Digital Confidentiality According to Professional Ethics and HIPAA: A Heart-Centered Approach Level II
3 CE Credit Hours. Legal-Ethical. Self-Study Video Seminar.
Presented By: Roy Huggins, LPC NCC
Manage a practice that works for you, works for clients, and works for ethical and legal requirements.
This course series teaches mental health clinicians to use therapy-affirming approaches to security risk management as required by HIPAA and professional ethics. This Level II course, specifically, will focus on the process of complying with HIPAA’s Security Rule, dealing with security incidents, and preparing one’s own devices and practice policies to comply with the rule, protect clients, and protect one’s practice.
We will explore both requirements and opportunities in using modern technology that not only helps run a practice but also helps comply with legal-ethical requirements and keep clients’ information safer. We will also learn about cloud technology as it relates to HIPAA requirements, we’ll cover more on the HIPAA Business Associate Rule, and we will briefly touch on financial services and HIPAA.
- Incorporate client behaviors and beliefs around security/privacy into assessment and treatment.
- Conduct a HIPAA-compliant risk analysis and create a risk management plan.
- Describe what is needed to secure data storage and mobile devices to HIPAA-compliant levels.
Prologue: An Exercise Whose Point Is Unclear. We start with a little exercise whose purpose and utility will become clear later in the course!
- Clients, Professionals, & Behavior in Security
- How a few theories from cognitive psychology can help us understand our own approaches to security risks — and our clients’ approaches, as well.
- The importance of secure behaviors and how to cultivate them.
- Legally and Ethically Secure by the Numbers: The “Before” Part
- Three steps for complying with HIPAA’s Security Rule and other associated rules and laws.
- A brief explanation of what a risk analysis is
- A simplified explanation of how the process of risk analysis works
- A short exploration of how one goes about making a risk management plan
- Exploration of HIPAA Security’s requirement for policies and procedures in health care practice, with resources for creating them
- Legally and Ethically Secure by the Numbers: The After Part
- A brief call to do risk analysis parties in order to make HIPAA Security compliance easier, more collegial, and more social.
- What is a security incident and what must you do when you encounter one?
- What is a security breach and what must you do when you have one?
- The safe harbor in HIPAA’s Breach Notification Final Rule.
- Using encryption in your devices to meet the safe harbor requirements.
- Using remote tracking and remote wipe to mitigate security incidents involving smartphones, tablets, and other mobile devices.
- Electronic Records, and “the Cloud”
- The legal-ethical importance, value, and process of keeping backups
- Understanding the jargon term, “Electronic Health Record,” as opposed to “Electronic Medical Record.”
- Ethical discussion of disclosing one’s use of electronic records to clients.
- What is the cloud and why does it matter to your legal-ethical needs?
- How the cloud helps with certain aspects of your security needs under HIPAA and ethics.
- How the cloud helps you protect smartphones, tablets, and other mobile devices.
- How you protect your cloud service accounts.
- Doing passwords well.
- Cloud services and the HIPAA Business Associate Rule.
- Financial services and the HIPAA Business Associate Rule.
- American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.
- HealthIT.gov. (n.d.). What is an electronic health record (EHR)? Retrieved Nov 20, 2013, from HealthIT.gov: http://www.healthit.gov/providers-professionals/faqs/what-electronic-health-record-ehr
- Schneier, B. (2008, Jan). The Psychology of Security. Retrieved Sep 2013, from https://www.schneier.com/essay-155.html
- US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification. Washington, DC: Author.
- US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule. Washington, DC: Author.
- US Dept. of Health and Human Services. (2007, Mar). Basics of Risk Analysis and Risk Management. Retrieved Feb 6, 2014, from HHS.gov: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Roy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.
Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics, and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security and clinical use of technology for Counseling licensure boards and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.
He really likes this stuff.
Accuracy, Utility, and Risks Statement: The contents of this program are based primarily on publications from the federal Department of Health and Human Services, and on the ethics codes of these professional organizations: AAMFT, ACA, APA, NASW, NBCC. Contents are also guided by statements from leadership in those organizations. Some interpretation and analysis presented is made by the presenter, in consultation with knowledgeable colleagues and expert consultants. Statements about applications to technology are according to presenter’s understanding of the technology at the time of the program. The presenter may not know how to apply all principles discussed to every technology type or product. This program discusses strategies for complying with HIPAA and covered ethics codes, and for improving security. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in security problems, data breaches, or non-compliance with applicable laws or ethics codes.
Conflicts of Interest: None.
Commercial Support: None.