Should therapist locator systems offer a BAA?

Should therapist locator systems offer a BAA?

By Michael G. Conner, Psy.D.
April 13, 2021 - Last updated: April 12, 2021

As the developer of a website functionally equivalent to Psychology Today’s therapist locator, I understand the technology of these systems, intranet text communication and referral technology. I also know the vulnerabilities of that technology.

A therapist locator site touches significant information provided by the public. Information collected through interactions with a therapist locator system can be time stamped, viewed, digitally recorded and saved using the system’s hosting platform. All that data could be aggregated, correlated, analyzed, viewed, saved, published and sold – legitimately or not. Without a business associate agreement (BAA), healthcare providers and the public are defenseless, denied information about privacy and security incidents.

Many therapists do not understand that they are covered entities who must adhere to HIPAA and protect patients’ protected health information. Therapist locator service companies offer services that covered entities (therapists) pay them to provide.

Therapist locator services should be designed so that personally identifiable information (PII) and protected health information (PHI) gathered through use of the site are kept implicitly and explicitly private and secure.

Business intelligence (BI) software and advanced database tools and artificial intelligence can be used to connect the identity of individuals using a locator website with the reasons people have for contacting providers.

Even if PII does not reveal a patient’s health care history, it is PHI when linked to a health condition or request for care for a health condition. A patient’s name or email alone can be considered PHI if it is in any way associated with a healthcare provider.

Database technology combined with business information software can calculate and express associations between individuals, providers and services for a health condition within a statistical level of certainty. That creates vulnerability to an incident at best and a breach of privacy at worst.

Either way, therapists could be held legally responsible for patients’ loss of privacy.

A referral-site business should offer BAAs to the professionals listed, have clear HIPAA policies and procedures in place to assure data security, privacy and integrity. Periodic review and testing for vulnerability is crucial. The therapist locator I built does that.

Professional liability insurance does not cover data privacy, security, integrity, or investigation of incidents pertaining to electronic health records or any other electronic information gathering, storage, or processing service. Imagine what an “antisocial” engineer working for a large therapist locator service could do with database and network access permissions!

BAAs for health data-handling services are required by federal regulation to assure providers are informed of significant data-handling incidents. With a breach – and no BAA – providers might be held responsible for the breach. They are responsible to report incidents.

Healthcare operations support businesses are not covered entities under HIPAA; they provide services for covered entities. Failing to obtain a BAA does not relieve covered entities of their responsibilities or alleged responsibilities under state and federal law.

With no BAA, healthcare operations support services can post disclaimers and terms of use in self-protective language that indemnify, hold harmless, waive rights to trial, limit liability, or establish jurisdiction. Common disclaimers have specific broad language that website owners are not responsible for, such as “other harmful components,” which would include databases exploited by malicious software, cyber espionage, etc.

Psychology Today operates a huge public data-handling business that does business in every state and internationally. This begs several questions: “Where is Psychology Today data and information stored? Where is the security hub? Who has access to resources in their network?

Psychology Today functionality allows therapists to communicate with other therapist-subscribers. This illustrates that these functions are health care support operations because PII and PHI are inherently available.

Few therapist locators in America or elsewhere offer BAA’s to HIPAA covered entities. There are healthcare data businesses in India that offer BAAs. Psychology Today is a corporation chartered in the Cayman Islands.

Maybe therapist locators are so big or so small that no regulatory agency has mandate or resources to learn what data they can and do collect and what they are doing with that data. Or, have these businesses developed in a world too poorly informed or too busy to notice there is a problem?

HIPAA-responsible psychologists should strive to protect the public by requiring BAAs from businesses that touch potential patient data, especially those that:

* display professional profiles,
* support electronic communication between patients and healthcare professionals and
* provide internal electronic communication for referrals.
Mental health professionals’ associations should establish standards that protect patients.

An expanded version of this article is available from the lead author.

Michael G. Conner, Psy.D., is a psychologist in private practice and an owner of Private Practice Cloud LLC, a healthcare operations business that supports The American Mental Health Alliance. He also is a member of the board of directors of Mentor Research Institute (MRI). His email address is:
Michaele P. Dunlap, Psy.D., president of MRI, also contributed to this article.

Share Button

Related Articles