Behave Health


Your Top 3 Questions About HIPAA Violations and Cloud-Based Behavioral Health Management Systems

Cloud computing has been around for nearly 20 years or longer, depending on your definition.

But to many, “saving it to the cloud” is still a novel concept.

Cloud-based behavioral health systems, like BehaveHealth, securely save information, including electronic protected health information (ePHI), to remote servers hosted on the internet. Cloud-based systems are an update to the old systems, where data was saved to local servers physically present at the point of service.

Many behavioral health providers are accustomed to the outdated, on-premise computing systems and all of the inconveniences that go along with them. Although we know these old systems actually act as a barrier between providers and the ePHI they need, such systems often “feel” more secure simply because the data is kept on-site.

Decision-makers shopping for new behavioral health management systems often ask us, “If I can’t see where I’m saving my patients’ ePHI, how do I know it’s safe? If it’s so easy for me to access my patients’ data, isn’t it easy for everyone else to access it, too?”

In other words: Can cloud-based behavioral health management systems really be HIPAA compliant?

The answer is: absolutely yes.

Today, let’s look at the top 3 questions we hear about HIPAA violations and cloud-based behavioral health management systems.

HIPAA Violation Concern #1: Is it really safe to store ePHI in the cloud?

Answer: Yes, as long as certain conditions are met.


The first thing you need to check when you’re shopping for a HIPAA compliant, cloud-based behavioral health management system is whether or not your provider will enter into a Business Associate Contract or Agreement (BAA) with you.

Any system that advertises itself as “HIPAA-compliant” should have a BAA for you to sign.

Why is a BAA a great idea?

Because BAAs contractually require the cloud-based system provider (aka the “business associate”) to follow all HIPAA requirements when it comes to storing and transmitting ePHI on behalf of your organization.

If there’s a problem, the BAA holds your organization blameless: should something go wrong, it’s the cloud-based system provider, not you, who is liable for any HIPAA penalties.

Your takeaway? Providers who are building cloud-based systems and signing BAAs have a lot of skin in the game.

You can rest easy knowing that HIPAA-compliant providers like BehaveHealth are very invested in making sure your ePHI is safe and secure.

HIPAA Violation Concern #2: What about working with EHRs and ePHI on cell phones?

Answer: Not only is mobile, multi-device functionality convenient, it’s safe, too.

HIPAA doesn’t actually stipulate what types of devices are “safe” for ePHI access. Instead, HIPAA simply requires that you take “reasonable and appropriate” administrative and technical safeguards when accessing PHI.

These “reasonable and appropriate” measures need to be taken whether you’re using a computer, a phone, a tablet, or even a paper chart to access personal information.

Generally speaking, this just means using common sense around PHI.

When working with ePHI on a phone, use the cell phone security measures you (hopefully) already use in everyday life:

  • Protect your phone with a strong password or PIN

  • Enable device encryption in your phone’s settings

  • Activate remote wiping so that if your phone is lost or stolen you can disable access to ePHI

  • Avoid file sharing apps

  • Set up a firewall

  • Use security software

  • Remember to update your security software

  • Limit app downloads and don’t download unfamiliar apps

  • Keep your phone with you—don’t leave it unattended

  • Use private Wi-Fi to send and receive ePHI

  • Wipe the phone completely when you sell, donate, or recycle it

In a nutshell? Don’t rely on factory settings to protect ePHI on your device. Take a few minutes to set up your security settings. If you’re not sure what settings you need to update, contact your provider.

HIPAA Violation Concern #3: What else do I need to do on my end to make sure my ePHI is secure?

Answer: Choosing a HIPAA-compliant provider is a solid first step, but there are a few additional safeguards you’ll want to put in place before rolling out your system.

A good cloud-based behavioral health management system provider will recommend the extra precautions that need to be taken at your organization to make sure your patients’ ePHI is secure.

The precautions for cloud-based systems are virtually identical to the precautions you might already be familiar with for on-premise systems.

Whether you’re accessing your system from desktops, laptops, phones, or tablets, you’ll want to make sure you have:

  • A secure network environment with defenses and firewalls

  • Properly configured devices

  • Access restrictions (i.e., passwords and PINs) on all devices

Still have questions or concerns about HIPAA compliance and cloud-based behavioral health management systems?

No problem. Reach out to the BehaveHealth team and we’ll be happy to address any questions or concerns you have about HIPAA compliance.

Better yet, get your free trial today and see how our system’s security works first-hand.