What to do if you were affected by the TherapyNotes outage

Matthew Henry / Burst / Licensed under Creative Commons ZeroMany therapists and counselors maintain their electronic health records through the site TherapyNotes. (TherapyNotes and this blog are unrelated.) Last week, TherapyNotes was down for several days following the discovery of a ransomware virus on one of their servers. [Update 7/6: They’ve put that link behind a login wall. Here’s a cached version.] If you use TherapyNotes for your records, you may be wondering what to do now.

Two things worth noting first. One, TherapyNotes reports that no medical records were stolen [cached], and that the virus could not have compromised billing data. So federal requirements for HIPAA-covered therapists to report data breaches probably do not apply. (I am not a lawyer. You may want to consult with a lawyer to be sure. As more information becomes available about the virus, appropriate responses may change.)

And two, there is no evidence yet that would appear to suggest TherapyNotes was somehow negligent in maintaining security of its servers. That’s important because of the ethical mandate for therapists to reasonably protect the security and confidentiality of their records. If it appeared the company had made mistakes in its protection of records, it would be difficult for customers to stay with them. But at least by the company’s own account [cached], their protective measures actually did their jobs, keeping medical records encrypted and billing information unavailable.

The outage made their systems unavailable for a couple of days, and that presented a major problem for customers who rely on the system for tracking their schedules and reviewing notes prior to each session. But it could have been much more of a catastrophe for client confidentiality. Instead, we can keep faith in the integrity of both TherapyNotes specifically and electronic health record systems in general.

So if you are a TherapyNotes customer, what should you do?

You do have other options in the world of electronic health records, of course. There’s SimplePractice, there’s Valant, there are many others. But this instance, for as bothersome as it may have been, doesn’t obligate you to change EHR providers. In fact, if you use and like TherapyNotes, switching may be more trouble than it would be worth. This experience will no doubt lead them to redouble their efforts at minimizing both security risk and downtime. They could easily emerge as an industry leader in the area. A second outage like this one might indicate a larger problem, but a single one can be more of a learning experience for all involved.

If you are a TherapyNotes customer and plan to remain one, it is certainly a good idea to have backup plans, particularly for your schedule. They offer some ways to do so here [cached]. (Scroll down to “How can practices be prepared for outages in the future?”)

I have never had a problem with the EHR provider I use. But I still keep my schedule on a separate calendar. That’s not a lack of faith in my provider. It’s just an acknowledgement that any electronic system can have an outage. That’s the tradeoff we make for the convenience of electronic records. In my mind, it still beats the risk of fire, flood, and theft that comes with paper records, and the fact that paper is awfully inconvenient to travel with.

Both TherapyNotes and its competitors are likely to be reviewing their security and downtime protocols after this incident. You should certainly take the opportunity to review your own processes and ensure that you are compliant with all of your legal and ethical obligations. You also may want to ensure you have backup plans in place in case of future outages. Regardless of which provider you use, it’s good practice. But while there may be other steps you choose to take in response to the outage, there’s nothing you appear to be obligated to do in response to it, at least from the information available at the time of this writing.