Practice Management, HIPAA & Digital Ethics
E-Mails in Traditional Therapy and in TeleMental Health
Hushmail and other secure email services are a good idea, but many, if not most, clients balk at the extra hassle involved in using them to communicate with their therapists, and may choose to use the familiar and free, but unsecured, email after being informed of the risk by their therapists (via an Informed Consent and e-mail signature).
Use of Text in Traditional Therapy and in TeleMental Health
Therapists Googling Clients
Clients Googling Therapists
Yelp: Responding to Negative Postings
Facebook & Psychotherapy and Facebook Privacy Issues
- Clients as Facebook Friends, by Ofer Zur Ph.D.
- Discussion on Facebook
- Facebook & Psychotherapy, by Ofer Zur Ph.D.
- Facebook's New Privacy Changes: The Good, The Bad, and The Ugly, by Kevin Bankston (December 9, 2009)
- Facebook Privacy Changes Inspire Praise, Optimism, and Skepticism, by Kevin Bankston (June 1, 2010)
- Facebook tosses graph privacy into the bin, by Joseph Bonneau (December 11, 2009)
- The Inside Facebook Guide to Protecting Your Privacy on Facebook, by Jessica Lee (May 13, 2009)
- Are you in counseling? Would you 'friend' your therapist?, by DeeAnna M. Nagel (June 28, 2009)
- Facebook Further Reduces Your Control Over Personal Information, by Kurt Opsahl (April 19, 2010)
- Six Things You Need to Know About Facebook Connections, by Kurt Opsahl (May 4, 2010)
- How to Get More Privacy From Facebook's New Privacy Control, by Kurt Opsahl (May 26, 2010)
- Social worker in UK was sanctioned after posting clinical details on FaceBook, by Luke Stevenson (September 10, 2014)
- Why Your Doctor Won't Friend You On Facebook, by Shefali Luthra (August 24, 2015)
Stalking, Harassment & Violations of Privacy
HIPAA & HITECH Information, Resources, and Guidance
Are Square, Credit Cards, & Banks HIPAA Compliant?
Encryption & Computer Security
- Anti-virus software
- WiFi and Public Network
- Specific to Apple (Macintosh):
- Specific to Windows
- Specific to All Mobiles
- Specific to Apple (iPhone, iPad)
- Specific to Android
- Specific to Microsoft
HIPAA & NPI: Registration & Basic Info
Additional NPI Resources
Search the NPI Registry
HIPAA's Patient Access Rights: What Patients & Providers Need to Know
Risk Management & Security
Cloud Based Management Systems
Therapy Tech With Rob and Roy
- 2016: Phase 2 HIPAA Audit
- 3 Reasons Apple vs. FBI Is Huge For Mental Health Pros Beholden to HIPAA
- Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not? (2016 Update)
- 2015: Transitions from DSM-5 and ICD-9 to ICD-10 on Oct. 1, 2015
- Sheldon v. Kettering Health Network, 2015-Ohio-3268 - Ohio court decision that expressly states that HIPAA cannot be used as a standard of care for medical malpractice lawsuits
- More Reasonable Breach Notification Reporting Periods for CA Health Care Providers in 2015
- NBCC on HIPAA Compliance: What You Need to Know About the New HIPAA-HITECH Rules (Sept. 2014) by Jay Ostrowski, NCC, Director of Product and Business Development for the National Board for Certified Counselors (NBCC).
- Risk Analysis and Risk Management Planning: Can You Do It Yourself?
- LinkedIn Discussion: Some Solid Information On Risks To Electronic Health Information
- Protect Your Client Records: Put Them On the Internet
- How Skype Became Software Non-Grata, and Other Tech Will, Too
- Security Notice for TrueCrypt Users: Moderately Urgent
- A LinkedIn post stated:
"When you become incorporated you need to get a type 2 or Organizational NPI #. That will be your billing NPI # and you will use that with your tax id. You still use your rendering type 1 or individual NPI as the person who provided services. The type 2 NPI goes in box 33 as the billing NPI along with your tax id. Different insurance companies have changed some edits as to what information they want and where they want it electronically so if you file electronically check with your clearinghouse or the carrier."
Karen Habel CDA, CMBS-I, CDBS-I
Owner of Karebilling Services, Inc.
- More info regarding NPI's: NPI Instructions for Sole Providers, Group Members and LLCs
- Google and HIPAA Compliance: Gmail, Drive and Calendar Now Accessible For Health Care Professionals
- Therapy Tech With Rob and Roy: How To HIPAA-fy Your Practice Tech in 2014 (Transcript)
- It's Not Enough to Notify: Don't Forget the Policies, Risk Analyses, and Training - January 2014: The Feds have started heavily emphasizing the Risk Analysis portion of HIPAA compliance. You can learn about this in our HIPAA Package and in our Digital Ethics, Security & Privacy in Practice Management course.
- 2013: What the new HIPAA means for Digital Health Access - Jan/2013
- 2013 HIPAA Rules
- March 2013: HIPAA Omnibus Rule Released: HIPAA final rule casts more doubt on business associate status of certain software service providers
Roy Huggins, LPC NCC states: The HIPAA omnibus final rule introduced some new rules and definitions for business associates, including changes to the "conduit" exception. According to Rob Reinhardt, the conduit exception depends on data in transit being encrypted and inaccessible to the company that passes it along. Many argue that Skype is a "conduit," and therefore not a business associate. It is known that Skype can view the calls being transmitted through its service because it provides access to those calls for law enforcement.
If the interpretation is correct that a conduit must not be able to view the information passing through it, then Skype would certainly qualify as a business associate. This is still unsure at the time of writing. Also, it is already known that the text chat feature of Skype would qualify Skype as a business associate because they store the chats. So it is advised that you not use the chat feature to communicate protected health information.
The final rule also clearly states that data storage companies are business associates, even if they don't look at your PHI. The language does not explicitly mention what happens if the PHI is encrypted, but the language in the final rule would imply that even encrypting the stored data does not excuse the data storage company from a business associate relationship. If that interpretation is correct, then online data backup companies, like Carbonite and SOS Backup, would no longer be able to provide their services without a business associate contract. This is still unsure at the time of writing, however.
Insurance, Billing, Reimbursement & CPT Codes in E-Therapy & TeleMental Health
Informed Consent to TeleMental Health Services
Sample Consent Forms to TeleMental Health Services
(Make sure you comply with copyright laws prior to copying or employing any of the forms below in your practice)
- Avera Health
- LA County
- In the public eye: The ethical practice of media psychology. McGarrah, N., Alvord, M., Martin, J., & Haldeman, D. (2009). Professional Psychology: Research and Practice, 40, 172-180.
- Rutledge, P. What is media psychology?
Psychotherapists' Professional Associations
Federal Resources, Laws, and Regulations
Psychology of the Web & Telehealth
Guidelines by Prominent Organizations on TeleMental Health
Telehealth, e-therapy, online therapy, online counseling, tele-medicine, e-counseling, or TeleMental health: all refer to the use of digital technology to provide clinical services, such as assessment and treatment. Telehealth activities may include providing clinical services by telephone, email, chats, interactive televideo communications technology such as Skype, or via virtual reality (VR) such as Second Life (SL), to individuals in conjunction with face-to-face (f2f) therapy or with no in-person contact. States and organizations vary in their definitions of telehealth.
TeleMental Health Platforms
Make sure to verify that the platform you choose is HIPAA compliant and complies with state and federal laws and regulations, and with the rules and codes of ethics of your state and national professional organizations.
TeleMental Health Technology Comparisons: A useful website that compares different TeleMental Health options by Behavioral Health Innovation
TeleMental Health Across State Lines
- Lesley, R., J.D., LICENSING BOARD ISSUES WARNING TO PATIENTS WHO TRAVEL OUT OF STATE! Re: Telephone Counseling/Psychotherapy in Avoiding Liability Bulletin, September 2016.
- Zur, 2014: http://www.zurinstitute.com/telehealth_across_state_lines-zur.html
- Practicing distance therapy, legally and ethically, APA Monitor
- Can I Practice "Skype Therapy" Across State Lines? by Roy Huggins, LPC NCC
- CA Status on cross state lines:
§1815.5. Standards of Practice for Telehealth (a) All persons engaging in the practice of marriage and family therapy, educational psychology, clinical social work, or professional clinical counseling via telehealth, as defined in Section 2290.5 of the Code, with a client who is physically located in this State must have a valid and current license registration issued by the Board.
- International Online Therapy: What to Know Before You Go (and Start Doing It)
- In 2014 we witnessed one of the rarest cases regarding practicing across state lines, when the PA psychology licensing board filed an action to stop a psychologist located in Israel from delivering psychological services to patients who reside in PA. Dr. Joseph Abraham is licensed in Israel but is not licensed in PA. Apparently, on his website, where he promotes and advertises his telepsychology services, Dr. Abraham used a PA address. For more information:
- For an excellent analysis of risk management of across state lines issues that is realistic, informed, intelligent, and not fear-based, see: Harris, E & Younggren, J. N. (2011). Risk management in the digital world. Professional Psychology: Research and Practice, 42 (6), 412-418. For Abstract: http://psycnet.apa.org/journals/pro/42/6/412/
- Crossing the line: a legal argument for interstate online therapy
State TeleHealth Laws & Licensing Boards
Malpractice Insurance for TeleMental Health or Online Therapy
Reviewing online insurance policies and the literature on the topic, it is my general understanding that the following insurance companies will cover telemental health, e-therapy or online therapy if the insured practices legally, within the scope of his/her profession, and within the scope of his/her expertise (call your insurance company to verify your coverage):
- The Trust generally covers licensed psychologists. Gerry Koocher, Ph.D. a Trustee for The Trust, posted the following on 1/15/13: "The professional liability policy provided by The Trust is a broad-based policy and would cover any policyholder for civil liability or board complaints arising out of provision of telepsychology services in the same way it provides coverage for other claims and complaints. No provider of professional liability coverage, however, will cover claims of criminal liability."
- American Professional Agency covers psychologists and other mental health professionals. In response to my inquiry regarding their coverage of telemedicine and telemental health in Jan. 2013, I received the following response on 1/16/13: "Please be advised, that while this activity would be covered under the policy there are some factors you should take into consideration. First, if you do not hold a license in the state where your patient resides and one is required, you may not be covered by the policy. Second, you must be HIPAA compliant, which includes, but is not limited to, using a secure site to avoid any breach of a patient's rights. Being non-compliant, could put you at risk to fines and penalties, as well as having a suit or complaint being brought against you for breach of confidentiality."
- NASW Assurance Services which covers social workers, posted An Important Caution for Social Workers Practicing Online Therapy, which includes these statements: "The Social Work Professional Liability Insurance policy sponsored by NASW Assurance Services provides coverage worldwide, as long as the claim is made and the suit is brought in the United States, its territories, possessions, Puerto Rico or Canada. Therefore, it's not necessary to purchase another policy for internet, phone/telecommunication practice... There may be different requirements and/or licensure in the various states in which you may be practicing. As stated in VI. EXCLUSIONS under item Q. of the insurance policy, coverage would be excluded for a wrongful act committed while you did not have a license as required by law. You must be practicing legally for the policy to afford coverage."
- CPH covers CA MFTs and other mental health professionals. CPH states on its web site regarding coverage for E-therapy or Internet Therapy: "Yes - provided such practice is authorized or allowable under the scope of your license in the state where you practice and provided you are performing such services lawfully. Contact your state licensing board if you are unsure."
- TelMed is affiliated with American Telemedicine Association (ATA).
Skype, while free, familiar and encrypted, is no longer an acceptable option for videoconferencing as part of telemental health, as it does not give a BAA and is not considered HIPAA compliant.
Below is a list of several websites that market videoconferencing services to mental health and other professionals. Some of these sites claim to be HIPAA compliant. You must verify that they are, indeed, HIPAA compliant and request a Business Associate Agreement. Also pay attention to laws and regulations on practicing across state lines.
Comprehensive list of telehealth and videoconferencing platforms, by Jay Ostrowski
HIPAA Compliant VoIP Services - LI Conversation
Free Online Therapy Software Compared: Usefulness, Ease, Security, Support, & HIPAA, by Roy Huggins
VSee and HIPAA - LI Conversation
Is Skype HIPAA Compliant?
Is FaceTime HIPAA Compliant?
Ethics Codes on TeleMental Health
TeleMental Health Guidelines
Second Life & Virtual Realities
Professional Telehealth Associations
University Centers for Telemedicine
Online Telehealth Publications and Journals
TeleMental Health Updates