Hello! I’m Roy of Person Centered Tech. We know that you want to focus on your clients, so we provide articles, tools, and continuing education on how to best serve clients in the digital world.
(Sign up for other free articles addressing topics such as: telemental health, HIPAA, and practical technology tools!)
Here’s something I am sure no therapist in private practice has ever said, “I love getting to make my own hours, set my own fees, and write my own security policies and procedures.” Even a dream job is still 30% stuff you don’t really like doing, as they say. Luckily, there are resources to help make this particular task a lot easier, and good reasons to turn towards it and get it done.
One of the HIPAA Security Rule’s standards is to write policies and procedures that set out what security behaviors your practice will engage in. Essentially, full compliance with HIPAA requires your practice to write out policies that cover how you comply with all the HIPAA Security standards (and also the privacy standards, of course, but we’re not writing about those in this article.)
You’ll also need to cover any security issues, beyond those standards, that you identify as necessary. Let’s look at the “Bring Your Own Device” policy (nope, I didn’t make up that name!) as an example.
Bring Your Own Device (BYOD) is a policy that sets out rules for how staff in the practice need to keep their own personal devices secure so long as they use those devices for work. BYOD is all the rage these days since most people own smartphones and laptops that they want to use in their work (and many practices even rely on their staff members using personal devices at work.) The HIPAA Security Rule didn’t anticipate this, and so it isn’t explicitly addressed in the standards. But a policy that manages the use of personal gear is pretty essential to keeping up all the other HIPAA Security standards in a modern practice.
BYOD is a great example for illustrating two important things about HIPAA Security policies and procedures:
- The complexity of the policies and procedures you need changes with the complexity of your practice.
- Most practices need policies that go beyond just the basic HIPAA Security standards.
Comparing the Complexity of Policies and Procedures With the Practice’s Complexity
BYOD provides a great illustration of how the complexity of security policies and procedures, just like everything else in HIPAA, can scale up and down with the complexity of your practice. To illustrate, we like to sort mental health practices into three categories of complexity:
- Clinicians with no helpers at all — truly solo practitioners — usually don’t need a BYOD policy at all. Often, their personal devices are the practice’s devices.
- A practice with one clinician and one or two helpers needs a BYOD policy, but it can be quite simple. It can even be managed as an agenda item during regular staff meetings.
- Group practices often need a thorough BYOD policy that is managed (and, when necessary, enforced) by someone designated as the Security Officer.
Knowing Who Needs Policies and Procedures
Anyone who needs to comply with HIPAA needs security policies and procedures as part of full compliance.
The security and privacy world loves policies. Writing policies helps us ensure that we’ve covered everything. It helps us remember everything we need to do (or it helps staff members know what they need to do.) And it provides documentation of those great security behaviors that we regularly engage in.
It’s not much different from writing out treatment plans or documenting interventions. You want clinical documentation to prove you’re meeting standard of care, and possibly to show other clinicians who are working with common clients. In the same way, you want security documentation to prove you’re addressing security standards, and to help anyone who needs to know what your practice’s acceptable and required security behaviors are.
How to Get Template Policies and Procedures
There’s absolutely no reason you cannot write your own policies and procedures with some research and, potentially, some technical help. Most of us don’t have the time to learn all the pieces that go into it, however, much less the time to actually write the things.
Luckily, there are a few ways to get templates. Remember that HIPAA Security policies and procedures go hand-in-hand with performing a security risk analysis, so you’ll likely want a toolset or service provider that can help you with both things.
- HIPAACOW has both a risk analysis toolkit and a set of template policies and procedures. It is free for all. However, it is also highly technical. That said, it is made by experts and given freely, so we encourage the private practice security DIY enthusiasts among you to go check it out: HIPAACOW security and privacy documents.
- The NASW has a risk analysis and policies and procedures kit for its members. It’s included with NASW membership, but cannot be purchased separately. It is much easier for non-techies than the HIPAACOW tools. We see it as being not quite complete, however. But it is a very solid start. NASW HIPAA Kit.
- We here at Person Centered Tech have a risk analysis tool and set of template policies and procedures as part of our membership. As you can likely guess, we believe it to be thorough and usable by our colleagues (especially since we provide direct support for the entire process through our included Office Hours.) Person Centered Tech’s HIPAA risk tool.