This article provides a guide to help therapists ensure they are HIPAA compliant regarding training, communication, record-keeping, and reporting violations or concerns.
HIPAA compliance training
All therapists complete mandatory HIPAA training at the time of onboarding and annually. Our Compliance Plan provides more details about HIPAA.
HIPAA-compliant email, calls, and text
As a covered entity, you'll need to make sure that your email is HIPAA compliant. Please read this article on best practices for HIPAA-compliant email services.
All registered clients have provided consent for Rula to call, text, and email them without encryption. Details are available here.
The phone and internet are data conduits that do not require a BAA or additional HIPAA security controls. Your phone is considered HIPAA secure as long as you use a password on your mobile device. In addition, a covered entity is not responsible for the privacy or security of individuals' health information once it has been received by the individual's phone or other devices.
Rula does not endorse the use of any specific email or phone service. However, many therapists who contract with Rula use ProtonMail, HushMail, MailHippo, or Google Workspace (with a BAA). Some therapists set up a Google Voice or Grasshopper number if they prefer to use something other than a personal cell phone.
Collaborating with another provider
If you need to connect with another provider for the purposes of care coordination for a mutual client, please reach out to Rula Support to make a request.
After confirming the mutual client and provider information, our team will provide you with the email contact details and notify the receiving provider that their information was shared for the purposes of care coordination.
HIPAA-compliant remote work environment
Clients are entitled to the same level of privacy during telehealth sessions as they would receive during in-person care, and therapists are ethically obligated to maintain client privacy. Therefore, you'll need to conduct telehealth sessions in a private location where client privacy is assured and others will not overhear the call. Household members should never hear your sessions or see client information.
Rula is the custodian of records
Being the "custodian of records" means Rula has the responsibility to manage and care for official documents. This involves:
- Safekeeping: Ensuring the records are secure and protected from damage, loss, or unauthorized access.
- Organization: Creating systems to file and track records efficiently for easy retrieval.
- Retention: Following guidelines for how long to keep records based on legal or internal requirements.
- Access: Providing authorized personnel with access to the records when needed.
Therefore, records can only be released to patients by our Medical Records team (records@rula.com). Therapists are prohibited from downloading or printing client records.
Reporting any HIPAA violations or concerns
Rula promotes a supportive and "just" culture of compliance where we constantly learn and work to improve our system and processes. To self-report any HIPAA violations or concerns, please contact privacy@rula.com or use the Compliance Hotline to file a report.