Technology and Security
Policies and Procedures
Please be sure to read my HIPAA notice of privacy practices for a thorough discussion of the definition and provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although I do not accept insurance, as a covered entity, I am bound to comply with HIPAA law, and I take that obligation seriously. I explain the risks involved in using various technologies throughout my counseling policies and procedures.
What does it mean when technology is HIPAA-secure?
HIPAA-compliant is the standard term used across the industry to denote a high level of privacy and security regarding the handling of protected health information, so you will see the term HIPAA-compliant used throughout my policy documents. But it is important to know that a program can be HIPAA-compliant and not be HIPAA-secure if it is not set up and managed correctly. There are many programs on the market that can be HIPAA-compliant, and it is my responsibility to implement these technologies securely. This counseling practice uses HIPAA-compliant technology securely. HIPAA-secure means that a HIPAA-compliant product or service implements the HIPAA-compliant features of the product or service with the level of privacy and security that is consistent with the HIPAA privacy and security rules. It is not enough for a program to claim it is HIPAA-compliant just because it provides a business associate agreement (BAA) with its users. The program must also be used in a HIPAA-compliant manner.
Some of the programs that may compromise your privacy and security if not used correctly include email, phone service, messaging apps (including the text messaging app on your phone), video conferencing, and interactive assessment sites. I have what’s called a business associate agreement (BAA) with every third party application I use in my practice. A BAA is a contract between that company and mine in which they agree to adhere to the requirements of the HIPAA privacy and security rules. Any third parties or third party applications that have access to protected health information (PHI) must sign a BAA with counselors or counseling services, ensuring that both parties practice HIPAA-compliance with regard to privacy and security of PHI. The technology must have HIPAA-level encryption, meaning that information is encrypted both in transit and at rest.
Without a BAA between the counseling practice and the software, along with encryption both end-to-end and in transit, emails, messaging apps, and phone calls are vulnerable to hackers. Without proper security measures in place, these communications may be inadvertently exposed to someone you live or work with. I am responsible for the security on my end. Security on your end is your responsibility. In my policies and procedures, I provide you with the tools and strategies you need to minimize risks on your end.
Let’s look at a few scenarios where security might be a concern.
Scenario 1
A therapist named Lucy is in a hurry. She sends an email from her HIPAA-compliant business email to a client named Mario at Mario's personal email address. In the email is a link to Mario's treatment plan. Anyone who has access to Mario's email can access that link if it’s not password-protected. Mario’s roommate Jake borrows his computer when he’s not using it. Jake sees that Mario’s email is open in a browser tab and that Mario just got an email from his therapist. Jake’s curiosity gets the best of him. He clicks on the link in the email and instantly gains access to Mario’s treatment plan. Jake reads Mario’s diagnoses and learns what Mario has been working on in therapy. If Lucy had used HIPAA-secure email messaging, Jake would not have been able to open that link without Mario’s password.
Scenario 2
Lucy sends a link to Mario so he can access his client chart to fill out assessments and forms. Without two-factor verification or some other form of security that limits access to the chart, Mario's therapy chart is vulnerable to his nosy roommate Jake.
Scenario 3
Mario texts Lucy from his personal phone to let her know he’s experiencing a crisis and needs to meet with her for a counseling session. Lucy’s phone line is HIPAA-compliant, but Mario’s is not. Mario’s phone carrier and any apps synced with his device or phone number are now privy to Mario’s texts with his therapist in which he discussed his mental health, something that should be a private issue. To protect Mario's privacy, Lucy should invite Mario to a HIPAA-secure text-messaging conversation using her HIPAA-compliant text-messaging program.
You can see that simply having HIPAA-compliant programs is not enough to ensure privacy. It’s how those programs are used that makes them HIPAA-secure. HIPAA compliance is not a condition; it is a process.
What Makes a Teletherapy Practice HIPAA Compliant?
As a covered entity, and in my roles as your therapist and as the security risk officer of my company, I am trained in HIPAA compliance. I take every possible step to ensure that your protected health information (PHI) is secure. PHI must be stored in a HIPAA-encrypted program. In my practice, I use Google Workspace Enterprise for Healthcare for cloud storage and backup.
A counseling practice must attend to hardware security as well as software security. For endpoint encryption on my computers, I use Webroot Business Endpoint Protection. Endpoint protection prevents cyberattacks on my devices.
To ensure that I am fully and consistently following the legal and ethical requirements of HIPAA, I perform regular risk assessments and audits of my systems and your data to ensure that everything is set up and operating as it should be to maximize your privacy and protection.
To use teletherapy securely, you will need to set up sign-in credentials that limit access to your personal health information.
There are three terms for sign-in credentials that are often confused. You will see all three used with online programs and services.
A password is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and the more variety, the safer the password.
A passphrase is typically a short sentence, such as I like blue bikes.
A passcode can be either a password or a passphrase.
Passwords, passphrases, and passcodes are case sensitive. You can find helpful tips on how to create safe passwords, passcodes, and passphrases in my HIPAA notice of privacy practices.
Programs Used by this Counseling Practice
I prioritize the use of HIPAA-compliant technology to protect the privacy and safety of my clients. All contact forms on my website are HIPAA-compliant. To minimize spam, I do not publish my phone number, fax number, or email addresses on my website. I will supply you with my phone number, fax number, ProtonMail email address, and Google business email address after I receive your initial contact form. I make sure you have many ways to reach me.
Below is a list of the programs I use in my counseling services. Here’s what you'll need to know about how they work.
ProtonMail is a HIPAA-compliant email service designed for your privacy. You will not need an app to receive these emails, but you will need to send your completed initial contact and preliminary intake form before I will send you a secure email via ProtonMail. The initial contact form is HIPAA-compliant and starts the intake process. After you have completed the initial contact form, I will respond to you from my ProtonMail email so we can communicate securely.
Encrypted Email
ProtonMail gives me the option to send secured or unsecured emails. Secured email works by keeping the content of the message out of the body of the email you receive and requires a password for you to read it. You will set up that password on your initial contact form. This way, if someone accesses your email, or you accidentally leave it open at home or at work, no one but you can view the message. Learn what that looks like and how to reply securely.
When you receive a secure email from me, you will see a link in that email that says “read your secure email”. When you click on that link, it will take you to a secure web page where you can read the content of the email message. You will have the option to reply securely.
You will not be able to initiate encrypted emails unless you open your own free ProtonMail account. This is not necessary to benefit from my services, as I include access to a HIPAA-compliant text application with my services. You can initiate HIPAA-secure texts in that texting app at any time once I send you an invitation. You will receive that invitation after I receive your initial contact form. I discuss the texting app in more detail below. See my therapy services and fees page for guidelines and limitations to texting.
Accessing Encrypted Emails
On your initial contact form, you will create an identity verification passcode (IVP) that we will use to verify that you are you in all sessions and on all forms and assessments. The IVP is discussed in detail in my identity verification passcode policies and procedures. Your IVP can be a word or a phrase and will be case sensitive. The longer it is, the more secure it will be. See my notice of privacy practices for tips on how to create a safe passcode, password, or passphrase. Passphrases tend to be easier for people to remember.
A passphrase is different from a password. A password is typically 6 alphanumeric characters. A passphrase is a phrase such as “Tennis balls are round and fuzzy” or “Grass is healthy when it rains.” Make sure your passphrase is easy for you to remember but is not easy for someone who knows you to guess. The two examples I just gave have nothing to do with me, my life, my business, or counseling in general, which would make them ideal passphrases if I needed to set up a passphrase that would be difficult to guess.
When you create your IVP, create a passphrase that is unique for this purpose. Do not use a passphrase that you use for any other accounts. Using a unique passphrase for your identity verification passcode (IVP) will help us keep your personal information as safe as possible. Do not share your IVP with anyone, and do not write it down and leave it in an area that is accessible to others.
Email Subject Line
When sending correspondence to me, it is a good privacy practice to avoid writing anything in the subject line that can identify your message as therapy-related. Instead, I recommend we both use general terms such as appointment, reminder, confirmation, scheduling, message, notes, details, deliverable, packets, forms, documents, receipt, or invoice.
Email Precautions
If you decide to save secure email content outside your email application or on your personal devices, please be aware that your security and privacy may no longer be protected. Any personal health information you save to your personal devices via copy/paste, download, or screenshot may be vulnerable if your device or application is not secured by password-protected login and anti-malware protection. If you move or save this content outside the HIPAA-compliant system, you waive confidentiality and any legal claims from a resulting breach.
There is an option to set up autofill for your logins on both webmail and apps. I strongly advise against this, as it will compromise your security. Check to see if you have autofill turned on for passwords and, if you do, turn it off. Write down your passwords, passcodes, and passphrases and put them someplace safe. It is a solid security practice not to write down your email address in the same place where you keep your email password. That way, if someone finds your password, it will not be associated with the account you use it for and will be less likely to facilitate an account breach.
Email Delivery
Keep in mind that email containing certain words in the subject line may automatically wind up in your spam folder, promotions folder, or clutter folder, depending on which email service provider you use. Please check these folders regularly to prevent missed communications.
iPlum Calling, Texting, and Faxing
HIPAA-Secure Text Messaging/Chat
All of my therapy services come with HIPAA-compliant texting at no additional cost to you. You will be able to reach me via secure texting 24/7/365 once we have a signed informed consent agreement in place. Therapy via text messaging or email includes text/email messaging in both directions and is a clinical service. Text-based therapy should not be used as a substitute for therapy via video conferencing; it should be used as a complement to it. See my therapy services and fees for a discussion of what constitutes text-based therapy and to familiarize yourself with expected response times.
Once you have signed the informed consent agreement, you will receive an SMS invitation with instructions to download the secure text-messaging app and accept my invitation to secure messaging. Caution: If you send me texts through the app before receiving my invitation, your messages to me will not be secure. The invitation will contain a link to install the application. When you install the app, you will register using your mobile number and accept my invitation in the app. At that point, the HIPAA-secure channel will be active and ready for secure texting. For your protection, your contact information will be stored in the HIPAA-secure app, not on my mobile device.
HIPAA-Secure Phone Calls
To ensure the privacy and security of our phone conversations, we will conduct any counseling-related phone calls via the HIPAA-compliant iPlum app. I accept calls by appointment only. If you call me without an appointment, you will be routed to voicemail. Voicemails are HIPAA-secure because they are stored on the app’s HIPAA-secure server. However, phone calls will not be secure on both ends until you install the iPlum app, because the call app on your personal phone is not secure. Again, please do not install the iPlum app until you have received an invitation from me to do so. This invitation will connect you directly to my HIPAA-compliant business account. The iPlum app is free for you and is usually the fastest way to get a message to me. Please see my therapy services and fees page for expected response times.
HIPAA-Compliant Fax
My preferred method of sending your records, should you request them sent directly to you, is via the HIPAA-secure encrypted ProtonMail email discussed above. When faxing is necessary, I use the iPlum fax service to send HIPAA-secure faxes unless the recipient has a landline-based physical fax machine. Landline-based fax machines do not need to be HIPAA-secure because they transmit through analog rather than digital channels. Sometimes, you will need me to fax your records to another health care provider, a legal professional, or a personal representative. Please keep in mind that if the recipient does not have a HIPAA-secure electronic fax service or a landline-based physical fax machine, the contents will not be protected and the chain of HIPAA compliance will be broken.
I use fax service primarily as a business-to-business communication. Though I will ask if the business on the other end has a landline fax or HIPAA-compliant fax technology, I cannot guarantee they will answer honestly or correctly. By requesting a fax of your records, you understand that I am no longer responsible for the security or privacy of those records after they leave my possession. Please note that there will be a cost-based fee for paper copies sent via fax. See my records request policies and procedures for details on the cost of records provision.
I use two video platforms for video conferencing, for three reasons. The first reason is personal preference. The second reason is that it’s important to have a backup in case of technical issues. The third reason is that they offer different levels of security.
Safety During Video Conferencing
For your safety and security, I will require you to show your government-issued photo identification at the start of your first video session so I can confirm your identity and location. I must confirm your identity so none of your personal information is shared with someone impersonating you. I must confirm your location because my license is limited to treating clients who are physically located in the state of Florida at the time of service. This means that if you go on vacation outside of Florida, your services with me will not be available during that time and any advance payments you have made will apply to future sessions. If you show up for a scheduled appointment and you are not located in Florida, the session will be terminated immediately and you will be charged for the session you scheduled. It is best if you let me know in advance when you are going to be out of state so we can find you services at that location, should you want them, and so I can suspend payments for the time that you will be out of state. See my travel and conduct policies and procedures for more detailed information.
For your safety and mine, and to provide the best quality counseling experience, I ask that you keep your video on during the session. Per state law and standards of care, our initial session must be a video session. After that, I recommend a video session once a week for the first month. If you prefer phone sessions and therapy via text-messaging, those are available as well. Please see my description of online counseling services and therapy services and fees to learn about the structure of therapy with my practice.
You and I will agree on an emergency management plan to deal with emergencies and contingencies that arise in and out of session. See my emergency management policies and procedures for details.
You may have the expectation that since you are accessing services from your home, it would be appropriate to have your children, partner, or roommates hanging out in the room or passing through the room during therapy. However, this will jeopardize the quality, privacy, and effectiveness of your therapy. Teletherapy follows the same standards as in-person therapy. If you wouldn’t do it at a brick-and-mortar office, you should refrain from doing it online. An exception is when we arrange in advance to have family present to support you in your therapeutic goals. If you are unable to assume responsibility for your privacy, then this service is probably not the best fit for you.
Zoom for Healthcare
In terms of quality and security, I favor the HIPAA-compliant version of Zoom for video conferencing. When we set up our video counseling sessions, I will send you a link to each session via HIPAA-secure, encrypted email or secure text messaging. Please make sure to whitelist ProtonMail by adding it to your safe senders or contact list so you won’t miss the invitation to the session. The invitation will include the meeting ID and password, ways to dial in from a phone, and the direct link with the password built into it.
You will need to install the Zoom app on your device. Follow these instructions to install Zoom on your PC or Mac, install the Zoom app on your Android mobile device, or install Zoom on your iOS mobile device.
Zoom users report occasional issues with sound or connectivity. These issues usually mean the app needs to be updated. To keep Zoom working properly, check once a week to see that you have the most recent version downloaded. To update to the latest version of Zoom, visit the Zoom homepage while on a computer. Select the resources tab from the menu on the top right (see image), and click on Download Zoom Client in the dropdown menu. The download will override whatever version is currently on your device. Note that you may need to reinstall the virtual background package once you update the app.
To update the app on your mobile device, please go to the App Store or Play Store on your phone or tablet, choose settings from within the App Store or Play Store (not the general phone settings), and choose auto-update apps. Note that some apps may need to be updated manually; it is a good idea to check weekly for updates of both your apps and your operating system.
Google Meet
Google Meet is our backup video conferencing application. The Google Meet app syncs up between computer and mobile devices, and the application icon appears right in your Gmail tray. Unfortunately, this means anyone who can access your Gmail account can access your video conference invitations, and they can access your Google text messages through the Google Chat app as well. So even though the video and chat content is contained in a HIPAA-secured app, if others can easily access these apps, they are not as safe as the systems I prefer. To offer you the best privacy protection I can, I prefer to use Zoom for video instead of Google Meet and iPlum for texting instead of Google Chat, although Google Chat gives us a backup text method option in a pinch.
Google Workspace Enterprise for Healthcare
Google Workspace Business Email
Cloud Storage and Backup
I use Google Drive for Workspace Enterprise for virtual storage of electronic health records (EHR) and other counseling-related documents. Documents, videos, forms, and images are stored in my business Google Drive, which is HIPAA-compliant. I store all of your learning materials there as well. Access to the HIPAA-secure Drive folders is limited to me except in cases where I grant you permission to access some of your documents. When I share any digital items with you from Google Drive, permission to access those items will be restricted to you only. If the items contain your personal health information, permission will be denied to any login except your email address, so if you try to share the links to folders or files, access to anyone but you will be denied.
Note that if you download documents containing your PHI, you take responsibility for the security of those documents; I cannot be responsible for their safekeeping once they leave the HIPAA-compliant environment. In an online therapy practice, it is an expected practice for clients to download PDFs and other forms of documents related to their therapy, just as they would save printed copies in an in-person practice. However, without adequate security, an electronic device is as vulnerable as an unlocked file cabinet in a physical office. Please store your digital documents with this in mind.
Google Workspace Sites
The signature on Google’s Forms involves typing in your name or checking a box. A typed e-signature is legally acceptable and legally binding on therapy documents.
You will access Google Forms several ways: links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete them on a computer or mobile device. All the Google Forms I send you are HIPAA-compliant, no matter where you access them from.
Some Google Forms will require you to log into your Google account. This is a security measure. If you do not have a Google account, please be advised that you will need one to receive therapy services with my therapy practice. It is free to set up a Google account. Forms that do not require a file upload or are not therapy-related do not require a Google login.
In addition to Google Forms, I may sometimes use a program called Jotform. Jotform allows for a drawn signature that you can create using a stylus, mousepad, or finger. You will be asked for your identity verification passcode (IVP) and signature, and your location will be verified. As with Google Forms, Jotform’s forms are HIPAA-compliant and can be accessed via links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete these forms on a computer or mobile device.
I use a HIPAA-compliant app called PsychSurveys to send you certain evidenced-based assessment forms. These assessments help me evaluate your needs so I can provide you with targeted materials and support in areas where you would most benefit. Based on the needs you express on your initial contact form, I will send some of these assessments as part of your intake and evaluation. I may send additional assessments for you to complete throughout the time that we work together. This app makes it quick and easy to fill out assessments, and the app does all the work of sending me the results so you do not have to.
These surveys will come to you through your regular, unsecured email. The PsychSurveys system does not have an option that lets me send them through password-protected email, but you will see an option to opt out of emails from the app in your app preferences/settings under “Survey Email Alerts”. When you opt out, the “Disable Email Alerts” checkbox will also be checked on your app setup screen. You will receive an email reminder 3 days after each initial assessment is sent, and then again every 7 days thereafter until it is completed or expires. Every email includes an “opt out” link at the end of the email. Emails are sent from PsychSurveys with a ReplyTo set to my email address, so you can reply directly to me if you have a question.
The PsychSurveys app will send you login credentials via email. Be sure to change the default password after you activate the app. For your security, the app supports a “Passcode Lock” feature which locks the app from use until a passcode is entered. This passcode can be different from the device’s passcode, allowing you to choose a passcode known only to you, separate from your device passcode. If you enable this feature, which I strongly suggest you do, only you can unlock and use the app. If you forget your unlock code for this app, you will need to either log out of the app and log back in (which clears this setting) or uninstall and reinstall the app. I will not be able to reset that code for you.