Have Legal Questions? Ask a Lawyer Now.
Sorry, what exactly do you mean by...as part of this process...and what is meant by "health information"?
Please let me know if you are receiving what you need...not sure why, but this stuff REALLY confuses me. : \
I provide psychotherapy to clients, face to face and Skype
I do not "bill", I collect payment directly from the client at the end of each session in cash, check or credit card (using square) form
I provide a receipt for service directly to the client should they request one. That receipt includes the clients name, address, DOB, date and type of service, CPT and DSM code. This receipt is delivered to the client in person or through email if requested. This process is not connected to full slate in any way
Payment for service is not connected to full slate in any way
I do not provide any information about a client to full slate
The client provides their name and email address to full slate should they decide to schedule an appointment with me using the full slate scheduler
First, you asked whether you are a "covered entity" with regard to HIPAA. You stated that you provide psychotherapy to clients face to face and Skype, and you receive payment directly from them by cash, check, or credit card (Square), and sometimes receipts are sent by email.Health care providers are considered "covered entities" when they transmit health information electronically, which appears to be the case here. And so, the short answer would be yes. This is because based on the information you have provided, there are at least three electronic transmissions of protected health information that occur, any one of which could potentially raise coverage and compliance issues - Skype, Square, and Email receipts.If you don't mind, I want to give you a little more information about how these services might raise HIPAA and compliance issues, starting with Square. Credit card processing requires the transmission of protected health information; this is ordinarily enough to trigger coverage and require HIPAA compliance. The Office of Civil Rights (OCR) within the Department of Health and Human Services just this year clarified the law and carved out an exception for certain payment processing activities, including funds transfer, but not necessarily their email receipts that also contain protected health information. The risk of exposing confidential information by unprotected forms of electronic communication, such as email, may be reduced however by not sending electronic receipts at all and supplying paper receipts instead. I have provided a web address below to an article specifically following the every changing concerns about Square and HIPAA compliance, and what may be required by health care professionals who choose to use this service now and in the future. It's a good, plain language resource. And, because the interpretation of the law concerning this service and others like it is fluid, the site constantly updates, so you may want to check back to it often. http://www.personcenteredtech.com/2013/04/is-square-hipaa-compliant-how-about-pci-compliant/ Now, about Skype. Again, this is an electronic transmission of protected health information. Normally, when using services such as these one must obtain business associate agreements (BAA), same as you would with any other vendors and subcontractors, in which they promise to comply with HIPAA rules. Skype doesn't do this, nor does it even purport to be HIPAA compliant (unlike Full Slate, which does). While Skype might claim exemption under the conduit exception, I don't see how it would fit. Normally that exception is reserved for courier-type services, such as the U.S. Postal Service or their electronic equivalents, such as internet service providers (ISPs). Even if by some chance Skype isn't a privacy risk under federal law, state laws regarding privacy and security can be more stringent. What I suggest for health care providers who utilize technology in innovative ways, the way you are, is to retain a local HIPAA attorney to walk through your process from beginning to end, highlight for you all of the areas of potential risk at each step, and advise you about what steps you can take to minimize the risk. It is well worth the investment, especially because the changes in the law are NOT keeping up with the technology and there could be unintended and costly violations.
Lastly, using a service like Full Slate, which at least purports to utilize "technological safeguards to facilitate your compliance with HIPAA," per their website, would not make someone a covered entity - it is the electronic transmission that does. Once the electronic transmission occurs, coverage is triggered and compliance is required. Of all the technologies you describe, Full Slate is probably the least worrisome and one of the most compliant, for all of the above stated reasons.
DISCLAIMER: Answers from Experts on JustAnswer are not substitutes for the advice of an attorney. JustAnswer is a public forum and questions and responses are not private or confidential or protected by the attorney-client privilege. The Expert above is not your attorney, and the response above is not legal advice. You should not read this response to propose specific action or address specific circumstances, but only to give you a sense of general principles of law that might affect the situation you describe. Application of these general principles to particular circumstances must be done by a lawyer who has spoken with you in confidence, learned all relevant information, and explored various options. Before acting on these general principles, you should hire a lawyer licensed to practice law in the jurisdiction to which your question pertains.
The responses above are from individual Experts, not JustAnswer. The site and services are provided “as is”. To view the verified credential of an Expert, click on the “Verified” symbol in the Expert’s profile. This site is not for emergency questions which should be directed immediately by telephone or in-person to qualified professionals. Please carefully read the Terms of Service (last updated February 8, 2012).