Technology and Security

Policies and Procedures

I will start taking appointments in January of 2023.

Technology Orientation

I realize that everyone has a different level of experience with technology. If you are not very experienced with technology but are willing to learn, you may see this new experience as exciting territory to explore, and you may gain some new skills for your efforts. If the thought of using video conferencing freaks you out, virtual counseling is probably not the right service for you.

For most technical issues, I recommend that you refer to my technical support policies and procedures for troubleshooting steps you can try on your own so you don’t have to devote session time to techie stuff. I am happy to spend time with you on any technical issues during your session if you need guidance. In fact, this is one of the topics we’ll discuss in your initial video session. I am patient with explaining technical issues and will break it down to your skill level.

But to save you time and money and keep your sessions focused on your therapy, I'd like to give you everything you need to know so you don't have to devote paid session time to learning about technology. That said, I am happy to answer any questions prior to our first meeting. Please review the materials provided below before submitting questions.


HIPAA-Compliant Technology

Please be sure to read my HIPAA notice of privacy practices for a thorough discussion of the definition and provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although I do not accept insurance, as a covered entity, I am bound to comply with HIPAA law, and I take that obligation seriously. I explain the risks involved in using various technologies throughout my counseling policies and procedures.

What does it mean when technology is HIPAA-secure?

HIPAA-compliant is the standard term used across the industry to denote a high level of privacy and security regarding the handling of protected health information, so you will see the term HIPAA-compliant used throughout my policy documents. But it is important to know that a program can be HIPAA-compliant and still not be HIPAA-secure if it is not set up and managed correctly. There are many programs on the market that can be HIPAA-compliant, and it is my responsibility to implement these technologies securely. This counseling practice uses HIPAA-compliant technology securely. HIPAA-secure means that a HIPAA-compliant product or service is configured and used with its HIPAA-compliant features enabled, at a level of privacy and security consistent with the HIPAA privacy and security rules. It is not enough for a program to claim it is HIPAA-compliant just because it provides a business associate agreement (BAA) with its users. The program must also be used in a HIPAA-compliant manner.

Some of the programs that may compromise your privacy and security if not used correctly include email, phone service, messaging apps (including the text messaging app on your phone), video conferencing, and interactive assessment sites. I have what’s called a business associate agreement (BAA) with every third party application I use in my practice. A BAA is a contract between that company and mine in which they agree to adhere to the requirements of the HIPAA privacy and security rules. Any third parties or third party applications that have access to protected health information (PHI) must sign a BAA with counselors or counseling services, ensuring that both parties practice HIPAA-compliance with regard to privacy and security of PHI. The technology must have HIPAA-level encryption, meaning that information is encrypted both in transit and at rest.

Without a BAA between the counseling practice and the software vendor, and without encryption both end-to-end and in transit, emails, messaging apps, and phone calls are vulnerable to hackers. Without proper security measures in place, these communications may be inadvertently exposed to someone you live or work with. I am responsible for the security on my end. Security on your end is your responsibility. In my policies and procedures, I provide you with the tools and strategies you need to minimize risks on your end.

Let’s look at a few scenarios where security might be a concern.

Scenario 1

A therapist named Lucy is in a hurry. She sends an email from her HIPAA-compliant business email to a client named Mario at Mario's personal email address. In the email is a link to Mario's treatment plan. Anyone who has access to Mario's email can open that link if it is not password-protected. Mario’s roommate Jake borrows his computer when he’s not using it. Jake sees that Mario’s email is open in a browser tab and that Mario just got an email from his therapist. Jake’s curiosity gets the best of him. He clicks on the link in the email and instantly gains access to Mario’s treatment plan. Jake reads Mario’s diagnoses and learns what Mario has been working on in therapy. If Lucy had used HIPAA-secure email messaging, Jake would not have been able to open that link without Mario’s password.

Scenario 2

Lucy sends a link to Mario so he can access his client chart to fill out assessments and forms. Without two-factor verification or some other form of security that limits access to the chart, Mario's therapy chart is vulnerable to his nosy roommate Jake.

Scenario 3

Mario texts Lucy from his personal phone to let her know he’s experiencing a crisis and needs to meet with her for a counseling session. Lucy’s phone line is HIPAA-compliant, but Mario’s is not. Mario’s phone carrier and any apps synced with his device or phone number are now privy to Mario’s texts with his therapist in which he discussed his mental health, something that should be a private issue. To protect Mario's privacy, Lucy should invite Mario to a HIPAA-secure text-messaging conversation using her HIPAA-compliant text-messaging program.

You can see that simply having HIPAA-compliant programs is not enough to ensure privacy. It’s how those programs are used that makes them HIPAA-compliant. HIPAA compliance is not a condition; it is a process.

What Makes a Teletherapy Practice HIPAA Compliant?

As a covered entity, and in my roles as your therapist and as the security risk officer of my company, I am trained in HIPAA compliance. I take every possible step to ensure that your protected health information (PHI) is secure. PHI must be stored in a HIPAA-encrypted program. In my practice, I use Google Workspace Enterprise for Healthcare for cloud storage and backup.


HIPAA-Compliant Cybersecurity

A counseling practice must attend to hardware security as well as software security. For endpoint protection on my computers, I use Webroot Business Endpoint Protection. Endpoint protection helps prevent cyberattacks on my devices.

To ensure that I am fully and consistently following the legal and ethical requirements of HIPAA, I perform regular risk assessments and audits of my systems and your data to ensure that everything is set up and operating as it should be to maximize your privacy and protection.


Sign-in Credentials

To use teletherapy securely, you will need to set up sign-in credentials that limit access to your personal health information.

There are three terms for sign-in credentials that are often confused. You will see all three used with online programs and services.

Password

A password is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and the more variety, the safer the password.

Passphrase

A passphrase is typically a short sentence, such as “I like blue bikes.”

Passcode

A passcode can be either a password or a passphrase.

Passwords, passphrases, and passcodes are case sensitive. You can find helpful tips on how to create safe passwords, passcodes, and passphrases in my HIPAA notice of privacy practices.

You will find more information on when to use which type of sign-in credential below, on my getting started with therapy page, and throughout my policies and procedures.


Programs Used by this Counseling Practice

I prioritize the use of HIPAA-compliant technology to protect the privacy and safety of my clients. All contact forms on my website are HIPAA-compliant. To minimize spam, I do not publish my phone number, fax number, or email addresses on my website. I will supply you with my phone number, fax number, ProtonMail email address, and Google business email address after I receive your initial contact form. I make sure you have many ways to reach me.

Below is a list of the programs I use in my counseling services. Here’s what you'll need to know about how they work.

ProtonMail

ProtonMail is a HIPAA-compliant email service designed for your privacy. You will not need an app to receive these emails, but you will need to send your completed initial contact and preliminary intake form before I will send you a secure email via ProtonMail. The initial contact form is HIPAA-compliant and starts the intake process. After you have completed the initial contact form, I will respond to you from my ProtonMail email so we can communicate securely.

Encrypted Email

ProtonMail gives me the option to send secured or unsecured emails. Secured email works by keeping the content of the message out of the body of the email you receive and requires a password for you to read it. You will set up that password on your initial contact form. This way, if someone accesses your email, or you accidentally leave it open at home or at work, no one but you can view the message. Learn what that looks like and how to reply securely.

When you receive a secure email from me, you will see a link in that email that says “read your secure email”. When you click on that link, it will take you to a secure web page where you can read the content of the email message. You will have the option to reply securely.

You will not be able to initiate encrypted emails unless you open your own free ProtonMail account. This is not necessary to benefit from my services, as I include access to a HIPAA-compliant text application with my services. You can initiate HIPAA-secure texts in that texting app at any time once I send you an invitation. You will receive that invitation after I receive your initial contact form. I discuss the texting app in more detail below. See my therapy services and fees page for guidelines and limitations to texting.

Accessing Encrypted Emails

On your initial contact form, you will create an identity verification passcode (IVP) that we will use to verify that you are you in all sessions and on all forms and assessments. The IVP is discussed in detail in my identity verification passcode policies and procedures. Your IVP can be a word or a phrase and will be case sensitive. The longer it is, the more secure it will be. See my notice of privacy practices for tips on how to create a safe passcode, password, or passphrase. Passphrases tend to be easier for people to remember.

A passphrase is different from a password. A password is typically 6 alphanumeric characters. A passphrase is a phrase such as “Tennis balls are round and fuzzy” or “Grass is healthy when it rains.” Make sure your passphrase is easy for you to remember but is not easy for someone who knows you to guess. The two examples I just gave have nothing to do with me, my life, my business, or counseling in general, which would make them ideal passphrases if I needed to set up a passphrase that would be difficult to guess.

When you create your IVP, create a passphrase that is unique for this purpose. Do not use a passphrase that you use for any other accounts. Using a unique passphrase for your identity verification passcode (IVP) will help us keep your personal information as safe as possible. Do not share your IVP with anyone, and do not write it down and leave it in an area that is accessible to others.

Email Subject Line

When sending correspondence to me, it is a good privacy practice to avoid writing anything in the subject line that can identify your message as therapy-related. Instead, I recommend we both use general terms such as appointment, reminder, confirmation, scheduling, message, notes, deliverable, packets, forms, documents, receipt, or invoice.

Email Precautions

If you decide to save secure email content outside your email application or on your personal devices, please be aware that your security and privacy may no longer be protected. Any personal health information you save to your personal devices via copy/paste, download, or screenshot may be vulnerable if your device or application is not secured by password-protected login and anti-malware protection. If you move or save this content outside the HIPAA-compliant system, you waive confidentiality and any legal claims from a resulting breach.

There is an option to set up autofill for your logins on both webmail and apps. I strongly advise against this, as it will compromise your security. Check to see if you have autofill turned on for passwords and if you do, turn it off. Write down your passwords, passcodes, and passphrases and put them someplace safe. It is a solid security practice not to write down your email address in the same place where you keep your email password. That way if someone finds your password, it will not be associated with the account you use it for and will be less likely to facilitate an account breach.

Email Delivery

Keep in mind that email containing certain words in the subject line may automatically wind up in your spam folder, promotions folder, or clutter folder, depending on which email service provider you use. Please check these folders regularly to prevent missed communications.

iPlum Calling, Texting, and Faxing

HIPAA-Secure Text Messaging/Chat

All of my therapy services come with HIPAA-compliant texting at no additional cost to you. You will be able to reach me via text from 12-9pm ET seven days/week once we have a signed informed consent agreement in place. Therapy via text messaging or email includes text/email messaging in both directions and is a clinical service. Text-based therapy should not be used as a substitute for therapy via video conferencing; it should be used as a complement to it. See my therapy services and fees for a discussion of what constitutes text-based therapy.

Once you have signed the informed consent agreement, you will receive an SMS invitation with instructions to download the secure text-messaging app and accept my invitation to secure messaging. Caution: if you install the app before receiving my invitation, your messages to me will not be secure. The invitation will contain a link to install the application. When you install the app, you will register using your mobile number and accept my invitation in the app. At that point, the HIPAA-secure channel will be active and ready for secure texting. For your protection, your contact information will be stored in the HIPAA-secure app, not on my mobile device.

HIPAA-Secure Phone Calls

To ensure the privacy and security of our phone conversations, we will conduct any counseling-related phone calls via the HIPAA-compliant iPlum app. I accept calls by appointment only. If you call me without an appointment, you will be routed to voicemail. I will return voicemails by email only. Voicemails are HIPAA-secure because they are stored on the app’s HIPAA-secure server. However, phone calls will not be secure on both ends until you install the iPlum app, because the call app on your personal phone is not secure. Again, please do not install the iPlum app until you have received an invitation from me to do so. This invitation will connect you directly to my HIPAA-compliant business account. The iPlum app is free for you and is usually the fastest way to get a message to me. Please see my therapy services and fees page for expected response times.

HIPAA-Compliant Fax

When faxing is necessary, I use the iPlum fax service to send HIPAA-secure faxes. Please keep in mind that if the recipient does not have a HIPAA-secure fax service (including the receiving phone line of a physical fax machine), the contents will not be protected and the chain of HIPAA-compliance will be broken. So for example, it would not be HIPAA-secure for me to send a fax to you at your house because even though the program I am using is HIPAA-compliant, the setup at your house is not. Because of this limitation of faxing, my preferred method of sending your records, should you request them sent directly to you, is via the HIPAA-secure encrypted ProtonMail email discussed above.

I use the fax service primarily for business-to-business communication. Though I will ask whether the business on the other end has HIPAA-compliant technology if faxing is necessary, I cannot guarantee they will answer honestly or correctly. Please note that there will be a cost-based fee for paper copies sent via postal service, along with associated charges for postage. See my records request policies and procedures for details on the cost of records provision.

If you request to have your records sent anywhere (to you, to other providers, or to a family member), I will ask you to sign an authorization for release of information before sending those records. Please keep in mind that once your records leave my care, I cannot be responsible for how they are handled by the recipient.

Video Conferencing

I use two video platforms for video conferencing, for three reasons. The first is personal preference. The second is that it’s important to have a backup in case of technical issues. The third is that they offer different levels of security.

Safety During Video Conferencing

For your safety and security, I will require you to show your government-issued photo identification at the start of your first video session so I can confirm your identity and location. I must confirm your identity so none of your personal information is shared with someone impersonating you. I must confirm your location because my license is limited to treating clients who are physically located in the state of Florida at the time of service. This means that if you go on vacation outside of Florida, your services with me will not be available during that time and any advance payments you have made will apply to future sessions. If you show up for a scheduled appointment and you are not located in Florida, the session will be terminated immediately and you will be charged for the session you scheduled. It is best if you let me know in advance when you are going to be out of state so we can find you services at that location, should you want them, and so I can suspend payments for the time that you will be out of state. See my travel and conduct policies and procedures for more detailed information.

For your safety and mine, and to provide the best quality counseling experience, I ask that you keep your video on during the session. Per state law and standards of care, our initial session must be a video session. After that, I recommend a video session once a week for the first month. If you prefer phone sessions and therapy via text-messaging, those are available as well. Please see my description of online counseling services and therapy services and fees to learn about the structure of therapy with my practice.

You and I will agree on an emergency management plan to deal with emergencies and contingencies that arise in and out of session. See my emergency management policies and procedures for details.

You may have the expectation that since you are accessing services from your home, it would be appropriate to have your children, partner, or roommates hanging out in the room or passing through the room during therapy. However, this will jeopardize the quality, privacy, and effectiveness of your therapy. Teletherapy follows the same standards as in-person therapy. If you wouldn’t do it at a brick-and-mortar office, you should refrain from doing it online. An exception is when we arrange in advance to have family present to support you in your therapeutic goals. If you are unable to assume responsibility for your privacy, then this service is probably not the best fit for you.

Zoom for Healthcare

In terms of quality and security, I favor the HIPAA-compliant version of Zoom for video conferencing. When we set up our video counseling sessions, I will send you a link to each session via HIPAA-secure, encrypted email or secure text messaging. Please make sure to whitelist ProtonMail by adding it to your safe senders or contact list so you won’t miss the invitation to the session. The invitation will include the meeting ID and password, ways to dial in from a phone, and the direct link with the password built into it.

Image: Zoom home page showing the Resources menu with the Zoom download for the latest version.

You will need to install the Zoom app on your device. Follow these instructions to install Zoom on your PC or Mac, install the Zoom app on your Android mobile device, or install Zoom on your iOS mobile device.

Zoom users report occasional issues with sound or connectivity. These issues usually mean the app needs to be updated. To keep Zoom working properly, check once a week to see that you have the most recent version installed. To update to the latest version of Zoom, visit the Zoom homepage while on a computer. Select the Resources tab from the menu on the top right (see image), and click on Download Zoom Client in the dropdown menu. The download will overwrite whatever version is currently on your device. Note that you may need to reinstall the virtual background package once you update the app.

To update the app on your mobile device, please go to the App Store or Play Store on your phone or tablet, choose settings from within the App Store or Play Store (not the general phone settings), and choose auto-update apps. Note that some apps may need to be updated manually; it is a good idea to check weekly for updates of both your apps and your operating system.

Google Meet

Google Meet is our backup video conferencing application. The Google Meet app syncs up between computer and mobile devices, and the application icon appears right in your Gmail tray. Unfortunately, this means anyone who can access your Gmail account can access your video conference invitations, and they can access your Google text messages through the Google Chat app as well. So even though the video and chat content is contained in a HIPAA-secured app, if others can easily access these apps, they are not as safe as the systems I prefer. To offer you the best privacy protection I can, I prefer to use Zoom for video instead of Google Meet and iPlum for texting instead of Google Chat, although Google Chat gives us a backup text method option in a pinch.

Google Workspace Enterprise for Healthcare

Google Workspace Business Email

My Google Workspace business email is HIPAA-compliant for internal use only. This limitation makes it necessary to use an additional email service for HIPAA-secure content. The service I’ve chosen for that correspondence is ProtonMail, which was discussed earlier in this document. My Google business email is not HIPAA-secure. Please note that an email sent to my Google Business email serves as the sender’s consent to receive a response by unsecured email.

Cloud Storage and Backup

I use Google Drive for Workspace Enterprise for virtual storage of electronic health records (EHR) and other counseling-related documents. Documents, videos, forms, and images are stored in my business Google Drive, which is HIPAA-compliant. I store all of your learning materials there as well. Access to the HIPAA-secure Drive folders is limited to me except in cases where I grant you permission to access some of your documents. When I share any digital items with you from Google Drive, permission to access those items will be restricted to you only. If the items contain your personal health information, permission will be denied to any login except your email address, so if you try to share the links to folders or files, access to anyone but you will be denied.

Note that if you download documents containing your PHI, you take responsibility for the security of those documents; I cannot be responsible for their safe keeping once they leave the HIPAA-compliant environment. In an online therapy practice, it is an expected practice for clients to download PDFs and other forms of documents related to their therapy, just as they would save printed copies in an in-person practice. However, without adequate security, an electronic device is as vulnerable as an unlocked file cabinet in a physical office. Please store your digital documents with this in mind.

Google Workspace Sites

I created my main website and your private therapy and training websites in Google Sites. Google Sites have HIPAA-compliant functionality when created with a Google Workspace account and restricted to specific users. The main website for my business is a public website. Your private therapy and training websites are accessible to you only, and to me as the administrator. Each client has an individual Site with an individual link. No one else has permission to view your Site. You will need to sign on with a Google email address to view it and will use your Gmail password to log in. You will receive the link to your private therapy and training Google Site via secure email 1-2 weeks after your initial therapy session. It takes 1-2 weeks to add your personalized content based on the information you provide in your intake documents.

I recommend the following precautions for accessing your private therapy and training website:

  • Create a Gmail account that you use only for my counseling services. Gmail allows you to create a free account. A Google Workspace agent suggested that to prevent the association of your personal health information with your primary Google account (the one you use for Android devices or Chrome bookmarks, for example), you should create a new Gmail address using a pseudonym (not your initials) and a random birthdate that identifies you as an adult. This will decrease the likelihood of someone breaching your security and viewing your counseling history. If you add this Gmail account to your mobile device, make sure to remove your phone number from the new Gmail account to prevent a connection between the new account and your phone number. Since your phone number is often associated with multiple applications and accounts, keeping it out of the account you use to sign into your therapy Site will limit the spread of your personal data across accounts.

  • Create a separate password for the new Gmail, something different from the passwords you use to sign in to your other accounts. See my notice of privacy practices for a detailed discussion about creating secure passwords. You will use the same password for your new Gmail as you do for your private Site.

  • Do not share your password or Site link with anyone. Do not bookmark it in your browser, and do not keep it written down where anyone can see it or easily find it. If you do write it down, keep the Site link, Gmail address, and password in separate places. It may seem like a lot to remember in the beginning, but after logging in a few times, you will find it becomes automatic. To make things easier, you can create an additional Chrome browser profile that you can sign out of without having to sign out of the Gmail account you usually use in Chrome.

  • You may prefer to stick with the Gmail account you already have. If you choose to use your existing Gmail, please be aware that you are more vulnerable to someone accessing your personal health information, especially if multiple people use your computer or access your phone.

Google Workspace Forms

For simpler forms and assessments, I use Google Forms. These forms are HIPAA-compliant when created in a Workspace account. Counseling forms can be found on my contact page and client forms page.

The signature on Google Forms involves typing in your name or checking a box. A typed e-signature is legally acceptable and legally binding on therapy documents.

You will access Google Forms several ways: links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete them on a computer or mobile device. All the Google Forms I send you are HIPAA-compliant, no matter where you access them from.

Jotform

In addition to Google Forms, I use a program called Jotform for our informed consent agreement, your authorization for release of information, and other more complex forms. Jotform allows for a drawn signature that you can create using a stylus, mousepad, or finger. You will be asked for your identity verification passcode (IVP) and signature, and your location will be verified. As with Google Forms, Jotform’s forms are HIPAA-compliant and can be accessed via links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete these forms on a computer or mobile device.

Forms Security

To ensure your security and the validity of your signature on all forms, you will be asked to set up an identity verification passcode (IVP) when you fill out your initial contact form as discussed in the earlier section on encrypted emails. I will ask you for this passcode on all forms and in all sessions to verify that the same person (you) is associated with all relevant documents, forms, and sessions. This precaution helps prevent anyone but you from accessing your personal health information. Because you provide your IVP in sessions and on forms, it should not be the same as the passwords, passphrases, or passcodes you use to sign in to any other accounts or services. Your IVP should be unique.

Examples of passcodes you could use for the IVP are “dogs have tails” or “I like fluffy clouds”, something random but easy to remember. Since this passcode will be used to confirm that it is you signing the forms and not a curious third party trying to pose as you, it is important that you use a passcode that would be difficult for someone who knows you to guess. If your IVP is compromised, you will notify me in a video session and change the passcode. You will not need a passcode to submit forms for general questions or anonymous feedback.

Signing forms securely is discussed further in my notice of privacy practices.


Payment Methods

This section talks about the programs I use for collecting payment. My services will appear on your billing statements as Michelle Robin Gould Corporation and my corporation will be identified as a healthcare/medical service. I provide two methods of payment, both of which feature the ability to link to your bank account or credit cards.

You can read my payment policies on my therapy services and fees page.

PayPal

PayPal is recognized worldwide for its convenience and ease of use. My PayPal business link is paypal.me/michellerobingould. PayPal is not HIPAA-compliant. Payment activities are not included in the HIPAA privacy rule. However, for clients who want the additional protection of a HIPAA-compliant payment platform, I offer Square as an option on my payment page.

Square

Square is a HIPAA-compliant service that allows you to pay with one click. You can pay through your computer or right through your phone with your credit card, Apple Pay, Google Pay, ACH bank transfer, or HSA.


Questions

If you have questions about the technology and security policies and procedures or any other questions about counseling services, please visit the tech trainings page of my website for tutorials and articles before sending your questions. Your question has probably been addressed there. If you are unable to locate the information you seek, please submit any questions about my counseling services via my question about counseling services form.