Technology Recommendations for Providers
Authority: Chief Information Security Officer, Chief Privacy Officer
Last updated: May 18, 2017
The client information available to Lyra as part of providing mental health services is regulated by HIPAA laws and should be considered confidential. Lyra takes security, user privacy, and compliance seriously and has been maintaining strict standards for confidentiality from very early on. This document is geared to provide technology recommendations for providers working with Lyra.
2. Telehealth Recommendations
If you are providing telehealth services, it is important to consider your regulatory obligations. Consumer-friendly tools such as FaceTime, Google Hangouts, and Skype do not sign a Business Associate Agreement (BAA) and hence do not qualify as a HIPAA-compliant means of communicating with clients.
3. Reporting Recommendations
If you are providing outcome metrics to Lyra, it is recommended that you upload files via the Lyra-provided Google Drive folder OR respond via the Lyra-provided Google Forms. Google has signed a BAA with Lyra and is contractually bound to protect the sensitive information on our Google Drive and Google Forms with HIPAA-compliant measures.
4. Email Recommendations
If you are communicating Personally Identifiable Information (PII) and/or Patient Health Information (PHI) to Lyra, please make sure that you are using a secure email service that encrypts the content. If you have a Gsuite email account (basically, Gmail for businesses with a customized email address), you must have a signed BAA.
If you are unsure of your email service, please do not send PII or PHI to us over email. Instead call us at (650) 817-7748 to reach Lyra staff.
5. Calendar recommendations
If you are capturing Personally Identifiable Information (PII) and/or Patient Health Information (PHI) in your calendar, please make sure that you are using a HIPAA-compliant calendaring system (e.g., one typically included with EHR/EMR systems, or Gsuite with a signed BAA).