WELCOME TO SOUTHERN ASSOCIATION FOR COUNSELOR EDUCATION AND SUPERVISION
Technology and HIPAA Privacy Devices & Software
Many SACES members contacted us after our previous post on HIPAA-compliant external hard drives and flash drives, asking for more in-depth information on why encryption is necessary for confidentiality, safety, and much more. We heard you, and below we offer answers to your questions.
Before we begin, here are some important points that every counselor educator, counseling professional, and counselor-in-training should know from the American Counseling Association Code of Ethics, Section H (Distance Counseling, Technology, & Social Media), page 17, https://www.counseling.org/resources/aca-code-of-ethics.pdf:
• H.1.a. (Knowledge and Competency)
Counselors who engage in the use of distance counseling, technology, and/or social media develop knowledge and skills regarding related technical, ethical, and legal considerations (e.g., special certifications, additional course work).
• H.2.a. (Informed Consent and Disclosure)
Clients have the freedom to choose whether to use distance counseling, social media, and/or technology within the counseling process.
• H.2.b. (Confidentiality Maintained by the Counselor)
Counselors acknowledge the limitations of maintaining the confidentiality of electronic records and transmissions. They inform clients that individuals might have authorized access to such records or transmissions.
• H.2.d. (Security)
Counselors use current encryption standards within websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic media.
• H.3. (Client Verification)
Counselors who engage in the use of distance counseling, technology, and/or social media to interact with clients take steps to verify the client’s identity at the beginning and throughout the therapeutic process.
• H.4.a. (Benefits and Limitations)
Counselors inform clients of the benefits and limitations of using technology applications in the provision of counseling services. Such technologies include, but are not limited to, computer hardware and/or software, telephones and applications, social media and Internet-based applications and other audio and/or video communication, or data storage devices or media.
• H.4.b. (Professional Boundaries in Distance Counseling)
Counselors understand the necessity of maintaining a professional relationship with their clients. Counselors discuss and establish professional boundaries with clients regarding the appropriate use and/or application of technology and the limitations of its use within the counseling relationship (e.g., lack of confidentiality, times when not appropriate to use).
• H.5. (Records and Web Maintenance)
• H.6. (Social Media)
What is Encryption?
According to HealthIT.gov (2017), “Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users.”
What Should I Look for Before Buying a HIPAA-Compliant Encrypted Flash Drive?
Follow these guidelines when you are looking for encrypted storage for Protected Health Information (PHI) (source: Lux Scientiae, Inc., 2016):
Why store PHI / Patient Data on a USB Flash Drive?
In organizations where the use of USB drives and other portable media for patient data is not explicitly forbidden (as it should be), practitioners are left to their own devices and seek solutions that make their work as efficient as possible. USB drives are extremely cheap, extremely portable, and extremely easy to use. Practitioners commonly use them to:
So, What’s Wrong With That?
While USB drives make things quick and easy, there are a few significant issues that warrant their complete non-use in a health care environment (at least for PHI).
Loss = Breach
A lost or stolen USB drive with ePHI on it is an automatic HIPAA breach, which can and will subject your organization to fines, negative publicity, and possibly criminal charges if willful negligence of HIPAA is determined.
This is not a joke — companies are already being fined millions of dollars for breaches involving even just one lost or stolen hard drive. It is so much easier to lose a USB drive than to have a regular-sized portable hard drive stolen from a car.
HIPAA requires all breaches to be reported, all affected patients to be notified, and the media to be notified (if the breach is large enough). Failure to report a breach would be even worse — should the breach be discovered later — as that would be “willful negligence” and you would not want to have that laid on you (see HIPAA penalties).
The “Onerous” HIPAA Security Rule
OK, so you will be very careful so that your jump drive is not lost or stolen? Then HIPAA says that you must:
1. Follow all the normal rules required by HIPAA for PHI in general. See our Compliance Checklist.
2. Ensure that the PHI on your USB drive can only be accessed via username and password and that such access is logged. (This is not normal and requires extra software or special hardware.)
3. Encrypt the data on the USB flash drive. See, for example, GoldKey.
4. Log the movements of your USB drive — i.e., you must keep a written record of everywhere it is moved to (this is best not done in a little notebook kept with the drive…).
5. When you are done with the USB drive, dispose of it in a way that prevents any data from being recovered from it by a third party (that doesn’t mean simply breaking it or dipping it in liquid… see How–and Why–to Destroy Old Flash Drives).
6. Ensure that ALL computers that you use to access the USB drive meet HIPAA requirements for Workstation Use themselves (e.g., software running, virus checkers, access controls, logging, etc.).
7. A careful reading of the HIPAA Security Rule will reveal finer nuances as well.
So, while use of a thumb drive is possible in a healthcare setting, such use requires a lot of planning, special software, drives with built-in encryption, and careful tracking and logging. Even with all that, if the drive gets lost it can still be a breach, even if the data on it is encrypted (though that will help mitigate how much trouble you are in).
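To make the data-at-rest definition from the "What is Encryption?" section and requirements 2 and 3 above (password-gated, logged access and encrypted data) concrete, here is an added Python illustration. It is not code from SACES, Lux Scientiae, GoldKey, or any other product named on this page, and it is for understanding only: a practice should rely on a certified hardware-encrypted drive or the operating system's own disk encryption, which are evaluated against current standards, rather than on a script like this. The example derives a key from a password with PBKDF2 (Python standard library), encrypts a constructed sample record with an HMAC-SHA256 keystream, seals the result with an HMAC tag so that a wrong password or any alteration of the stored bytes is rejected instead of silently yielding garbage, and records every open attempt in a log. The container layout (the `PHIBOX1` marker), the function names, and the sample record are assumptions made for this example.

```python
# Added illustration for this page (not SACES, Lux Scientiae or product code):
# password-derived key, encrypt-then-MAC container, and an access log.
# Standard library only. The PHIBOX1 layout and the sample record are assumptions.
import hashlib
import hmac
import secrets
import struct
import time

MAGIC = b"PHIBOX1"                      # assumed container marker
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
PBKDF2_ROUNDS = 200_000                 # makes password guessing on a lost drive slow


def _derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256: one 64-byte secret split into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a pseudorandom keystream of `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, password):
    """Return MAGIC | salt | nonce | ciphertext | tag, with a fresh salt and nonce every call."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()   # tag covers header and body
    return header + body + tag


def decrypt(blob, password):
    """Check the tag before using the ciphertext; raise ValueError on wrong password or tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a container produced by this tool")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    body, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        raise ValueError("wrong password or container has been altered")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def open_record(blob, password, user, log):
    """Decrypt on behalf of `user`, appending every attempt (opened or denied) to `log`."""
    try:
        data = decrypt(blob, password)
    except ValueError as exc:
        log.append({"ts": time.time(), "user": user, "result": "denied: " + str(exc)})
        raise
    log.append({"ts": time.time(), "user": user, "result": "opened"})
    return data


# Constructed sample record for the example; no real client data.
SAMPLE_RECORD = b"client_id=0001; session=2016-09-14; note=progress toward treatment goals"

if __name__ == "__main__":
    container = encrypt(SAMPLE_RECORD, "correct horse battery staple")
    access_log = []
    print(open_record(container, "correct horse battery staple", "counselor_a", access_log))
    try:
        open_record(container, "password123", "unknown_user", access_log)
    except ValueError as err:
        print("rejected:", err)
    for entry in access_log:
        print(entry)
```

Two points worth noticing when running it: the same record encrypted twice produces different bytes (fresh salt and nonce), so an attacker holding two copies of a lost drive learns nothing from comparing them; and a wrong password is refused outright rather than returning scrambled data, which is what lets the access log distinguish a legitimate open from a failed attempt.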
Alternatives to USB Drives?
OK, so you are ready to kick the portable-drive habit. What you use instead depends on exactly what you are trying to accomplish with the flash drives. In any and all cases, you should start with:
Then, you need to have a way to communicate your files between these computers in a compliant way without carrying them with you. There are many ways to do this.
The first two options – outsourced email or file storage – are least expensive and involve perhaps the least HIPAA knowledge and risk on your part. An EMR is useful if you have more general needs and can afford such a system, though you can get many aspects of an EMR through use of outsourced email, file storage, and collaboration software (such as that provided by LuxSci). Local file storage requires the most knowledge and risk and a fair amount of cost, but it can grant the most flexibility if your requirements are specialized.
HIPAA Technology & Software
Certified Health IT Product List
Practice Management Software
EMR/EHR (comprehensive service for all aspects of practice)
Examples: MyClientsPlus; Simple Practice
Scheduling: Jituzu; YellowSchedule
List of reviews of software programs: http://www.capterra.com/mental-health-software/
Remotely lock your cell phone or erase data from your cell phone
a. Android device:
b. iPhone device:
Gatekeeper Wireless Bluetooth Computer Lock
HIPAA e-mail companies:
Hushmail – offers free accounts
SendInc – offers free accounts
More information at: http://telehealth.org/blog/hipaa-compliant-email-
Technology Resources focused on HIPAA Privacy
Health Information Technology
Listservs specifically focused on HIPAA privacy and security
Sign Up for the OCR Privacy & Security Listserv (http://www.hhs.gov/hipaa/for-professionals/list-serve/index.html)
Want to learn more about the HIPAA Privacy & Security Rules?
OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!
These are announcement only listservs, so we will be unable to distribute or directly respond to any feedback you provide.
Privacy Listserv
Visit the OCR-PRIVACY-LIST for a summary of archived announcements
Subscribe, delete or update your subscription to the OCR Privacy Listserv
Security Listserv
Visit the OCR-SECURITY-LIST for a summary of archived announcements
Subscribe, delete or update your subscription to the OCR Security Listserv
HealthIT.gov. (2016). What is encryption? Retrieved from https://www.healthit.gov/providers-professionals/2-install-and-enable-encryption
Lux Scientiae, Inc. (2016). Jump/thumb drives and PHI don’t mix. Retrieved from
Do you have questions or comments? Contact me at firstname.lastname@example.org
SACES social media co-chair
SACES Technology Interest Network
The University of New Orleans
Counselor Education program