Non-HIPAA Compliant Scenarios and How Meta Can Help
“In terms of HIPAA, you can run, but you cannot hide; one of its tentacles will undoubtedly find you.”
– D. Jensen, J.D., staff attorney
California Association of Marriage and Family Therapists
Jensen’s point is valid. When you’re a mental health professional, it’s inevitable that you’ll encounter a scenario that will put you within the “tentacles’” reach of a HIPAA violation. It’s the sole reason you’re provided with a standard of expectations that ensures you’re operating your practice ethically and your clients’ safety is protected.
As methods of communication expand, there are a plethora of scenarios that can result in HIPAA fines and the loss of trust from your clients.
Below are two scenarios that could violate HIPAA compliance.
Selma is a clinician with a thriving practice, and she prides herself on being available for client questions outside of session. Often her clients will text or email her about schedule changes, topics they want to discuss in the upcoming session, and/or billing concerns.
All is good until Selma accidentally loses her phone while on vacation. While this is upsetting, she feels reassured that all of her data is backed up to the cloud. All she needs to do is replace her phone – right?
Can you spot the three potential HIPAA violations?
1. Consider the protection of Selma’s device from unauthorized persons. What happens if Selma didn’t have security tools on her phone (instant lock, passcode-protection, remote factory reset, etc.)?
2. Storing text messages and emails on cloud-based servers is a potential breach. Just because your phone and email accounts are login-protected does not mean that the data is stored in a HIPAA-compliant manner. Two important components of HIPAA are that no data can be accessed by unauthorized individuals and that no data can be made public (i.e., analyzed and used for marketing or web-based ads).
3. There is a potential violation from communicating with clients through non-compliant and unsecured forms of communication without explicit permission. This is easily overlooked because it’s assumed that we’re allowed to use the same form of communication that the clients choose when contacting us. Just because a client sends us an email from their free email account doesn’t mean we are able to receive and respond from a non-compliant email service. Clients must give us their explicit permission to use text and email, and we must ensure that we’re using a HIPAA-compliant emailing method.
Communication concerns such as these were considered when Meta was developed. Meta’s platform is 100% HIPAA-compliant, with chat and phone communication functions that are kept confidential through high-level cybersecurity protocols.
Jorge is a therapist who wants to accommodate his clients’ need for remote sessions on occasion and has found it easiest to just use a (non-compliant) video app on his phone. He thought he was providing great service to his clients until he accidentally accepted another video call from a friend while he was already in a video session with a client.
The session turned into a video conference between all three of them and although he disconnected the call quickly, his friend saw his client and heard a brief moment of their conversation.
As if that day couldn’t get worse, he received an email from that video app asking if he would like to share, to one of his social media accounts, the recording of a call he made the week prior. What? He didn’t even know he had recorded the session and definitely didn’t want it to be made available to the public.
Why Jorge’s Video App Isn’t HIPAA Compliant
Most of us accept the risks when using unsecured methods to chat with friends and family through free apps that are readily available. Unfortunately, given recent revelations from tech giants, it’s clear that most companies providing communication tools are harvesting user data and even recording interactions.
Our clients look to us as experts and we depend on that trust. We must maintain the ability to keep what they tell us private and confidential at all costs. If we don’t take proper precautions to keep their information and conversations private, not only have we breached HIPAA and broken the law, we have violated our professional code of ethics.
Platforms such as Meta are correcting the mistakes of social media platforms built to harvest data by developing tools intended to maintain the privacy between therapists and clients.
Try Meta for FREE for 90 days to see for yourself.