of like, huh? We’re like, this is not, there’s not an understanding of how it works, but we believe you. So we’re like, please, please send some feedback if it’s, if that doesn’t function. But that’s the idea of like, what I want to do is like turn on my VPN, make sure it has that kill switch on; on TunnelBear that’s called VigilantBear.
Cause we often recommend TunnelBear so you may be using it. Um, and then it should try to, at least try to prevent your computer from being accessed while it connects to the wifi. Um, uh, yeah, let us know. That’s not how it works. Wait,
Liath: and also, uh, please do let us know what the VPN service is that you are using too.
And you can be assured that we’ll, we’ll be doing a little, um, research into this issue and including on some of the most commonly used VPNs by our folks.
Roy: Exactly. That’s right. Yeah. Yeah. I’m like, yeah, this, this is important, right? You are right in, it should be that kind of magical setup. Like that should not be an incorrect impression.
Right. Um, although it might be as simple as what you are proposing, which is there’s a startup time. Um, but we still want to, we want to S we don’t even want that. If we can avoid it.
Evan: Yeah, thanks for watching. Use the coupon code P C T plus all one word to get one month free with a year long subscription to group office hours.
Want more PCT+ free Group Practice Office Hours clips?
Subscribe to be notified of new clips answering new questions from real practice leaders each week.
You might also be interested in:
Is it acceptable to connect Facebook Pixel to our website?
Is it acceptable to connect Facebook Pixel to our website? This was recommended as part of a digital assessment to help us increase traffic to our website and social media.
PCT+ GOH 37 Q4
Evan: Here’s a recent clip from group practice office hours. Stay till the end for a special offer. PCT only uses clips which don’t identify the asker, or when we get their permission to share the clip.
Roy: Okay. Is it acceptable to connect Facebook pixel to our website? Wow. What a great question. This was recommended as part of a digital assessment to help us increase traffic to our website and social media.
Um, yeah. So for those that don’t know what a Facebook pixel is, uh, that is Facebook’s name for the kind of tracking bug that you can put into your website that lets Facebook track people’s activity on your website. Uh, you may be going, why on earth would you do that? Well, the reason you would do that is it makes for a very powerful and very affordable, um, advertising on Facebook because maybe you want, you know, everyone who,
who, who, like, visits your website but doesn’t fill in the contact form, you want Facebook to then show them ads for your practice, right? You would need to have the Facebook pixel installed on your website in order for that to work. Right. That’s the idea. Uh, it actually can be really powerful if you’re trying to use Facebook advertising, and Facebook advertising can be very powerful for a practice, whether it’s a group practice or a solo practice, especially because you can.
I mean, there’s just so much you can do that makes so much, that makes a lot of sense for marketing a therapy practice, um, using Facebook ads and using invest using the Facebook pixel. Right? So like this, just to show like for everybody else, why are you interested in this course? Most group practice owners know, but in case you don’t, that’s the reason why.
Right. Um, so I think your question, which is a good one, is, is this a privacy violation either in terms of HIPAA or in terms of ethics or anything like that? Right. Um, Let’s think it through a bit might let’s see what we see here. Right? So the question is, so in the previous question we broke, we got out the formula.
Let’s, let’s put the formula again. That’s like this week’s theme, is just like visiting the formula, office hours yesterday too. Okay. Custom. No, just do nothing. Just do nothing. Why can’t I reset you? Okay, fine. Uh, okay. Um, okay, so basically the question is, is Facebook, or are you through this action disclosing, uh, PHI to Facebook and/or is Facebook misusing PHI on your behalf,
or like as a result of you disclosing it to them? Right. That’s the idea. So what we need to determine is whether the pixel, the Facebook bug, whether or not it, it collects protected health information, right. It definitely collects personal identifying info. Right? There’s no question about that. Right. Um, because there’s, you know, I mean, if it didn’t, it wouldn’t be very useful.
Right. So the health info is a question. If a person is perusing the, your brochure website is that health info. I’m not entirely sure it is to be honest. Um, oh, there just go back. Okay. Like I’m not entirely sure that it is health info, like, but, um, I could imagine things happening on your website that would be health info.
And so you need to be careful about where the pixel is activated, which, you know, it only, just, I’m glad you’re asking this question. Cause it hadn’t really occurred to me before to think about this part. So, um, for example, if somebody. You know, if you have like a, make an appointment form on your site, the Facebook pixel is not going to pick up the data.
They enter into that. Like, cause if you’re, if you’re using a prop, if you’re using a proper way of doing a secure contact page or a secure way of like making an appointment on your website, like that portion of the page is not going to be scanned by the pixel because that portion of the page won’t, um, it won’t actually be part of the website or they just like, if someone filled out the form and click submit, if you’re using a proper secure form, uh, the information will get submitted off to some other site.
Like it shouldn’t go back to the Facebook pixel. Um, so that shouldn’t be viewable to the pixel, but the thing is, it may then take the person to a thank you page on your site that says, thanks. You know, thanks for making an appointment or thanks for contacting us. We’ll get back in touch with you, XYZ. At which point that text, if that text is on your page, then the pixel sees that, the Facebook pixel sees that, sees that someone just made contact or made an appointment, even if they don’t know what they asked for or,
uh, when they made the appointment. So the, um, that would be PHI in my opinion. Yeah, exactly. That’s right. Um, and given that it’s Facebook, it’s the kind of PHI they could, they can put together. Uh, so the, um, I would, I would try to set, segment your Facebook pixel so that it’s not present on any pages where Facebook, where website visitors, um, interact with the site.
That’s what I would do.
Liath: Meaning provide their
Roy: information. Yeah. Oh, by interact. Yeah. I mean, like type something or clicking links. Yeah, and finding stuff. Um, like I think it’s, I think probably reasonable people can even disagree on whether the rest of it has health info. Um, but the, my analysis of the kind of gestalt understanding of the American health care systems idea of what’s considered health info is that they would not consider it health and film.
Like the larger world of HIPAA would not consider looking at your website to be a health info. Right. Cause they, they tend like we, as we, as mental health providers tend to actually be a lot more stringent about what we consider health info, then the rest of the, the healthcare world. Um, but I think that’s one where it’s reasonable.
Um, but I would, you know, sort of in a button out of abundance of caution, I would not allow the Facebook pixel to, uh, gather information on pages where the really visitor might interact with the page some way, other than clicking links.
Liath: Right because Facebook will not do a business associate agreement.
So that means they should cannot under HIPAA, uh, be handling protected health information on, on your behalf, which they would be, uh, otherwise.
Roy: Definitely doing. Yeah. I keep hitting the scroll wheel. Sorry. Ready? All right.
Evan: Thanks for watching. Use the coupon code P C T plus all one word to get one month free with a year long subscription to group office hours.