The HIPAA-compliant virtual healthcare practice

The rise of the virtual healthcare practice in 2020

The concept of virtual healthcare has been around for over a century, going all the way back to the late 19th century when the telephone was discussed as a way to reduce visits to the doctor. In 2016, the federal government of the United States designated $16 million to improve access to healthcare in rural areas, which meant greater access to online care. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act were both introduced in part to facilitate the virtual healthcare practice.

But it was 2020 and the COVID-19 pandemic that tipped practitioners, patients, and clients over the hump into a world where the virtual healthcare practice is not only widely accepted but, in some cases, has become the new norm.

This new healthcare environment has highlighted questions concerning privacy, security, functionality, and professional, ethical responsibilities.

In March 2020, the US Office for Civil Rights (OCR) division of the Department of Health and Human Services (HHS) issued a notice stating that it would not apply penalties for “non-compliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

However, this notice didn’t absolve practitioners of their responsibility to protect their patients’ information. From a professional, ethical standpoint, it was still important to do what was necessary to maintain privacy. Practitioners found themselves scrambling to set up virtual practices with telehealth, while also seeking to understand the HIPAA rules and how they apply during the pandemic.

Fortunately, putting safeguards in place for a virtual healthcare practice is as easy as signing up for HIPAA-compliant telehealth and other communication services, many of which are affordable and easy to use.

A growing need for online healthcare services

This necessary, rapid transition to online care permanently changed the way many healthcare professionals managed their practices at a time when the need was increasing, particularly in the behavioral healthcare sector.

According to an article in Psychiatric Times, “Different groups have met the qualifying criteria for posttraumatic stress disorder (PTSD) according to DSM-5 as a result of the pandemic: those who have themselves suffered from serious COVID-19 illness and potential death; individuals who, as family members and health care workers, have witnessed others’ suffering and death; individuals who have learned about the death or risk of death of a family member or friend due to the virus; and individuals who have experienced extreme exposure to aversive details (e.g., journalists, first responders, medical examiners, and hospital personnel).”

Alcohol use disorders are also on the rise. A RAND Corporation study conducted in Sept. 2020 suggested that Americans are drinking 14 percent more often in response to pandemic-related stress. For women, heavy drinking days increased by 41 percent in 2020.

That increased need for care, along with the dramatic rise in telehealth sessions (96 percent of psychologists are treating patients remotely), has led practitioners to seek out new tools to make their practices more efficient in caring for their clients. Even as many practices are opening their non-virtual doors again, maintaining a virtual office will likely become a key component of hybrid practices that offer in-person appointments as well as telehealth.

The virtual healthcare practice is here to stay

The year of the pandemic taught us that the virtual practice is worth keeping around. Even healthcare practices not normally given to telehealth, such as physical therapy, have seen an uptick in requests for virtual visits when appointments don’t require in-person care.

When combined with in-person office visits, offering telehealth appointments can be more economical than in-office alone, allowing practitioners to use a shared office space a few days a week while remotely seeing patients the rest of the time from a home office. Or, if you choose to go a hundred percent virtual, you can trade monthly rent on office space for a considerably smaller investment in technology and tools to facilitate your remote setup. A virtual practice can also be more efficient, supporting greater scheduling flexibility, and it provides both security and functionality.

If you manage a healthcare practice, you know how important it is to have well-considered security measures in place. Not just because HIPAA requires them, but because security is crucial to the peace of mind of yourself and your patients, as well as the integrity of your practice. However, a highly functional, efficient practice is important as well.

Fortunately, it’s possible to have both. In fact, security and functionality are intrinsically linked. The most secure way of doing something can also be the most functional.

There is a balance that must be maintained between security and functionality. Too much of one or the other and the balance is thrown off, which is detrimental to your practice. Here are some things to consider to maintain an equilibrium between the two. You might find you need to tweak a few to get the perfect combination for your practice, but this is a good place to start.

Primary security concerns to keep in mind

Make sure you have BAAs from every third-party service provider. A Business Associate Agreement (BAA) is a signed document that affirms a third-party service provider's willingness to accept responsibility for the safety of your patients’ PHI, maintain appropriate safeguards, and comply with HIPAA requirements when they handle PHI on your behalf. Having one of these on file for every third-party service you use, such as your billing service, email service, and online fax service, goes a long way toward ensuring your HIPAA compliance.

Review the security of the services you use. If a service provides you with a BAA, most likely they’re using some sort of encryption. TLS encryption is the widely used cryptographic protocol used to secure messages in transit only. Some services, such as Hushmail, also use OpenPGP encryption, which secures messages in transit and in storage, providing greater security than TLS alone.

Practice good operational security and take advantage of extra security features. Add as many layers of security as you can without compromising functionality, and always maintain good security practices throughout your organization. Here are some examples of security measures you can take:

Use two-step verification with your accounts
Add a security question when you email someone for the first time
Don’t share accounts
Encrypt your computer’s hard drive
Use strong passwords and a reliable password manager
Keep your computer updated

This is not an exhaustive list, of course. It’s always a good idea to stay up to date on the latest security recommendations. The National Cybersecurity Alliance is a good place to get current tips.

Look for both functionality and efficiency

Affordability. Moving to a virtual practice means trading monthly rent on a brick-and-mortar office for a handful of tools and services to launch your remote office. When you shop around for secure services, you’ll find that there is a wide range of prices. Many services charge extra for a BAA, for example. Quite a bit extra, in some cases. Hushmail includes a BAA with all Hushmail for Healthcare plans, which start at $11.99/month.

Convenient for your patients. Services have to be convenient for both you and your patients to use. For example, Hushmail email is secure even if your patient doesn’t also have a Hushmail account. Instead, they’re directed to a private message center that they can use for the duration of your relationship once they establish a password. And Hush™ Secure Forms facilitates getting intake forms completed and signed before appointments, freeing you up to focus on the care at hand.

Easy-to-use features with the healthcare practitioner in mind. Consider the extra features that are included with a secure service. A practice management software might also include telehealth, such as TheraPlatform. And Hushmail isn’t just a secure email service, but also provides secure, customizable web forms and e-signatures.

Great customer care. Fast, efficient customer care is perhaps the most important requirement from a functionality standpoint. When problems come up, it needs to be easy for you to make contact and get an answer quickly.

HIPAA compliance and the virtual healthcare practice

As a healthcare practitioner, you’re used to thinking about HIPAA requirements. Not only are they necessary to understand for compliance reasons, but they are also valuable guidance for keeping your clients’ private information safe and secure.

The rise of the virtual practice prompted practitioners to take a closer look at HIPAA, as well as state and local jurisdiction requirements, and how those rules might affect them. Understanding the HIPAA Privacy and Security Rules is essential, as is understanding the basic ethical responsibilities around handling clients’ sensitive information.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets the standards for who may have access to protected health information (PHI). It covers all PHI, not just electronic, and specifies the scenarios in which personal data transmission is appropriate.

Without the HIPAA Privacy Rule, PHI could be passed back and forth online regardless of who might be viewing, mishandling, or stealing it. The rule requires healthcare practices to give careful thought to how PHI is transferred and provides some recourse when it’s mishandled.

HIPAA Security Rule

The HIPAA Security Rule sets the standards for ensuring that only those who should have access to electronic PHI (ePHI) have access. According to the HHS’s summary of the Security Rule, “the Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.” The HIPAA Security Rule only covers ePHI and requires practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrimes, and other web vulnerabilities.

One of the best things you can do to ensure that your practice is protecting your clients’ privacy and implementing adequate security safeguards is to familiarize yourself with the HIPAA Privacy Rule and HIPAA Security Rule.

You can read more about these HIPAA rules as well as safeguards and best practices on our HIPAA compliance and online communication – what you need to know web page.

Ethical requirements

Besides following HIPAA rules to the letter for the sake of protecting yourself from legal liability, such adherence to compliance is also a professional, ethical requirement. Although HIPAA rules were relaxed in March 2020 to accommodate the uncommon healthcare needs prompted by the pandemic, it was widely acknowledged that security still matters. And with so many people going online for their care, securing protected health information (PHI) might be more important now than ever. Suffice to say, even if HIPAA is giving practitioners a pass for now, that doesn’t mean you should take it.

It’s also important to consider not just HIPAA but state and local regulations as well. Because virtual practice makes it easy to offer services to anyone, anywhere, it’s essential to have a clear understanding of what jurisdiction you’re licensed in and what exceptions, if any, might apply to offering services to clients outside that jurisdiction.

Guarding your practice against potential risks

When it comes to risk and your virtual practice, it’s essential to get the security and privacy component right. Here are some important questions to ask yourself about your virtual practice:

How secure is my teletherapy platform?
Are the web forms I’m using with my clients as secure as they need to be?
Can my intake forms be completed, signed, and sent back in a secure manner?
With so much of my practice online, where are the vulnerabilities?

To answer these and other questions about the security of your virtual practice, it’s a good idea to conduct a thorough risk assessment. Even if you’ve conducted a risk assessment in the past, it’s necessary to review and update it if you’ve made changes to your practice in the last six months.

Conducting a risk assessment might sound a little intimidating, but there’s no need to worry. Risk assessment is something you can do on your own at a level that’s comfortable for you. While HIPAA requires risk assessment, it is also a best practice. Once you make it a regular part of your overall practice management, you’ll wonder what you ever did without it.

You can read about how to conduct a risk assessment in our blog post Is your new virtual practice secure? Conduct a risk assessment.

Setting up for virtual health care with Hushmail

Hushmail encrypted email and web forms can help you set up your virtual practice with effective and secure communication tools that protect your most valuable asset – your clients’ health information.

Consider your practice’s communication needs

All practices are different. How you and your colleagues choose to communicate with your patients will likely vary, as will the starting point for your virtual practice. It’s important to find services that support your preferences and current needs. For example, do you already have forms that work well for you, but want them recreated digitally so you can make use of the security and convenience of web forms? Do you need encrypted email, but want to retain your email setup on Outlook? Does your practice have strong name recognition with an email domain you want to keep?

Don’t let these questions discourage you. If you know where to look, you can find easy answers that will get you the setup you need.

Encrypted email

An encrypted email service should be secure, yet versatile, allowing you to control when you encrypt messages. It should also be convenient for both you and your recipients. Hushmail gives you an email service you can use for confidential messages that can be encrypted by enabling an encryption switch, but also for everyday email purposes that don’t need encryption. Hushmail uses two types of encryption to secure your emails and web forms both in transit and in storage. We make it easy to email from anywhere with our Hushmail for iPhone app or Android integration. You can also use a third-party email app, such as Outlook, and you can even keep your own domain. Hushmail email provides you with the ideal balance of security, convenience, functionality, and cost.

Hush™ Secure Forms

Secure email is great for the confidential conversations you have with your clients in between appointments. But what about all the information you need to collect and file about your clients for practice management purposes?

There are numerous forms you need to have your clients fill out and sign before you begin providing them with virtual care. Forms such as a clear communications policy; email and texting risk questionnaire; and request for non-secure communications form go a long way toward ensuring both parties are on the same page when it comes to communication.

All of this information needs to be kept private. You can use secure web forms, protected with the same encryption as Hushmail email, to keep your client’s personal information safe and secure.

Hush™ Secure Forms makes setting up your intake forms very easy by providing a template directory with ready-made forms you can use immediately. You’ll find a wide variety of templates including the following:

Intake forms
Client experience survey
Self-administered questionnaires, such as the PHQ-9 depression screening
COVID-19 screening questionnaire

You also have access to special features, such as e-signature fields, body charts with pinpointing ability, and conditional visibility to give your clients a personalized experience.

Private message center

A Hushmail account allows you to communicate securely with your patients through encrypted emails and web forms. However, your patients probably don’t have Hushmail accounts themselves, and that’s OK. That’s where our private message center comes in.

Our message center is the communication hub between you and your patients. There they can receive secure email and web forms from you and reply securely. The message center is simple to use, and, most importantly, it’s secured with several security measures that ensure the privacy of your communications.

You can learn more about how the message center works in our blog post Top 4 tips for sending your first secure message to a new client.

Virtual healthcare practice success stories

Hushmail has proven to be the perfect fit for numerous healthcare professions from behavioral health therapists to dentists to optometrists and many others. One of the best ways to understand how Hushmail can benefit your practice is to read the stories of those who have already made the switch to encrypted email and web forms. Here are three customer success stories from different professions that demonstrate how Hushmail can be the best answer to a variety of challenges.

Carol Park, LPC-S, RD

Find out how Carol Park, a Licensed Professional Counselor and Registered Dietitian, is managing her practice during the pandemic using HIPAA-compliant web forms to help her provide telehealth services to her clients.

In Carol’s success story, you’ll read about:

How she quickly put technology in place during a stressful time
How her practice changed when she started using secure web forms
How she’s adjusted to using telehealth to care for more clients
A little about the history and use of telehealth

Carol’s story

My practice provides psychological and nutritional therapy for individuals struggling with eating disorders. I was, and still am, an individual practitioner with a full caseload. Prior to the pandemic, about 90 percent of my cases were in-office with the rest over telehealth.

I’ve been using Hushmail for years as my secure email provider, but it wasn’t until just before the COVID-19 pandemic that I started putting Hush™ Secure Forms to full use in my practice. In all candidness, I’m not the most tech-savvy person in the world, and a colleague helped me put the web forms on my website. You can find them under the Helpful forms tab.

Download the complete success story

Neil J. Gajjar, DDS

Explore how dentist Dr. Neil Gajjar safely continued providing emergency care at the height of the pandemic and reopened his elective services using encrypted web forms as part of his strategy to maintain safe contact with his patients.

In Neil’s success story, you’ll read about how he:

Used secure web form to reduce contact, increase efficiency, and streamline operations
Maintained positive interaction with patients while limiting physical contact as much as possible
Launched intake forms patients could fill out and sign at home
Efficiently screened patients and staff for COVID-19

Neil’s story

The news that I had to close my practice except for emergent care was unprecedented and a bit of a shock. I’d just returned from a trip to the US, and I chose to quarantine myself for 14 days, although at that time it wasn’t mandatory. It was the prudent decision.

When I returned to my practice, I found a stack of intake forms on my desk that were damp. When I asked why, I learned that because the forms had gone through multiple hands and multiple areas in the office, my staff had attempted to sanitize them by spraying them with disinfectant. They were difficult to read, and it was clear that paper forms would no longer work for us. It was also clear that we would have to examine all areas of the practice to make sure we responded appropriately to this situation.

Download the complete success story

Kevin L. Gee, OD, FAAO

Get to know Dr. Kevin Gee, an optometrist in Missouri City, Texas, who placed encrypted email and web forms at the center of his practice’s strategy to keep staff and patients safe during reopening, and found them to increase his efficiency in unexpected ways.

In Kevin’s success story, you’ll read about:

The two web forms he uses to safely welcome patients for their appointments
How he used easy-to-edit web forms to keep up with frequent changes to pandemic recommendations
An unexpected silver lining that’s helping him get to know his patient’s better
His three recommendations for managing a practice during uncertain times

Kevin’s story

We shut down our practice in March, except for emergency cases. During this time, it was important that our patients felt they were still connected with us. I knew communication would be key! We used an automated response on our phones to inform them that our practice was closed, and messages were rerouted to my Hushmail inbox, so I was always apprised of their needs and could respond promptly. This was a confusing time for everyone, and we figured that reliable communication would be an important component in helping our patients feel safe.

Because the future was uncertain, we sent out a newsletter encouraging our contact lens wearers to contact me if they had less than a three month supply. Within 18 hours, we filled 45 orders! Rebates, receipts, other documents were easily sent securely back and forth with Hushmail.

Download the complete success story

Our telehealth partners

Hushmail is pleased to partner with a variety of like-minded organizations that share our values and offer complementary products and services to help support your virtual practice. The following are Hushmail partners that offer telehealth services:

thera-LINK is a telehealth platform for mental and behavioral health professionals to meet securely with their clients using video technology. thera-LINK also includes scheduling, appointment reminders, credit card payments, and secure document sharing in addition to the video.

TheraNest is an all-in-one practice management software trusted by thousands of mental health professionals. Everything you need to manage your practice in one easy-to-use tool—from unlimited note templates to fully integrated Telehealth features—TheraNest is designed to make your day easier.

TheraPlatform is a secure and HIPAA compliant all-in-one: practice management, billing, documentation software with integrated video conferencing for mental health providers.

Visit our partner page for special offers, and read our guest blog post by TheraNest for tips on how to set up your telehealth practice: Partner post: telehealth mistakes to avoid.

Hushmail can support your virtual practice

Did you get a lot out of this page?

We're always publishing new information to help you better understand the intricacies of secure communication. Here are some other pages that might interest you as well:

HIPAA compliance and online communication – what you need to know
Online forms can transform your healthcare practice