Ensuring you are HIPAA compliant

This article provides a guide to help therapists ensure they are HIPAA compliant regarding training, communication, record-keeping, and reporting violations or concerns. 

HIPAA compliance training

All therapists complete mandatory HIPAA training at the time of onboarding and annually. Our Compliance Plan provides more details about HIPAA. 

HIPAA compliant email, calls, and text

As a covered entity, you'll need to make sure that your email is HIPAA compliant. Please read this article on best practices for HIPAA-compliant email services. 

All registered clients have provided consent for Rula to call, text, and email them without encryption. Details are available here.

The phone and internet are data conduits that do not require a BAA or additional HIPAA security controls. Your phone is considered HIPAA secure as long as you use a password on your mobile device. In addition, a covered entity is not responsible for the privacy or security of individuals' health information once it has been received by the individual's phone or other devices.

Rula does not endorse the use of any specific email or phone service. However, many therapists who contract with Rula use ProtonMail, HushMail, MailHippo, or Google Workspace (with a BAA). Some therapists set up a Google Voice or Grasshopper number if they prefer to use something other than a personal cell phone.

HIPAA compliant remote work environment

Clients are entitled to the same level of privacy during telehealth sessions as they would receive during in-person care, and therapists are ethically obligated to maintain client privacy. Therefore, you'll need to conduct telehealth sessions in a private location where client privacy is assured, and others will not overhear the call. Household members should never hear your sessions or see client information. 

Rula is the custodian of records

Being the "custodian of records" means Rula has the responsibility to manage and care for official documents. This involves:

  • Safekeeping: Ensuring the records are secure and protected from damage, loss, or unauthorized access.
  • Organization: Creating systems to file and track records efficiently for easy retrieval.
  • Retention: Following guidelines for how long to keep records based on legal or internal requirements.
  • Access: Providing authorized personnel with access to the records when needed.

Therefore, records can only be released to patients by our Medical Records team (records@rula.com). Therapists are prohibited from downloading or printing client records.  

Reporting any HIPAA violations or concerns

Rula promotes a supportive and "just" culture of compliance where we constantly learn and work to improve our system and processes. To self-report any HIPAA violations or concerns, please contact privacy@rula.com or use the Compliance Hotline to file a report.
