Best Practices - Protecting Patient Data in the Age of Teletherapy

The recent COVID-19 pandemic has catapulted teletherapy into the spotlight. While teletherapy had been around for years, it had yet to reach the mainstream or gain the full buy-in of the various associations, agencies and insurers. However, within a matter of weeks in early March it became the only way some patients could continue to receive treatment. Many clinics, hospitals and schools were caught somewhat unprepared for this abrupt change. Most did not have the infrastructure in place to support teletherapy as a delivery model, and most practitioners were not yet trained in the nuanced differences in technique needed to be successful in a virtual session versus an in-person session.

To help ease the transition, and to ensure patients could continue to receive treatment, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) released a statement at the end of March that it "will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency."

In other words, this allowed health practitioners to use non-HIPAA-compliant popular video conferencing applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video and Zoom during the health crisis.

While this temporary non-enforcement period has helped many practitioners make the jump to teletherapy, it should be stressed that those same practitioners should be taking active steps to bring their practice or school into HIPAA compliance as soon as possible, not just out of fear of potential penalties when the non-enforcement period ends, but because it is the right thing to do as a steward of your patients' protected health information (PHI).

First and foremost, practitioners should look to move to a HIPAA-compliant teletherapy platform, paying particular attention to whether it leaks data to third parties. As part of this process you will need to sign a business associate agreement (BAA) with the company providing the teletherapy platform.

In addition to moving to a HIPAA-compliant teletherapy platform, the following are 5 best practices to help protect and secure your patients' data:

1) Practice good password hygiene

  1. Use a password manager. Password managers make it easy to create and use strong passwords so that you never have to remember a password again. Popular password managers include 1Password, LastPass and Dashlane.
  2. Generate a strong, unique password for every site you use. Never reuse a password and never use the same password for more than one site. This will help protect you in the event that a site you use becomes compromised. Password managers have tools built in to help easily generate strong passwords for you.

2) Never reuse a video conferencing room

Some video conferencing services allow users to set up a static room (i.e. the link to that room never changes). In such cases, a therapist might set the room's time to span the whole day and email that link to all of their patients for the day (this is a big no-no).

Why is this bad? Well, what happens when your noon appointment runs a little over and your next patient decides to join five minutes early? One patient has now just "walked in" on another patient. You could argue, "patients see each other in the waiting room all the time, it's no big deal." Interestingly, this is a case where the teletherapy delivery method actually allows us to improve patient confidentiality, but only if we take the proper steps. With teletherapy, patients no longer need to be seen visiting an office location or sitting in a waiting room.

A good platform should not only make it easy to generate a clean room for each patient visit; it should also make it difficult or impossible to reuse the same room again and again. Sidekick's teletherapy platform does just that, providing a new, clean room with a unique URL and password for each visit.
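As an added illustration (not Sidekick's code or any platform's API), here is the per-visit room model the paragraph describes: each appointment gets its own unguessable URL segment and passcode, the room only opens shortly before its own time slot, and it can never be entered again once the therapist ends the visit. `patient_ref` is assumed to be whatever identity the platform has already authenticated the joiner as, and the scenario in `demo()` is constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Room:
    room_id: str        # unguessable path segment of the per-visit URL
    passcode: str       # sent to the patient separately from the link
    patient_ref: str    # opaque scheduling reference, never the patient's name
    start: datetime
    end: datetime
    closed: bool = False

class RoomRegistry:
    """Issues one fresh room per appointment and enforces its join window."""
    def __init__(self):
        self._rooms = {}
    def issue(self, patient_ref, start, duration):
        room = Room(secrets.token_urlsafe(16), secrets.token_hex(4),
                    patient_ref, start, start + duration)
        self._rooms[room.room_id] = room
        return room
    def join(self, room_id, passcode, patient_ref, now):
        room = self._rooms.get(room_id)
        # Unknown room and wrong passcode get the same reply; compare in constant time.
        if room is None or not secrets.compare_digest(room.passcode, passcode):
            return "denied: unknown room or wrong passcode"
        if room.closed:
            return "denied: room already used"
        if patient_ref != room.patient_ref:
            return "denied: link belongs to another appointment"
        # Patients may enter at most five minutes before their own slot (assumed policy).
        if now < room.start - timedelta(minutes=5) or now > room.end:
            return "denied: outside appointment window"
        return "ok"
    def close(self, room_id):
        self._rooms[room_id].closed = True  # visit ended; room is never reusable

def demo():
    # Constructed scenario: noon visit with patient A, 1 pm visit with patient B.
    reg, noon = RoomRegistry(), datetime(2020, 4, 1, 12, 0)
    a = reg.issue("pt-A", noon, timedelta(hours=1))
    b = reg.issue("pt-B", noon + timedelta(hours=1), timedelta(hours=1))
    early = noon + timedelta(minutes=55)  # B shows up five minutes early
    r = {"a_own": reg.join(a.room_id, a.passcode, "pt-A", noon),
         "b_with_a_link": reg.join(a.room_id, a.passcode, "pt-B", early),
         "b_own_early": reg.join(b.room_id, b.passcode, "pt-B", early),
         "b_too_early": reg.join(b.room_id, b.passcode, "pt-B", noon)}
    reg.close(a.room_id)
    r["a_after_close"] = reg.join(a.room_id, a.passcode, "pt-A", noon)
    return r
```

Because B's early arrival lands in B's own room and A's room refuses anyone but A, the "walked in" situation from the all-day static room cannot occur.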

3) No remote access

I recently asked a question on Facebook in a popular teletherapy group: "what features do you look for in a teletherapy platform?". One of the most common answers was "remote access" or "remote control".

Some platforms allow one party to remotely access the other party's computer in order to control the mouse. In other words, one party is able to control the other party's computer to click around, open files, etc.

While it is easy to understand the need (being able to jointly interact with the resource / activity), I believe that remote access is not the answer as it presents a very high HIPAA compliance risk. Think of it this way: if you owned a clinic, would you allow patients in the waiting room to go behind the front desk and start using your clinic's computer? No way! That would be a clear HIPAA violation. This is the same thing. Allowing a patient remote access to your computer, which contains PHI, is a very questionable practice. You can't control where or what your patient clicks on.

A good platform should allow for the patient and therapist to jointly interact with or annotate a resource or whiteboard without the need to give the patient access to the therapist's computer.

On Sidekick's platform we accomplish this in two ways. One is with a huge resource library of over 600 materials that the therapist can use during the session and jointly annotate with the patient. The other is through a brand new feature called "Click beacon". This feature gives patients a way to interact with the screen through a click or touch (e.g. if the therapist is screen sharing a Boom card), and the therapist gets immediate feedback on their screen showing where the patient clicked or touched. This allows us to meet the need of making the shared resource interactive while maintaining the highest safeguards for our patients' data.

4) Be careful when you share your screen

As a therapist you need to be diligent when sharing your screen. It can be easy to unwittingly or accidentally share part of your screen that contains PHI of another patient you are seeing.

Before you share your screen in a session ensure:

  1. You have closed all applications and browser tabs not pertinent to the activity you are sharing.
  2. There is nothing on your desktop that might contain PHI (including small details such as a patient's name within the name of a file).

5) Don't do your session in a public place (e.g. coffee shop, airport, etc.)

When you have a session, make sure you are in a closed space where others cannot see or hear you. Additionally, make sure your computer does not face a window where a passerby could view your screen.

If you follow these 5 simple steps you will help reduce the risk of the mishandling, release, or involuntary disclosure of your patients' health data.

- Kevin Dias

Do you need a teletherapy platform for your school district or clinic? Do you want to make sure it is easy for your therapist to follow all of the above best practices? Check out Sidekick's teletherapy platform - which was designed from the start to be safe, secure and HIPAA compliant.

Zoom has been caught sending data to Facebook and, as of the publication date of this article, uses cookies and tracking pixels to send data to third parties as stated in its privacy policy (i.e. Google Ads and Google Analytics). Google specifically does not cover Google Analytics in its BAA.