HIPAA, client confidentiality, and the birthworker
While birthworkers are not legally required to adhere to HIPAA laws like healthcare providers and insurance companies, it is best practice to secure your clients' personal information, which is essential to maintaining their trust and also respecting their privacy. Always stay mindful of the client information you store and ensure that it is kept confidential. Any personal details shared with you during prenatal or postpartum visits, labor notes, intake forms, contact information, and any other personal details that you keep about your clients and their care should be stored securely and only accessed by those involved in your client's care, with explicit consent given by your clients.
Building trust with your clients and following through with the commitments that you make to them should always be a top priority in all aspects of the care that you give, including what you do with the information they share with you. Communicate clearly with your clients about the type of information you will be storing and how you will safeguard their privacy. Establishing open and honest communication from the beginning can help alleviate any concerns your clients may have about sharing personal information with you, and by setting clear boundaries and expectations you can create a safe and supportive care environment together.
Please note that if you are billing Medicaid or other insurance providers for your doula services, you may be expected to be HIPAA compliant, as you will be sharing client information with an insurance entity. Being HIPAA compliant includes understanding how to properly handle and store sensitive data, as well as ensuring that only authorized individuals have access to it.
HIPAA, or the Health Insurance Portability and Accountability Act, sets the standards for protecting sensitive patient/client data. HIPAA requires that all stored client data is secure, which can be achieved by using an encrypted digital platform that is password-protected. Storing information on a cell phone or laptop with a password isn't enough; we recommend using a HIPAA compliant tool that is built specifically for storage and sharing of PHI (protected health information). One such HIPAA compliant application made specifically for birthworkers is Doulado. (this is not an ad for Doulado or a paid partnership with them, btw)
If you're keeping it old school and storing printed client information, be sure to store it in a designated safe place, and that it is always locked in a cabinet or drawer so that it isn't accessible to people outside of your practice.
Writing a clear policy on who has access to handle, view, and share client records is another step that will help to keep you compliant. Some folks to consider adding to this policy are your birthwork partners, backups, or collective members. Add what information is stored, for what purpose, and any ways that it can be shared, and with whom. You can then share this policy with your clients so they understand how their information is being stored and shared, and this will help to ensure that they have the information needed to give informed consent for sharing PHI. You can leave a space on this form for your clients consent and signature, so it can act as both a policy and consent form.
Another thing to consider is how you talk about your clients with other birthworkers, friends, partners, and community members. It's easy to break HIPAA or confidentiality when debriefing the births, abortions, and postpartum visits that you attend. Though it is essential for your practice, learning, growth, and self care to talk through your experiences, always be mindful of the information that you're sharing with others. Leave out identifying markers like names, birth locations, timing of the encounter, partner's names, what they do for a living, and anything else that can trace back to your clients. We're only separated by a few degrees, and you don't know who may also know your clients. An example of this is two nurses talking about a patient on lunch break during their shift and a family member overhearing their conversation... it shouldn't, but it happens often.
Know that we are not offering legal advice here, just an overview of best practices. If you plan to be HIPAA compliant, we do recommend that you take a full HIPAA training and to partner with outside sources such as storage platforms and email encryption/IT specialists to ensure that you are compliant. Keep up to date on your local requirements, and systematically check your practices to make sure they're up to par.