HIPAA for Therapists: When Good Software Goes Bad
A cornerstone of HIPAA for therapists is compliant software; but what do you do when good software goes bad? In my work as a private practice coach I see lots of practice owners who have purchased robust software to handle billing, scheduling, and email marketing. The software is efficient, perfect for their practice and signs a business associate agreement (BAA) so it is HIPAA compliant. How does good software go bad?
- The introductory price was great and then in a few months, that price goes up and now it’s unaffordable.
- Your software was great for you as a solo practice owner, but now that you are growing you see you have to pay a per-user fee.
- Your software company goes out of business.
What is HIPAA Compliance in Counseling?
PHI (protected health information) must always be protected. For those of us utilizing electronic medical records (EMR) software, we must use software that signs a BAA. If that software decides to drop the agreement or you face one of the scenarios above, you must still protect your PHI. There is no grace period. There is no, oops, I meant to do it, and my records weren’t protected for two months while I was searching the inter-webs for new software. It’s either protected or it’s not (see the show notes from my interview with Vanessa Hillis, "HIPAA Risk Assessment with Vanessa Hillis").
Can Software be HIPAA Compliant?
It can, and then it can’t. I’ll tell you my personal story. A few months ago, everybody got this notice that Sookasa, a client record storage software that would sign a BAA, was calling it quits. Sookasa was a wonderful solution for small practice owners like me who wanted to store PHI electronically but couldn't afford the giant robust software. It was like Dropbox and Google Drive were giant filing cabinets, but I had this magical drawer called Sookasa and that drawer was locked and encrypted (and signed a BAA where Dropbox and Google would not).
Around October, I checked my spam email box, and I catch this shocking email from Sookasa saying they are going out of business. I think I'm getting phished; this has to be fake! Then I saw the signs. I checked my billing and noticed my annual plan was gone and I was paying $10 a month. Then I noticed, and this is the scary part, they didn’t debit my card at all. That freaked me out. I’m a little bit of a procrastinator, and when I saw they hadn’t debited my card, I could picture my files in this no man’s land of no protection. I was asking myself, am I protected or not? Are they already out of business? What do I do?
Of course I shot out an email to Sookasa and they promptly responded saying, “No, no, no, we’re still protecting your files, but hard stop March 30th.” So I went to work, and my trusty assistant Jessica and I dove in to try and find a solution.
Safeguards for HIPAA
When good software goes bad it can devastate your private practice. Best practice under HIPAA for therapists is for mental health practice owners to be proactive and get a tribe. Make sure that you’re involved with networking groups with other therapists, have a trusted attorney or consultant, and join your professional organizations. How did I solve my problem? I discovered the HIPAA compliant version of Google Workspace was a good alternative to Sookasa and fit the bill for what I needed.
You have to be HIPAA compliant. When something goes wrong and your software goes bad there is no grace period. So get your network, consult, and get that PHI secured.
Blog post by Kate Walker Ph.D., LPC/LMFT Supervisor