Can a Client Waive the Need for HIPAA-Compatible Telehealth?
By Barbara Griswold, LMFT (April 24, 2023)
Question: “Dear Barbara, I have a client that wants to continue to use Facetime [or another non-HIPAA-compatible telehealth platform] after the Public Health Emergency (PHE) ends. Is this OK? I checked with my malpractice company, and was told that if the client signs a waiver stating that they are aware that the platform is not secure, it is OK to use that platform. That is, if we have client consent, a non-secure video platform can be considered HIPAA-compliant. I was also told that phone sessions can be continued without any special waiver.”
Barbara Answers: I’m no HIPAA expert, so I reached out to the amazing Liath Dalton, my go-to HIPAA expert and Co-Director/Owner of Person Centered Tech (PCT) (www.personcenteredtech.com). Her reply:
“The malpractice company’s answer is absolutely, categorically wrong and unfortunately reveals a fundamental misunderstanding of HIPAA. A client CANNOT waive the Business Associate Rule. The therapist who is a HIPAA covered entity MUST have a HIPAA Business Associate Agreement (BAA) in place whenever a third-party service provider, organization or individual is “creating, receiving, maintaining, or transmitting” a client’s (or prospective client’s) Protected Health Information (PHI).
This requirement was not enforced during the Public Health Emergency (PHE), but will once again be enforced when the post-PHE transition time period is over (see Barbara’s article on the transition period — click here). If waiving the BAA were an option, the government would have stated so in their notification about the PHE ending and the transition period (see press release here).
Video platforms that DO NOT offer a BAA include Apple FaceTime, Facebook Messenger, Google Hangouts, and free versions of Zoom or Skype. These CANNOT be used once the post-PHE transition period is over.
Additionally, if your video platform or Electronic Health Record system sends out appointment reminders or email links to join the video session, your clients should be signing a request for non-secure communication (see PCT’s free sample Request for Non-Secure Communications form, which can be obtained here).
Furthermore, providers need a BAA with their phone service provider. While you can get BAAs from T-Mobile and Verizon on a business cell line, Person Centered Tech typically recommends the use of a HIPAA-friendly Voice over Internet Protocol (VoIP) service like iPlum, RingRx, SpruceHealth, or TalkRoute, as they are more economical and provide greater functionality. Any phone number can be ported, so folks needn’t worry that complying with HIPAA will result in having to change their phone number.
It is important to note that many HIPAA covered entities have been penalized for violating HIPAA by using service providers with whom they didn’t have a BAA. Beyond HIPAA requirements, each professional ethics code (AAMFT, ACA, APA, NASW, NBCC) explicitly requires the protection of the confidentiality of client data – and a HIPAA BAA is one mechanism that is supportive of this when a third party is handling your clients’ data. Ultimately, a BAA is protective and helpful for the provider on multiple levels. BAAs are your friend!”
Wow, thanks, Liath!
But what about emails and texts? “There are additional HIPAA security requirements and provisions when it comes to emails and texts,” she says. And heaven knows, the poor, patient woman tried to explain them to me, but I confess my brain short-circuited each time. So, for more info, I’m going to steer you to Person Centered Tech’s free articles on HIPAA as it applies to email and texts:
- 3 Kinds of Email Security: How to Make an Informed and HIPAA-Aware Choice
- “HIPAA-Compliant” Is a Meaningless Phrase. Let’s Use “HIPAA-Secure.”
- Clients Have the Right to Receive Unencrypted Emails (and Texts) Under HIPAA
If you still have any questions about HIPAA or technology in your practice, please, don’t call me on this topic! Do reach out to Liath and the folks at Person Centered Tech to recommend what resources are the right fit for your practice questions and needs at email@example.com. They have a wealth of resources, including their direct consultation service that’s part of their Practice Care Premium offering.