HIPAA Security Kit for Solo Practices: The Easier Stuff Course

100 Hours.

Developed by: Roy Huggins, LPC NCC; Liath Dalton; Evan Dumas, MA
Presented By: Roy Huggins, LPC NCC; Liath Dalton

Course Description

HIPAA compliance sounds scary to most folks. There are so many pieces and so many policies that it's hard to know where to start. Well, congratulations, because you've already started!

This course will walk you step by step through most aspects of getting your practice HIPAA compliant. You'll address everything from the security of your devices and your services to your physical office space. You'll get a chance to refresh what Protected Health Information (PHI) is and where it might pop up, as well as how to work with services that might be handling your PHI. This course will guide you through all aspects of your practice and view them through a security lens.

The flow of this course is nice and straightforward:

  • First, learn about the subject through helpful videos
  • Second, do an activity to help process what you learned
  • Third, adopt a policy or policies related to that subject
  • Lastly, check off the risk mitigation items you’ve performed

After following these steps for your devices, your services, and your space, you’ll have created a strong foundation for a HIPAA compliant practice.

This is not a continuing education course

Educational Objectives

  • Establish an understanding of device security, and develop policies and procedures for device transportation, backup, and loss.
  • Determine how to securely communicate with clients using phones, email, and text, and document policies for secure communication.
  • Evaluate the services your practice uses from a security lens, determine which need BAAs, which to add or drop, and create associated policies for handling those services.
  • Assess the physical space of your work environment, and maintain security by restricting access to internet hardware.
  • Create a comprehensive set of Policies and Procedures for all security aspects of your practice.


  1. Understanding security basics and your practice
    • Determining what policies best fit your type of practice
    • Why the risk analysis comes later
  2. Understanding your devices
    • How to harden your device
    • Adopting device security policies
    • Texting with your clients securely
  3. Communication security
    • Securely using internet phone and email services
    • Adopting communication policies
  4. Evaluating your services
    • Understanding Protected Health Information
    • Learning about Business Associate Agreements
    • Maintaining an ethical web presence
    • Services Worksheet process
    • Adopting services policies
  5. Assessing your office
    • Gaining an idea of physical security
    • Office Worksheet process
    • Adopting office security policies
  6. Finalizing Policies and Procedures
    • Collecting and the policies based on your practice type
    • Creating a security incident and breach notification policy



Presented/Developed By

Roy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.

Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics, and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security and clinical use of technology for Counseling licensure boards and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.

He really likes this stuff.

Course Co-Presenters

Liath Dalton is a Ph.D. candidate in Religious Studies. She began her academic career at Reed College and continued her graduate work at the University of Cape Town.

Liath is the Deputy Director for Person-Centered Tech and runs our HIPAApropriateness review program. Through her experience evaluating products for their utility and security in meeting risk management needs, and providing guidance to members on which product options will best meet their specific practice needs, Liath has an intimate knowledge of both what the practice tech needs are for mental health professionals and what it takes for a product to meet those needs.



Program Notices

Accuracy, Utility, and Risks Statement: This presentation may not include information on all applicable state or national laws. Misapplication of the materials, or errors in the materials, could result in non-compliance with applicable laws or ethics codes.

Conflicts of Interest: None

Commercial Support: None

This course is subject to our cancellation/refund policy and complaint policy.
