For any mental health professional, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, has undoubtedly impacted the way you handle patient information. Written to safeguard patient information, HIPAA has served as an essential tool to ensure privacy. In the mental health space, this information is even more sacred, with clients often only trusting their providers with this delicate look into their life.
Unfortunately, lawmakers created HIPAA over two decades ago, and for many providers it is unclear what obligations they must meet in the digital age to stay compliant. We created this guide as a tool for therapists, licensed social workers, psychologists, and psychiatrists, but ultimately it is up to the provider to ensure that they are meeting HIPAA compliance.
It’s a good question! As platforms like Psychology Today and GoodTherapy have made it easier for patients to reach mental health providers online, many mental health professionals have created their own web pages, to intake clients and provide information seamlessly. In a separate article, we will outline the importance of having a website for your practice, but today, let’s make sure that you are not at risk of violating HIPAA compliance.
Unfortunately, there isn’t a one-size-fits-all definition of HIPAA compliance, but if you handle any PHI (protected health information) on your website, you must meet strict HIPAA standards. PHI includes any information that can be used to identify current or future patients. This includes names, emails, phone numbers, addresses, social security numbers, and much more.
Many therapists collect PHI through contact forms and emails before establishing care. While this is often done carefully, it is still a violation of HIPAA compliance, and any data breach can expose you to liability.
Popular website tools including WordPress, Squarespace, Weebly, and Wix often come with helpful contact forms like the one above. Patients love being able to reach out to their providers quickly, but these forms are not a secure way of handling PHI and expose your practice to HIPAA privacy concerns.
For scheduling and some simple questions, most email is fine. However, communicating via Gmail or most email services is not HIPAA compliant if discussing patient information, diagnoses, etc. It is essential that providers have a way to send information to their patients securely.
If you store any patient information on your website (via a client portal, etc.), your site must be HIPAA compliant. Many providers use an external system for managing patient details.
Contact forms are incredibly helpful, but they are often a violation of HIPAA regulations because they are unsecured.
Therapists must obtain a BAA, or Business Associate Agreement, from every vendor that ever handles their patients’ data. For many, this means a BAA from your email provider, your contact form provider, and, depending on where data is stored, your web host.
To meet HIPAA compliance, we need to look at the places where you handle patient information. For the majority of therapists and mental health professionals, there are two areas where we should look: the contact form and email service.
For contact forms, patient information needs to be encrypted throughout its journey. HIPAA requires encryption when data is “in motion” and “at rest”. This means that your contact form must encrypt patient information when the patient hits submit, the information must stay encrypted in transit to your inbox, and it must remain encrypted once stored as a record. This is often referred to as end-to-end encryption.
Additionally, best practice is to secure both the content and the connection of your website with an SSL certificate (you can check any website’s security by looking for the lock icon or https:// in your browser).
This leads to the second point of concern: email. All of your emails containing PHI must be encrypted. This is difficult to accomplish through traditional email providers such as Gmail. Service providers like Hushmail and Paubox specialize in email encryption and provide solutions to help you meet HIPAA compliance.
Patient data security is essential, but modern-day HIPAA standards are often difficult or expensive for therapists to meet. Fuerza Design specializes in creating HIPAA-compliant solutions at an affordable rate. You do not need a new website to ensure HIPAA compliance. We would love to discuss an affordable and accessible solution for compliance.
Full HIPAA Compliance
Secured Web Forms for Patient Intake and Scheduling
Encrypted Email Inbox with Archiving
Enterprise-Grade Website Hosting
SSL Certificate for Secure Connection
Business Associate Agreements