How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site. Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask Amber E. Your Own Question
Amber E.
Amber E., Attorney
Category: Legal
Satisfied Customers: 1482
Experience:  Experienced practitioner in areas of Divorce, Custody, Social Security, and Contract disputes.
Type Your Legal Question Here...
Amber E. is online now
A new question is answered every 9 seconds

Hi, Im trying to find out if Im a "covered entity" with regard

This answer was rated:

Hi, I'm trying to find out if I'm a "covered entity" with regard to HIPAA AND if not, would I become one if I used an online scheduling service (Full Slate) for my's my situation:

- I am a sole practitioner (psychotherapy) in private practice
- I do not accept payments from or are credentialed with any health care plan or EAP
- I do provide a receipt of service which includes CPT/DSM codes directly to the client for out of network reimbursement should the client request one
- I generally provide this (receipt of service) in person but can send in PDF form if the client requests it - Included in my informed consent/confidentiality statement (that the client must sign prior to service) is a section specifically devoted to the limits of confidentiality directly related to communications through technological means (internet, text, etc)...the client must initial understanding of the limits
- I accept credit cards and use "Square"

- "FullSlate" provides a means for clients to schedule their appointments online...clients are required to enter their name and email address to make an appointment...they can register on the site and receive a "log in", but this is not a required step to make an appointment. They receive email confirmations and reminders...the "subject line" of the email says either: Appointment Confirmation or Appointment Reminder
- Full slate has a HIPAA compliance statement on their site that lists their technological safeguards.
- They have a means for billing, etc., that I would NOT use.
- They do not have a means for a BAA.
- If I am currently NOT a covered entity, would I become one should I use the Full Slate service
Just a few questions.

As part of this process, do you provide any form of health care to the customer, bill the customer for any health care, or are you paid for any healthcare provided?

And if so, would you be required to transmit or communicate ANY any health information electronically in connection with the Full Slate service transactions?
Customer: replied 4 years ago.

Sorry, what exactly do you mean part of this process...and what is meant by "health information"?


By process, I mean to refer to your interaction with the customer - from providing service to your customers to being paid by them.

By health information, I mean any information about the customer that relates to their physical or mental health or condition, the provision of health care to that individual, or the payment or future payment for that care.
Customer: replied 4 years ago.

Please let me know if you are receiving what you need...not sure why, but this stuff REALLY confuses me. : \


I provide psychotherapy to clients, face to face and Skype


I do not "bill", I collect payment directly from the client at the end of each session in cash, check or credit card (using square) form


I provide a receipt for service directly to the client should they request one. That receipt includes the clients name, address, DOB, date and type of service, CPT and DSM code. This receipt is delivered to the client in person or through email if requested. This process is not connected to full slate in any way


Payment for service is not connected to full slate in any way


I do not provide any information about a client to full slate


The client provides their name and email address to full slate should they decide to schedule an appointment with me using the full slate scheduler




First, you asked whether you are a "covered entity" with regard to HIPAA. You stated that you provide psychotherapy to clients face to face and Skype, and you receive payment directly from them by cash, check, or credit card (Square), and sometimes receipts are sent by email.

Health care providers are considered "covered entities" when they transmit health information electronically, which appears to be the case here. And so, the short answer would be yes. This is because based on the information you have provided, there are at least three electronic transmissions of protected health information that occur, any one of which could potentially raise coverage and compliance issues - Skype, Square, and Email receipts.

If you don't mind, I want to give you a little more information about how these services might raise HIPAA and compliance issues, starting with Square. Credit card processing requires the transmission of protected health information; this is ordinarily enough to trigger coverage and require HIPAA compliance. The Office of Civil Rights (OCR) within the Department of Health and Human Services just this year clarified the law and carved out an exception for certain payment processing activities, including funds transfer, but not necessarily their email receipts that also contain protected health information. The risk of exposing confidential information by unprotected forms of electronic communication, such as email, may be reduced however by not sending electronic receipts at all and supplying paper receipts instead. I have provided a web address below to an article specifically following the every changing concerns about Square and HIPAA compliance, and what may be required by health care professionals who choose to use this service now and in the future. It's a good, plain language resource. And, because the interpretation of the law concerning this service and others like it is fluid, the site constantly updates, so you may want to check back to it often.

Now, about Skype. Again, this is an electronic transmission of protected health information. Normally, when using services such as these one must obtain business associate agreements (BAA), same as you would with any other vendors and subcontractors, in which they promise to comply with HIPAA rules. Skype doesn't do this, nor does it even purport to be HIPAA compliant (unlike Full Slate, which does). While Skype might claim exemption under the conduit exception, I don't see how it would fit. Normally that exception is reserved for courier-type services, such as the U.S. Postal Service or their electronic equivalents, such as internet service providers (ISPs). Even if by some chance Skype isn't a privacy risk under federal law, state laws regarding privacy and security can be more stringent. What I suggest for health care providers who utilize technology in innovative ways, the way you are, is to retain a local HIPAA attorney to walk through your process from beginning to end, highlight for you all of the areas of potential risk at each step, and advise you about what steps you can take to minimize the risk. It is well worth the investment, especially because the changes in the law are NOT keeping up with the technology and there could be unintended and costly violations.


Lastly, using a service like Full Slate, which at least purports to utilize "technological safeguards to facilitate your compliance with HIPAA," per their website, would not make someone a covered entity - it is the electronic transmission that does. Once the electronic transmission occurs, coverage is triggered and compliance is required. Of all the technologies you describe, Full Slate is probably the least worrisome and one of the most compliant, for all of the above stated reasons.

Amber E. and other Legal Specialists are ready to help you