What is it? Why do we need it? Why does it matter to clients?
This blog is for other clinicians out there more than clients, though some of the technology recommendations apply to clients as well. There are lots of kinds of compliance you must worry about in healthcare in general, but I will focus on behavioral and mental healthcare private practice, specifically including telehealth.
To start (not necessarily in order of importance, since they are all very important):
- HIPAA Compliance: mostly the Security and Privacy Rules within HIPAA (the Health Insurance Portability and Accountability Act of 1996), HITECH (2009), and CARES (2020)
- Accreditation Compliance: Joint Commission or CARF
- License/Board Compliance: whatever license you hold to practice therapy comes with national and state regulations and codes of ethics you must adhere to in order to maintain your license in good standing
- Legal Compliance: in terms of your business, insurance, etc.
- Documentation Compliance
- Clinical Compliance & Best Practices
- Marketing & social media
These are a lot of considerations, and most clinicians get totally overwhelmed by all the details. I could write a ton about this, but I am just going to hit some highlights – if you are interested in a longer conversation about any of these, just email me: firstname.lastname@example.org. I will not cover all of these in this post.
Disclaimer: I am not a lawyer or information technology specialist. This information is not intended as a substitute for due diligence. You must set up, manage, and audit these systems as appropriate for your company. Nothing in this blog constitutes legal advice (just like all the other disclaimers you will see in the resources and articles). Also, states are currently in control of most cybersecurity and data protection laws, so make sure you are aware of the legal ramifications in your state as well as the laws and regulations governing your setting.
Your personal security may or may not impact your professional security, but please consider implementing all of these recommendations for your personal networks and devices.
Why do we need compliance?
Well, unfortunately, a lot of people in the world are not as compliant as you or I might be, and that means there are gaps and loopholes that others will exploit. No one wants to get hacked or have their identity stolen, and PHI is a prime target, partly because providers have historically not done a great job of protecting it. That is part of why we have HIPAA in the first place!
Why is compliance important for clients?
Our clients are trusting us with some pretty significant personal information. It is important that we acknowledge that trust and do everything we can to maintain it. Misuse of that information would not only be a significant breach of trust, ethically and professionally, but could also cause clients harm. No caregiver wants that, especially if it is due to something they could have prevented.
HIPAA is the thing that scares people the most. I think it is mostly because people who gravitate towards caring professions are generally not all that into technology, and a lot of the rules are related to that. Also, who likes combing through all the legal and technical jargon to figure out what they need to do? The law is written in pretty broad strokes on purpose, because there are a lot of types of facilities and providers this would pertain to, from sole providers to international corporations. Obviously, not all solutions are appropriate for all these settings.
Things to know about HIPAA (remember, these are just some highlights!):
- What is a compliance officer and what do they do? A compliance officer is supposed to be someone who keeps up with the changes and developments related to HIPAA. All organizations are required to designate a compliance officer and have them listed in their HIPAA statement as a point of contact. Usually, this person has something to do with technology and security, writing policies, making sure all federal and state confidentiality laws are adhered to, and completing the annual Risk Assessment that is required for all covered entities. Here is a checklist if you want to know more about those basics: https://compliancy-group.com/hipaa-compliance-checklist-download/
- What is OCR? It stands for the Office for Civil Rights, the federal agency in the Department of Health & Human Services that administers HIPAA and all the attendant audits, fines, etc. https://www.hhs.gov/hipaa/for-professionals/index.html
- What is PHI? Protected Health Information – pretty much everything you know about your clients.
- What is a BAA? Business Associate Agreement – you must have one of these for all entities you work with that have access to PHI.
- What is encryption? This one is a little harder, but you would know if you had it. It is not standard on most computers or devices. Depending on what operating system you use, it may be part of the software that you need to set up. Either way, make sure that any computer you have (including your phone, tablet, laptop, and any other mobile device) requires a password to access any client information, and that nobody can get onto that computer without a password. https://compliancy-group.com/hipaa-encryption/
- You should also make sure your phone, email, and any other methods of communication with clients are HIPAA compliant.
- What do I need to do, really?
  - Write policies & procedures, even if you are working by yourself
  - Designate a compliance officer
  - Do your Risk Assessments and address issues in your policies & procedures
  - Have a HIPAA statement and Rights & Consent that cover all of these issues
  - Make sure you have BAAs in place for anyone who works with PHI
  - Encrypt your devices
  - Set up cloud-based services (like Google Workspace, Zoom, or your EMR) by signing a BAA and following the recommendations of the service provider
  - Set up your Wi-Fi/LAN with appropriately complex passwords and encryption
  - Make sure every device you own is being tracked and that you can wipe it remotely (called Find My Device on most phones) in case it gets stolen or lost
  - Do training every year
Accreditation: I am going to focus on what clients and other individual providers need to know, but suffice it to say that all facilities must be accredited, and there are many different sections to concern yourself with.
Licensing Boards all have different criteria. If you do not understand what you need to do, every board provides a way to contact it with questions. As with all requests of that type, please make sure you read the FAQs and information on the board's website before you contact them, so that your questions are not already answered.
Documentation: we all know that if we did not document it, it did not happen. This protects you as much as it protects clients! Most EMRs do a pretty good job of making sure we have what we need in our documentation for billing, but make sure the platform you are using is set up not only for billing but also to satisfy the requirements of protecting information.
Clinical: so, I work with a lot of clients struggling with eating disorders, and there are specific APA criteria related to the levels of care a client should be in for this diagnostic population. This is true of other types of diagnoses, of course, but please make sure you are following those guidelines. If you are treating a client at a lower level of care than is appropriate, you are not doing them any favors. You are basically diagnosing them with the flu and sending them home without any medication – most clients will not be able to get better until they get the right intervention, and it is just not ethical.
Marketing & social media: these are kind of synonymous these days, and it has changed the landscape of what we do. Please make sure there is adequate and appropriate separation between your personal and professional digital life. Any marketing you do on behalf of your business should be with a business account and with appropriate privacy restrictions in place.
I always tell new clinicians that if you do not want your entire family, your boss, and your clients to know something about you, do not put it on social media. And never EVER be friends with clients on social media with your personal accounts. Business accounts are set up differently, so you have contacts, followers and page likes, not ‘friends.’
You have an obligation to protect clients even if they do not protect themselves. This is true in all aspects of your clinical work, including documentation, laws, and technology standards. Even if a client, for instance, writes a negative review of you online, there are very limited ways you can respond without violating their confidentiality.
To sum up: ignorance of these issues is not an excuse. If you feel overwhelmed, seek out more information! Knowledge is your best weapon, especially when it comes to technology, compliance, and risk management.
Most clinicians tend to focus on the clinical – no surprise, that is what we are trained to do! The ethical, legal, technological, and other business aspects of our work cannot be ignored any more than the modalities and diagnoses that we learned about in school.
Email me to find out more.