> The psychologists/therapists themselves would always be bound by HIPPA, from what I understand. But I don’t think that a service like BetterHelp would be bound any more than google calendar would be bound by HIPPA just because doctors are using it.
If a covered entity is using it to gather and return PHI from/to clients then either (1) the service provider must be a business associated (and is, therefore, covered by HIPAA), or (2) any PHI must pass over the service provider’s encrypted and inaccessible to the service provider, and every time that doesn’t occur is a privacy breach.
But both this article and the FTC page on the settlement make it sound like BetterHelp is a provider [0], not an intermediary (note that them being subject to FTC jurisdiction because of violation of their published privacy policy, etc., does not mean that they would not also be subject to HHS jurisdiction for HIPAA violations.)
[0] From the FTC page: “California-based BetterHelp offers online counseling services under several names, including BetterHelp Counseling”
If a covered entity is using it to gather and return PHI from/to clients then either (1) the service provider must be a business associated (and is, therefore, covered by HIPAA), or (2) any PHI must pass over the service provider’s encrypted and inaccessible to the service provider, and every time that doesn’t occur is a privacy breach.
But both this article and the FTC page on the settlement make it sound like BetterHelp is a provider [0], not an intermediary (note that them being subject to FTC jurisdiction because of violation of their published privacy policy, etc., does not mean that they would not also be subject to HHS jurisdiction for HIPAA violations.)
[0] From the FTC page: “California-based BetterHelp offers online counseling services under several names, including BetterHelp Counseling”