Denial is a powerful defense mechanism, and despite all of our knowledge and training as counselors, many of us still stick our heads in the sand concerning the potential for the unexpected to affect us, our practices and our clients. In dealing with insurance companies, taking notes, handling phone calls or creating a contingency plan for emergencies, the counselor mantra seems to be, “I don’t want to have to deal with all that. I just want to be doing counseling.”
Most of the mental health clinicians I speak with do not have an emergency transition plan or disaster recovery plan in place despite the fact that the 2014 ACA Code of Ethics calls for one and HIPAA/HITECH require such a plan in the case of electronic data.
Standard C.2.h. in the ACA Code of Ethics states, “Counselors prepare a plan for the transfer of clients and the dissemination of records to an identified colleague or records custodian in the case of the counselor’s incapacitation, death, retirement or termination of practice.”
HIPAA/HITECH requires covered entities to have a contingency plan (see Standard § 164.308(a)(7) at hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf). Among the requirements, covered entities and their business associates must be performing frequent, off-site, recoverable backups of data. As can be expected with HIPAA (the Health Insurance Portability and Accountability Act), you must have your backup and recovery plan documented.
The ACA Code of Ethics focuses on protecting continuity of quality care for our clients, whereas HITECH (the Health Information Technology for Economic and Clinical Health Act) focuses on safeguarding their electronic protected health information. The summary version is that we need to be doing all of these things to ensure quality care for our clients, both now and in case of transition. When we are thinking about our desire to focus on counseling, it is important that we integrate these requirements into our routines. Just as we recognize the importance of treatment plans and progress notes (even though many of us do not particularly enjoy those tasks), so must we implement contingency and transition-of-care plans.
When developing these plans, we must consider the wide array of situations in which they may be used. Although I started this discussion in the context of disasters and the unexpected, it’s possible that these plans will be useful during expected events as well. The list that follows includes just a sampling of situations, both expected and not, in which you may need a transition-of-care plan, a contingency plan for data or both.
- Pregnancy (maternal or paternal leave)
- Failed hard drive, computer or other system
- Fire, flood or other natural disaster
- An offer for an amazing new job that requires you to leave your current practice or agency
- Death (either yours or a family member’s)
- Closing of your business (or the one for which you work, or the one that runs your billing or electronic medical records service)
- A move out of state
The remainder of this article focuses on some actions you can take to ensure that your data is safe and to prepare an emergency plan. Although I present a focus on the technology implications of these requirements, please be aware that you may also need to explore and create plans for other facets of your practice (for example, what happens if a fire destroys all of your paper files/records?). In addition, because each practice is unique, you may have items that aren’t covered by the options below. Be sure to examine all parts of your practice that may be involved in an emergency plan and all data that may need to be backed up.
Use a practice management system
There are many potential benefits (e.g., increased efficiency, better cash flow and reduced overhead tasks) to using a practice management system, especially one that is cloud-based. (For a complete explanation of these systems and reviews of those available, check out tameyourpractice.com/blog/cloud-practice-management-system-table-contents.)
Using a cloud-based practice management system from a HIPAA-compliant vendor is also an excellent way to significantly reduce your HIPAA compliance risks and responsibilities. The HIPAA final/omnibus rule of 2013 greatly clarified and expanded the responsibilities of covered entities for securing electronic protected health information. Fortunately, it also required business associates (third-party vendors that covered entities use to store or transfer electronic protected health information) to comply with HIPAA as well. By entering into a business associate agreement with a cloud-based practice management system vendor, counselors can offload much of their security compliance responsibilities for electronic protected health information to that vendor.
Among the many things that vendor will now be responsible for are redundant storage, encryption and backup of electronic protected health information. Despite the vendor taking on these responsibilities, I still encourage users to keep their own backup of the electronic protected health information being stored in the cloud-based practice management system. Which brings us to …
Use a backup solution
Even if you are using a cloud-based practice management system, there are reasons to keep your own backup of the data. Most of us who provide clinical services like to review notes from previous sessions before going into session with a client. Even the most rock solid of cloud-based practice management systems can go offline occasionally. Counselors may also experience downtime with their Internet connections. According to Murphy’s law, this will eventually happen at just the wrong moment. For this reason (and because you may one day wish to switch cloud-based practice management system vendors), it is prudent to keep your own backup. The challenge becomes how to do this while remaining compliant with HIPAA. There are many specific requirements to consider, but the overriding principle is to ensure that the data are secure.
Perhaps the most obvious place to store this backup is on the computer you use regularly at your workplace because you’ll want to be able to quickly access it should the need arise. Because the data already exists in the cloud-based practice management system, you may not need your own redundant backup. However, I generally suggest that you use one to be on the safe side. For those of you not using a cloud-based practice management system to begin with, this process is imperative.
When creating a backup of anything (even a backup of a backup), it’s important that you remember to do two things: verify and back up remotely. To verify, you need to regularly ensure that the backup is operating properly, that the data is indeed being backed up completely and that it can be restored properly. Backing up remotely means storing the backup in a location that is different from the primary physical location of the original data. This is important in case the primary location experiences a fire, theft or other disaster.
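One way to carry out the "verify" step above, as an added example that is not part of the original column: restore the backup to a scratch folder, then compare a SHA-256 hash of every original file against its restored copy. The folder names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source_dir, restored_dir):
    """Compare the live data with a test restore of the backup."""
    src, dst = build_manifest(source_dir), build_manifest(restored_dir)
    return {
        "missing": sorted(set(src) - set(dst)),   # never backed up or not restored
        "corrupt": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "extra": sorted(set(dst) - set(src)),     # deleted or renamed since the backup
    }


def demo():
    """Constructed sample: a restore that lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "practice_data"), Path(tmp, "test_restore")
        for folder in (src, restored):
            (folder / "notes").mkdir(parents=True)
        files = {"notes/session1.txt": b"constructed note A",
                 "notes/session2.txt": b"constructed note B",
                 "billing.csv": b"id,amount\n1,100\n"}
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        (restored / "notes/session1.txt").write_bytes(files["notes/session1.txt"])
        (restored / "billing.csv").write_bytes(b"id,amount\n")  # truncated copy
        return verify_backup(src, restored)


if __name__ == "__main__":
    for problem, paths in demo().items():
        print(f"{problem}: {paths}")
```

Because a test restore is a full copy of the records, restore it to an encrypted disk and delete it once the check is done.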
There are far too many ways to perform adequate backups to cover in this column. However, once again, one of the simplest solutions is to use a cloud-based service. Several cloud-based services report being HIPAA compliant, including (but not limited to) Carbonite (carbonite.com), Box (box.com) and Mozy (mozy.com). It is important to note that prices for these services may vary widely, and some require you to get more expensive plans to get a business associate agreement.
One very affordable alternative is Google Apps for Work (google.com/work/apps/business/). At only $5 per user per month, Google Apps provides a business-level version of the Google solutions with which most of us are familiar (Gmail, Google Calendar, Google Drive). Plus, Google will enter into a business associate agreement. By using Google Drive, a user can have a set of data on his or her computer that is also automatically synced to a location on Google’s servers.
Although I bring this up in the context of backing up data from a cloud-based practice management system, this same logic applies to backing up any electronic protected health information or other data related to your practice. As always, when storing electronic protected health information on any device, I strongly encourage counselors to use full-disk encryption because of the HIPAA breach notification rule (see personcenteredtech.com/2013/04/hipaa-safe-harbor-for-your-computer-the-ultimate-in-hipaa-compliance-the-compleat-guide/). When dealing with electronic protected health information, it’s imperative that counselors educate themselves on what they need to do to reduce risks and remain compliant with HIPAA. For those attending the ACA 2015 Conference in Orlando, Florida, Roy Huggins and I will be presenting a Learning Institute that covers this in detail.
Have an emergency/disaster recovery plan
Backing up data is only one piece of having a disaster recovery plan. A complete disaster recovery plan considers not only potential technical disasters but also other types of emergencies. For example, how might your practice recover if your office was flooded? What if you or a loved one became critically ill for an extended period of time? What if you were evacuated from the area for several days or weeks because of a human-made disaster (chemical spill, rioting, etc.)? Or what if you simply want to plan for retirement?
Although you may not need to plan for every distinct possibility, it is possible to create classifications of possibilities for which to plan. One possible set of classifications might be:
- My plan if I have limited access to the office
- My plan if I have no access to the office for an extended period of time
- My plan if my office has been destroyed or is closing
- My plan if I have been incapacitated
Note that this list assumes working out of an office. Each counselor’s plan should be customized on the basis of his or her particular situation. Many counselors are aware of professional wills, and some have even followed through with preparing one. A professional will can be an important part of an emergency plan, but it likely won’t cover everything. The obvious challenge is that, as a will, it’s primarily targeted for use if the counselor dies. Furthermore, most professional wills don’t go so far as to provide all of the information a records custodian or emergency response team might need to effectively address the transition.
It is important that any disaster recovery plan, emergency plan or transition plan includes all of the information needed to run a practice. Although the most important factor is ensuring continuity of care for clients, simply having a plan to pass them off to a new provider isn’t enough. To provide the best possible care for those clients, the new provider should have access to their records. Someone should also be prepared to inform clients, help them with the transition and answer any questions they have about billing, insurance and other information. Each practice may be handling these pieces of information differently, so it is important for the practice to make it very clear in its transition plan exactly where everything can be found. Even things as simple as the location of the office keys and the password to the cloud-based practice management system won’t be obvious to someone taking over in an emergency. And in an emergency, that person doesn’t need to be spending precious moments trying to figure those things out.
A very short list of things counselors should have in their emergency plan includes:
- Basic information: National Provider Identifier number, license information
- Location of client records
- Location of any computers and devices used in your work
- Passwords for any computers and devices used in your work
- Login information for your cloud-based practice management system and other software containing pertinent business information
- Insurance companies with which you are paneled
- Information about your accountant, attorney and other professionals with whom you consult
- Information about business banking accounts
Ideally, every facet, tool and important piece of information about your practice will be documented so that someone could quickly step in and take over the operations of your practice if you were incapacitated or unable to perform your duties for whatever reason. As an exercise in developing a comprehensive plan, imagine your workday from start to finish, noting all of the tasks you complete, the devices you use, the locations of your tools and paperwork — essentially, everything you need to complete your work. For more details on the importance of such a plan, watch an informative free episode of Therapy Tech in which Nancy Wheeler and I talk with Roy Huggins about the development of our e-book that addresses this issue and includes templates (see youtube.com/watch?v=GxUDSCj8UZI).
Developing these plans may not sound like a day at the beach, but they are a requirement of our profession and essential to providing quality care to our clients. As always, I recommend that you consult with a qualified attorney about the legal aspects of HIPAA and emergency plan development. Also, bear in mind that the information presented in this column is generalized. Because each practice is unique, it may be beneficial for you to talk with a consultant to develop the best plan for your practice.
Rob Reinhardt, a licensed professional counselor supervisor, is a private practice and business consultant who helps counselors create and maintain efficient, successful private practices. Before becoming a professional counselor, he worked as a software developer and director of information technology. Contact him at email@example.com.