Technology and Security Policies and Procedures

Please be sure to read my HIPAA notice of privacy practices for a thorough discussion of the definition and provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although I do not accept insurance, as a covered entity, I am bound to comply with HIPAA, and I take that obligation seriously. I explain the risks involved in using various technologies throughout my counseling policies and procedures. 

What does it mean when technology is HIPAA-secure?

HIPAA-compliant is the standard term used across the industry to denote a high level of privacy and security regarding the handling of protected health information, so you will see the term HIPAA-compliant used throughout my policy documents. But it is important to know that a program can be HIPAA-compliant and not be HIPAA-secure if it is not set up and managed correctly. There are many programs on the market that can be HIPAA-compliant, and it is my responsibility to implement these technologies securely. This counseling practice uses HIPAA-compliant technology securely. HIPAA-secure means that a HIPAA-compliant product or service implements the HIPAA-compliant features of the product or service with the level of privacy and security that is consistent with the HIPAA privacy and security rules. It is not enough for a program to claim it is HIPAA-compliant just because it provides a business associate agreement (BAA) with its users. The program must also be used in a HIPAA-compliant manner.

Some of the programs that may compromise your privacy and security if not used correctly include email, phone service, messaging apps (including the text messaging app on your phone), video conferencing, and interactive assessment sites. I have what’s called a business associate agreement (BAA) with every third party application I use in my practice. A BAA is a contract between that company and mine in which they agree to adhere to the requirements of the HIPAA privacy and security rules. Any third parties or third party applications that have access to protected health information (PHI) must sign a BAA with counselors or counseling services, ensuring that both parties practice HIPAA-compliance with regard to privacy and security of PHI. The technology must have HIPAA-level encryption, meaning that information is encrypted both in transit and at rest.

Without a BAA between the counseling practice and the software, along with encryption both end-to-end and in transit, emails, messaging apps, and phone calls are vulnerable to hackers. Without proper security measures in place, these communications may be inadvertently exposed to someone you live or work with. I am responsible for the security on my end. Security on your end is your responsibility. In my policies and procedures, I provide you with the tools and strategies you need to minimize risks on your end.

Let’s look at a few scenarios where security might be a concern.

Scenario 1

A therapist named Lucy is in a hurry. She sends an email from her HIPAA-compliant business email to a client named Mario at Mario's personal email address. In the email is a link to Mario's treatment plan. Anyone who has access to Mario's email can access that link if it’s not password-protected. Mario’s roommate Jake borrows his computer when he’s not using it. Jake sees that Mario’s email is open in a browser tab and that Mario just got an email from his therapist. Jake’s curiosity gets the best of him. He clicks on the link in the email and instantly gains access to Mario’s treatment plan. Jake reads Mario’s diagnoses and learns what Mario has been working on in therapy. If Lucy used HIPAA-secure email messaging, Jake would not have been able to open that link without Mario’s password.  

Scenario 2

Lucy the therapist sends a link to Mario the client so he can access his client chart to fill out assessments and forms. Without two-factor verification or some other form of security that limits access to the chart, Mario's therapy chart is vulnerable to his nosy roommate Jake any time Jake borrows Mario’s phone or computer. 

Scenario 3

Mario texts Lucy from his personal phone to let her know he’s experiencing a crisis and needs to meet with her for a counseling session. Lucy’s phone line is HIPAA-compliant, but Mario’s is not. Mario’s phone carrier and any apps synced with his device or phone number are now privy to Mario’s texts with his therapist in which he discussed his mental health - something that should be a private issue. To protect Mario's privacy, Lucy should invite Mario to a HIPAA-secure text-messaging conversation using her HIPAA-compliant text=messaging program. 

You can see that simply having HIPAA-compliant programs is not enough to ensure privacy. It’s how those programs are used that makes them HIPAA-compliant. HIPAA compliance is not a condition; it is a process. 

What Makes a Telehealth Therapy Practice HIPAA Compliant? 

As both a covered entity and in my roles as your therapist and as the security risk officer of my company, I am trained in HIPAA compliance. I take every possible step to ensure that your protected health information (PHI) is secure. PHI must be stored in a HIPAA-encrypted program. In my practice, I use Google Workspace Enterprise for Healthcare for secure cloud storage.

HIPAA-Compliant Cybersecurity

To really be secure, a counseling practice must attend to hardware security as well as software security. For endpoint encryption on my computers, I use Webroot Business Endpoint Protection. Endpoint protection prevents cyberattacks on my devices. To ensure that I am fully and consistently following the legal and ethical requirements of HIPAA, I perform regular risk assessments and audits of my systems and your data to ensure that everything is set up and operating as it should be to maximize your privacy and protection. 

To use telehealth securely, you will need to set up sign-in credentials that limit access to your personal health information. 

There are three terms for sign-in credentials that are often confused. You will see all three used with online programs and services.

Password

A password is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and the more variety, the safer the password. 

Passphrase

A passphrase is typically a short sentence, such as I like blue bikes.

Passcode

A passcode can be either a password or a passphrase. 

Passwords, passphrases, and passcodes are case sensitive. You can find helpful tips on how to create safe passwords, passcodes, and passphrases in my HIPAA notice of privacy practices. 

You will find more information on when to use which type of sign-in credential below and on my start therapy page.

 I prioritize the use of HIPAA-compliant technology to protect the privacy and safety of my clients. There are HIPAA-compliant forms on my client forms page and my contact page. I make sure you have many ways to reach me directly, including HIPAA-secure texting, calling, and emailing. 

Below is a list of the programs I use in my counseling services. Here’s what you'll need to know about how they work.

Encrypted Email

ProtonMail gives me the option to send secured or unsecured emails. Secured email works by keeping the content of the message out of the body of the email you receive and requires a password for you to read it. You will set up that password on your initial contact form. This way, if someone accesses your email, or you accidentally leave it open at home or at work, no one but you can view the message. Learn what that looks like and how to reply securely. 

When you receive a secure email from me, you will see a link in that email that says “read your secure email”. When you click on that link, it will take you to a secure web page where you can read the content of the email message. You will have the option to reply securely.

Subject Line

When sending correspondence to me, it is a good privacy practice to avoid writing anything in the subject line that can identify your message as therapy-related. Instead, I recommend we both use general terms such as appointment, reminder, confirmation, scheduling, message, notes, details, deliverable, packets, forms, documents, receipt, or invoice. 

Email Precautions

If you decide to save secure email content outside your email  application or on your personal devices, please be aware that your security and privacy may no longer be protected. Any personal health information you save to your personal devices via copy/paste, download, or screenshot may be vulnerable if your device or application is not secured by password-protected login and anti-malware protection. If you move or save this content outside the HIPAA-compliant system, you waive confidentiality and any legal claims from a resulting breach.  

There is an option to set up autofill for your logins on both webmail and apps. I strongly advise against this, as it will compromise your security. Check to see if you have autofill turned on for passwords and if you do, turn it off. Write down your passwords, passcodes, and passphrases and put them someplace safe. It is a solid security practice not to write down your email address in the same place where you keep your email password. That way if someone finds your password, it will not be associated with the account you use it for and will be less likely to facilitate an account breach.  

Email Delivery

Keep in mind that email containing certain words in the subject line may automatically wind up in your spam folder, promotions folder, or clutter folder, depending on which email service provider you use. Please check these folders regularly to prevent missed communications.

HIPAA-Secure Texting, Calling, and Faxing

Once you have signed the informed consent agreement, you will receive an SMS invitation with instructions to download the secure text-messaging app and accept my invitation to secure messaging. Caution: If you send me texts through the app before receiving my invitation, your messages to me will not be secure. The invitation will contain a link to install the application. When you install the app, you will register using your mobile number and accept my invitation in the app. At that point, the HIPAA-secure channel will be active and ready for secure texting. For your protection, your contact information will be stored in the HIPAA-secure app, not on my mobile device. 

Google Chat

To offer you the best privacy protection I can, I prefer to use the iPlum app for texting instead of Google Chat, although Google Chat gives us a backup text method option in a pinch. Although the Chat app is HIPAA-secure once I have invited you to a secure conversation, please be aware that anyone who can access your Gmail account can access your Google text messages through the Google Chat app as well, so please take precautions accordingly.

HIPAA-Secure Phone Calls

To ensure the privacy and security of  our phone conversations, we will conduct any counseling-related phone calls via the HIPAA-compliant iPlum app. I accept calls by appointment only. If you call me without an appointment, you will be routed to voicemail. The voice mail is HIPAA-secure because they are stored on the app’s HIPAA-secure server. However, phone calls will not be secure on both ends until you install the iPlum app, because the call app on your personal phone is not secure. Again, please do not install the iPlum app until you have received an invitation from me to do so. This invitation will connect you directly to my HIPAA-compliant business account. The iPlum app is free for you and is usually the fastest way to get a message to me. I respond to existing clients throughout the day.

HIPAA-Compliant Fax

My preferred method of sending your records, should you request them sent directly to you, is via the HIPAA-secure encrypted ProtonMail email discussed above. When faxing is necessary, I use the iPlum fax service to send HIPAA-secure faxes unless the recipient has a landline-based physical fax machine. Landline-based fax machines do not need to be HIPAA secure because they transmit through analog rather than digital channels. Sometimes, you will need me to fax your records to another health care provider, a legal professional, or a personal representative. Please keep in mind that if the recipient does not have a HIPAA-secure fax electronic service or a landline-based physical fax machine, the contents will not be protected and the chain of HIPAA-compliance will be broken. 

I use fax service primarily as a business-to-business communication. Though I will ask if the business on the other end has a landline fax or HIPAA-compliant fax technology, I cannot guarantee they will answer honestly or correctly. By requesting a fax of your records, you understand that I am no longer responsible for the security or privacy of those records after they leave my possession. Please note that there will be a cost-based fee for paper copies sent via fax.

If you request to have your records sent anywhere -  to you, to other providers, or to a family member, I will ask you to sign an authorization for release of information before sending those records. Please keep in mind that once your records leave my care, I cannot be responsible for how they are handled by the recipient.

Zoom for Healthcare

I use the HIPAA-compliant version of Zoom for video conferencing. When we set up our video counseling sessions using Zoom, I will send you a link to each session via HIPAA-secure, encrypted email or secure text messaging. Please make sure to whitelist ProtonMail by adding it to your safe senders or contact list so you won’t miss the invitation to the session. The invitation will include the meeting ID and password, ways to dial in from a phone, and the direct link with the password built into it.

You will need to install the Zoom app on your device. Follow these instructions to install Zoom on your PC or Mac, install the Zoom app on your Android mobile device, or install Zoom on your iOS mobile device.

Zoom users report occasional issues with sound or connectivity. These issues usually mean the app needs to be updated. To keep Zoom working properly, check once a week to see that you have the most recent version downloaded. To update to the latest version of Zoom, visit the Zoom homepage while on a computer. Select the resources tab from the menu on the top right (see screenshot), and click on Download Zoom Client in the dropdown menu. The download will override whatever version is currently on your device. Note that you may need to reinstall the virtual background package once you update the app.

To update the app on your mobile device, please go to the AppStore or PlayStore on your phone or tablet, choose settings from within the AppStore or PlayStore (not the general phone settings), and choose auto-update apps. Note that some apps may need to be updated manually; it is a good idea to check weekly for updates of both your apps and your operating system.   

Google Meet

I use the Google Meet video conferencing application through my HIPAA-secure Google Workspace account. The Google Meet app syncs up between computer and mobile devices, and the application icon appears right in your Gmail tray, so please be aware that anyone who can access your Gmail account can access your video conference invitations, though they would need to be admitted to a session by me in order to crash your therapy sessions.

Safety During Video Conferencing

For your safety and security, I will require you to show your  government-issued photo identification at the start of your first video session so I can confirm your identity and location. I must confirm your identity so none of your personal information is shared with someone impersonating you. I must confirm your location because my license is limited to treating clients who are physically located in the state of Florida at the time of service. This means that if you go on vacation outside of Florida, your services with me will not be available during that time and any advance payments you have made will apply to future sessions. If you show up for a scheduled appointment and you are not located in Florida, the session will be terminated immediately and you will be charged for the session you scheduled. It is best if you let me know in advance when you are going to be out of state so we can find you services at that location, should you want them, and so I can suspend payments for the time that you will be out of state.

For your safety and mine, and to provide the best quality counseling experience, I ask that you keep your video on during the session. To provide a high standard of care, it is my policy that our initial session must be a video session. After that, I recommend a video session once a week for the first month. If you prefer phone sessions and therapy via text-messaging, those are available as well.

You and I will agree on an emergency management plan to deal with emergencies and contingencies that arise in and out of session.

You may have the expectation that since you are accessing services from your home, it would be appropriate to have your children, partner, or roommates hanging out in the room or passing through the room during therapy. However, this will jeopardize the quality, privacy, and effectiveness of your therapy. Telehealth therapy follows the same standards as in-person therapy. If you wouldn’t do it at a brick-and-mortar office, you should refrain from doing it online. An exception is when we arrange in advance to have family present to support you in your therapeutic goals. If you are unable to assume responsibility for your privacy, then this service is probably not the best fit for you. 

Google Workspace Business Email

Google Workspace business email is HIPAA-compliant for internal use only, meaning business to business. This limitation makes it necessary to use an additional email service for HIPAA-secure content. The service I’ve chosen for that correspondence is ProtonMail, which was discussed earlier in this document. My Google business email is not HIPAA-secure. Please note that an email sent to my Google Business email serves as the sender’s consent to receive a response by unsecured email. 

Cloud Storage and Backup 

I use Google Drive for Workspace Enterprise for virtual storage of  electronic health records (EHR) and other counseling-related documents. Documents, videos, forms, and images are stored in my business Google Drive, which is HIPAA-compliant. I store all of your learning materials there as well. Access to the HIPAA-secure Drive folders is limited to me except in cases where I grant you permission to access some of your documents. When I share any digital items with you from Google Drive, permission to access  those items will be restricted to you only. If the items contain your personal health information, permission will be denied to any login except your email address, so if you try to share the links to folders or files, access to anyone but you will be denied. 

Note that if you download documents containing your PHI, you take responsibility for the security of those documents; I cannot be responsible for their safe keeping once they leave the HIPAA-compliant environment. In an online therapy practice, it is an expected practice for clients to download PDFs and other forms of documents related to their therapy, just as they would save printed copies in an in-person practice. However, without adequate security, an electronic device is as vulnerable as an unlocked file cabinet in a physical office. Please store your digital documents with this in mind. 

Google Workspace Sites

I created my main website and your private therapy and training websites in Google Sites. Google Sites have HIPAA-compliant functionality when created with a Google Workspace account and restricted to specific users. The main website for my business is a public website. Your private therapy and training websites are accessible to you only, and to me as the administrator. Each client has an individual Site with an individual link. No one else has permission to view your Site. You will need to sign on with a Google email address to view it and will use your gmail password to log in. You will receive the link to your private therapy and training Google Site via secure email 1-2 weeks after your initial therapy session. It takes 1-2 weeks to add your personalized content based on the information you provide in your intake documents. 

I recommend the following precautions for accessing your private therapy and training website:

• Create a gmail account that you use only for my counseling services. Gmail allows you to create a free account. A Google Workspace agent suggested that to prevent the association of your personal health information with your primary Google account (the one you use for Android devices or Chrome bookmarks, for example), you should create a new gmail address using a pseudonym (not your initials) and a random birthdate that identifies you as an adult. This will decrease the likelihood of someone breaching your security and viewing your counseling history. If you add this Gmail account to your mobile device, make sure to remove your phone number from the new gmail account to prevent a connection between the new account and  your phone number. Since your phone number is often associated with multiple applications and accounts, keeping it out of the account you use to sign into your therapy Site will mitigate the population of your personal data across accounts. 

• Create a separate password for the new gmail - something different from the passwords  you use to sign in to your other accounts. See my notice of privacy practices for a detailed discussion about creating secure passwords. You will use the same password for your new gmail as you do for your private Site.

• Do not share your password or Site link with anyone. Do not bookmark it in your browser, and do not keep it written down where anyone can see it or easily find it. If you do write it down, keep the Site link, gmail address, and password in separate places. It may seem like a lot to remember in the beginning, but after logging in a few times, you will find it becomes automatic. To make things easier, you can create an additional Chrome browser profile that you can sign out of without having to sign out of the gmail account you usually use in Chrome.

• You may prefer to stick with the gmail account you already have. If you choose to use your existing gmail, please be aware that you are more vulnerable to someone accessing your personal health information, especially if multiple people use your computer or access your phone. 

Google Workspace Forms

For most forms and assessments, I use Google Forms. These forms are HIPAA-compliant when created in a Workspace account. Counseling forms can be found on my contact page and client forms page.

The signature on Google’s Forms involves typing in your name or checking a box. A typed e-signature is legally acceptable and legally binding on therapy documents. 

You will access Google Forms several ways: links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete them on a computer or mobile device. All the Google Forms I send you are HIPAA-compliant, no matter where you access them from. 

Some Google Forms will require you to log into your Google account. This is a security measure. If you do not have a Google account, please be advised that you will need one to receive therapy services with my therapy practice. It is free to set up a Google account. Forms that do not require a file upload or are not therapy-related do not require a Google login. 

In addition to Google Forms, I may use two other HIPAA-compliant forms to communicate, collect information, and conduct assessments.

PsychSurveys

I use PsychSurveys to send you standardized, evidence-based assessment forms. These brief assessments help me evaluate your needs so I can provide you with targeted materials and support in areas where you would most benefit. Based on the needs you express on your initial contact form, I may send some of these assessments as part of your intake and evaluation. I may send additional assessments for you to complete throughout the time that we work together. This app makes it quick and easy to fill out assessments, and the app does all the work of sending me the results so you do not have to.

These surveys will come to you through your regular, unsecured email. Their system does not have an option that lets me send them through password-protected email, but you will see an option to opt out of emails from the app in your app preferences/settings under “Survey Email Alerts”. When you opt out, the “Disable Email Alerts” checkbox will also be checked on your app setup screen. You will receive an email reminder 3 days after each initial assessment is sent, and then again every seven days thereafter until it is completed or expires. Every email includes an “opt out” link at the end of the email. Emails are sent from PsychSurveys with a ReplyTo set to my email address, so you can  reply directly to me if you have a question.

The PsychSurveys app will send you login credentials via email. Be sure to change the default password after you activate the app. For your security, the app supports a “Passcode Lock” feature which locks the app from use until a passcode is entered. This passcode can be different than the device’s passcode, allowing you to choose a passcode known only to you, separate from your device passcode. If you enable this feature, which I strongly suggest you do, only you can unlock and use the app. If you forget your unlock code for this app, you will need to either log out of the app and log back in (which clears this setting), or, uninstall and reinstall the app. I will not be able to reset that code for you.

Jotform

Jotform allows for a drawn signature that you can create using a stylus, mousepad, or finger. You will be asked for your identity verification passcode (IVP) and signature on Jotforms, and your location will be verified. As with Google Forms, Jotform’s forms are HIPAA-compliant and can be accessed via links on my website, links on your private therapy and training website, links sent to your email, and links sent to you via the iPlum secure texting app. You can complete these forms on a computer or mobile device. 

Form Security

To ensure your security and the validity of your signature on all forms, you will be asked to set up an identity verification passcode (IVP) when you fill out your initial contact form as discussed in the earlier section on encrypted emails. I will ask you for this passcode on all forms and in all sessions to verify that the same person (you) is associated with all relevant documents, forms, and sessions. This precaution helps prevent anyone but you from accessing your personal health information. Because you provide your IVP in sessions and on forms, it should not be the same as the passwords, passphrases, or passcodes you use to sign in to any other accounts or services. Your IVP should be unique. 

Examples of passcodes you could use for the IVP are “dogs have tails” or “I like fluffy clouds” - something random but easy to remember. Since this passcode will be used to confirm that it is you signing the forms and not a curious third party trying to pose as you, it is important that you use a passcode that would be difficult for someone who knows you to guess. If your IVP is compromised, you will notify me in a video session and change the passcode. You will not need a passcode to submit forms for general questions or anonymous feedback. 

Signing forms securely is discussed further in my notice of privacy practices. 

Square

I use Square as a payment processor for counseling services. For your convenience, I will send you payment links when you schedule your appointments. My services will appear on your billing statements as Michelle Robin Gould Corporation and my corporation will be identified as a healthcare/medical service.

Square is a HIPAA-compliant service that allows you to pay with one click. You can pay through your computer or phone. Square accepts many different types of credit and debit cards, mobile wallets, and FSA and HSA payments. 

This is a direct-pay therapy practice. I do not accept insurance. Please see my fee and payment policies for information about receipts and superbills. If you need a referral to a clinician who accepts insurance, please contact your insurance company for a list of contracted providers.

If you have questions about the technology and security policies and procedures or any other questions about the technical aspects of my counseling services, please visit the tech trainings page of my website before sending your questions. Your question has probably been answered there. If you are unable to locate the information you seek, please send your questions securely through my contact page.