Lately I've been looking through therapists' websites to gain some inspiration, and I notice that they all have forms where they are taking in ePHI. Do people just have no fear of HIPAA? Because it legitimately scares the poop out of me!
I know for a fact all of those sites don't have a BAA with their hosting, and they're not using a third-party form builder. I pay a buttload for HIPAA-compliant software, and I kind of feel like a sucker!
I guess my question is: Is HIPAA not concerned about small practices?
Update: I didn't think this would turn into arguments about HIPAA. I am the Privacy Officer for my company and it is a bit shocking to see the amount of misinformation being posted. I am going to post some helpful information here with sources. Do with it as you please.
Notice: I used AI to fix my writing to ensure accurate grammar and completed thoughts
- HIPAA is not limited to established clients. PHI is not defined as “information in an existing client chart.” It is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate and relates to health, care, or payment for care. A prospective therapy client can absolutely submit PHI before they are formally onboarded.
- A malpractice lawsuit and a HIPAA issue are different things. A malpractice claim usually depends on a provider-patient duty, but HIPAA is a federal privacy/security framework. “They aren’t my client yet” may matter for malpractice analysis, but it does not automatically answer whether the practice received or maintained PHI.
- A person voluntarily typing information into your form does not automatically remove your HIPAA duties. Patients can choose to share information, and HHS does allow patients to initiate contact by email. But once a covered provider receives identifiable health information through a system the provider set up, the provider still has to handle it appropriately.
- The key question is what the form invites or receives. A form with only “name, phone, email, preferred contact method” is lower risk. A form asking for symptoms, diagnosis, insurance, reason for therapy, medication, crisis details, appointment type, or a free-text “tell us what’s going on” box is much higher risk.
- “Don’t include sensitive information” disclaimers help, but they are not magic. They can reduce risk, especially on a very limited contact form, but they do not turn a form designed to collect health-related details into a non-HIPAA workflow.
- A third-party form, website host, CRM, portal, or cloud service may need a BAA if it creates, receives, maintains, or transmits ePHI for the practice. HHS says covered entities using cloud service providers for ePHI need a HIPAA-compliant business associate agreement and must otherwise comply with the HIPAA Rules.
- “Google” and “Google Workspace with a BAA” are not the same thing. Google Workspace can be used in a HIPAA-supporting way if the right agreement, services, configuration, access controls, and policies are in place. A personal Gmail account or random Google product is not automatically HIPAA compliant.
- “Two-factor authentication” is not the HIPAA compliance test. MFA is a good security control, but HIPAA Security Rule compliance is broader: access controls, risk analysis, risk management, audit controls, workforce access, policies, vendor management, and breach response all matter.
- Email is not automatically forbidden, but it has to be handled thoughtfully. HHS says patients may initiate email communication and providers can respond after warning patients of risks when appropriate. That is different from saying a practice can route all inquiry PHI through any unsecured website form, plugin, or hosting provider without considering HIPAA.
- “I’ve never seen anyone punished for this” is not the same as “it’s compliant.” Enforcement risk may be low in some situations, but compliance is not based on whether someone thinks OCR or a licensing board will notice.
- The reasonable middle ground: not every basic contact form is automatically a HIPAA disaster, but it is also wrong to say HIPAA only starts after someone becomes an official client. If a therapy practice receives identifiable information about someone’s mental health needs through its systems, it should treat that information as PHI/ePHI.