HIPAA Compliance Information
Our team at Note Designer, most of whom are Ph.D. clinicians with a background in ethics, understands the ethical importance of ensuring that your electronic protected health information (ePHI) remains private and secure. In addition to the general ethical imperative of maintaining the confidentiality and security of patient information, many clinicians in the United States are also required to ensure that they comply with the standards and regulations of the Health Insurance Portability and Accountability Act (HIPAA). In Canada (where Note Designer Inc. is incorporated and located) we are governed by a similar set of federal regulations set forth in the Personal Information Protection and Electronic Documents Act (PIPEDA). In this document, we will outline the steps taken at Note Designer to ensure that our company is and will remain HIPAA (and PIPEDA) compliant.
HIPAA and Note Designer Products:
The need for HIPAA compliance applies to any covered entity or business associate that receives, transmits, retains, or stores ePHI. Please take note that Note Designer never transmits, retains, or stores any ePHI. (The recently discontinued download version of Note Designer, which offers temporary password-protected storage, only stores the information on the clinician’s own computer hard drive, and Note Designer Inc. does not have any access to this information.) Note Designer Inc. does not have access to a clinician’s ePHI, and we do not transmit any ePHI or store any ePHI on our servers. When you use Note Designer and enter any ePHI, this is all happening locally in your computer’s browser. Thus, the protection and security of that information is in the direct control of the clinician and remains their responsibility (e.g., ensuring that electronic files are stored in a HIPAA-compliant manner in an EHR or on the clinician’s own hard drive, that unauthorized individuals don’t have access to the clinician’s personal computer, that there is a backup copy of ePHI stored in a safe off-site location, etc.).
Because Note Designer does not store or transmit ePHI, HIPAA compliance rests in the hands of the individual user. That being said, we do play a role in assisting clinicians in the way they document their clinical work, and we are inviting them to enter ePHI into their own personal computer system. Because of this, out of an abundance of caution, and out of our own professional desire to promote, meet and maintain the highest ethical standards of a mental healthcare professional, we at Note Designer have taken the necessary measures to ensure that we comply with all HIPAA standards and regulations.
HIPAA Compliance Measures:
At Note Designer, we implement the following measures to ensure we are and remain HIPAA compliant:
- Note Designer has a trained and designated HIPAA compliance officer who oversees the HIPAA Privacy and HIPAA Security of all Note Designer products and procedures.
- All Note Designer employees have received the required training in HIPAA compliance standards, regulations and practices. This HIPAA awareness training is updated every two years (as required by HIPAA compliance standards).
- Note Designer has and maintains a HIPAA compliance binder that contains all required and necessary documentation regarding both HIPAA privacy and HIPAA security.
HIPAA and Note Designer Users:
In the interest of offering some guidance to our users regarding their own need to maintain HIPAA compliance we offer the following reminders:
- Because all ePHI entered using Note Designer software remains on the clinician’s local computer system, it is important that the individual clinician take all necessary steps to protect the privacy and security of that information. Some suggestions include:
  - encrypting the hard drive of your computer;
  - encrypting any electronic files you choose to keep on your own computer (easily done on most computer systems);
  - deleting all ePHI from your hard drive (ideally by wiping the drive) before decommissioning your computer;
  - using a secure password to log in to your computer;
  - making sure your malware and antivirus protection is up to date;
  - considering a dedicated computer for your clinical work that you store in a locked cabinet;
  - never leaving your computer with ePHI unattended;
  - making sure your Electronic Health Record (EHR) company is HIPAA compliant;
  - never transmitting ePHI using public email systems (e.g., Gmail, Hotmail, etc.);
  - limiting unsecured communications with clients and being sure to inform clients of the limits to the security and privacy of any communications done electronically.
- For clinicians using the now-discontinued downloadable version of our software, who choose to store / back up their notes as they work, keep in mind that although such notes are password-protected when stored in the small database file (included with Note Designer when you install it on your hard drive), this file could nonetheless be opened by an experienced programmer who has access to your computer. Be sure to promptly delete any notes that you choose to back up temporarily, to ensure that your computer is not accessed by unauthorized persons, and to delete all ePHI from your hard drive (ideally by wiping the drive) before decommissioning your computer.
- For clinicians using the current online/subscription version of our software who create their own custom statements and custom templates with Note Designer, please note that these statements are stored on our HIPAA compliant server system in an unencrypted form. Even though this is a secure server system, users should not create any custom statements that might reveal any ePHI (e.g., including a client’s name or other identifying information in a custom statement etc.). We are happy to store your custom statements so that you never have to worry about losing them in the event of a computer mishap, but we cannot guarantee secure, encrypted storage of ePHI entered intentionally or inadvertently into the customization slots.
Note Designer’s AI-Assisted Treatment Notes and HIPAA Compliance:
At Note Designer, we prioritize the confidentiality and security of our users’ data, especially when it involves sensitive health information. We are committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA), ensuring the utmost protection of electronic protected health information (ePHI).
What is ePHI?
According to HIPAA, ePHI constitutes electronic health information that also conveys a patient’s identity such as their name, date of birth, exact age, addresses, social security numbers, email addresses, phone numbers, geographical identifiers such as zip codes, dates of service such as admission dates, health insurance numbers, account numbers, license numbers, serial numbers, web URLs and IP addresses. To help clarify further: “depressed mood and anxiety” is considered health information. “Ms. Smith demonstrates depressed mood and anxiety” is identified health information. And when you as a therapist electronically record “Ms. Smith demonstrates depressed mood and anxiety”, this constitutes electronic Protected Health Information (ePHI). When the identifying information is removed from a patient’s record, the record is referred to as being “de-identified” and is no longer considered to be ePHI according to HIPAA.
Key Features of Our HIPAA-Compliant AI-Assisted Notes:
Local Processing of ePHI: All electronic protected health information (ePHI) is processed within your own browser. Note Designer does not have access to this information. This design ensures that no identifying ePHI is transmitted over the internet or to our AI system.
No ePHI Transmission to AI System: Our AI functions are not involved in receiving, processing, or storing any ePHI. This ensures that the sensitive patient information remains within your control and does not leave the local environment – your browser. Please ensure that you do not add ePHI to any inputs other than the ePHI Headings tab of your note.
Data Storage and Privacy: We do not store any protected health information (PHI) or clinical notes on our servers. Our infrastructure is specifically designed to process requests without retaining any PHI, aligning with the HIPAA Privacy Rule.
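As an added illustration of the separation described above (example code written for this page, not Note Designer’s own software), the following browser-side JavaScript models a note with an ePHI Headings section that never leaves the browser and AI-bound fields that are checked for identifier shapes from the ePHI definition above before any request is built. The field names, the sample notes and the patterns are assumptions made for the example. Names and free-text addresses cannot be matched by a pattern, so a check like this is a backstop for the rule that ePHI belongs only in the ePHI Headings tab, not a substitute for it.

```javascript
// Added example, not Note Designer's code. A note is assumed to have two parts:
//   ephiHeadings - identifying fields, kept in the browser and never sent
//   aiInputs     - clinical wording that may be sent to a remote AI service
// Before an AI request is built, every AI-bound field is scanned for HIPAA
// identifier categories that have a recognizable shape (SSN, phone, email,
// dates, IP addresses, URLs, zip codes). Names and street addresses have no
// reliable shape, so they are not caught here; the clinician keeps them out.

const IDENTIFIER_PATTERNS = [
  { kind: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { kind: "phone", re: /(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}\b/g },
  { kind: "email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { kind: "date",  re: /\b(?:\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b/g },
  { kind: "ipv4",  re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
  { kind: "url",   re: /\bhttps?:\/\/\S+/gi },
  { kind: "zip",   re: /\b\d{5}(?:-\d{4})?\b/g },
];

// Return every identifier-shaped substring found in `text`, ordered by position.
function scanForIdentifiers(text) {
  const findings = [];
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind, match: m[0], index: m.index });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Replace each identifier-shaped substring with a marker, so the clinician can
// see what would be stripped and decide whether the field needs rewording.
function redactIdentifiers(text) {
  let out = text;
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    out = out.replace(re, `[${kind} removed]`);
  }
  return out;
}

// Build the request body for the AI service. ephiHeadings is never copied in.
// If any AI-bound field contains an identifier shape, nothing is built and the
// findings are returned so the user can fix the note locally.
function prepareAiPayload(note) {
  const findings = [];
  for (const [field, text] of Object.entries(note.aiInputs)) {
    for (const f of scanForIdentifiers(text)) {
      findings.push({ field, ...f });
    }
  }
  if (findings.length > 0) {
    return { ok: false, findings };
  }
  return { ok: true, payload: { ...note.aiInputs } };
}

// Constructed sample notes (fictional values, assumed field layout).
const SAMPLE_NOTE = {
  ephiHeadings: {
    clientName: "Jane Doe",
    dateOfBirth: "03/14/1985",
    phone: "(555) 123-4567",
  },
  aiInputs: {
    presentation: "Client demonstrates depressed mood and anxiety; sleep onset delayed.",
    interventions: "Reviewed thought records; introduced behavioral activation.",
  },
};

const LEAKY_NOTE = {
  ephiHeadings: { ...SAMPLE_NOTE.ephiHeadings },
  aiInputs: {
    // Identifying details mistakenly typed into an AI-bound field.
    presentation: "Ms. Smith (DOB 03/14/1985, SSN 123-45-6789) demonstrates depressed mood; reach her at jane@example.org.",
    interventions: "Reviewed thought records.",
  },
};

// Stand-alone demonstration.
console.log(prepareAiPayload(SAMPLE_NOTE));
console.log(prepareAiPayload(LEAKY_NOTE));
console.log(redactIdentifiers(LEAKY_NOTE.aiInputs.presentation));
```

Running it shows the clean note producing a payload that contains only the two clinical fields, while the leaky note is blocked with the date, SSN and email flagged by field; the redacted string still contains "Ms. Smith", which is the point of the caveat above.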
Our Commitment to Privacy and Security:
We understand the importance of safeguarding patient privacy and data security. Our systems are regularly monitored and updated to ensure robust security measures in line with HIPAA regulations. By keeping all ePHI localized and ensuring that our servers play no role in its transmission or storage, we provide a secure environment for managing health information.
If you have any questions about Note Designer and HIPAA (or PIPEDA) compliance, please feel free to email us at firstname.lastname@example.org