
Podcast Series

What You Need to Know About Teletherapy

Bonnie Rausch:

Hello, everyone. The Preferra Insurance Company RRG, formerly NASW Risk Retention Group, NASW Assurance Services, and Western Litigation have teamed up to produce a series of three podcasts to guide behavioral health professionals on the subject of teletherapy during the COVID-19 pandemic. This is podcast number two. The name of our series is What You Need to Know About Teletherapy During the COVID-19 Pandemic.

Bonnie Rausch:

I am Bonnie Rausch, NASW Assurance Services, and I have joining me today three subject matter experts. They are, from the Preferra Insurance Company RRG, formerly NASW Risk Retention Group, we have with us both Phil Lawson, the vice president of product development and risk, as well as Lonnie Ropp, the director of product management and underwriting. In addition, from Western Litigation, we have Deana Larsen, who is the senior risk analyst and administrative supervisor. The format that we are using is Q&A, and we are also answering questions that we received from our policyholders regarding teletherapy and the current pandemic.

Bonnie Rausch:

But before starting, we wanted to tell everyone that our thoughts are with all affected by COVID-19. Please know that we are extremely thankful for all of the amazing work of the healthcare and behavioral care professionals as well as all other essential workers. Also, if you missed our podcast number one, it is available at www.naswassuranceservices.org. On that, you will find a specific webpage for COVID-19.

Bonnie Rausch:

Without further ado, let’s get started. The first question is for Phil. Phil, if somebody uses a cell phone for business and personal use but treats every contact as business and confidential, what are the risks for a solo practitioner and nobody else has access to any of their devices?

Phil Lawson:

Yes, that’s a really great question. There’s a blur between personal life and professional life, and using a cell phone increases that blur. Although technology improves productivity and it opens up new positive opportunities for everybody, technology makes it too easy to make mistakes, and that’s where your risk is.

Phil Lawson:

For example, unintentional calls or texts can result in breaches, and they’ll expose you to multiple HIPAA breaches. Another example is if your phone is stolen or hacked, it becomes exposed. The information audited, it becomes exposed. It’s the same as a burglar breaking into your paper file cabinet in your office with your client information. Even if nothing is disturbed in the file drawer and it’s merely opened and no files are disturbed or made public, it’s still a breach. The same thing with your phone, with your list of patients and their phone numbers and names, so you are bound by notification requirements, and related legal fees occur. You’ll have to inform your licensing board of that breach.

Phil Lawson:

I’ll give you an example. The RRG actually defended an insured for this very claim, and legal fees were over $1,500, so if your client list is stored on a phone that’s lost or stolen, you then will fall into cyber breach strict liability, misplaced or exposed client records including names and phone numbers or data breaches, and they place a social worker squarely in the federal crosshairs of HIPAA HITECH law, 45 CFR Part 160. That is civil fines, penalties, criminal prosecution and jail time depending on the frequency and the severity of the crime. You get 12 years in jail for that and a million-dollar fine.

Phil Lawson:

Restoration procedures, whenever there’s a cyber data breach, no matter what the size of it is, could be one client, are extremely significant, and they include written notification to every client in your practice of the breach, even if it’s only one person who was breached. You have to buy an identity theft subscription for one year for the clients that were breached. You have to have a security audit by a certified or auditing firm, and that costs money too.

Phil Lawson:

Of course, you’ll have legal fees and some penalties. The RRG experienced a similar claim, which cost $12,000 for the social worker to resolve because he did not pay the extra $50 premium for the sufficient level of cyber liability protection. He would have been 100% protected. There’s a lot of risks. You have to be careful.

Bonnie Rausch:

Thank you so much for that information. Deana, I’d like to turn this question to you, please. Using a regular phone is not sufficiently secure. Are there secure phone systems that you would recommend?

Deana Larsen:

Well, as Phil just very accurately pointed out, a regular phone is not sufficiently secure. You need to do your homework. You need to reach out to your cell phone provider or your telephone provider and find out what options are available to make sure that your phone line is secure, especially in these days where everyone is working from home. Hackers have not taken the day off. In fact, they’ve amped up even harder, so please, do your homework. I do know that there are phone systems that are secure, but I don’t make specific recommendations. I would encourage each of you to do your homework, talk to the provider, ask all the questions you need to, and when you think you’ve asked them all, ask them again.

Bonnie Rausch:

Very good points. Lonnie, I would like to direct the third question to you, please. Regarding testimonials, if the client has voluntarily given a testimonial to the social worker, and the social worker has gone over the risks, can the social worker post the testimonial on her website anonymously or with names?

Lonnie Ropp:

Well, that’s a great question, and it should definitely be approached with caution. It’s a big compliment to have your services complimented in a testimonial form. We definitely want to be very, very careful to say that a post of that nature needs to be either noted as anonymous or just like a first initial. Anything beyond that could be quickly construed as a HIPAA breach, and even if the client gave the testimonial, they might change their pathway and get angry at a later time based on different things going on, so just be very, very careful in approaching that and should be definitely a big compliment, but approach very carefully as we say.

Bonnie Rausch:

Thank you, Lonnie. [inaudible] is definitely key there. Phil, the next question’s to you, please. Doesn’t HIPAA require separate forms for telehealth services?

Phil Lawson:

Yeah, it’s a good idea to have a separate informed consent form for teletherapy; however, you need to check with HIPAA and also specifically your specific state regulations where you’re licensed regarding telehealth services and also online therapy. States are going to have different laws and regulations regarding telehealth and remote therapy. We have a sample informed consent form posted on the NASW Assurance Services website for your convenience and reference.

Bonnie Rausch:

That’s good to know. Again, back to our website of www.naswassurances.org. Deana, to you, please. Is it okay to use unencrypted email for things such as setting up appointments as well as receiving insurance membership numbers?

Deana Larsen:

No. It’s not. That sounds like very generic information, confirming an appointment and receiving an insurance membership number, but information like that can be construed as a HIPAA breach. You don’t want to use unencrypted email for important things. You could inadvertently send something to the wrong person, or when you’re trying to send a group email, for example, confirming to all of your clients that you have moved your entire practice to telehealth, there could be an unintended glitch, and all of a sudden, all of your client information has gone out to the entire group. Encrypted email is the best way to go, without question.

Bonnie Rausch:

Thank you so much for that. Lonnie, to you, please. What about utilizing email for a follow-up after a session has occurred, so for example, a referral for another agency support. Does client consent for utilizing email cover a social worker in terms of the risk of others reading this information?

Lonnie Ropp:

Well, just dovetailing on the great comments that Deana just shared regarding the other email question, I definitely want to just pause and suggest caution because, essentially, if somebody else got the email, it could be considered a HIPAA breach, and since that information is about the other providers, could be interpreted as protected health information, so you want to just be very, very careful in approaching email because very quickly it can go the wrong direction without any intention.

Bonnie Rausch:

All right, thank you again. Actually, this wraps up our second podcast. Phil, Lonnie, and Deana, again, thank you so much for sharing your knowledge and expertise with us, as well as thank you to our listeners. Stay tuned for podcast three of this series, and in the interim, please, everyone, be safe. Keep your distance, and don’t forget to wash your hands. Have a great day.

COVID-19 Notice

Preferra Insurance Company RRG, formerly NASW Risk Retention Group (NASW RRG), provides information based on our helpline inquiries, corresponding claims history, and an understanding of a varying nationwide professional state regulatory environment.

Due to COVID-19, many states have implemented or waived specific regulations; it is the individual professional's responsibility to research, implement, and monitor those regulations; and apply our risk management content as a consideration in your practice environment. Do not interpret this risk management material as any means to alter professional training, standards, nor any ethics information provided by your professional association.

Please understand, the NASW RRG makes no representations or warranties other than those stated to our current policyholders in the insurance policy contract. Please contact us if you have further questions.