An educational article series in 9 articles, with Further Reading and Resources at the end
We often hear from our colleagues that working with HIPAA Security is a mysterious and arduous process. At Person-Centered Tech, we think this need not be true. For most of us, HIPAA only comes across that way because the information we get only skims the surface or, in the worst cases, is completely wrong.
What’s more, many commercial interests will play on our fear of punishment from an authority to get us to buy products related to HIPAA. Unfortunately, playing on fear will only serve to make our understanding worse, and it drives us to engage in reactive behaviors detrimental to achieving HIPAA compliance.
To help turn that around, Person-Centered Tech is pleased to present the following collection of articles on the subject of HIPAA Security. Please enjoy them in good health with the reassurance that we have a number of additional affordable options for support available.
What Is This Again?
Person-Centered Tech has been publishing free articles on technology in mental health practice since 2012. The following is a curated series of those articles, painstakingly updated for the current moment and placed in an order to help you get the most benefit from them.
Along these lines, we also offer a free continuing education course on HIPAA Security in Mental Health. If you would like CE credit for your study time, and also like free things, sign up for our free courses here.
The following articles are numbered according to our recommended reading order. Of course you may buck our system and read them however you wish.
First things first! Are you even subject to HIPAA? You might or might not be. And just as importantly, what does it even mean if you aren’t? The answer to the first question is somewhat simple; the second one isn’t. This article helps make sense of it.
Did you know that just because you practice health care in the United States, you’re not necessarily legally required to comply with HIPAA? The follow-up question, of course, is, “Does it really change anything if you’re not?”
This next one covers a basic concept, but it’s one that not every mental health pro is very familiar with. Even if you do know what HIPAA Business Associates are, may we recommend skimming the article? It does contain some details and particulars that clinicians are often confused about. Our goal is to make sure you’ve got the basics down solid!
What if companies that handle your clients’ info signed contracts promising to safeguard the information? HIPAA calls that a Business Associate Agreement.
Okay, so some folks find the name of this next article a little intimidating. And perhaps the content, too. But I assure you that the news we’re giving you here is good. HIPAA’s way of dealing with security breaches is actually really flexible and reasonable. And what’s more, understanding how it works will make you far more prepared to understand how to avoid it altogether! (Hint: the next article after this one will give you a hugely useful tip on how to do that.)
HIPAA includes prepping for when an info breach does happen. It’s like preparing for a suicidal client: a bit scary, but also something you can work with.
Okay, “breach notification” doesn’t sound so great. Luckily this next article delivers some mighty good news on the issue. Many people may want to read it right after reading the one on breach notification!
Wouldn’t it be great if your computer and smartphone could be made impervious to security breaches under HIPAA? Well, they kind of can be.
Now that we’ve made all these references to how HIPAA Security actually works, let’s get a very high-level view of the real process. This next article looks innocuous, but for many of our colleagues it’s quite revolutionary.
A simplified, chunked-down look at the process of (actual) compliance with the HIPAA Security Rule, split into three steps. Plus some busting of myths.
So if the process of HIPAA Security compliance looks like the three steps mentioned in the previous article, where do “HIPAA compliant” products come in? Well, they may not be a part of it at all! This next article clarifies.
The phrase “HIPAA-compliant” has become nigh-meaningless — like “inflammable” and “awesome.” It’s time for better terminology.
Hopefully you’re getting the idea that “risk analysis and risk management” is the name of the HIPAA game. These next two articles get into some details of why that’s a good thing for you and your practice, and also provide some guidance on how to do it.
Yep, I said it. HIPAA’s approach to security might just be the most empowering thing available to you and your clients.
By this point in the article series, our readers start to wonder how they can go about accomplishing the risk analysis portion of HIPAA Security compliance. It’s still not a simple answer at this point in history, but it doesn’t have to be as hard as it sounds. Read on for details.
HIPAA requires every practice do a risk analysis and make a risk management plan. But can you do these things yourself? (Hint: Yes, You Can)
And lastly, we offer an article with great links to a few resources that can help you with your compliance process.
HIPAA forms like the Notices of Privacy Practices, BAAs, Risk Analysis Tools, and more can be found for free from a number of helpful sources. We list our favs.
Further Reading and Resources
We’ve produced a ton of articles on HIPAA Security-related topics just for mental health professionals. Below are several that we think are worth reading your way through over time.
When I started practicing, I didn’t even want to put records on my computer. Now I frequently recommend putting everything you can on the cloud. Here’s why.
Some claim that electronic records are safer than paper because of encryption. This statement is at once totally right and dangerously wrong.
The HIPAA People To Start Investigating Small Security Breaches, *Maybe* Can Impact Small Therapy Practices
The Office of Civil Rights (the HIPAA People) recently announced a new HIPAA initiative at the local level that might impact small therapy practices.
The Office of Civil Rights is re-upping their random HIPAA audit program with several hundred new audits this year. Will you be chosen? (spoilers inside)
Apple’s battle with the FBI has big implications for our HIPAA compliance when we use iPhones. But how can we leverage what we’re learning from it?
The HIPAA Privacy Rule saw a tiny change that highlights big rifts in our understanding of HIPAA’s privacy rules for mental health.