We have discussed previously on the blog some HIPAA issues here and there, and it’s something I often address with folks setting up Workspace for the first time. I want to make some broad points about HIPAA relevant to using Workspace as your EHR.
Getting HIPAA Advice
First of all, a critical disclaimer: never take legal advice from a social worker.
I am reasonably educated about HIPAA and I will tell you when I know what I’m talking about and when I’m not so sure. But ultimately if you find yourself in a sticky situation, you do not want to be pointing to a guy with a social work degree and no legal experience and say, “well, he told me so.”
It is important to have a legal person you can turn to with your questions – not just about HIPAA but about all your legal odds and ends, like consent forms, contracts, and all that good stuff.
Of course, paying for an attorney when you are a small operation gets expensive fast. (If you’ve ever said to yourself after seeing what your lawyer charges per hour, “boy, I picked the wrong field!”, you’re not alone.) So I will share with you a secret super-duper option I’ve been using very happily for years.
It’s called LegalShield. You pay $49 a month and they’ll review documents, consult with you about specific situations, answer questions on HIPAA and whatever else comes to mind. (You don’t get unlimited services, but you get a lot.)
$49 a month isn’t nothing, but it’s a heck of a lot cheaper than paying a lawyer by the hour. You can literally get a year’s worth of service for less than some lawyers charge for one hour! I have definitely gotten my money’s worth with this service.
So, here’s a link with more info (affiliate link). Check them out rather than relying on an amateur like me for real legal advice.
Know the HIPAA Basics
Okay, second thing about HIPAA: you need to know the basics.
I’m not saying you have to become a world expert on it, but it’s not enough to just rely on picking “HIPAA-compliant” tools (like Workspace is can be), because HIPAA compliance is a set of behaviors, not just a box you can check one time.
For example, one of the essential things you need to do is a risk assessment – meaning, figure out where your HIPAA risks are. Even if you’ve got the right tools and add-ons and all that, if you haven’t done a risk assessment then not only do you have some level of risk (because of what you don’t know), but it looks a lot worse for you in the event that something does go wrong.
In addition, just because you are using secure Google Workspace doesn’t mean you can do whatever you want now. It’s still a problem if you’re sending protected health information – securely! – to someone who isn’t supposed to have it.
So, it behooves you to learn a bit about HIPAA. I have an introductory HIPAA webinar you can check out and go from there. HIPAA compliance is not a one-and-done kind of thing. It’s a process.
Don’t Go Nuts
The last point I want to make is that, while you should get educated on the topic, you should try to avoid going freakout crazy about it. You will not end up in jail over a HIPAA mistake (unless you do something really bad on purpose).
If you made some really egregious error that affected a lot of people you might get some fine, which would still probably not be as large as the scary figures you see in the news. But most likely you would just get a stern talking-to from the Office for Civil Rights (the folks in charge of HIPAA) and a corrective plan.
So chill. Meaning, it’s important to get on the path to HIPAA compliance, but not to have panic attacks about it.
Also, effort counts. If OCR sees you’ve been working on it (especially, for example, by doing a risk assessment and then acting on it), that would be different from if you’ve just been ignoring your HIPAA obligations altogether due to the high degree of scariness (which I completely understand).
It’s worth your while to get started even just a little bit.
In Sum: Never Take Legal Advice from a Social Worker
Well, maybe take some. My advice is, when it comes to HIPAA, do something, not nothing. There are plenty of places to learn about it, and if you have specific questions, LegalShield is a great option.