At Seattle Direct Counseling, we have taken the following steps to remain compliant with the last omnibus of the Health Information Portability and Accountability Act. The guideline discusses what Providers in healthcare are asked to do to protect the security of data shared between patients and providers, including how we store your data, how we share it (such as with your third party payor), and how we notify our patients in the case of a breach of privacy regarding your information.
We consider these steps to be part of the professional care we give to each and every client. Even if you don’t care much about who sees what, we care.
The Feds (via OHR) issued a recent set of guidelines on reasonable disclosure of patient data under HIPAA. Read the details here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
The omnibus is here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
Sept 23, 2013 was the deadline for Providers to indicate what steps they are taking regarding the privacy of their patient’s data. At SDC, we have taken the following steps since March 10, 2013 until now:
1. Use of HIPAA compatible video conferencing using Vsee.com, a recommended site for secure VoIP communication. We do not use Skype or Google Hangouts for mental health counseling at this time. Google Helpouts, which showed promise early in 2015, is no longer available.
2. While we offer the use of Hushmail to anyone who is concerned about emailing PHI and sensitive information, we heard your feedback. Instead, we allow your signature on our Electronic Transmission Agreement form to indicate to us what email you’d like to use, and consider your informed consent as permission to use that platform in lieu of Hushmail. See #3.
3. If the client does not wish to use Hushmail after s/he has been advised, the client may sign an agreement notifying the Provider that s/he is exercising the right to use his/her usual emailing platform, and the client is responsible for the risk of use. This agreement is included in the first session for every client at SDC and a signed copy is retained for the file.
4. The agreement in #3 is regularly maintained and updated to include any new guidelines and device uses.
5. All Counseling Associates receive adequate education on keeping client data private and secure.
6. All clients are educated on how their files are stored. We will move to store client files on site in 2016 when we have secured a proper lock for our heavy duty filing cabinet; when files are temporarily on site, they are stowed in a filing cabinet for day use.
7. Electronic files are de-identified. I (Imei) have de-identified notes taken from January 2014 forward on the current note-taking platform, and is considering moving all notes to Amazon’s cloud service, which does provide a Business Associate status to its users.
8. My (Imei) computer is currently not fully encrypted. My current practice is to password protect my computer when stepping away from my desk, and to not leave my computer in my office over weekends or holidays. We are currently about to secure the main room with an additional lock held by only the Tenant and the Landlord to add an extra layer of protection from theft and/or prying eyes.
9. For Third Party Billing, I use Office Ally, which is an approved billing site. We also use Square for credit card charges, and we discourage clients from texting receipts to their devices after the transaction has been completed. Square has recently issued a chip card reader, which should be available in early January 2016.
10. We change our passwords regularly, and we use complex passwords and phrases that meet the standards to prevent hacking (every six weeks). We also encourage clients to do the same.
I’ll be adding a new policies as the Feds advise. But I promise to make it easy to read so you don’t accidentally fall asleep in your apple pie and ice cream dessert after dinner. We’ll try to keep it short, sweet, and “edutaining”!