Everyone loves apps and cloud services these days, and mental health practices are no exception. You can hardly find anyone who keeps records on paper or on their own computer — nearly all of us keep records in an online service, such as an EHR or practice management system.

One thing that remains a conundrum, however, is how to evaluate when a service is appropriate for your practice’s security and privacy (e.g. HIPAA) needs, and when it isn’t. That’s why we created this handy-dandy guide, complete with checklists and evaluation questions for you to employ.

Product/Service Evaluation Tool

This tool is intended to be used by mental health practices to help them evaluate the software or cloud service companies that they are considering using in their practices.

This tool is based on PCT’s work on HIPAApropriateness Reviews. HIPAApropriateness Reviews are a service offered to Person Centered Tech members.

How to Use This Tool

To use this tool, collect information as noted below. Certain items are deal-breakers, and will be noted as such. Otherwise, there is no specific rubric for determining what kinds of answers indicate that you should or shouldn’t go ahead and use a particular service. This tool is meant to help you gather information and apply your best judgement to it.

When you use this tool to evaluate a product or service, you should end up with some information about it that resembles one of our “HIPAApropriateness Reviews.”

For examples of HIPAApropriateness Reviews that we have completed, go to: (you must be a Person Centered Tech member to read the full text of the reviews, but everyone can read the summaries.)

For an example of a full HIPAApropriateness Review that is open for the public to see, go to:

General Questions to Answer

A) Nature of the Service

  1. Does this service create a Business Associate relationship with you? Or would it be a Business Associate if not for exemptions to the Business Associate rule?
    • Generally, if a service isn’t a business associate (or would be if it weren’t exempt), then there isn’t much reason to apply the questions in this tool. You can stop here.
    • “Exemptions” to the rule are for “conduits” and financial services. To learn more, see our article on Business Associates and our article on Banks and HIPAA.
  2. Do you work for them? Is this a company that will be hiring you to do clinical work as a contractor or employee?
    • Do they ask you to do anything you know to be unethical or illegal? If so, do they claim to make it okay through waivers or excuses? This is a dealbreaker.
    • Do they ask you to share client information with anyone with whom it isn’t clinically appropriate to share it? This is usually a dealbreaker.
  3. What are the features offered by the service? Knowing what features are offered will help you pick out questions to ask later under “Assess the Features.”

B) Trustworthiness of the Company

  1. Is there any known history of privacy or security problems with this vendor? What was done to respond to them?
    • Generally, a history of privacy or security problems will reveal information about the company culture. If the problem indicated cultural flaws, then the company should demonstrate full cultural change before you consider using them.
    • Googling the company and/or product name can help you find this kind of historical information.
  2. Get a copy of the Business Associate Agreement (BAA) and read it (unless the product is exempt and doesn’t do BAAs.)
    • Are there any features or services of the product that are excluded from the BAA? Some exceptions in the BAA may not be a dealbreaker at all. It depends on what you intend to use the product for and how you intend to use it.
    • Do they argue that you can use them without a BAA while trying to sell you on hiring them/signing up with them? Usually, this is a dealbreaker for anything besides financial services that meet the conditions of the exemption to the Business Associate rule.
  3. Ask what you need to do to execute the BAA with them once you sign up for the product.
  4. Get any info you can on how they maintain compliance as a HIPAA Business Associate.
    • Are they ready to provide info on their security procedures and safeguards? Are they slippery about it? Most companies have some documents (often called “white papers”) or web pages about their security. A lack of information on this point is not necessarily a dealbreaker, but could be a bad sign.
    • This looks simple, but is frequently the hardest part of the assessment process.

C) Supporting Your Basic Compliance and Security Needs

For these items, sometimes you can ask the company about them or sometimes you may need to sign up for a trial account on the product so you can investigate for yourself.

  1. Does the product include access and activity logs that you can look at? Do the logs contain information about who logged in to your account, at what time, and from where? If the product includes record-keeping services, do the logs tell you which clients’ records were accessed or edited, when, and by whom?
  2. Does the product offer 2-step authentication? Not a dealbreaker (yet), but certainly very good for your security.
  3. If you need to have multiple people access your practice’s account on the product, see if the product supports giving different people different levels of access based on their role in the practice. This might or might not be a dealbreaker depending on your practice, but it will help a lot in maintaining your own HIPAA compliance in any case.


More Specific Questions to Answer

The following are clusters of questions you should seek answers to when they are appropriate for the product you’re reviewing. In most cases, the easiest way to get answers to these questions is to get a trial account or full-featured demo of a product and poke around in it to find the answers. Or you can try asking the company if that’s not possible.

A) Payment processing questions:

Ask these questions about products that offer payment processing.

  1. Can the product be used to request payments from clients?
    • If yes, then this product may also perform notifications. Look at asking the questions in the Notification questions block below.
    • Invoicing and requesting payments are generally not exempted from the Business Associate rule, so should be avoided when using services that don’t execute a BAA with you.
  2. If a user sends a payment to someone, do they receive a receipt via email or text?
    • If yes, then this product may also perform notifications. Look at asking the questions in the Notification questions block below.
  3. If they receive a receipt, what information is contained in the receipt? (Such as name of individual/business, email and/or phone number of the recipient)
  4. Does the company provide services beyond simply facilitating payment?

B) Notification questions:

Ask these when a product sends notifications by email, text, or other means. Notifications include things like appointment reminders, links for joining an online video session, payment receipts, and the like.

  1. What communication mediums are used to perform notifications (e.g. email? texting? automated phone call?)?
  2. Is it possible to opt out of receiving nonsecured email and/or text notifications?
    • Can the therapist opt out of notifications altogether?
    • Can the therapist opt out of notifications on a case-by-case/client-by-client basis?
    • Can the client opt out of notifications?
    • Can the client set a preference for medium of communication (e.g. phone call, email, text, etc.)?
  3. What information is contained in notifications? (Is there any PHI in them?)
    • Can the therapist modify the content/format of notifications?
  4. What instruction is provided to therapists and/or clients about risk analysis and ethical-legal requirements around nonsecure notification mediums?

C) Record-Keeping questions:

Get answers to these questions for products that include record-keeping features.

  1. How can you audit the access and usage logs?
    • Do audit logs include information about the activities performed by those who accessed the system? Do they include information about which individuals’ records were accessed and when? Do they include information about which individuals’ records were edited and when?
  2. Can records be edited or deleted after they are “signed”/locked/completed? How?

D) Data Backup questions:

Get answers to these questions for products that focus on data backup.

  1. How can customers ensure that backups are successful?
  2. Does the backup service have compatibility issues with disk encryption, most especially FileVault (Mac) or BitLocker (Windows)?

E) Videoconferencing for Telemental Health:

Get answers to these questions for products that offer videoconferencing services for telemental health.

  1. Is there a waiting room feature available? If not, how does the product protect client privacy?
  2. Does the service include a contact list which indicates when contacts are online or offline? Can clients be excluded from these contact lists?
    • American Telemedicine Association guidelines state that videoconferencing software shouldn’t have “social media functions,” like contact lists, which expose when clients are connected to the service and when they aren’t. Waiting rooms are a common solution that helps maintain client privacy while still making it easy for client and therapist to find each other on the videoconferencing platform.
  3. Is the product usable on both desktop and mobile platforms? Just one or the other?


While this set of questions cannot cover every eventuality, it will cover the majority of situations where service providers may hold on to our protected health information or send it over the Internet. To that extent, we find it to be a good tool for making sure we hit the primary areas of concern when evaluating a new product. We hope you find it useful, as well.
