Technology companies think about HIPAA very differently than most mental health professionals are trained to think about HIPAA. There are many loopholes, vulnerabilities and areas of misinformation related to the differing legal responsibilities of therapists and the technology companies which serve therapists.
The old saying “We don’t know what we don’t know” speaks to the issues of concern about online therapist locator services.
As the developer of a website functionally equivalent to Psychology Today’s therapist locator, internal referral communication services and a telehealth system, I have hands-on understanding of what a high-tech database, talented engineers, marketing professionals and advanced programming software are capable of doing. I have spoken with numerous developers of EHR and outcome measurement systems. I understand the technology and functionality of therapist locator systems, intranet text communication and referral technology, and the vulnerabilities of that technology.
Website developers know that a therapist locator site touches significant information provided by the public. In my opinion the public may reasonably believe that therapist search information is protected or at least private; not for distribution, sale or publication. Furthermore, therapists must bear some responsibility to vet the businesses they employ to help them market their services and facilitate communication between therapists and the public.
Every IP address, MAC Id, cursor movement, keystroke, click, or file opened in a therapist locator system, can be time stamped, viewed, digitally recorded and saved using the system’s hosting platform. All that data could be aggregated, correlated, analyzed, viewed, saved, published and sold; legitimately or not.
According to software developers and US Department of Health and Human Services, one small piece of data can be a key to identifying a person as the patient of a specific provider. Virtual private networks are not enough to keep PII and PHI private. Knowing this, a website therapist locator service should be designed so that security procedures and organizational policy keeps private and secure Personally Identifiable Information (PII) and Protected Health Information (PHI) gathered implicitly and explicitly from the public.
Like every other therapist locator website, the database I created is capable to determine the identity of individuals who use it. For example, business intelligence (BI) software and advanced SQL queries and AI are capable to connect the identity of individuals using a website with the reason those people have for contacting providers. Such software is capable to identify the providers who are contacted. That capability should be highly secured and the data should be accessible only through appropriate permission strategy, a 3 step access verification, and login tracking.
Sharing a therapist locator’s internal communication database with the capabilities of other data warehouses could allow construction of elaborate profiles of individuals who navigated the website and used the therapist locator. With that information a sophisticated phishing initiative could, for example, be developed targeting uninformed, vulnerable patients, their friends and/or family members.
We can only imagine what malicious employees of Psychology Today working with cohorts at Amazon could do! Appropriate BAAs would lock the front and back doors on opportunities for malfeasance.
As a psychologist and software engineer educated in HIPAA issues and the purposes of BAAs, I know the websites I create are high-tech healthcare operation services which should comply with HIPAA regulations. I believe businesses providing therapist locator services should set and meet a high professional and ethical bar. Ask yourself, do I have any patient who would feel harmed if their identity as a patient, what they are being treated for, and our phone numbers were published?
Patients and providers cannot be protected from the behavior of shady organizations or their employees without protections enforced by the powers of Federal and State regulation and the Departments of Justice. PHI is defined and protected by HIPAA regulation. This includes PII which covered entities use or store as part of care. That information is only shareable for medical purposes. HIPAA does not confine PHI to healthcare records and test results. PHI is any information a provider uses and/or discloses that can identify a patient seeking services, or an appointment or contact with a provider.
Even when PII does not reveal a patient’s healthcare history, it is still PHI when linked to a health condition or request for care for a health condition. A patient's name or email alone can be considered PHI if in any way associated with a healthcare provider.
Database technology combined with business information software can calculate and express the association between an individual, a provider and services for a health condition as a probability. Predictive analytic functionality is built into business information software. Patients, their providers and their conditions can be identified within a statistical level of certainty. That creates vulnerability at best and a breach of privacy at worst. Either way, therapists could be held legally and ethically responsible for patients’ loss of privacy..
A referral-site business should offer a BAA to the professionals whose practices are listed. The therapist locator and internal communication system I created has HIPAA policies and procedures in place to help assure data security, privacy and integrity. Security refers to access. Privacy refers to viewing PHI. Integrity refers to non-corruption of data. Those policies and procedures have been reviewed by a Board of professionals representing members of the site.
Why are a Review Board and BAAs important?
HIPAA is complex, not static. HIPAA regulates processes which provide assurance that people have certain rights and protections; these are not required to be “bullet proof” but must include reasonable actions to assure privacy, security and data integrity for covered entities. An advisory board of therapist-users is a valuable collaboration which protects patients and therapists.
Offering HIPAA assurance is expensive and time consuming. A potential breach is called an “incident” and must be investigated, documented and mitigated; must be reported to HHS if the incident represents a significant violation, problem and/or potential harm.
Licensed mental health professionals providing counseling and psychotherapy services are defined by HIPAA regulation as “covered entities.”
Many therapists do not understand that they are covered entities who must adhere to HIPAA and must protect patients. Therapist locator and internal communication service companies provide services that the covered entities (therapists) pay them to provide. Therapist locators do not work for the public; they work for the mental health care providers who enroll on those sites. A massive violation of HIPAA such as publication or illegal sale of PII and PHI could have significant legal and financial impact on covered entities.
Without BAAs, covered entities (therapists), patients, and the public lack affordable or feasible means to determine what a therapist locator service is doing with information gained by their service.
As part of due diligence when creating the operating policies for my company, I considered the public/patients first, therapists second and my company third.
Investigation determined that ordinary professional liability insurance such as the policy I buy for my therapy practice does not cover data privacy, security, integrity, or investigation of incidents pertaining to EHRs or any other electronic information gathering, storage, processing, and/or display service.
Cyber insurance is a separate form of insurance than therapists’ professional or general liability coverage. One million dollars of cyber insurance coverage for the therapist locator I created costs my company about $2200 per year.
Are therapist locators and their internal communication systems secure, private and reliable?
Can you imagine what an “antisocial” engineer working for a large therapist locator service could do with database and network access permissions? What if Russian, Chinese, or Iranian hackers gained access to Psychology Today’s communications and User interface (UI)? The vulnerabilities in these systems are frightening to me and to people I know who have administered these systems.
Covered entities, individual or corporate, which provide healthcare services are responsible for preventing and reporting HIPAA incidents. They are responsible when their healthcare operations support services have potential access to PII and PHI. It is implicit that covered entities should not contract with a healthcare operation support service that does not provide HIPAA assurance. The Department of Health and Human Services determines whether and when a HIPAA incident is a violation.
Without a BAA, a healthcare operations support service could dispute challenges to their security, or whether they are legally required to inform therapists, or to pay the cost of reporting a breach, or help therapists mitigate potential harm to patients. The covered entities would have to file suit against the healthcare operations support company that has no BAA and make a case, at considerable expense, if PHI or PII were misused.
If therapists had BAAs with companies offering therapist locator services, the companies would be required to report any incident to HHS and all covered entities. The U.S Department of Justice (DOJ) would be required to investigate.
BAAs for United States health data-handling services are required by federal regulation to make sure providers are informed of significant data-handling incidents. With a breach, and no BAA, providers might become named defendants held responsible for the breach. Even with a BAA, breach expense to a provider to mitigate any harm done to patients and the public trust can be significant.
Healthcare operations support businesses are not covered entities under HIPAA; they provide services to covered entities. United States healthcare operations support businesses are expected to offer BAAs and healthcare providers are expected to obtain them. Failing to obtain a BAA does not relieve covered entities of their responsibilities under State and Federal law.
I use Psychology Today myself for healthcare operation support services described generally in a contract provided by Psychology Today. I would like to believe that Psychology Today (technically) “works for me”, that its system is highly secure, and that it has no employees who are (insert any awful scenario to illustrate the point) grifters, con-artists, functional psychopaths or unwitting Russian/Chinese/Iranian assets. But can I demonstrate any proof of my hope? What outrage might make those marketing their practices on Psychology Today vulnerable to a class action lawsuit by inflamed members of the public who find their lives invaded by sneaks who know too much about their problems?
BAA’s (at least the several I have read) do not cover providers’ costs of breach notification; they exist primarily to assure customers of safe operations and commit to identify, investigate, document and fix problems. If there is a incident, therapists are ultimately responsible to notify the US Department of Health and Human Services. That is why covered entities (therapists) need BAAs for individual contractors and for companies they contract with for services. Without a BAA, a covered entity is on your own to investigate, report and mitigate harm and potential harm to their patients. An argument that you “did not know” would likely be met with “aren’t you supposed to know and isn’t it your job and legal responsibility to inform your patients and protect their privacy?”
Healthcare operations support organizations are typically profit driven and self-protective. Even if an organization displays a website policy promising to not use PII and PHI, how would you know if there was a breach? Would you expect (without BAA assurance) that a healthcare operation support business might tell you that one of their employees sold or gave away information including PII and PHI, or that such information was hacked?
In my opinion, covered entities might be held responsible when they accept services from a healthcare operation support business and there is no BAA.
Insurance for cyber security for one therapist cost $1200 to $1800 a year when recently checked. Remember, professional liability and general liability policies do not usually cover cyber security or breach costs or HIPAA incidents or violation investigations concerning an EHR.
When there have been security breaches, some larger healthcare provider systems have sued healthcare operations support businesses for damages. Without a BAA it would be difficult to for a therapist or patient to prove a healthcare operations business was negligent or criminal. It would likely require a class action lawsuit.
Healthcare operation support businesses have insurance to defend against lawsuits. I am told by my attorney that covered entities must be insured or pay out of pocket to bring a civil action against a healthcare operations support business. If you sue a technology company, you could find yourself named in a counter suit for which you may need appropriate business insurance to cover the expense.
Without a BAA, on healthcare operation support services can post disclaimers and terms of use and language that in effect indemnify, hold harmless, waiver a rights to trial, limit liability, establish jurisdiction, For example…
EACH PARTY WAIVES TO THE FULLEST EXTENT PERMITTED BY LAW ANY RIGHT TO TRIAL BY JURY IN ANY ACTION, SUIT OR PROCEEDING BROUGHT TO ENFORCE, DEFEND OR INTERPRET ANY RIGHTS OR REMEDIES ARISING UNDER, RELATING TO OR IN CONNECTION WITH THESE TERMS OF USE.
Common disclaimers have specific broad language that the website owner are not responsible for “…other harmful components.”
WE MAKE NO WARRANTY THAT THE SITE'S SERVICE WILL BE UNINTERRUPTED, THE SITE'S FUNCTIONS SHALL BE ERROR-FREE OR, THAT THE SITE OR THE SERVERS THAT MAKE IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
Other harmful components” include databases exploited internally and the effects of databases exploited externally by malicious software, cyber espionage, and the unprecedented impact of Russian hackers who have penetrated the Federal Government and over 20,000 business networks in the U.S. including Microsoft, Amazon Web Services and Citrix,
Psychology Today operates a huge public data-handling business, does business with mental health professionals in communities in every State in America and internationally. Psychology Today offers therapist locator services, has functionality that allows therapists to communicate back channel with other therapist-subscribers, sharing PII and PHI; transmitting PII and PHI for healthcare purposes. This simultaneously complicates providers’ responsibility and illustrates that these functions are healthcare support operations because PII and PHI are inherently available. Other therapist locators offer back-channel communication among subscribers.
Many therapist locator services, including Psychology Today, do not offer BAAs. I have told you why I offer a BAA. I can only speculate about why Psychology Today and other therapist locators don’t or won’t. This is all very complicated for a solo-practice therapist to investigate. For example, last I checked, Psychology Today was a corporation chartered in the Cayman Islands. Likely, Federal and State Law, and U.S. regulations do not apply to Cayman corporations. But U.S. Regulations apply to covered entities.
Recently, Psychology Today has expanded its communications offerings to include a teletherapy videoconferencing app. The app is called Psychology Today Sessions. I encourage you to read a critique by PersonCenteredTech about that service and its "BAA."
Maybe therapist locators are so big or so small that no regulatory agency has the mandate or resources to initiate legal action to find out just what data they collect and what they are doing with that data. Or, have these businesses developed in a world that is poorly informed or too busy to notice there’s a problem?
Conclusion
At this time, based on (1) experience, (2) the information available, and (3) abundance of caution, I can find no ethical or regulatory reason why HIPAA responsible entities (mental health professionals, clinics, etc.) should not strive to protect the public by requiring BAAs from businesses that touch patient or potential patient data, especially those that (1) provide therapist locators, (2) display professional profiles, (3) publish articles on mental health, (4) support electronic communication between patients and healthcare professionals and (5) provide internal electronic communication permitting professionals to make referrals to one another. Each of these variables, in part or in total, can be used to identify people and their communications with therapists in the course of seeking services.
