
Apparently these kinds of services are exempt from HIPAA which is a huge problem and really should be more of an outrage and resolved quickly by congress.


Sorry to ask for a source, but is that actually true? I'm pretty sure they are covered. I would be interested in opening an account and filing a complaint against them if they aren't treating PII or PHI in a compliant manner.


The psychologists/therapists themselves would always be bound by HIPAA, from what I understand. But I don't think that a service like BetterHelp would be bound any more than Google Calendar would be bound by HIPAA just because doctors are using it. "Covered entities" are usually just the medical companies, insurance companies, and some governmental agencies when it comes to HIPAA.


> The psychologists/therapists themselves would always be bound by HIPAA, from what I understand. But I don’t think that a service like BetterHelp would be bound any more than Google Calendar would be bound by HIPAA just because doctors are using it.

If a covered entity is using it to gather and return PHI from/to clients then either (1) the service provider must be a business associate (and is, therefore, covered by HIPAA), or (2) any PHI must pass over the service provider’s encrypted and inaccessible to the service provider, and every time that doesn’t occur is a privacy breach.

But both this article and the FTC page on the settlement make it sound like BetterHelp is a provider [0], not an intermediary (note that them being subject to FTC jurisdiction because of violation of their published privacy policy, etc., does not mean that they would not also be subject to HHS jurisdiction for HIPAA violations.)

[0] From the FTC page: “California-based BetterHelp offers online counseling services under several names, including BetterHelp Counseling”


There are two different types of covered entities - providers, and those providing services to providers.


Put simply, HIPAA only applies to insurance based transactions.


> Put simply, HIPAA only applies to insurance based transactions.

That’s not true.

(Following explanation has been edited significantly to accurately describe how HIPAA applies beyond insurance transactions; original was overly broad.)

HIPAA was centrally about insurance (it is the “Health Insurance Portability and Accountability Act”), and only covers providers who conduct certain insurance-related transactions electronically, but the privacy positions apply to conduct by those covered healthcare providers generally as well as the whole chain of insurance transactions connected to them (not just to the content of covered insurance transactions, or patients involved in those transactions), it was put in the bill to address concerns with the standardization and promotion of electronic transactions and standard identifiers for insurance transactions, which critics feared would result in a health care privacy apocalypse, but it applies beyond the scope of the insurance transactions.


I will die on this hill. I ran a HealthTech company and we spent extensive time and legal counsel understanding our HIPAA obligations.

For example, if a provider is cash-only, they are not bound by HIPAA.

----

It's really important to see the nuance in the definition of a covered entity: https://www.hhs.gov/hipaa/for-professionals/covered-entities...

> This includes providers such as:

> Doctors

> Clinics

> Psychologists

> Dentists

> Chiropractors

> Nursing Homes

> Pharmacies

> *...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.*

Emphasis mine. That last sentence is the big "gotcha" on who HIPAA applies to.


You are correct that HIPAA only applies to entities who engage in insurance-related transactions, and that a cash-only provider would not be bound by it, and you are right to point this out as an important limitation.

At the same time, it does not apply only to insurance-based transactions; its applicability is on an entity level, not just a transaction level. A cash patient at a provider who engages in covered transactions is still protected by HIPAA.


> At the same time, it does not apply only to insurance-based transactions; its applicability is on an entity level, not just a transaction level. A cash patient at a provider who engages in covered transactions is still protected by HIPAA.

Also not true.

By default, if something in an organization is HIPAA-bound, the whole organization is. However, HIPAA allows organizations to be "hybrid entities". Essentially, should an organization have a desire, they can carve out the non-HIPAA compliant parts of their business as a "non-HIPAA entity".

You don't really see this in the "standard" healthcare system. It's simply far easier for everything to be treated under the same umbrella. Particularly, since most of them stand to gain nothing additional than the transaction-for-healthcare piece.

However, it seems far more common in the "direct-to-consumer" space where these companies are banking on secondary data and marketing plays.


>> A cash patient at a provider who engages in covered transactions is still protected by HIPAA.

> Also not true.

Wait, what? So if I'm paying my doctor in cash, then my doctor is not bound by HIPAA rules?

The rest of your comment doesn't seem to explain this (or I didn't understand it.)

If true, this is deeply disturbing, as it's not unusual that I pay in cash. I always assumed that I had even better privacy because no insurance company was being informed of my visit. It would mean that HIPAA isn't just weaker than people think, it's extremely weak.


> Wait, what? So if I'm paying my doctor in cash, then my doctor is not bound by HIPAA rules?

Only if the doctor does not accept any insurance payments at all (i.e., from other patients). If they're "in network" with any insurance provider, they're generally required to abide by HIPAA for all patients. It's possible to get around that, but most independent providers aren't going to bother, and neither are larger health systems. Smaller practice conglomerates (e.g. the for-profit startups you see advertising on social media) are the ones most likely to be taking advantage of this.

The main other case where you see this come up is outpatient therapy or psychiatry, because providers in most other contexts are not 100% self-pay, but many mental health providers are 100% self-pay.

> it would mean that HIPAA isn't just weaker than people think, it's extremely weak.

HIPAA is extremely weak. It's better than nothing, because the few protections it gives are important, but it's nowhere near sufficient.


It’s getting into territory that’s beyond my complete comprehension and ability to explain. There’s also a difference between what’s technically possible and what’s practical. Most places aren’t putting the effort into splitting.

If your doctor accepts insurance, they’re likely treating everything as though it’s covered by HIPAA. If your doctor is cash-only, then they are not bound by HIPAA (unless they have some other agreement that binds them).


Wow. I definitely learned something today.


This is not accurate. That's its main purpose, but it covers more than just that.

https://www.cdc.gov/phlp/publications/topic/hipaa.html


It's not fully accurate, but it's accurate enough for lay people. I founded a HealthTech company. I'm very familiar with the rules.

The key here is in the definition of a covered entity: https://www.hhs.gov/hipaa/for-professionals/covered-entities...

> [list of providers] ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

In grossly simple terms, that means if insurance/medicare/medicaid is not involved, it's not a "transaction for which HHS has adopted a standard"


Ah, I understand. Thank you. That explains the existence of several troubling loopholes I've seen.


Yep. We actually got multiple legal opinions on this. I was coming in from outside healthcare and absolutely baffled how little HIPAA applies to.


My wife is a nurse, and she once made a comment that alluded to this. She said that where HIPAA applies, it applies very strongly. That's why hospital staff, for instance, are always extremely careful about not violating HIPAA. But, she said, it doesn't apply everywhere. Her example was with drug and medical appliance companies who use patient data for marketing purposes.


Yep, if you’re a covered entity, you want to make sure you get things right. Punishments for being wrong can be very severe.

Many organizations will use an abundance of caution and treat far more than necessary as HIPAA-controlled simply because it’s less risky.



