Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In this episode, we’re sharing why risk analysis is essential for mental health providers, inspired by a recent webinar from the Office of Civil Rights (OCR). 

We discuss the core mandate of the HIPAA Security Rule; how risk analysis is essential to safeguarding PHI; conceptualizing the lifecycle of PHI in your practice; how often to do a risk analysis; written policy vs. implemented policy; security measures degrading over time; and HIPAA as a useful tool for client care.

PCT Resources

  • PCT’s HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

  • PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive HIPAA Security Policies & Procedures for the practice as HIPAA covered entity *and/or* Business Associate/MSO. Comprehensively covers the HIPAA P&Ps for contractor clinician structure group practices, employee structure group practices, and practices that are hybrid.

    Policies & Procedures include:

    • Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.

    • Computing Devices and Electronic Media Technical Security Policy

    • Bring Your Own Device (BYOD) Policy

    • Communications Security Policy

    • Information Systems Secure Use Policy

    • Risk Management Policy

    • Contingency Planning Policy

    • Device and Document Transport and Storage Policy

    • Device and Document Disposal Policy

    • Security Training and Awareness Policy

    • Passwords and Other Digital Authentication Policy

    • Software and Hardware Selection Policy

    • Security Incident Response and Breach Notification Policy

    • Security Onboarding and Exit Policy

    • Sanction Policy

    • Release of Information Security Policy

    • Remote Access Policy

    • Data Backup Policy

    • Facility/Office Access and Physical Security Policy

    • Facility Network Security Policy

    • Computing Device Acceptable Use Policy

    • Business Associate Policy

    • Access Log Review Policy

    Forms & Logs include:

    • Workforce Security Policies Agreement

    • Security Incident Report

    • PHI Access Determination

    • Password Policy Compliance

    • BYOD Registration & Termination

    • Data Backup & Confirmation

    • Access Log Review

    • Key & Access Code Issue and Loss

    • Third-Party Service Vendors

    • Building Security Plan

    • Security Schedule

    • Equipment Security Check

    • Computing System Access Granting & Revocation

    • Training Completion

    • Mini Risk Analysis

    • Security Incident Response

    • Security Reminder

    • Practice Equipment Catalog


    • Workforce Security Manual & Leadership Security Manual — the role-based, practical-application-oriented distillation of the formal Policies & Procedures (includes the prohibitions on non-HIPAA-acceptable personal services + defines what personal services *are* allowable).

    • 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer).

    PCT’s free “mini risk” tool, for needs identification related to what’s within and what’s outside your practice’s Security Circle (including personal device use)

  • Group Practice Care Premium for weekly (live & recorded) direct support & consultation service with PCT consulting team + monthly session co-facilitated by Eric Ström, JD PhD LMHC
  • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting personal & practice-provided devices (for *all* team members at no per-person cost) + more
  • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost)



