Therasoft and HIPAA Compliance

Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.

Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes and the caveat for a couple of important points.

# of Caveats: 1 view caveats→

# of Usage Notes: 5 view notes→

Relevant Product Characteristics

This product is designed specifically with mental/behavioral health professionals in mind.

What Is This Product?

Therasoft is a comprehensive web-based practice management suite, that offers a variety of tools.
Therasoft is a good solution for clinicians who need:

A client scheduling portal.
Insurance submissions.
Case notes and client record management.
Coordination between multiple clinicians and administrators
Client reminders and payments.
Videoconference sessions with clients.
Secure communication with clients

For a full review of Therasoft’s features, see Tame Your Practice’s review. — https://tameyourpractice.com/blog/therasoft-review

Our Impressions

Our overall impression of the company was that they were committed to security and risk management, from the design of their infrastructure to the user experience. They also automatically execute a BAA with you, even as a trial user.

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at [email protected].

Click here for the free trial or free service tier information→. Important note about Business Associate Agreements: This product does not seem to offer a Business Associate Agreement for the free trial or free service tier. Do not use client information when testing the product.

This product has also been reviewed by:

Tame Your Practice: Rob Reinhardt of Tame Your Practice does highly-respected reviews of EHR products. While we review them primarily for risk management appropriateness, Rob reviews them for features and quality. Read Rob’s review of this product→

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Therasoft does not provide ready access to access logs.

Part of HIPAA compliance requires that clinicians perform regular checks of access logs to see if there has been any unauthorized access to their records. One of Roy’s favorite methods is simply checking access logs first thing on Monday morning to see if there were any weekend access attempts.

Therasoft does not offer clinicians the ability to view access logs themselves. While Therasoft said they could provide them if necessary, that adds more steps and barriers to clinicians being HIPAA-compliant.

If you are not a HIPAA-covered entity, then this may not be a concern for you.

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Be mindful with your permissions

Therasoft allows different levels of users and administrators, which is great for group practices and practices with some non-clinical staff. Be mindful of who has permission to view what information, and if there’s no reason to give clinicians access to other clinician’s client records, or to give office staff access to client records at all, be sure to set the permissions accordingly.

2) Avoid sending unsecured appointment reminders or payment notifications without proper collaborative risk analysis

Therasoft offers appointment reminders by email and SMS text message. Therasoft can also send payment-related notifications, including to third parties, with the option of including specific or more general information.

Therasoft gives you the ability to have clients opt-out before sending them email or SMS text reminders. We recommend being very explicit with your clients around contact methods for both appointment reminders and payment, especially if those payment notifications are to a third party.

Remember that when using conventional email or text messaging, you need to determine if simple opt-out is sufficient for your ethical and legal needs. Read our article on unsecured communications here for some guidance to help you decide what you need to do to around appointment reminders to stay legal and ethical in your practice. It is also covered in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner in detail.

If it turns out that unsecured email or text communications are legally-ethically workable for you, Therasoft executes a Business Associate Agreement with you, which makes it legal for them to send those emails or texts on your behalf.

3) Be sure you are following simple security measures like using appropriate passwords and computer/device security

Therasoft has very un-complex password requirements, so when setting a password be sure to exceed their suggested minimum complexity.

Therasoft has a mobile app, which is very useful and convenient, and the app depends on you to keep your phone secure so that the app is secure, too. Therasoft helps a bit by requiring a fingerprint or PIN every time you launch the application. Our Device Security Instruction Center covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.

4) Avoid synchronizing your Therasoft calendar with a third-party provider unless you have a BAA with them as well

In the name of privacy, Therasoft does not have any automatic calendar notifications in the mobile app. And while it is possible to synchronize your Therasoft calendar with, say Gsuite (Google), or another calendar provider, Therasoft explicitly recommends against this and says most of their users don’t use this option.

If you did chose to synch your calendar from Therasoft to another provider like Google, make sure you have a BAA with that other provider.

5) Engage with Therasoft’s support team and training

Therasoft is a powerful, complex tool, and Therasoft’s founder and support team seems committed to touching base personally with every new customer to make sure they have the support and training that they need to make proper and safe use of their software. We strongly recommend that you welcome that engagement and enjoy the opportunity for some expert guidance.