Disclaimer: I am not a lawyer. Nothing I say can be construed as legal advice. This post contains my story of how I handle maintaining client confidentiality while working from home. Consult with your attorney and malpractice insurance provider when making decisions about your own practice.
While I have been doing telehealth since 2016, I did not work from home as a therapist until 2020. One of the first things I did was complete continuing education on ethical issues for therapists with home offices. The presenter opened with a story.
Apparently, there was a therapist who did telehealth from her home office. She separated from her husband and ended up in a contentious divorce. Her ex-husband, in a fit of vindictiveness, contacted her licensing board and said that he had been able to overhear some of her sessions. He claimed that she did not take enough steps to stop him from doing this, and she was sanctioned by her licensing board and fined for HIPAA violations.
I would like to think that my husband wouldn’t contact my licensing board, but I am sure this therapist thought the same thing.
The presenter said that the way to avoid this kind of complaint is to have a Business Associate Agreement which states that your spouse agrees not to access any Protected Health Information (PHI) from your home office and agrees to protect any information they do access in a way that is HIPAA compliant. The presenter said it helps if your spouse has HIPAA training to make sure they understand what this means. This also applies to anyone else you are living with – roommates, family members, et cetera, anyone who might overhear a session or see a piece of paper with a client’s name on it.
Fortunately, my husband is already HIPAA trained, and we found a free template for a Business Associate Agreement online. We had to tweak it, since BAAs usually speak to sending and receiving PHI, which is not relevant to this situation. That was not hard to do, so I’m sharing the PDF that we put together. Again, I’m not saying anyone should use this as a template, but I am sharing it as a reference.
Basically, my husband agreed to the following:
- He will not attempt to access any PHI.
- He will not disclose any PHI he happens to access.
- He will let me know of any breaches of this.
And I agreed to:
- Follow HIPAA.
If you work from home, you need to maintain confidentiality and protect your clients and license. This is one step I’ve taken in my business.
Now I just need to convince the cats to sign one.