It should be the aim of every practice owner to ensure the protection of protected health information (PHI) by following the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The purpose of this guide is to provide general information about integrating security measures for a HIPPA compliant private practice. Please note that this guide is for informational purposes only and you should explore risk exposures with your malpractice insurance and/or attorney.

General HIAA Guidelines to review

1. Clinicians are expected to stay informed on updates to HIPAA rules.

2. Clinicians should review HIPAA Privacy Rules.

3. Clinicians should review Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

4. Clinicians should review HIPAA Security Rules for national standards to protect electronic personal health information.

Electronic Health Records

1. Clinician should aim to maintain clinician records using a secure electronic health records system, such as Simple Practice, Therapy Notes, Office Ally, and Therapy Nest.  If clinicians maintain psychotherapy notes, these should be destroyed following use.

2. Clinicians should not download PHI onto their devices without an operational justification.

3. Clinicians should password protect any files that are stored on their hard drive or cloud drive. However, it is strongly recommended that no PHI is stored on devises and only maintained in the clinician record using the EHR. It is strongly recommended that PHI that is downloaded to the hard drive be removed immediately following use.

4. Storage of printed PHI is generally not recommended.

Transmissions of PHI via email

1. Clinicians should only communicate with clients using a HIPPA compliant email

2. Hushmail provides HIPAA compliant and encrypted email service.

3. G-Suite is HIPAA compliant with a Business Associate and includes options to send confidential email.

   • Emails sent via this email should typically have standard TLS encryption (read more about encryption levels here).

   • Use the Virtru Google Chrome extension to ensure end-to-end encryption.

4. Clinicians may enable “confidential mode” when transmitting PHI via email for additional security protection.

5. Clinicians should verify the identity of the recipient prior to transmitting PHI via email.

Transmission of PHI via phone

1. Clinicians should only communicate with clients using a HIPPA compliant phone system.

2. Phone.com, Velantro, and RingRx are HIPAA compliant. Ensure to obtain a Business Associate Agreement with these companies prior to transmitting PHI.

3. Google Voice is HIPAA compliant with a Business Associate Agreement within G-Suite.

4. Clinicians should verify and document the identity of the recipient prior to discussing PHI via phone conversation

5. Clinicians should minimize transmission of PHI via text or voicemail.

Internet Use

1. Clinicians should password protect their home/private networks when working from home.

2. Clinicians should not transmit of PHI via open networks, unless using a virtual private network (VPN). Clinicians are strongly recommended to use a VPN for all internet use.

3. Clinicians should minimize use of browser-cached data in web-based applications which manage PHI.

Telehealth

1. Clinicians should conduct telehealth counseling sessions using an integrated platform through their EHR. Google Meet or Zoom may be used as a backup platform.

2. It is strongly recommended that clinicians use headphones when conducting telehealth sessions.

Electronic devices (laptops, smartphones, tablets)

1. Clinicians are encouraged to use privacy screens when working in public settings to protect devices with PHI.

2. Clinicians should password protect all devices. Clinicians should implement two-factor authentication when available. Do not share your passwords with anyone. Do not write down your passwords. Do not store your passwords.

3. Clinicians should never leave devices open and unattended. Clinicians should add additional measures to ensure unattended devices may not be accessed, including automated session termination on inactive devices or password protected screen savers for laptops.

4. Clinicians should sign-out of devices when not in use for clinical work.

5. Clinicians should ensure all security updates for devises are deployed as recommended.

6. Clinicians should install, use and regularly update virus-protection software on all portable or remote devices that access PHI.

7. Clinicians who share their laptops for personal should use separate account log-ins.

8. Configure your systems to remotely lock, locate, or erase your devises.

9. When discarding a device, return it to factory settings prior to disposal.

*Please let me know if there is anything helpful that can be added. We want to have a comprehensive guide and it is possible some nuances have been overlooked.

Check out additional resources for your private therapy practice