Technology Recommendations for Providers

Authority: Chief Information Security Officer, Chief Privacy Officer

Last updated: May 18, 2017

1. Context

The client information available to Lyra as part of providing mental health services is regulated by HIPAA and should be considered confidential. Lyra takes security, user privacy, and compliance seriously and has maintained strict standards for confidentiality from very early on. This document provides technology recommendations for providers working with Lyra.

2. Telehealth Recommendations

If you are providing telehealth services, it is important to consider your regulatory obligations. Consumer-friendly tools such as FaceTime, Google Hangouts, and Skype do not sign a Business Associate Agreement (BAA) and hence do not qualify as a HIPAA-compliant means of communication with clients.

Lyra recommends using Doxy.Me, a free video conferencing service, to provide video therapy to clients. Please see this guide for signing up for Doxy.Me.

3. Reporting Recommendations

If you are providing outcome metrics to Lyra, it is recommended that you upload files via a Lyra-provided Google Drive folder or respond via a Lyra-provided Google Form. Google has signed a BAA with Lyra and is contractually bound to protect the sensitive information in our Google Drive and Google Forms with HIPAA-compliant measures.

4. Email Recommendations

If you are communicating Personally Identifiable Information (PII) and/or Patient Health Information (PHI) to Lyra, please make sure that you are using a secure email service that encrypts the content. If you have a G Suite email account (essentially Gmail for businesses, with a customized email address), you must have a signed BAA.

If you are unsure whether your email service meets these requirements, please do not send PII or PHI to us over email. Instead, call us at (650) 817-7748 to reach Lyra staff.

5. Calendar recommendations

If you are capturing Personally Identifiable Information (PII) and/or Patient Health Information (PHI) in your calendar, please make sure that you are using a HIPAA-compliant calendaring system (e.g., one typically included with EHR/EMR systems, or G Suite with a signed BAA).

6. References