Virtual COVID-19 Groups (9,900) and HIPAA

Demand for virtual support groups for recovered COVID-19 patients continues to grow as more patients recover. Forced isolation has exacerbated patient depression, anxiety, and stress, causing many recovered patients to seek virtual groups to cope.

Dr. William Sanderson, a psychologist and director of the Anxiety & Depression Clinic at Hofstra University, states, “Some people have been removed from the ability to meet their common human needs — socialization, meaningful work, getting together with family. Every time you block people meeting their needs, it results in emotional distress.”

He added, “The concern that we have is that reactions to COVID that are mild could turn into disorders beyond the pandemic. Depression is a slippery slope down … we need to help these people now to avoid a bigger problem down the road.”

Since support groups fall under the category of “treatment” as per the HIPAA regulation, behavioral health professionals wishing to offer COVID-19 groups must ensure that the groups are HIPAA compliant.

Support Groups and HIPAA

Much like a traditional support group, virtual groups must comply with the HIPAA Privacy Rule. Under the Privacy Rule, providers have an obligation to safeguard patients’ protected health information (PHI). Since the inherent nature of support groups is for patients to share information with several other patients who are experiencing similar conditions, the privacy requirement is often overlooked.

However, providers still have to adhere to the minimum necessary standard when using or disclosing PHI, ensuring its confidentiality. This means that although patients are permitted to share their own PHI, providers are not permitted to disclose patients’ PHI to the group.

Virtual groups must also ensure the integrity of PHI with security controls. As such, when choosing which telecommunications tool to use to host support groups, it is important that the tool has security measures in line with HIPAA standards.

This includes:

  • Access controls. Utilizes unique login credentials for each user to ensure that unauthorized users do not have access to closed sessions.
  • Audit controls. Monitors access to PHI to ensure adherence to the minimum necessary standard.
  • Encryption. Masks sensitive data to ensure that it cannot be read by unauthorized users.

Lastly, telecommunications tools are considered business associates under HIPAA. As such, for a tool to be used for support groups, its vendor must be willing to sign a business associate agreement (BAA). A BAA is a legal document that mandates the protections the business associate is required to have in place. Tools whose vendors are unwilling to sign a BAA cannot be used in conjunction with PHI, and therefore cannot be used to treat patients.