Transcript
Transcript – Episode 415: [Tech Tips] VPNs, Password Managers, and HIPAA
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host Evan Dumas.
Liath Dalton
And I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records. Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 415: [Tech Tips] VPNs, Password Managers and HIPAA.
Liath Dalton
So we are often talking about all the different options for services that provide functionality that helps secure your practice or just make things work better. And in that category are VPNs, or virtual private networks,
Evan Dumas
Mhmm.
Liath Dalton
and password managers. But there are some interesting considerations for how they fit into your HIPAA compliance activities and questions that come up around them often.
Evan Dumas
Mhmm.
Liath Dalton
Evan, what is one of the number one questions that we get about VPNs and password managers?
Evan Dumas
Yeah, we just got this one today, which spurred this episode, is “Do I need a BAA and who provides a BAA for for a VPN or a password manager?”
Liath Dalton
Exactly. And the that’s a absolutely reasonable question because we are always talking about the importance of having a HIPAA Business Associate Agreement with service providers that provide functionality that touches Protected Health Information or client info.
Liath Dalton
And, you know, understandably the thought is, well, a VPN that’s giving me a secured internet connection tunnel that allows me to use otherwise untrusted networks, that’s handling all the information and traffic of my connection, including PHI. So that would be subject to HIPAA’s Business Associate Rule, right?
Evan Dumas
Mhmm.
Liath Dalton
Well, in this instance, no. Just like your Internet Service Provider, or ISP, does not constitute a Business Associate, because of the way they are handling information. You want to describe that in the kind of technical terms, Evan?
Evan Dumas
Yeah, sure. It’s called the conduit exception. And just as the term conduit implies, is really something that connects one thing to another thing, and in this case, doesn’t know what its transporting.
Evan Dumas
So in that way, the data that goes from point A to point B is effectively de identified because it’s just tiny little packets of information, they’re not reading it, they’re not looking at it scanning, you’re not looking at whatever data gets passed between these two points. And so in that way, VPNs and ISPs fall into this lovely conduit exception, so you don’t need BAAs with them.
Liath Dalton
Exactly. And they do not store the packets of data that they are handling,
Evan Dumas
Nope.
Liath Dalton
right, when we’re talking about a VPN or an Internet Service Provider. Because to get into the kind of geeky part of HIPAA, when we’re talking about a Business Associate, or a service provider that handles Protected Health Information, when they are storing it and holding on to it, even if it’s encrypted and they don’t have the encryption key, so they couldn’t unencrypt it under any circumstances. If they’re storing it, then it is subject to the Business Associate Rule and doesn’t meet the conduit exception criteria.
Evan Dumas
Mhmm.
Liath Dalton
But ISPs and VPNs aren’t holding on to any of that data, so that’s why they actually qualify udner the conduit exception. Which is great because that opens things up in a couple of really useful ways, particularly in the group practice context.
Liath Dalton
Because you’ve heard us no doubt, talk about the prohibition on personal service use for any services that handle Protected Health Information. And so, you know, this applies to a prohibition on your team members using personal phone service for client communication, and so on and so forth. But when it comes to a VPN, not only does the conduit exception apply, but in part because it applies, and it’s not actually holding PHI that you need to have control over and access to, it means that clinicians can and team members can actually use their own VPN service.
Evan Dumas
Yeah. Uh-huh.
Liath Dalton
It doesn’t have to be a practice provided service.
Evan Dumas
Yeah.
Liath Dalton
So the in a nutshell about VPNs is they are not subject to HIPAA’s Business Associate Rule, you don’t need a BAA with the service provider. And in part because of that, it also means that it is one of the few services that relates to keeping client info safe that is possible to be used as a personal service and not a practice provided service.
Evan Dumas
Yeah.
Liath Dalton
Which segues to how password managers work as well.
Evan Dumas
Mhmm.
Liath Dalton
Password managers are one of the most helpful and supportive tools
Evan Dumas
Oh yeah.
Liath Dalton
that you can have in place in in your practice, because they’re so supportive of being able to manage a lot of the security requirements for keeping accounts safe.
Evan Dumas
Yeah, yep.
Liath Dalton
And that is, through having complex, unique passwords and login credentials for every system and service that is utilized.
Evan Dumas
Yup.
Liath Dalton
And that can get almost impossible, really to manage, especially with the number of services that folks utilize both personally and professionally, if you are just trying to manage it manually. So password management programs are an excellent tool that can really help us manage security and good security practices.
Evan Dumas
Mhm.
Liath Dalton
But even though they are holding the keys that unlock systems containing client information, the login credentials themselves, so the username and passcode or passwords that a password management program are holding on to and securing for you. That’s not PHI.
Evan Dumas
Nope.
Liath Dalton
So, a password management program is not qualified as a HIPAA Business Associate because they aren’t holding Protected Health Information on your behalf.
Evan Dumas
Yeah.
Liath Dalton
So again, the great news there is no BAA is necessary. And it also means the same thing as we
Evan Dumas
Yeah.
Liath Dalton
just expressed for VPNs, that you don’t need to have a prohibition on team members using a personal service, like their own password management program. It doesn’t have to be a practice provided
Evan Dumas
No.
Liath Dalton
password management program.
Evan Dumas
Yep.
Liath Dalton
That said, we do think that because the security benefits a password management program offers are so significant, especially in a group practice context, and because they’re really affordable as well, that it makes good sense to consider having a password management program be one of the practice provided resources.
Evan Dumas
Mhm.
Liath Dalton
Rather than relying on team members to have their their own password management program or making that optional.
Evan Dumas
Yeah.
Liath Dalton
So now let’s make some specific product recommendations,
Evan Dumas
Haha, yeah.
Liath Dalton
what password management program we like best, and why, and same for VPN service.
Evan Dumas
Yeah. All right. We really like 1Password. It’s the number 1 followed by the word Password. And they’re great. They’re based in Canada. They have a non data extradition clause even, which is really, really nice. They have no history of any intrusions or anything like that. And it’s also just really easy to use, and kind of pretty, which I find helps any bit of software makes it just calmer and more soothing for me. So I really enjoy them.
Evan Dumas
It is paid. So they don’t have a free tier, but they do have a free trial for a couple of weeks, give it a shot. It’s more economical, if you buy, their sort of like, family version so that you can have a lot of other family members on your plan. So that means you can set them up with password managers. And has lots of options for like, Oh, what, what passwords are unique, which passwords are shared, etc, for like, you know, for your Netflix or things versus you know, you want to keep your business ones separate. But it’s it’s very lovely, it’s great.
Liath Dalton
Absolutely. And you can set up different password vaults as well. And one great sort of benefit of that is that for providers who have a custodian of record in the event that they become unavailable, incapacitated or deceased, that the custodian of record is going to need to be able to access client info in order to fulfill their duties and responsibilities. And, that gets really challenging if you don’t have a mechanism of making sure that they have access to the systems that contain the information that they need,
Evan Dumas
Mhm.
Liath Dalton
through having updated login credentials. But you don’t want to be sending those back and forth, or having to remember to tell them every time you updated them, and don’t want them using those passwords, of course, unless it’s under the circumstances that the custodian of record agreement and situation is intended for. And so having a password vault that is shared with them, and has a kind of break the glass setup for providing access is another great perk.
Evan Dumas
Mhm.
Liath Dalton
So 1Password is our top password management program recommendation. It used to be that we would say that there were kind of three good contenders.
Evan Dumas
Yep.
Liath Dalton
The other two being LastPass and Dashlane, though we’ve always had, among the three, a strong preference for 1Password.
Evan Dumas
Yep.
Liath Dalton
But over the last couple of years, there have been a number of incidents with LastPass, in particular, that were were pretty problematic.
Evan Dumas
Yeah totally.
Liath Dalton
So because of that, we now do have the clear cut preference for for 1Password, and in part because the way 1Password is set up, is such that the issues that impacted LastPass are not in the realm of possibility for impacting 1Password because of the way they’re managing data.
Liath Dalton
So that’s our top recommendation there.
Evan Dumas
Mhm.
Liath Dalton
And then in terms of a VPN service, we also do have a
Evan Dumas
Yeah.
Liath Dalton
clear winner in that category as well.
Evan Dumas
Yeah,
Liath Dalton
You’ve you’ve played around with more VPNs as well.
Evan Dumas
I have.
Liath Dalton
So you can speak with direct experience as to why we have a preference for Nord VPN.
Evan Dumas
Yeah, so there’s a ton of VPNs out there, it seems like every bit of software has bundled in some of their own, like white labeled VPN. Like who knows who runs it but they’re like, we’ll toss it in a VPN, like through McAfee or Norton or what others, will just like throw it in. Just like some of them are now throwing it password managers.
Liath Dalton
Mhm.
Evan Dumas
Our, also general recommendation is, get software from people who know what how it works and what they’ve made it for. Purpose built. Not like software as an accessory. You know, like the free little doodad you get when you buy something else, is never as good as the thing you actually bought. So in this case, VPNs that may come through your ISP or other people, just aren’t as full featured, well made, or well supported, as one from an actual VPN company. And Nord VPN is, that’s what they’re mostly known for. It’s in their name.
Liath Dalton
Exactly, and it has the feature of a kill switch, as well.
Evan Dumas
Mhm.
Liath Dalton
Which is necessary when we are using a VPN for HIPAA security purposes. Which basically means means that if the VPN ceases functioning, it just closes off the connection to the internet, as well, until the VPN connection is reestablished. So that you aren’t connected to the internet without the protection of the VPN.
Evan Dumas
Yeah.
Liath Dalton
Which is when, you know bad guys can get in to your computer and wreak havoc. So that’s why a kill switch is important functionality there. And it’s really easy to configure and set up.
Liath Dalton
And then one of the other benefits of Nord VPN, which is particularly relevant for folks who may be needing to use a VPN to secure their network connection, specifically, when they are going to be doing a teletherapy session.
Evan Dumas
Yeah.
Liath Dalton
And that is that Nord has a lot of different server locations and allows you to pick the one that you are connecting to. So the benefit there is that you can pick one that is as close to your actual physical location as possible, which then means that there are less jumps that your connection has to make, and therefore much less likelihood of there being lag, which can impact video quality.
Liath Dalton
Oh quite a bit.
Liath Dalton
And that’s really something we don’t want happening in a teletherapy session.
Evan Dumas
No, no, no.
Liath Dalton
So, Nord is great at managing that aspect of things, too.
Evan Dumas
Mhm.
Liath Dalton
So there you have it! A couple specific product recommendations, and the important answer to “Do I need a BAA with these service providers?”, and the rationale for why not. So hopefully that helps you make some good choices about how to employ these tools within your practice.
Evan Dumas
Mhm.
Liath Dalton
Stay tuned for next time and more tech tips and HIPAA help.
Evan Dumas
Yeah, see you next time, everybody.
Liath Dalton
This has been Group Practice Tech, you can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share HIPAA considerations regarding VPNs and password managers for group practice owners.
We discuss if you need a BAA with your VPN service or your password management program; the conduit exception; how VPNs work; practice provided services vs personal services; and our specific product recommendations for VPNs and password managers (as well as why we like them).
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
Resources:
PCT Resources:
- PCT Blog post: With a VPN, Your Staff Can Work Just About Anywhere
- PCT’s free Group Practice Service Selection Workbook & Worksheets Step 1 of the PCT Way — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational need
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
Group Practices
Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.
Solo Practitioners
Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.