This is such a popular question! The short answer is, NO, Skype isn’t HIPAA compliant. The longer answer is that it may even have other problems for the licensed therapist.
The term paperless practice generally refers to a practice where paper forms are either never filled out by the client or created by the provider, or where any paper generated is quickly scanned, uploaded to computer/server, and the paper originals shredded. Sometimes it’s a combination of those two methods, since some paperwork is generally inevitable. I personally have a paperless practice, and I love it. I love the time it saves me now, and I love saving the trees!
Google Apps for Business is an affordable Do-It-Yourself way to create a cloud-based practice management system. It also provides you with a HIPAA compliant system for email and a calendar. The short video will give you more details.
EMR stands for Electronic Medical Record, and refers to any system that stores patient files electronically (i.e., on your computer or on the internet). The most typical way to use EMRs within your practice is to contract with a software company that provides access to their EMR system through the internet. These are often referred to as “Cloud based practice management systems” (CBPMS).
If you use a smartphone for work-related things, you probably have PHI stored somewhere on your phone. It can be in your contacts, texting history, Caller ID, emails, or many other places. Did you know that Facebook Messenger’s Mobile App’s Terms of Service grant that app access to quite a lot of other places on your phone where you might have PHI?
If you (or your kids) are Harry Potter fans, you probably recognize the above quote from “Harry Potter & The Chamber of Secrets.” Not trusting things that can think for themselves is especially wise with smartphone apps. If an app on your phone is doing something for you that involves PHI, you need to know where it keeps its brain. The bulk of them are cloud-based, which means that to do their magic, they send data to their servers, where it is processed in some way, and sent back to you. If that data includes PHI, you need a BAA with those apps. A few examples:
Spend a little time teaching yourself about HIPAA security, and you’ll discover that it’s pretty easy to get caught up in confusing, overwhelming technology advice.
It’s smart to have a way (several ways, really) for visitors to your website to contact you. To hide one’s email address from spammers, many therapists choose to have a contact form built into the site. However, some contact forms can be non-compliant with HIPAA regulations, if they are served by a third party with whom you do not have a Business Associate’s Agreement. Those third parties have access to PHI as sent through the form, or worse—occasionally the forms have a default setting that cc’s an administrator for the website every time the form is used.
I have been contacted by a number of security professionals wanting to partner with me or sell me their product, and they always invariably spout a slew of technical jargon that makes me want to run the other way.
In the HIPAA for Therapists workshop, one of the items specifically mentioned for the Risk Assessment is your office printer.