Computer and web-based technological advances allow us to hold online psychotherapy sessions, easily manage our schedules, and have convenient access to our clients’ psychotherapy notes. Most general medical charts, which sometimes include mental health treatment notes, are now kept in an electronic health record. These records are generally accessible to everyone working in a treating physician’s office, the hospital where a patient is admitted, and all affiliated physicians and hospitals. Medical insurance companies also have access to patients’ personal health information.
While HIPAA rules are designed to protect personal health information, it appears enforcement and compliance are often inadequate. A recent ABC News investigation found that medical records and personal health information can be easily bought online. The sheer number of people with access to the electronic health record challenges the integrity of the entire storage system. Electronic data breaches are known to occur when a computer or external storage device containing PHI is stolen or lost, or when a computer or network containing medical records is hacked. Unscrupulous staffers have also been known to download patient data and then sell it to black market information peddlers. According to the HHS Health Information Privacy Tool, in 2012 alone there were more than 78 breaches involving more than 500 patients each, affecting thousands of patients. So far this year, the Privacy Rights Clearinghouse database reports over 154 patient record breaches.
While there may be little that individual mental health practitioners can do about the large-scale problem of theft and sale of personal health care data, increased awareness can help us make wiser decisions about what kind of data we record in patient charts and how we handle and share the data we record. We also need to be cognizant of HIPAA compliance issues and vulnerabilities when choosing an electronic health record system and other technology for our telemental health practices.
Keep it Confidential
How can we help our clients/patients keep their psychotherapy data confidential? Advise them to:
- Never post anything online that they don’t want made public, particularly regarding their mental health and medical care.
- Keep all health information stored on their personal computers and other devices password protected and secure.
- Exercise caution when sharing information about their mental health diagnoses and treatment over email.
- Verify the source before sharing their personal or medical information.
- Safeguard all paper copies and documents related to medical and health insurance information and shred any insurance forms, prescriptions, or physician statements.
- Go to the Federal Trade Commission (FTC) website (http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt10.shtm) for more information about medical identity theft.
- For practical additional tips to help protect and secure health information online, go to: OnGuardOnline.gov.
- File a complaint if they believe their HIPAA privacy rights have been violated. Complaints can be filed with the US Department of Health and Human Services, their State Attorney General’s Office or The Federal Trade Commission.
Want to know more about technology, privacy and HIPAA compliance?
- HealthIT.gov webpage: “Protecting Your Privacy & Security: What You Can Do to Protect Your Health Information”
- The Patient Privacy Rights Toolkit
- US Department of Health and Human Services Fact Sheet on Health Information Privacy and Technology
- Privacy Rights Clearinghouse link to Chronology of Data Breaches