I often receive questions during consultations that require fairly brief answers. Although I tend to focus on “big picture” topics in this column, I thought I’d take a break from that routine to answer some of the most popular questions I get asked related to technology in private practice.
Some of these questions touch on legal matters, but please note that my answers do not qualify as legal advice. You should always consult an attorney about legal questions.
Can I use online accounting/billing services such as QuickBooks Online and remain compliant with the Health Insurance Portability and Accountability Act (HIPAA)?
The short answer: It depends. The answer centers around whether you are storing protected health information (PHI) in whatever online system you are using. According to the U.S. Department of Health and Human Services (HHS) summary of the HIPAA privacy rule, PHI is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present or future payment for the provision of health care to the individual
This information must identify the individual, or a reasonable basis must exist to believe that it can be used to identify the individual.
If you are storing PHI with a third party, you must enter into a business associate agreement (BAA) with that party. The BAA is a contract that essentially states that the vendor will comply with HIPAA. It also lays out what the vendor’s responsibilities and your responsibilities are for protecting PHI, among other things.
To return to the question at hand: To use any online service that stores client information, you would need to choose a vendor that complies with HIPAA and that will enter into a BAA with you. At the time of this writing, QuickBooks Online does not meet those requirements. In fact, QuickBooks Online recommends that its users not enter PHI into its system (see bit.ly/QBHIPAA).
So, why was my initial answer, “It depends”? Because if you are not entering any PHI into QuickBooks Online, then you can still use it while complying with HIPAA. The most common case for this is when client billing is handled through a separate application (see bit.ly/EHRReviews) and a counselor uses QuickBooks only for accounting (tracking of revenue and expenses not attached to any particular client).
Can I remain HIPAA compliant if I use services such as an online calendar from a vendor that isn’t HIPAA compliant if I use only the client’s initials?
The short answer: No. HHS has clearly stated that “a data set that contained patient initials, or the last four digits of a Social Security number, would not meet the requirement of the Safe Harbor method for de-identification.”
HHS is referring to the de-identification of PHI. HIPAA does allow the storage and transfer of PHI if it has been properly de-identified. This means that someone would not be able to determine the individual with whom the PHI is associated because enough identifying information has been stripped away.
There are two methods to achieve this level of de-identification. One is the “expert method.” This means that you or someone you hire who has “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” is able to declare and document that the PHI has been properly de-identified. This is a highly unlikely scenario for most counselors, so you will instead need to rely on the HHS guidance for meeting the Safe Harbor method. That guidance is available at hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.
How can I get my website on the first page of search results?
The short answer is that there is no guaranteed way to get on the first page of search results. I encourage you to be wary of any “SEO optimization” vendor or service that promises that you’ll land on the top of the first page of Google search results, for example.
That being said, SEO (search engine optimization) is a real thing. It encompasses myriad tools and steps that you can take to improve the performance of your website in searches. Much of the process boils down to the content and keywords on your website, along with having external links pointing to your site, but it truly requires a focused, multipronged effort and time to achieve results.
A great place to start is with the SEO tutorial at moz.com/beginners-guide-to-seo. After reading the tutorial, you should have a good idea of the things you might be able to do yourself. Even if you ultimately hire someone else to do it all for you, you’ll be better informed about what to realistically expect and better equipped to identify those who might be making false promises.
If you’d like for me to address more questions like these in future Technology Tutor columns, send me an email. In the meantime, be sure to check out the new free TherapyTech with Rob and Roy podcast (I’m the Rob in there!) at therapytechrobroy.com.
Rob Reinhardt, a licensed professional counselor supervisor, is a private practice and business consultant who helps counselors create and maintain efficient, successful private practices. Before becoming a professional counselor, he worked as a software developer and director of information technology. Contact him at email@example.com.
Opinions expressed and statements made in articles appearing on CT Online should not be assumed to represent the opinions of the editors or policies of the American Counseling Association.