[Transcript] Episode 443: Your Phone Calls Might Not Be Secure
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 443: Your Phone Calls Might Not Be Secure.
Liath Dalton
We know that is a scary thought to consider, particularly in the context of client phone calls, and also in terms of personal phone calls. And we don’t want to be fear mongering, but we want to inform you of what the reality is in terms of the risk exposure and threats that are actively being realized currently, and then equip you to be able to navigate that and communicate securely and safeguard client info and communications.
Liath Dalton
So what precipitated our deciding to discuss this today is the recently revealed massive Chinese hack of global telecom providers.
Evan Dumas
Yeah.
Liath Dalton
Yeah. Which is incredibly massive. So far we know that like 80 global telecom providers, including AT&T, Verizon, T-Mobile, etc., have all been infiltrated, and the FBI and CISA, and the National Security Agency, are letting us know that that’s also ongoing.
Liath Dalton
So what does that mean? Well, in the words of one official, unless you’re using a specialized app, any one of us, and every one of us today, is subject to the review by the Chinese government of any cell phone conversation you have with anyone in America.
Evan Dumas
Mhm. yeah.
Liath Dalton
Doesn’t sound good.
Evan Dumas
Haha, no.
Liath Dalton
Right? Okay, so let’s take a step back though and talk about what the alternatives are. Because it’s already addressed in that quote I just shared, of the specialized app, which means that if you are using a phone service that works through an app that provides encryption, that is protecting you, providing a good layer of protection from that infiltration, and that is what we refer to as secure communications.
Evan Dumas
Mhm.
Liath Dalton
And under HIPAA, the HIPAA Security Rule, specifically transmission security, they want secure communications. Secure communications, encryption while data is in transit and at rest, is required, and that applies to phone communications and text communications. And yet, we kind of exist in this context where, because there are exceptions to that, with caveats, of course, and we’re going to talk about what those are, a lot of people are using non-secure communications that don’t meet the HIPAA Security Rule transmission security standard, and in a number of cases, also aren’t what we refer to as HIPAA friendly.
Liath Dalton
So let’s talk about what HIPAA secure is, and then what HIPAA friendly is, and then we’ll talk about the solutions. So HIPAA secure means that all the data that’s being handled is being encrypted, and that you have a Business Associate Agreement in place with the service provider that’s handling that data, that’s providing that service to you. That’s HIPAA secure.
Liath Dalton
Now, HIPAA friendly is a service with whom you have a HIPAA Business Associate Agreement, but where the communications aren’t encrypted, where the transmission security standard isn’t being met. But that is HIPAA acceptable, provided, and here’s the really key piece, provided two things: one, reiterating that you must have a HIPAA Business Associate Agreement with the service provider, and two, that the client whom you are communicating with has requested non-secure communications, has been informed of the risks and agrees to accept them anyway.
Liath Dalton
And Evan, what is something that we utilize with folks in helping them talk to and inform clients about the risks of non-secure communication, to make sure that if they are giving that request or making that request, it actually is informed?
Evan Dumas
Oh yeah, it’s a real simple little document called the request for non-secure communication, and it lets clients opt out of secure communication, saying that secure communication is the default, that it informs them of the risks, and it also, straight up gets their signature on it, because you both need to inform them and get their signature of consent.
Liath Dalton
Exactly. And paired with that is also an email and texting risk questionnaire that you can utilize, either to go through it or just to be a basis for having a conversation about it as well. And Evan emphasized something that’s really vital here, which is that secure communications needs to be the default. If you are using HIPAA friendly communication, but don’t have HIPAA secure communication, clients are not actually able to choose; they don’t have choice and autonomy there. So their request is really because they have no other means of being able to communicate with you. So that’s not meeting the HIPAA standard or the standard of care either. So it really is imperative to have secure communications available. And as Evan said, secure communications needs to be the default.
Liath Dalton
And when using non-secure, it can only be provided that the client has requested it after being informed of the risks, that you document that, and, just reiterating again, because we see this not in place so often, unfortunately, the Business Associate Agreement with the service provider that’s handling those communications.
Liath Dalton
So that’s your default AT&T, T-Mobile, or Verizon line, where you don’t have a BAA, where they’re not handling that data any differently to the average consumer line, right? So that does mean there is really a significant responsibility for how communications of this nature are managed, and that we put the correct systems and processes and policies in place to ensure that all of the standards are being met.
Liath Dalton
So you might be thinking, well, I use a VoIP service, a Voice over Internet Protocol phone service for my practice, and I have a HIPAA Business Associate Agreement with them. Does that mean that my communications are secure, and that this is not an issue that could impact me? It depends which VoIP service you are using.
Liath Dalton
There are a lot of VoIP services that are HIPAA friendly, but that don’t have the secure messaging feature specifically. So if you are looking for a platform that does have the secure messaging feature, which is what we strongly, strongly recommend, some good options there are, iPlum, Spruce Health is another. Those are really the top two in terms of features, functionality and affordability.
Liath Dalton
There is at least one platform that is specifically marketed to healthcare providers saying that they are secure communications, when they are not. And so that is a service that we strongly advise against using. You can use it in a HIPAA friendly way, but it’s not HIPAA secure, and because of the kind of patent misrepresentation of the functionality, we don’t have trust or confidence in that provider. And I’m going to go ahead and name them, that’s phone.com.
Liath Dalton
So we strongly advise, in the current landscape and what’s going on, threat wise, that you make sure that your practice is utilizing a phone service that really meets your needs as a mental health care provider, as a HIPAA covered entity, and that is not going to create issues for you and how you’re able to safeguard your practice and your clients’ info.
Liath Dalton
I know that the phone service piece has been really wonky for a long time. Because there used to be a consideration that it was kind of excepted from the HIPAA Security Rule, because classic landlines, like traditional analog landlines, weren’t subject to the Security Rule, but those don’t exist anymore, really; they are now digital and using Wi-Fi. And the Office of Civil Rights, the HIPAA regulators, have clarified in great detail that cell communications and modern phone service absolutely are within the purview of the HIPAA Security Rule.
Liath Dalton
So even though that is a shift from how things were managed for a long time, and what kind of became the colloquial understanding of, ah, there’s this exception or area where HIPAA doesn’t really apply, that is no longer the case. And because that’s the case both in the regulatory requirement realm and in the real threat realm, we wanted to emphasize that, let you know what your options are, and also just kind of highlight why this is a topic that should be addressed and not left to chance down the road.
Liath Dalton
Now, Evan, you’re always really good at assuaging worry. What would you add to this, now that I’ve been so emphatic? What would you add for folks?
Evan Dumas
Oh, well, you know this decision is to be made by a well informed client. So like, let them make the decision. So now you as a practitioner have the information that, oh crap, all our phone calls may have been spied on, and you’re like, oh, do I need to switch to iPlum, etc.? And you make the switch, you find the right items, and you try to present it to your clients, and your clients may say, you know, I’m okay with phone calls, like VoIP phone calls, etc. I don’t fear being spied on, etc., but I’m still glad you’re learning of this, because you want them to be informed.
Evan Dumas
Yeah.
Evan Dumas
Maybe they’re like, oh, crap, I’m kind of a dissident, or, oh, I have family members who may be targeted, or I do work with state based things, I don’t want my phone calls exposed. Thank you for informing me. So just sharing the information and comforting your clients. And, oh, here are some alternatives. Yes, we used to do it the wrong way, but we can do it the right way, and we care about your security.
Evan Dumas
It’s just, all this care around confidentiality, availability, integrity that HIPAA has can be reframed as client care, because you’re caring about client coordination, sorry, client communications, client info and those types of things. So if you see it in that light, it’s much easier to swallow, I could say. So try to wear it in that light.
Liath Dalton
That’s a perfect point, Evan, that it is about client care at the heart of it, and the way you approach it as a clinician and as a practice owner, or if you’re a group practice leader, the way you approach it with your team as well, has a big impact on how it’s received and the kind of success of onboarding people to secure communications. If you are approaching it as, this is something to our benefit, this is something that’s part of how we care for clients, it matters. Instead of, this is a kind of arbitrary requirement that requires we do things that are a bit more of a pain than the default way, or the old way of doing them. That’s going to land a little differently.
Liath Dalton
So wanting to equip you going forward, please check out the show notes, because we will link to our free email and texting risk questionnaire form and the request for non-secure communications, though, again, that should only be utilized if you have a secure communications option.
Liath Dalton
And for a long time, PCT has taken the position that really secure communications should be the exclusive option. But we understand, as many practitioners do as well, that for some, the hassle of using a specific app for communications isn’t worth it. So there are provisions for that, too. So check those show notes out for those free resources to help you out. Thanks for joining us, and we’ll talk to you next time.
Evan Dumas
Yeah, talk to you next time everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we dive into the importance of secure phone communications for therapy providers.
We discuss:
- The recently revealed hack of major global telecom providers
- The difference between secure communications and non-secure communications
- The difference between HIPAA secure and HIPAA friendly
- How clients can opt out of secure communications
- Which VoIP services are HIPAA secure (and which major one isn’t)
- Reframing HIPAA security as client care
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
- Article: Chinese hack of global telecom providers is ‘ongoing,’ officials warn
- Officials from the FBI and the Cybersecurity and Infrastructure Security Agency say the major Chinese hack began in late spring, and they are strongly urging Americans to use encrypted communications.
PCT Resources:
- Related on-demand CE Training: Smooth and Secure Use of Phone, Text, Email, and Video to Meet Modern Clients Where They Are: Legal-Ethical and Real-World Considerations (3 legal-ethical CE credit hours)
- Learn about the legal-ethical considerations of modern communication channels in the context of real world practice and client needs. (Ideal for leadership.)
- PCT’s free Group Practice Service Selection Workbook & Worksheets — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs
- optional accompanying on-demand CE training: Designing a Group Practice’s Tech Setup for Success: Effectiveness, HIPAA Compliance, Client Safety, and Efficiency (1 legal-ethical CE credit hour)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.