How to Have a 100% HIPAA Compliant Online Presence


Many of you have asked me about protecting the privacy of patients in your practice online. Since this concern with privacy often feeds into the anxiety psychotherapists have about using social media, I wanted to offer you a way to build your online presence with an eye to best practices and a sense of confidence. So here is my instruction manual for having a practice that is 100% HIPAA compliant and respectful of patient confidentiality and therapist privacy. Do these things and you will never be in trouble.

1. Don’t talk about your patients online, ever.

People who work with me know that I am nonnegotiable on this one. Yes, in the 15 years I’ve been a therapist I’ve had plenty of poignant and instructive cases I could present and patients I could discuss. No, I am not going to tell you about them. Not on the internet anyway. The internet is not like a team meeting or case presentation, where you have a closed group of professionals discussing patients and asking for consultation. Anyone can read the posts, and patients can easily identify themselves (or imagine that they do) in your blog post. And if Facebook resets your privacy settings one day and I’m your 2:30 patient, and if I Google your Facebook at 3:25, as patients do, and find you’ve just updated your status to say, “Just finished with the tough patient for the day, it’s all downhill from here,” then I will know, be offended, and, if I’m savvy and litigious, get ready to make some money to pay for the new therapist I’m about to hire.

And a special shout-out to those of you who use forums such as LinkedIn and Psychology Today: even if you think your forum is open “only to professionals,” does it not occur to you that your patients are, or one day could be, in your profession? I look at some of the many forums I am on and I am horrified by the headings, which often resemble these:

“Wow, this patient is so self-centered!”

“What’s the funniest thing your patient said in session today?”

“Potential client wants to see me instead of my colleague they see now.” (Let’s hope the colleague doesn’t read the forums.)

and “I don’t want this borderline back! Help!” (Complete with a page long “brief” case presentation!)

Several of these have so much identifying information it’s not funny. And as for LinkedIn, most discussion groups are now open and searchable on the web, so when you write in asking for advice about an adolescent smoking pot, don’t be surprised if she ends up seeing it.

In closing on this one: I know we all need to vent and ask for help with patients from time to time. That’s what supervision is for; go buy some.

2. Life is temporary, the internet is forever.

Before you post anything, ask yourself how you would feel if it were printed on the front page of The New York Times or some similar print edition. Everything you post on the internet is housed on a server somewhere, usually backed up, and then often crawled by Google and made searchable. Once you put something on the web it stays there, even if you think you deleted it. So ask yourself, “Is it a good idea to have what I’m about to write floating around wherever it will, forever?”

3. Don’t create an online identity that you aren’t prepared to have connected to you.

The nature of privacy is changing due to technology, and that means we can’t be assured that any identities we assume online will remain private now or in the future. Servers get hacked, laptops get stolen, and people, patients included, are very resourceful in satisfying their curiosity about us. So if you have specific groups or personas that you want to let loose on the world via WoW, alt.com or anywhere else, be prepared. If I can’t imagine myself being able to hold a conversation with a patient about their discovering a potential “secret identity,” I don’t create it. I know this may sound harsh, but this is one of the privileges we give up for the privilege of doing the work we do.

4. Don’t subscribe (or unsubscribe) to things you don’t want patients or colleagues to know about.

Subscribing to things is a choice, and you need to be prepared to have those choices made public. This ranges from sites which tell you how much a person donated to the Democratic Party to a blog or listserv. And in terms of collegial relationships, do not risk appearing deceitful by opting out of a Constant Contact list and then telling the colleague how much you enjoy their newsletters. Yes, this has been done to me, and I try very hard to resist telling the person that I can see the exact date and time they unsubscribed in my Constant Contact account. Subscriptions and unsubscriptions are expressions of your agency online; express your agency with integrity.

5. Understand how email works.

Recently I agreed to provide coverage for a colleague, and when they offered to email a list of who I’d be covering, I asked them to mail it instead. This surprised them, because they know what a technophile I am. When I explained that it is because email is not secure, they replied that the mail isn’t secure either, and that envelopes often arrive opened. In my opinion that is an unfair comparison between email and postal mail.

A more accurate comparison would be if you write a letter, make a copy for yourself and send me a copy; then someone opens the letter at your post office, makes and keeps a photocopy of it and mails it to my post office, where a second worker opens it and makes and keeps a third copy of it before giving a fourth copy to me. That is how mail servers work; that is how hosted email works. If you don’t want four or more entities having copies of your emails, don’t send them. If you want to send encrypted emails, which are definitely more in keeping with HIPAA and HITECH, I recommend Hushmail.
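To make the “four copies” point concrete, here is an added example that is not part of the original post: each mail server that handles a message prepends a `Received:` header to it, so the headers of any delivered email are a record of the servers that held at least a transient copy. The script below parses those headers from a constructed sample message (the hostnames, addresses and IDs are invented for the example) and lists the relay hops in delivery order.

```python
import re
from email import message_from_string

# Constructed sample: a coverage list sent from a colleague's hosted mailbox to
# a therapist's mailbox. Every hostname and ID below is invented for the example.
SAMPLE_MESSAGE = """\
Received: from mx.therapist-mail.example (mx.therapist-mail.example [198.51.100.7])
\tby imap.therapist-mail.example with ESMTP id 4Zk1; Tue, 05 Apr 2011 10:15:02 -0400
Received: from relay.colleague-host.example (relay.colleague-host.example [203.0.113.9])
\tby mx.therapist-mail.example with ESMTPS id 7Qp2; Tue, 05 Apr 2011 10:15:01 -0400
Received: from webmail.colleague-host.example (webmail.colleague-host.example [203.0.113.4])
\tby relay.colleague-host.example with ESMTP id 3Aa9; Tue, 05 Apr 2011 10:14:59 -0400
From: colleague@colleague-host.example
To: therapist@therapist-mail.example
Subject: Coverage list for next week
Date: Tue, 05 Apr 2011 10:14:58 -0400

Here is the list of clients you will be covering.
"""

# A Received header reads "from <sender host> ... by <receiving host> ...".
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")


def parse_hops(raw_message):
    """Return the (from_host, by_host) relay hops of a message in delivery order.

    Servers prepend their Received header, so the topmost header is the most
    recent hop; the list is reversed to read chronologically.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append((match.group(1), match.group(2)))
    hops.reverse()
    return hops


def servers_that_held_a_copy(raw_message):
    """Every distinct host that handled the message, in the order it passed through."""
    seen = []
    for src, dst in parse_hops(raw_message):
        for host in (src, dst):
            if host not in seen:
                seen.append(host)
    return seen


if __name__ == "__main__":
    for src, dst in parse_hops(SAMPLE_MESSAGE):
        print("%s -> %s" % (src, dst))
    print("hosts that handled the message:", servers_that_held_a_copy(SAMPLE_MESSAGE))
```

Four servers appear in this one short delivery chain, before counting the sender’s “Sent” folder and the recipient’s mailbox; the point of the exercise is that nothing in transit is under either party’s control, which is why the post recommends end-to-end encryption for anything sensitive.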

6. Keep current with the technology if you plan on using it.

You know I encourage you to try and use technology as much as possible, so the above may sound like an impossible and counterintuitive task, but there you are. If you are planning on taking pictures of your children with your iPhone and posting them on Facebook, make sure you know about geo-tags before you go about using Facebook or Craigslist. If you are considering using Dropbox or Google Docs for patient notes, investigate whether these are verified as HIPAA compliant. (I’ll save you time on this one: They are not. Don’t use them for patient notes.)
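As an added illustration of the geo-tag point (example code written for this page, not from the original post): a phone camera stores its GPS fix in the photo’s Exif block, an APP1 segment near the start of the JPEG file, and the presence of a GPS sub-IFD pointer (Exif tag 0x8825) in that block is what tells you a location is embedded. The code below builds a minimal, constructed JPEG-shaped byte string (not a decodable picture, only the container layout), checks it for that tag, and strips the whole Exif segment before the file would be shared, leaving the pixel data after the Start-Of-Scan marker untouched.

```python
import struct

# JPEG marker codes (the byte that follows 0xFF).
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_PREFIX = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825  # present in IFD0 when the file carries a GPS sub-IFD


def _segments(jpeg):
    """Yield (marker, payload) for every marker segment before Start Of Scan.
    The entropy-coded pixel data after SOS is not segmented and is not yielded."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def has_gps_tag(jpeg):
    """True if an Exif APP1 segment's first IFD carries a GPS sub-IFD pointer."""
    for marker, payload in _segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_PREFIX):
            continue
        tiff = payload[len(EXIF_PREFIX):]
        endian = "<" if tiff[:2] == b"II" else ">"  # "II" little-endian, "MM" big-endian
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]  # offset of IFD0, relative to TIFF start
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value/offset
            entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            if struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_POINTER_TAG:
                return True
    return False


def strip_exif(jpeg):
    """Return a copy of the file with every Exif APP1 segment removed.
    Dropping the whole Exif block takes the GPS sub-IFD (and all other camera
    metadata) with it; everything from SOS onward is copied through unchanged."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker == SOS:
            out += jpeg[pos:]
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == APP1 and segment[4:4 + len(EXIF_PREFIX)] == EXIF_PREFIX):
            out += segment
        pos += 2 + length
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed for this example: SOI, one Exif APP1 segment (little-endian
    TIFF with a single IFD), SOS plus a few bytes of fake scan data, EOI."""
    tiff_header = b"II" + struct.pack("<HI", 42, 8)      # byte order, magic 42, IFD0 at offset 8
    entries = [struct.pack("<HHII", 0x0112, 3, 1, 1)]    # Orientation = 1 (type SHORT)
    gps_ifd = b""
    if with_gps:
        ifd0_size = 2 + 12 * 2 + 4                        # entry count + 2 entries + next-IFD link
        gps_offset = 8 + ifd0_size                        # GPS sub-IFD placed right after IFD0
        entries.append(struct.pack("<HHII", GPS_IFD_POINTER_TAG, 4, 1, gps_offset))
        # GPS sub-IFD: one GPSVersionID entry (4 BYTEs stored inline) and no next IFD
        gps_ifd = (struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4)
                   + b"\x02\x03\x00\x00" + struct.pack("<I", 0))
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    payload = EXIF_PREFIX + tiff_header + ifd0 + gps_ifd
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return bytes([0xFF, SOI]) + app1 + sos + b"\x12\x34\x56" + bytes([0xFF, EOI])


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("geotag present before stripping:", has_gps_tag(photo))
    print("geotag present after stripping: ", has_gps_tag(strip_exif(photo)))
```

Removing the Exif segment outright is the simplest safe choice for a photo that is about to be posted; rewriting the block to keep harmless tags while deleting only the GPS sub-IFD is possible but has to fix up every offset in the TIFF structure, which is where home-grown scrubbers tend to go wrong.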

If you want to play around with some new technology, research it a little (Google “[whatever you’re playing around with] and privacy”). If you want to keep current with technology and best therapy practices, I recommend you check out the Online Therapy Institute’s “Ethical Framework for the Use of Technology in Mental Health.” They are on the cutting edge of this stuff, and they have great courses as well as free resources.

So these are my suggestions for having an online presence that is HIPAA compliant and protective of your patients’ and your privacy. I know they are a tall order, but the privacy of you and your patients is worth the effort. Please feel free to add: Did I miss anything?

Comments

  1. Gowalla and Foursquare.

  2. BTW, this is a well written post and I appreciate the concise summary. Good job and good reminders for us all.
    Cynthia

  3. Number one haunts me. Horrifies me.

    I think low-tech for the “work” of therapy is probably always going to be the absolute most sane, easy way to go. Personal files locked in a file cabinet locked in an office. Usually then locked in a building.

    • Hi Elizabeth, you are right in framing any communication about patients as part of the work. I think social media has its place with patients and in health care and it is still evolving. I think it also requires us to have a more mutual sort of discussion with patients and find out what they want, then see if we can reconcile it with our best practices.

  4. Thank you Mike for this post. Very timely and useful.

  5. I am wondering about the ability to email an invoice for those who want to submit it to flex plan option…if the client signs a release of information for the specific type of email and the content? Touchy stuff… CPT code cost and maybe diagnosis?

    • I’d suggest asking your patients if they are comfortable with this, just to make sure. That is in addition to having it in your release that they sign at the beginning of their treatment with you. And the best way to handle this on your own would be to snail mail or hand it to them in session.

      But Kathleen, I would actually suggest you use a billing service that mails out the claims on paper, and is bonded and HIPAA-compliant. The one I used is http://www.cms-billing.com/ and they more than make up for their fee with the errors and payments they catch.

  6. thank you!

  7. Thank you, Mike for covering this important topic of HIPAA compliance…although now you have made me a bit concerned about my blog. Need I be worried about the very discreet way that I write?

    To recap, my full name is not disclosed, the location and place where I am working is not disclosed and when I do refer to a patient, no name is provided and only very little identifying information is presented which has also been changed so that there is no way that it could be tied to the person.

    Furthermore, very little in the history is offered as well for the same reason. In short, I only share the bare minimum to convey a particular point/learning in a totally discreet manner.

    • Hi Dorlee, I can understand your concern, although I think the comments have begun to point out that we can only strive for best practices rather than perfection. I’m torn, because I love your posts and love commenting on other people’s examples, because they aren’t about my patients. On the other hand, I think that patients can often see themselves in our posts even if they weren’t actually the ones we were writing about. So from a therapeutic point of view we need to always be prepared for what a post might “mean” to the patient even though we know we aren’t writing about them.

      My suggested compromise position is to have a disclaimer that you put in each and every post explaining that the patient listed is a fictional composite and the lengths you go to to disguise clinical information, and put it at the bottom of every post as a footnote. Am I being too conservative? What do you and others think?

      • Thanks, Mike. I like your suggestion of inserting a disclaimer to make things quite clear but I think I’d rather put it in an obvious spot on the landing page than on each and every post.

        Now for the wording… if you have happened to run across any good text examples for such a disclaimer, please let me know…It’s always easier to edit and change something that’s already been written than to start totally from scratch.

  8. Hi Mike, great post, but I do want to point out that none of us can ever be 100% HIPAA compliant. The law states that we need to do our best with the most up to date methodologies to keep patient info safe, but even under those circumstances we can’t “guarantee” that there won’t be some glitch or breach. In the example above – technically someone could open the snail mail and there’s nothing we could do about it. It’s not under lock and key, nor is there an impenetrable force field around it :-).

    I believe the thought that things need to be ‘water tight’ is what keeps many health care professionals from sticking their toes in the water of new business paradigms and technologies. 100% isn’t possible, doing our best is the best we can do.

    • Hehe, this post was just a microphone check to see if you were listening Susan. 🙂

      Seriously, I was hoping someone would point out that this is an ideal to shoot for, rather than a state that can actually be achieved. You’re absolutely right, we can never be 100% HIPAA compliant, nor should people who have already done some of the things that I talk about take in their shingle and stop practicing. And I certainly don’t want to discourage the use of technology. The title was tongue in cheek and my version of the “fear-mongering” that takes the place of common sense. The list of suggestions is for the most part about being a lifelong learner and having common sense, especially number 1. So your point is well taken, and I agree we should be shooting for best practice, not 100%.

  9. I didn’t read this post immediately because I’m not a provider who takes insurance, and I usually ignore stuff about HIPAA as not applying to me. However, Mike, I think you’ve written here about broader issues of confidentiality and common sense — which do apply to us all.

    Thanks, and keep up the great work!

  10. Hi Mike- thanks for the mention in your post! I am with Susan. Our ethical framework is a way to encourage best practice. Therapists wanting to dip their toes in online waters should first and foremost become educated (by reading posts like this for example!) and then practice risk management as we do in all areas of our practice.

    Kathleen, I would suggest using an email service like Hushmail with your clients to send periodic information and documents that hold sensitive information. You can send an email that is password protected. The client must know the password to unencrypt the message. Or, if both of you have a Hushmail account, then correspondence between you is encrypted.

    DeeAnna

    • Hi DeeAnna, I’m with you both too! This is a controversial topic that I’ve planted myself in the midst of, but I am definitely encouraging people to think things through so that they can then move forward and use the technology, because that’s the whole point.

  11. Thanks for a very informative post, Mike!

    At the risk of being too obvious, I would like to add one more condition. My clients know that I teach and train and write. As a result, I secure written consents from them to share about their cases, even though all the identifying data will be removed/changed. I even had one person ask to choose what name she would be known by when I talk about our work. We talk about what types of things will be shared (and not shared). If I were to share any of these cases in a blog post, I would also indicate in the post that I have permission from the person and that it’s always possible the person will see the post. I would add that last part because I would want people who leave comments to be aware of the fact that the client might, in fact, read a post.

    From my perspective, the key is that there is written, informed consent with a client from whom I have behavioral evidence that they will say no to me (i.e., they have done it in the past) if they aren’t comfortable with something I am doing. And then there needs to be a dialogue about what gets shared, what doesn’t, etc. I will always ask if there are particular things that they don’t want shared.

    The people I’ve done this with have felt very good about being able to support the learning of other therapists. Most of them have had more than their share of “bad” therapy experiences, so they are passionate about therapists learning more.

    • Hi Nancy, I was wondering when you’d show up! I think there is no such thing as “too obvious” when it comes to informed consent. I am glad you laid out this clear and respectful roadmap for those of us who teach as well as practice. I am sure that for many patients of yours or others it would feel both holding and appreciated to be part of future therapists’ learning.

      My personal style and bent is to be very “old school” about this, and I never present a case example without changing key identifying info, so that the old become young, males, females, etc. What I DO do specifically with my patients who are therapists and know that I teach is an Informed UNconsent, meaning that if they request I not present their case in classes I promise not to, ever. This may be more of an issue down here in Cambridge because we’re saturated with therapists and training programs, and I have been in at least one training where several of us recognized the identity of the patient (a colleague of ours) being presented. NOT Ok.

      • I very much like the old school approach to changing identifying data. I do similar things…change gender, age, job, geography, type of disability (if disability needs to stay “in” the case to understand what’s going on). Your example of the Cambridge faux pas made me wonder if part of why I have been so thorough about it is because of trying to avoid just that disaster. I have had many therapist clients myself and might well end up presenting a case to an audience of people who, in fact, know the person. I think people think of “identifying data” much too narrowly…I have always defined it for my students this way: “someone who knows that person shouldn’t recognize who is being talked about.”

  12. Here’s another resource for clinicians trying to find their way through social media: http://drkkolmes.com/blog/clinicians/

  13. Hi Mike,

    How does a practitioner use cell phone and texting and still remain HIPAA compliant?

    I would love to hear more about Hushmail. I have gone to their site, but I would like to hear how you explain this to clients, the wording on consent forms, etc. (maybe that is another whole blog).

    Thank you for your cutting edge leadership.

    Debbie

  14. Sorry for the extra comment, I forgot to check the box for f/u comment.

  15. As an online student at Capella (MS Mental Health Counseling), I really appreciate this post. Presently I am working on a discussion post for my ethics class and would love to quote you. Do you mind?

    Cecelia

  16. Every time I hear about behaviour described in this article I have to shake my head and wonder. The internet and social networking sites are no longer a new phenomenon, but people will continue to be naive about this. In the UK the Data Protection Act requires that any information held online is available to clients, employees, parents, patients, etc etc etc. Even some of your handwritten process notes can be subpoenaed. Emails are also part of this, and people need to think about what they write. If you wouldn’t be willing to show this to your patient/client/employer, etc, don’t write it on the internet. Full stop.

    Your concerns and opinions about your clients belong in supervision or personal therapy sessions, and not anywhere else.

    L Charles

  17. Thank you so much for this information! Now that MobileMe is getting rid of iDisk, I have been doing more research on what to use as a replacement, and what “cloud” technology is safe for storing confidential patient files. Good to know Dropbox is not HIPAA compliant. Any suggestions for what to use instead?

    • I use Wuala for secure/encrypted cloud storage to back up patient information and notes kept in an encrypted partition of my computer’s hard drive, using TrueCrypt. Thanks to Keely Kolmes, I also use Hushmail, even though it’s kind of clunky. Amazingly enough, Wuala, TrueCrypt & Hushmail all have free versions, which are quite adequate for my solo psychotherapy practice. And, they can all be used on my Android phone. I’m a mid-50s sorta techish psychologist and was able to make it all work (TrueCrypt was the most complicated, but they have very clear directions). Such a deal.

      Thanks for the straight up post!

  18. Glad I came across this. We’re frustrated that we can’t get a straight answer about using an autoresponder like Aweber and HIPAA. Can anyone comment on it? Thx

  19. Thank you, Mike. Super helpful. I really appreciate the discussion and the specific recommendations.

  20. Great post. Just now found it, thanks to @KeelyKolmes, and linked to it on my blog. For myself, still trying to decide between Hushmail and just getting specific authorization from clients who want to use email.
