OK, “Make Friends” may be an overstatement, akin to saying “How to make friends with a bear.” Perhaps the best you can hope for is to get them to look the other way…temporarily…by convincing them that you are not a current threat.
HIPAA is complicated. The “Privacy” part is just a thin sliver of those rules. But another part of HIPAA deserves equal attention: the “Security” part.
Filing cabinets are becoming relics–something you will try to explain to your grandchildren without success. “But why didn’t you just upload it, Gramps? And what did you call that stuff….’paper’?”
The HIPAA Security Rule saw this coming. Instead of focusing on adequate locks for your filing cabinet drawers, it focuses on keeping electronic records and transactions (electronic protected health information, or ePHI) away from prying eyes.
Four Common HIPAA mistakes therapists make
Most therapists don’t have training in data security, and often make mistakes in this area. Here are four common HIPAA mistakes therapists make, and how to correct them:
1. Inadequate Passwords
I’m guessing someone has admonished you about this before… and perhaps you have ignored the advice before. Let me try to drive it home to you in a different way. Visit a password-strength estimator website and type in a password built the same way as one you use (not the real one: never paste a live password into someone else’s website). It is sobering.
For example, if you have chosen “Tiger” as your password, the estimator says a hacker can guess it in 9 milliseconds, or one tenth of the time it takes you to blink. On the other hand, if you have chosen “Bee97Fortnight!” as your password, it says the same hacker would need 15 billion years to crack it. That’s quite an improvement! One caveat: those figures assume the attacker tries every combination of characters. Real cracking tools also try combinations of dictionary words, numbers and symbols, so a password built from two English words is weaker than the estimator suggests. Treat the figure as an upper bound, and remember that every extra random word makes the password much harder to guess.
Note the format of the second example: a random word, a random number, another random word, and a random symbol. Easy to remember, very hard to crack, provided the words really are random (picked by dice, from a word list, or by a password manager’s generator) rather than your pet’s name and your birth year, which are exactly what an attacker tries first.
A note on reusing passwords: if you’ve created a great password using the suggestions above, why not use it everywhere? Because from time to time a hacker breaks into a weak system, like the one behind your salon’s scheduling software, and walks away with its list of passwords.
If you use the same password everywhere, that one breach hands them your password for your bank account, your TherapyAppointment account, and everything else; attackers routinely replay stolen passwords against other sites.
So use a different password for each account. The most practical way to do this is a password manager: let it generate a long random password for every site and remember them for you, and protect the manager itself with one strong master password (the word-number-word-symbol kind, or longer) that you use nowhere else.
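An added Python example (not from the original post) that does two things the paragraphs above describe: it generates a password in the word-number-word-symbol shape from a proper random source (`secrets`), and it scores a password two ways, the way a strength meter does (alphabet size to the power of length) and the way a cracking tool that knows the pattern and the word list would. The tiny word list, the symbol set and the rate of ten billion guesses per second are constructed assumptions; pass a real word list’s size (the EFF long list has 7776 words) to see realistic figures.

```python
import math
import re
import secrets

# Constructed, deliberately tiny word list so this file runs with no downloads.
# A real generator should draw from a large list (the EFF long list has 7776 words),
# which is why the entropy function takes the list size as a parameter.
DEMO_WORDS = [
    "bee", "fortnight", "granite", "lantern", "meadow", "otter",
    "pepper", "quartz", "river", "saddle", "thimble", "walnut",
]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # 23 symbols; entropy uses len(SYMBOLS)


def passphrase(words=DEMO_WORDS, symbols=SYMBOLS, n_words=2, digits=2):
    """Word-number-word-symbol, every piece drawn from the OS CSPRNG.

    `secrets` rather than `random`: `random` is predictable and must never
    choose secrets. With n_words > 2 the extra words follow the number.
    """
    picked = [secrets.choice(words).capitalize() for _ in range(n_words)]
    number = "".join(secrets.choice("0123456789") for _ in range(digits))
    symbol = secrets.choice(symbols)
    return picked[0] + number + "".join(picked[1:]) + symbol


def pattern_bits(list_size, n_words=2, digits=2, n_symbols=len(SYMBOLS)):
    """Entropy against an attacker who knows the pattern and the word list:
    the search space is list_size**n_words * 10**digits * n_symbols."""
    return (n_words * math.log2(list_size)
            + digits * math.log2(10)
            + math.log2(n_symbols))


def charset_bits(pw):
    """What a naive strength meter measures: (alphabet size) ** length,
    where the alphabet is every character class that appears in pw."""
    if not pw:
        return 0.0
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33          # printable ASCII punctuation
    return len(pw) * math.log2(size)


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password: half the space at the given rate.
    1e10 guesses/s is an assumed figure for a GPU rig against a fast hash,
    not a measurement; a slow hash such as bcrypt cuts it by orders of magnitude."""
    return 2 ** (bits - 1) / guesses_per_second


def human(seconds):
    for unit, span in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare(pw, list_size, n_words=2, digits=2):
    """Both estimates for one password, in bits and assumed crack time."""
    naive, aware = charset_bits(pw), pattern_bits(list_size, n_words, digits)
    return {
        "meter_bits": round(naive, 1),
        "meter_time": human(crack_seconds(naive)),
        "word_aware_bits": round(aware, 1),
        "word_aware_time": human(crack_seconds(aware)),
    }


if __name__ == "__main__":
    print("generated:", passphrase())
    print("generated (4 words):", passphrase(n_words=4))
    for size in (7776, 100_000):
        print(f"Bee97Fortnight! vs a {size:,}-word list:", compare("Bee97Fortnight!", size))
    for n in (2, 4, 6):
        bits = pattern_bits(7776, n_words=n)
        print(f"{n} words from a 7776-word list: {bits:.1f} bits, ~{human(crack_seconds(bits))}")
```

Run it and compare: “Bee97Fortnight!” scores about 98 bits on the meter, but only about 37 bits against a word-aware attacker drawing from a 7776-word list, which at the assumed rate is seconds rather than ages. Four random words push the pattern-aware figure past 60 bits and six past 85. The lesson is the one the post already draws: genuine randomness, more length, and a manager that generates and remembers the result for you.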
2. Failure to encrypt documents on your own computer
If you have a Business Associate Agreement (BAA) with a big company like TherapyAppointment, you don’t have to worry about their data encryption methods: the BAA obligates the business associate to safeguard the client data it holds on your behalf, and we take that responsibility very seriously. (Your own obligations do not vanish: you still have to pick a vendor that will sign a BAA, and protect the copies of client data that live outside the vendor’s system, which is what the rest of this list is about.)
But you may compose a letter on your own computer that contains client information. Did you know that you are responsible for keeping that local Word document encrypted? Fortunately, Word can do this for you: File > Info > Protect Document > Encrypt with Password. Save the file in the modern .docx format; the password protection on the old .doc (Word 97-2003) format is weak and should not be relied on.
You can also keep all your sensitive documents in an encrypted folder or drive on your computer, so you don’t have to remember to encrypt each one. Search for “how to encrypt a folder” for easy instructions for a Mac or PC, or simply turn on whole-disk encryption (FileVault on a Mac, BitLocker on Windows), which protects everything on the machine if the laptop is lost or stolen. Either way, a document that is protected only by your disk encryption is in the clear the moment you email it or copy it somewhere else, so the attachment advice in point 4 still applies.
3. Failure to back up your client data
All things must pass… and your computer’s hard drive will pass more quickly than you might imagine.
HIPAA requires that you not only keep your data secure, but also that you keep it backed up (the Security Rule’s contingency plan standard calls for a data backup plan). If you are keeping all your client data in the encrypted folder mentioned above, copy the folder onto an encrypted thumb drive periodically, keep that drive somewhere other than next to the computer, and check now and then that the copy actually opens… and don’t forget the password! A backup you have never restored from is not yet a backup.
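An added Python script (not from the original post) that makes the “copy the folder periodically” step concrete and adds the check that usually gets skipped: it copies the folder into a new timestamped snapshot on the drive, writes a SHA-256 manifest next to it, and can later re-hash the snapshot against that manifest to prove the copy is still intact. It assumes the folder being copied is the already-encrypted one and that the thumb drive itself is encrypted; the script does no encryption of its own. The folder names and file contents in `demo()` are constructed.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

MANIFEST = "SHA256SUMS"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root):
    """Relative path -> SHA-256 of every regular file under root (manifest excluded)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST}


def backup(src, dest_root, stamp=None):
    """Copy src into a new, timestamped snapshot under dest_root and record a manifest.

    Snapshots are never overwritten: if today's copy is corrupt, or the source was
    already damaged before it was copied, last month's snapshot still exists.
    Returns the snapshot path.
    """
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    snap = Path(dest_root) / f"{Path(src).name}-{stamp}"
    shutil.copytree(src, snap)                     # raises if snap already exists
    digests = fingerprint(src)                     # hash the ORIGINAL, not the copy
    (snap / MANIFEST).write_text(
        "".join(f"{digest}  {name}\n" for name, digest in digests.items()))
    return snap


def verify(snap):
    """Re-hash a snapshot against its manifest. Returns the files that are missing
    or changed; an empty list means the copy is still byte-for-byte intact."""
    snap = Path(snap)
    expected = {}
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    actual = fingerprint(snap)
    return sorted(name for name, digest in expected.items()
                  if actual.get(name) != digest)


def demo():
    """Self-contained walk-through on constructed files (no real client data):
    back up, verify, then simulate bit rot on the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "clients"
        (src / "smith").mkdir(parents=True)
        (src / "smith" / "intake.docx.enc").write_bytes(b"constructed ciphertext 1")
        (src / "jones-letter.docx.enc").write_bytes(b"constructed ciphertext 2")
        snap = backup(src, Path(tmp) / "thumbdrive", stamp="20240101-120000")
        clean = verify(snap)
        (snap / "smith" / "intake.docx.enc").write_bytes(b"constructed ciphertext X")
        damaged = verify(snap)
        return snap.name, clean, damaged


if __name__ == "__main__":
    print(demo())   # ('clients-20240101-120000', [], ['smith/intake.docx.enc'])
```

For real use, call `backup("/path/to/encrypted-folder", "/Volumes/THUMBDRIVE")` on the schedule you choose, and run `verify()` on the newest snapshot the next time the drive is plugged in; hashing the source rather than the copy is what lets the manifest catch a copy that went wrong in transit.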
4. Sending emails with client information
So you received a properly signed release of information form from your client who moved to Alaska and has a new therapist there. Can you send the client file or notes via email?
Only if the file is adequately encrypted!
If you use HushMail or a similar product, they will encrypt it for you; if you want to avoid the monthly fee for HushMail, just encrypt the information using free software like 7-Zip and attach the AES-256 encrypted Zip file to your email. Two things to check: choose AES-256 explicitly, because 7-Zip’s default encryption method for .zip files is the legacy ZipCrypto cipher, which has known weaknesses (on the command line that is `-mem=AES256`); and remember that a .zip archive does not hide the names of the files inside it, so give the files neutral names, or use the .7z format with header encryption turned on (`-mhe=on`), which does hide them.
You’ll have to get the encryption password to them separately; a phone call is best for this purpose. Never put the password in the same email, or in a reply to it.
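To check that an archive you are about to attach really uses AES-256 rather than ZipCrypto, here is an added Python script (not part of the original post, and not 7-Zip’s own code) that reads the zip central directory and reports how each entry is encrypted. It uses only the standard library and builds its own constructed sample archives: an unencrypted zip from `zipfile`, plus two hand-built archives whose headers imitate ZipCrypto and the WinZip AE-2 AES-256 layout that 7-Zip writes for `-mem=AES256`. The file names, sample contents and the `audit.py` script name are assumptions.

```python
import io
import struct
import zipfile

CEN_SIG = b"PK\x01\x02"       # central directory file header
EOCD_SIG = b"PK\x05\x06"      # end of central directory record
AES_METHOD = 99               # WinZip AE-x: "compression method" 99 marks AES
AES_EXTRA_ID = 0x9901         # extra-field id that carries the AES parameters
AES_KEY_BITS = {1: 128, 2: 192, 3: 256}


def parse_aes_extra(extra):
    """Walk the extra-field list; return the AE-x record as a dict, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == AES_EXTRA_ID and size == 7:
            version, vendor, strength, real_method = struct.unpack("<H2sBH", body)
            return {"version": version, "vendor": vendor,
                    "strength": strength, "method": real_method}
        pos += 4 + size
    return None


def classify(flags, method, extra):
    if not flags & 1:                       # general-purpose bit 0 = entry is encrypted
        return "not encrypted"
    aes = parse_aes_extra(extra)
    if method == AES_METHOD and aes and aes["vendor"] == b"AE":
        return f"AES-{AES_KEY_BITS.get(aes['strength'], '?')}"
    return "ZipCrypto (weak legacy cipher)"  # encrypted, but not with AES


def audit_zip(data):
    """Return [(file name, verdict)] for every entry, read from the central directory.

    The names come back in clear text whatever the verdict: the .zip format
    never encrypts file names.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip file")
    _, _, _, _, n_entries, _cd_size, cd_offset, _ = struct.unpack(
        "<4s4H2LH", data[eocd:eocd + 22])
    pos, out = cd_offset, []
    for _ in range(n_entries):
        hdr = struct.unpack("<4s6H3L5H2L", data[pos:pos + 46])
        if hdr[0] != CEN_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        flags, method = hdr[3], hdr[4]
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        out.append((name, classify(flags, method, extra)))
        pos += 46 + name_len + extra_len + comment_len
    return out


# --- constructed samples (headers only; no client data inside) ---------------

def build_zip(entries):
    """Minimal archive with empty file bodies: (name, flags, method, extra) per entry."""
    local, central = b"", b""
    for name, flags, method, extra in entries:
        nm = name.encode()
        offset = len(local)
        local += struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, method, 0, 0,
                             0, 0, 0, len(nm), len(extra)) + nm + extra
        central += struct.pack("<4s6H3L5H2L", CEN_SIG, 20, 20, flags, method, 0, 0,
                               0, 0, 0, len(nm), len(extra), 0, 0, 0, 0, offset) + nm + extra
    eocd = struct.pack("<4s4H2LH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def sample_plain_zip():
    """A real, unencrypted archive produced by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"constructed sample text, not client data")
    return buf.getvalue()


AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, 256-bit, deflate
SAMPLE_ZIPCRYPTO = build_zip([("notes.docx", 1, 8, b"")])              # 7-Zip's default for .zip
SAMPLE_AES256 = build_zip([("notes.docx", 1, AES_METHOD, AES_EXTRA)])  # 7-Zip with -mem=AES256


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # audit a real file: python audit.py file.zip
        with open(sys.argv[1], "rb") as f:
            print(audit_zip(f.read()))
    for label, blob in (("stdlib", sample_plain_zip()), ("zipcrypto", SAMPLE_ZIPCRYPTO),
                        ("aes256", SAMPLE_AES256)):
        print(f"{label:10} {audit_zip(blob)}")
```

Point it at the archive you just made (`python audit.py notes.zip`) before hitting send; anything other than `AES-256` means the wrong option was selected. Notice that `notes.docx` is printed in every case, which is why a client’s name should never be the file name inside a .zip.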
See, already HIPAA is looking in another direction. Now about that hungry bear…..