All providers will complete mandatory HIPAA training at the time of onboarding and annually. We provide more details about HIPAA in our Compliance Plan. Here are a few things to remember:
-
As a covered entity, you'll need to make sure that your email is HIPAA compliant. Please read this article for best practices for HIPAA-compliant email services. For example, many providers who contract with Rula use ProtonMail, HushMail, MailHippo, or Google Workspace (with a BAA).
- Be sure you keep your remote work environment HIPAA compliant. Household members should never hear your sessions or see patient information. Patients are entitled to the same level of privacy during telehealth sessions as they would receive during in-person care, and providers are ethically obligated to maintain patient privacy. Therefore, you'll need to conduct telehealth sessions in a private location where patient privacy is assured, and others will not overhear the call.
- Providers are prohibited from downloading or printing patient records.
-
Rula is the custodian of the record. Therefore, records can only be released to patients by our Medical Records team, records@rula.com.
-
Rula promotes a supportive and "just" culture of compliance where we constantly learn and work to improve our system and processes. To self-report any HIPAA violations or concerns, please contact privacy@rula.com or use the Compliance Hotline to file a report.
-
All registered patients have provided consent for Rula to call, text, and email them without encryption. Details are available here.
- The phone and the internet are data conduits that do not require a BAA or additional HIPAA security controls. Your phone is considered HIPAA secure as long as you use a password on your mobile device. In addition, a covered entity is not responsible for the privacy or security of individuals' health information once it has been received by the individual's phone or other devices.
- Some providers set up a Google Voice or Grasshopper number if you prefer to use something other than a personal cell phone.
- Rula does not endorse the use of any specific email or phone service.
Sharing PHI with Third Parties
To ensure the integrity of Rula client records, we prohibit providers from sharing client PHI with any third parties. This includes but is not limited to office staff, assistants, and interns. By limiting the sharing of information, we safeguard clients’ PHI and uphold our responsibilities as the custodian of records.
We understand that technology plays a vital role in enhancing our services, and we want to assure you that we will communicate with you if we adopt any third-party software.
Recording sessions
Rula does not allow providers to record sessions with clients. Rula wants clients to feel comfortable and trust that their sessions are kept confidential. Because Rula is the custodian of records, if providers created and stored recordings of client sessions, it would be difficult for us to ensure the recordings are stored securely as required by applicable privacy laws.
Patients who wish to record a session with a provider must first discuss the request with the provider. Patients may only record a session if the provider gives explicit consent. It is important to ensure that both parties are in agreement and comfortable with the arrangement before a patient records a session.
Providers should document providing or denying consent in the patient's medical record.
Updated