How to Have a 100% HIPAA Compliant Online Presence

Fort Knox photo courtesy of Flickr

Many of you have asked me about protecting the privacy of patients in your practice online. Since this concern with privacy often feeds into the anxiety psychotherapists have about using social media, I wanted to offer you a way to build your online presence with an eye to best practices and a sense of confidence. So here is my instruction manual for having a practice that is 100% HIPAA compliant and respectful of patient confidentiality and therapist privacy. Do these things and you will never be in trouble.

1. Don’t talk about your patients online, ever.

People who work with me know that I am nonnegotiable on this one. Yes, in the 15 years I’ve been a therapist I’ve had plenty of poignant and instructive cases I could present and patients I could discuss. No, I am not going to tell you about them. Not on the internet anyway. The internet is not like a team meeting or case presentation, where you have a closed group of professionals discussing patients and asking for consultation. Anyone can read the posts, and patients can easily identify themselves (or imagine that they do) in your blog post. And if Facebook resets your privacy settings one day and I’m your 2:30 patient; and if I Google your Facebook as patients do at 3:25 and find you’ve just updated your status to say, “Just finished with the tough patient for the day, it’s all downhill from here;” then I will know, be offended, and if I’m savvy and litigious get ready to make some money to pay for the new therapist I’m about to hire.

And a special shout out to those of you who use forums such as LinkedIn and Psychology Today, even if you think your forum is open “only to professionals,” does it not occur to you that your patients are or one day could be in your profession? I look at some of the many forums I am on sometimes and I am horrified by the headings, which often resemble these:

“Wow, this patient is so self-centered!”

“What’s the funniest that thing your patient said in session today?”

“Potential clients wants to see me instead of my colleague they see now.” (Let’s hope the colleague doesn’t read the forums.)

and “I don’t want this borderline back! Help!” (Complete with a page long “brief” case presentation!)

Several of these have so much identifying information it’s not funny. And as for LinkedIn, most discussion groups are now open and searchable by web, so when you write in asking for advice about an adolescent smoking pot don’t be surprised if she ends up seeing it.

In closing on this one: I know we all need to vent and ask for help with patients from time to time. That’s what supervision is for, go buy some.

2. Life is temporary, the internet is forever.

Before you post anything, ask yourself how you would feel if it was printed on the front page of The New York Times or some similar print edition. Everything you post on the internet is housed on a server somewhere; backed up usually; then often trawled for and picked up by Google and made searchable. Once you put something on the web it stays there, even if you think you deleted it. So ask yourself, “Is it a good idea to have what I’m about to write floating around wherever it will forever?”

3. Don’t create an online identity that you aren’t prepared to have connected to you.

The nature of privacy is changing due to technology, and that means we can’t be assured that any identities we assume online will remain private now or in the future. Servers get hacked, laptops get stolen, and people, patients included, are very resourceful in satisfying their curiosity about us. So if you have specific groups or personas that you want to let loose on the world via WoW, alt.com or anywhere else, be prepared. If I can’t imagine myself being able to hold a conversation with a patient about their discovering a potential “secret identity,” I don’t create it. I know this may sound harsh, but this is one of the privileges we give up for the privilege of doing the work we do.

4. Don’t subscribe (or unsubscribe) to things you don’t want patients or colleagues to know about.

Subscribing to things is a choice, and you need to be prepared to have those choices made public. This ranges from sites which tell you how much a person donated to the Democratic Party to a blog or listserv. And in terms of collegial relationships, do not risk appearing deceitful by opting out of a Constant Contact list and then telling the colleague how much you enjoy their newsletters. Yes, this has been done to me, and I try very hard to resist telling the person that I can tell them the exact date day and time they unsubscribed on my CC account. Subscriptions and unsubscriptions are expressions of your agency online, express your agency with integrity.

5. Understand how email works.

Recently I agreed to provide coverage for a colleague, and when they offered to email a list of who I’d be covering I requested that they mail it. This surprised them, because they know what a technophile I am. When I explained it is because email is not secure they replied that the mail isn’t secure either, and that envelopes often arrive opened. That is an unfair comparison between email and mail in my opinion.

A more accurate comparison would be if you write a letter, make a copy for yourself and send me a copy; and then someone opens the letter at your post office, makes and keeps a photocopy of it and mails it to my post office, where a second worker opens it and makes and keeps a third copy of it before giving a fourth copy to me. That is how servers work, that is how hosted emails work. If you don’t want four or more entities having copies of your emails, don’t send them. If you want to send encrypted emails, which are definitely more in keeping with HIPAA and HITECH, I recommend Hushmail.

6.Keep current with the technology if you plan on using it.

You know I encourage you to try and use technology as much as possible, so the above may sound like an impossible and counterintuitive task, but there you are. If you are planning on taking pictures of your children with your iPhone and posting them on Facebook, make sure you know about geo-tags before you go about using Facebook or Craigslist. If you are considering using Dropbox or GoogleDocs for patient notes investigate whether these are verified as HIPAA compliant (I’ll save you time on this one: They are not. Don’t use them for patient notes.)

If you want to play around with some new technology, research it a little (Google “[whatever you're playing around with] and privacy.” If you want to keep current with technology and best therapy practices, I recommend you check out the Online Therapy Institute’s “Ethical Framework for the Use of Technology in Mental Health.” They are on the cutting edge of this stuff, and they have great courses as well as free resources.

So these are my suggestions for having an online presence that is HIPAA compliant and protective of your patients’ and your privacy. I know they are a tall order, but the privacy of you and your patients is worth the effort. Please feel free to add: Did I miss anything?