Ensuring you are HIPAA compliant

This article provides a guide to help therapists ensure they are HIPAA compliant regarding training, communication, record-keeping, sharing client protected health information (PHI) with third parties, recording client sessions, and reporting violations or concerns. 

HIPAA compliance training

All therapists complete mandatory HIPAA training at the time of onboarding and annually. Our Compliance Plan provides more details about HIPAA. 

HIPAA-compliant email, calls, and text

As a covered entity, you'll need to make sure that your email is HIPAA compliant. Please read this article on best practices for HIPAA-compliant email services. 

All registered clients have provided consent for Rula to call, text, and email them without encryption. Details are available here.

The phone and internet are data conduits that do not require a Business Associate Agreement (BAA) or additional HIPAA security controls. Your phone is considered HIPAA secure as long as you use a password on your mobile device. In addition, a covered entity is not responsible for the privacy or security of individuals' health information once it has been received by the individual's phone or other devices.

Rula does not endorse the use of any specific email or phone service. However, many therapists who contract with Rula use ProtonMail, HushMail, MailHippo, or Google Workspace (with a BAA). Some therapists set up a Google Voice or Grasshopper number if they prefer to use something other than a personal cell phone.

Collaborating with another provider 

If you need to connect with another provider for the purposes of care coordination for a mutual client, please reach out to Rula Support to make a request. 

After confirming the mutual client and provider information, our team will provide you with the email contact details and notify the receiving provider that their information was shared for the purposes of care coordination.

HIPAA-compliant remote work environment

Clients are entitled to the same level of privacy during telehealth sessions as they would receive during in-person care, and therapists are ethically obligated to maintain client privacy. Therefore, you'll need to conduct telehealth sessions in a private location where client privacy is assured, and others will not overhear the call. Household members should never hear your sessions or see client information. 

Rula is the custodian of records

Being the "custodian of records" means Rula has the responsibility to manage and care for official documents. This involves:

  • Safekeeping: Ensuring the records are secure and protected from damage, loss, or unauthorized access.
  • Organization: Creating systems to file and track records efficiently for easy retrieval.
  • Retention: Following guidelines for how long to keep records based on legal or internal requirements.
  • Access: Providing authorized personnel with access to the records when needed.

Therefore, records can only be released to patients by our Medical Records team (records@rula.com). Therapists are prohibited from downloading or printing client records.  

Sharing PHI with Third Parties

To ensure the integrity of Rula client records, we prohibit therapists from sharing client PHI with any third parties. This includes, but is not limited to, office staff, assistants, interns, and external software companies, such as AI tools and note-taking applications. By limiting the sharing of information, we safeguard clients’ PHI and uphold our responsibilities as the custodian of records.


We understand that technology plays a vital role in enhancing our services, and we want to assure you that we will communicate with you if we adopt any third-party software.

Recording sessions

Rula does not allow therapists to record sessions with clients. Rula wants clients to feel comfortable and trust that their sessions are kept confidential. Because Rula is the custodian of records, if therapists created and stored recordings of client sessions, it would be difficult for us to ensure the recordings are stored securely as required by applicable privacy laws.

Patients who wish to record a session with a provider must first discuss the request with the provider. Patients may only record a session if the provider gives explicit consent. It is important to ensure that both parties are in agreement and comfortable with the arrangement before a patient records a session.

Reporting any HIPAA violations or concerns

Rula promotes a supportive and "just" culture of compliance where we constantly learn and work to improve our system and processes. To self-report any HIPAA violations or concerns, please contact privacy@rula.com or use the Compliance Hotline to file a report.

Rula appreciates your diligence in adhering to these guidelines and your continued commitment to protecting clients’ privacy. If you have any questions or need further clarification regarding the information in this article, please reach out to the Rula Privacy team at privacy@rula.com.
