Digital Confidentiality According to Professional Ethics and HIPAA: A Heart-Centered Approach Level II

• Incorporate client behaviors and beliefs around security/privacy into assessment and treatment.
• Conduct a HIPAA-compliant risk analysis and create a risk management plan
• Describe what is needed to secure data storage and mobile devices to HIPAA-compliant levels

Prologue: An Exercise Whose Point Is Unclear. We start with a little exercise whose purpose and utility will become clear later in the course!

1. Clients, Professionals, & Behavior in Security
   • How a few theories from cognitive psychology can help us understand our own approaches to security risks — and our clients’ approaches, as well.
   • The importance of secure behaviors and how to cultivate them.
2. Legally and Ethically Secure by the Numbers: The “Before” Part
   • Three steps for complying with HIPAA’s Security Rule and other associated rules and laws.
   • A brief explanation of what a risk analysis is
   • A simplified explanation of how the process of risk analysis works
   • A short exploration of how one goes about making a risk management plan
   • Exploration of HIPAA Security’s requirement for policies and procedures in health care practice, with resources for creating them
3. Legally and Ethically Secure by the Numbers: The After Part
   • A brief call to do risk analysis parties in order to make HIPAA Security compliance easier, more collegial, and more social.
   • What is a security incident and what must you do when you encounter one?
   • What is a security breach and what must you do when you have one?
   • The safe harbor in HIPAA’s Breach Notification Final Rule.
   • Using encryption in your devices to meet the safe harbor requirements.
   • Using remote tracking and remote wipe to mitigate security incidents involving smartphones, tablets, and other mobile devices.
4. Electronic Records, and “the Cloud”
   • The legal-ethical importance, value, and process of keeping backups
   • Understanding the jargon term, “Electronic Health Record,” as opposed to “Electronic Medical Record.”
   • Ethical discussion of disclosing one’s use of electronic records to clients.
   • What is the cloud and why does it matter to your legal-ethical needs?
   • How the cloud helps with certain aspects of your security needs under HIPAA and ethics.
   • How the cloud helps you protect smartphones, tablets, and other mobile devices.
   • How you protect your cloud service accounts.
   • Doing passwords well.
   • Cloud services and the HIPAA Business Associate Rule.
   • Financial services and the HIPAA Business Associate Rule.

• American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.
• HealthIT.gov. (n.d.). What is an electronic health record (EHR)? Retrieved Nov 20, 2013, from HealthIT.gov: http://www.healthit.gov/providers-professionals/faqs/what-electronic-health-record-ehr
• Schneier, B. (2008, Jan). The Psychology of Security. Retrieved Sep 2013, from https://www.schneier.com/essay-155.html
• US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification . Washington, DC: Author.
• US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule . Washington, DC: Author.
• US Dept. of Health and Human Services. (2007, Mar). Basics of Risk Analysis and Risk Management. Retrieved Feb 6, 2014, from HHS.gov: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf