HIPAA Compliance Information
Our team at Note Designer, most of whom are Ph.D. clinicians with a background in ethics, understands the ethical importance of ensuring that your electronic protected health information (ePHI) remains private and secure. In addition to the general ethical imperative of maintaining the confidentiality and security of patient information, many clinicians in the United States are also required to comply with the standards and regulations of the Health Insurance Portability and Accountability Act (HIPAA). In Canada (where Note Designer Inc. is incorporated and located) we are governed by a similar set of federal regulations set forth in the Personal Information Protection and Electronic Documents Act (PIPEDA). In this document, we outline the steps taken at Note Designer to ensure that our company is and will remain HIPAA (and PIPEDA) compliant.
HIPAA and Note Designer Products:
The need for HIPAA compliance applies to any covered entity or business associate that receives, transmits, retains, or stores ePHI. Please take note that Note Designer never transmits, retains, or stores any ePHI. (The recently discontinued download version of Note Designer, which offers temporary password-protected storage, only stores the information on the clinician’s own computer hard drive, and Note Designer Inc. does not have any access to this information.) Note Designer Inc. does not have access to a clinician’s ePHI, and we do not transmit any ePHI or store any ePHI on our servers. When you use Note Designer and enter any ePHI, this all happens locally in your computer’s browser. Thus, the protection and security of that information is in the direct control of the clinician and remains their responsibility (e.g., ensuring that electronic files are stored in a HIPAA-compliant manner in an EHR or on the clinician’s own hard drive, that unauthorized individuals do not have access to the clinician’s personal computer, that there is a back-up copy of ePHI stored in a safe off-site location, etc.).
Strictly speaking, Note Designer therefore falls outside the scope of the HIPAA compliance requirement. That being said, we do play a role in assisting clinicians in how they document their clinical work, and we invite them to enter ePHI into their own personal computer systems. Because of this, out of an abundance of caution, and from our own professional desire to promote, meet and maintain the highest ethical standards of the mental healthcare profession, we at Note Designer have taken the necessary measures to ensure that we comply with all HIPAA standards and regulations.
HIPAA Compliance Measures:
At Note Designer, we implement the following measures to ensure we are and remain HIPAA compliant:
- Note Designer has a trained and designated HIPAA compliance officer who oversees the HIPAA Privacy and HIPAA Security of all Note Designer products and procedures.
- All Note Designer employees have received the required training in HIPAA compliance standards, regulations and practices. This HIPAA awareness training is updated every two years (as required by HIPAA compliance standards).
- Note Designer has and maintains a HIPAA compliance binder that contains all required and necessary documentation regarding both HIPAA privacy and HIPAA security.
HIPAA and Note Designer Users:
In the interest of offering some guidance to our users regarding their own need to maintain HIPAA compliance we offer the following reminders:
- Because all ePHI entered using Note Designer software remains on the clinician’s local computer system, it is important that the individual clinician take all necessary steps to protect the privacy and security of that information. Some suggestions include:
  - encrypting the hard drive of your computer;
  - encrypting any electronic files you choose to keep on your own computer (easily done on most computer systems);
  - deleting all ePHI from your hard drive (ideally by wiping the drive) before decommissioning your computer;
  - using a secure password to log in to your computer;
  - making sure your malware and antivirus protection are up to date;
  - considering a dedicated computer for your clinical work, stored in a locked cabinet;
  - never leaving a computer containing ePHI unattended;
  - making sure your Electronic Health Record (EHR) company is HIPAA compliant;
  - never transmitting ePHI using public email systems (e.g., Gmail, Hotmail, etc.);
  - limiting unsecured communications with clients and being sure to inform clients of the limits to the security and privacy of any communications done electronically.
- For clinicians using the now-discontinued downloadable version of our software who choose to store or back up their notes as they work: keep in mind that although such notes are password-protected when stored in the small database file (included with Note Designer when you install it on your hard drive), this file could nonetheless be opened by an experienced programmer who has access to your computer. Be sure to promptly delete any notes that you choose to back up temporarily, to ensure that your computer is not accessed by unauthorized persons, and to delete all ePHI from your hard drive (ideally by wiping the drive) before decommissioning your computer.
- For clinicians using the current online/subscription version of our software who create their own custom statements and custom templates with Note Designer, please note that these statements are stored on our HIPAA-compliant server system in an unencrypted form. Even though this is a secure server system, users should not create any custom statements that might reveal any ePHI (e.g., by including a client’s name or other identifying information in a custom statement). We are happy to store your custom statements so that you never have to worry about losing them in the event of a computer mishap, but we do not provide secure, encrypted storage of ePHI entered intentionally or inadvertently into the customization slots.
If you have any questions about Note Designer and HIPAA (or PIPEDA) compliance, please feel free to email us at firstname.lastname@example.org.