Yep, I said it. HIPAA’s approach to security might just be the most empowering thing available to you and your clients — because HIPAA requires us to use a risk management approach.
I know what you’re thinking: every time someone utters the words “risk management,” it’s just before they start telling us all the things we should be afraid of. And it seems we end up with a list of things we should never do.
I’m here to tell you that in the real world of risk management, that is not how it works.
Risk management is:
- A decision-making lens that encourages us to objectively assess what is actually going on in our practices.
- A system of balancing our desired outcomes with the costs of achieving those outcomes.
- A model that enables problem-solving instead of problem-avoidance.
Disempowerment Through Black and White Decision-Making
The empowering value of risk management can be partly discovered by contrasting it with examples of taking a black and white approach.
Without risk management, we tend to see ethical issues (which include security) without nuance. Potential actions are seen as either “all okay” or “all bad.” This black and white approach leads to:
1) Appealing to authorities to define what we can and can’t do, regardless of what those authorities actually understand about our circumstances or the risks we’re facing.
Importantly, this is different from consulting with authorities to discover what is legally or ethically permitted. Discovering what is permitted is often a vital part of the risk management process. Similarly, your risk management process may require other information that is most reliably obtained from an authority.
It may also become important, at times, to ask for authoritative counsel to help us lessen our own anxiety when we need it. Runaway anxiety gets in the way of wise decision-making, and sometimes we need to consult simply to bring down the unuseful anxiety.
Black and white thinking, on the other hand, can cause us to believe we have no choice but to ask perceived authorities to make decisions for us. When authorities respond to these requests, their decisions are usually highly conservative. Imagine being asked to make a risk management decision for another person. How much risk would you be willing to ask them to tolerate? How confident would you be in their ability to navigate the vicissitudes of the risk?
2) Relying on a false sense of control.
A primary driver of black and white thinking is the desire to feel in control of difficult circumstances — so as to assuage the anxiety we feel in those circumstances.
When we unilaterally reject a course of action because it feels risky, our human minds are able to suppress the anxiety that naturally arises when we turn towards risk. There are times when suppression is healthy for us. But the desire to suppress will generally cause us to turn away from risk and therefore fail to understand the risks in front of us.
What may be even more dangerous is the ability of black and white thinking to lull us into a false sense of control. When we make what seems like a “safe” decision, it is easy to afterwards forget the whole thing and cease any ongoing examination of risk. Some examples:
A therapist rejects all efforts from a client to reach out by text messaging. She (quite naturally) feels anxious about texting because she doesn’t quite understand how it works.
Left unexamined, her anxiety prevents her from having a nuanced conversation with the client about texting. Instead, she tries to nip the conversation — and any accompanying anxiety — in the bud. She feels that doing so is the “safe” decision and her anxiety about poor outcomes is assuaged.
She is not sure why this particular client seems to carry so much “resistance” in therapy, though.
A therapist subscribes to an email service because an authority figure said it was “HIPAA compliant.” Relying on this authoritative assurance, the therapist takes no further action to ensure they are actually using the service in a way that is HIPAA compliant or safe for clients. A data breach occurs and clients are harmed.
This kind of outcome is one reason why HIPAA does not endorse any product or service as “HIPAA compliant.” That label is purely for marketing purposes when used to describe a product or service. For more, see our article on why “HIPAA-compliant” can be a meaningless phrase.
3) Suppressing innovative benefit in our practices and those of our colleagues.
When we start to examine risks, it’s incredible how quickly we forget about our professional goal of creating benefit for clients. This happens to everyone, including the supposedly so-very-risk-tolerant folks here at Person-Centered Tech. It’s natural.
If we view risks as either existing or not existing without any thought about the grey areas of those risks, we remove our ability to innovate in creating benefit for clients.
Consider this: when a client sitting in front of you exhibits some risk that they may harm themselves, you don’t immediately get them into a cop car headed to the hospital. That intervention is for imminent and present risks of harm to self. Instead, you tolerate any nervousness you feel and help the client manage their risk of self-harm so that you can be in a position to benefit the client going forward. If a hold becomes necessary (according to your professional assessment), you ask for one.
Despite our high tolerance for clients’ self-harm risks, it is easy for therapists to ignore the potential benefits that come from taking risks that we are not specifically trained to manage.
For example, we all know that professional contact with social media can create a lot of risks. Thus our professional ethics and guidelines discourage us from using social media in connection with clients, or at least require us to keep personal and professional social media presences separate.
At Person-Centered Tech, we have seen several examples of therapists who have come across circumstances where contacting social media in a professional capacity, despite the risks, could create significant benefit for an existing client or a potential client population. (These are the kinds of questions we get from Person-Centered Tech Support subscribers.)
As the authorities that these colleagues appealed to for guidance, we had to put aside black and white thinking in order to provide guidance with a mind towards both beneficial client outcomes and maintaining nonmaleficence, rather than simply steering our colleagues away from anything risky carte blanche. Of course this requires a fair amount of thinking and learning. We have to consider professional ethics codes, laws, and the needs of clients in the equation. The effort is worth it to make sure that our professions’ ability to benefit clients is not unnecessarily quelled by fear of the risks that come with modern tech.
Lastly, bear in mind the kind of impact we have on each other. One way we maintain competence is through liberal use of peer consultation. That’s an excellent thing we do and a great tool for supporting risk management thinking. As such, we need to keep in mind the ways that we can positively impact our colleagues and their clients by helping to soothe unuseful anxiety and foster risk management thinking.
Empowerment Through Risk Management Thinking
Risk management thinking enables therapists and clients to find paths to desired outcomes that increase overall benefit while minimizing bad outcomes. There is a ton of nuance in the theory of risk management, but the basic concept is valuable by itself.
Let’s revisit the above example of the therapist who struggles with a client who wishes to use text messaging:
Instead of suppressing texting outright, the therapist shares the dilemma with her client and helps him understand that she both values his confidentiality and also has a legal-ethical duty to protect it. She also communicates her very reasonable boundary needs.
The client indicates that he still wants to use texting to some extent. He doesn’t seem to fully buy into the idea that it may not be safe.
So our therapist does some research to understand what the real risks around texting are. Through a collaborative risk analysis with the client, coupled with use of her professional assessment and counseling skills, the therapist works with the client to come up with boundaries around text messaging that minimize risks while maximizing benefit.
In the end, the way they use texting together is very different from how the client imagined it before engaging in the risk management process. However, with better information, a sense of personal agency in the final decision, and greater confidence in the therapist’s wisdom regarding the risks involved, this client is more likely to use texting in a thoughtful manner. And he also built more trust and rapport with the therapist. When he doesn’t use good judgement in texting, the therapist has the interpersonal leverage needed to challenge and correct his behavior.
The above example shows us that risk management involves:
- Soothing one’s anxiety enough to tackle new assessment and research tasks. This is where peer and expert consultation is wonderful. Consultation with peers is a huge part of competent practice and a wonderful way to develop new knowledge and skills.
- Knowing enough factual information to understand risks to the extent you need to understand them. In the case above, the therapist probably had to get some understanding of how text messages move across the Internet and where they end up. The therapist also needed to understand how texts are vulnerable in these environments and what threats may be posed to them. I know this sounds very, very technical. Let me assure you that we have trained hundreds of therapists to understand these things — in a way that is sufficient for risk management — without having to go into difficult-to-understand detail.
- Balancing benefit and risk, as well as balancing costs with risk management techniques. This therapist is perfectly happy to get rid of text messaging in order to also get rid of its risks. In a vacuum, that’s totally reasonable and appropriate for her to do. She doesn’t get much personal benefit from it, so there’s no reason for her to tackle its risks. It’s when texting starts to impact clients and therapeutic relationships that she gets into managing the risks and looking for more nuanced solutions. Also, we glossed over the details of the risk management plan she made with her client, but I guarantee you that it would involve restricting some aspects of text messaging use in order to reduce its risks. Therapist and client would have looked at the benefits and risks involved in the various ways they could use texting, and they would have struck a balance between the two.
We could explore examples of therapist-client success through risk management all day. For now, let’s focus on ensuring that we can start to shift any of our paradigms of thought that are grounded in black and white thinking towards risk management thinking — just like the HIPAA Security Rule mandates.
HIPAA Security “Mandates” Risk Management?
The HIPAA Security Rule clearly describes the kind of process it wants us to use when managing the security of electronic information in our practices. It also describes certain standards we must meet, but those standards can fit into the risk management approach to decision-making with little finagling necessary.
First Things First: Risk Analysis
The HIPAA Security Rule requires that compliance starts with performing a practice-wide security risk analysis.
The Security Rule then goes on to require that all HIPAA-covered entities engage in a risk management process to handle all the risks discovered during the risk analysis process. It never says you must eliminate risks — in fact it says you must reduce them to “reasonable and appropriate levels.”
The Security Rule also lists a bunch of risk management measures you are required to use in your practice. For example, you need to have a password management policy and various policies for managing any “workforce” you may have, among a big list of other things. I like to call it the HIPAA Security Wishlist. HIPAA calls it the Administrative, Technical, and Physical Safeguards (they don’t share my knack for catchy names).
However, HIPAA even flexes on how you are required to implement all the things on the Wishlist. The second item in the HIPAA Security Rule is the “flexibility of approach” section, which describes an approach that risk management experts would call a “cost-benefit analysis.” If you aren’t capable of doing certain things on the HIPAA Security Wishlist in the way they ask you to do it, it is acceptable for you to flex and find some other way of making that Wishlist item work in your practice.
The point where HIPAA doesn’t flex is the Business Associate Rule. Sometimes that gets in our way, but it mostly makes sense for the modern world. For more on that, see our article “What is a HIPAA Business Associate Agreement?”
HIPAA is notorious in the technology community for being frustratingly vague. Technologists really don’t like that it isn’t specific and concrete about what exactly has to be done to be in compliance.
That, however, is how risk management works. While it means that HIPAA Security doesn’t supply conveniences like certifying which products and services we can use, it also means that we’re allowed — nay, required! — to use that most empowering decision-making lens of risk management in the security of our practices.
If you need help doing risk management with your practice tech, Person-Centered Tech supplies a wide range of tools and services to help manage the risks and bring out the benefits of technology in therapy practice. That’s what we’re here for!