How to Create and Use HIPAA Security Policies and Procedures

1 CE Credit Hour. Legal-Ethical. Continuing Education Session Replay

Developed by: Roy Huggins, LPC NCC
Presented By: Roy Huggins, LPC NCC; Liath Dalton; and Nicole Kramer, MBA

Course Description

Kid With Crayons

HIPAA requires mental health professionals to create a set (or “manual”) of security policies and procedures as part of their compliance process. It sounds like a big task — and it can be, if you’re not careful! This CE for Office Hours session replay will teach you the basic requirements along with providing tips and resources for getting the task done legally, ethically, and simply.

This introductory-level course for counselors, clinical social workers, marriage and family therapists, and clinical and counseling psychologists will help learners both understand the role of security policies and procedures in professional, HIPAA-compliant practice and to actually author and adopt security policies and procedures using the templates from HIPAACOW, NASW, or Person Centered Tech.

Educational Objectives

  • Describe the set of HIPAA security standards which need to be addressed in policies and procedures for compliance.
  • Choose practice-appropriate tools for assisting in authoring HIPAA-compliant security policies and procedures.
  • Describe how the risk analysis process informs the policies and procedures authoring process.


  1. What are HIPAA security policies and procedures and why do I need them?
    • Addressing HIPAA Security standards.
    • The relationship between HIPAA-compliant risk analysis and policies and procedures.
    • HIPAA investigations and policies and procedures.
    • Efficient practices and policies and procedures.
  2. How and when do I create or update my policies and procedures?
    • HIPAA policy and procedure authoring guidance from the Center for Medicare and Medicaid Studies (CMS.)
    • High-level best practices around security policies and procedures and how they relate to mental health practices.
  3. What tools are available to help author security policies and procedures?
    • Survey of tools that provide templates and guidance for HIPAA security policies and procedures, with a focus on mental health-oriented tools.
  4. What do I do with my policies and procedures?
    • HIPAA and security training.
    • Requirements for maintaining compliance documents.


  • US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification . Washington, DC: Author.
  • US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule . Washington, DC: Author.
1 CE Credit Hour.

Presented/Developed By

Roy Huggins, LPC NCCRoy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.

Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics, and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security and clinical use of technology for Counseling licensure boards and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.

He really likes this stuff.

Course Co-Presenters

Liath Dalton is a Ph.D candidate in Religious Studies. She began her academic career at Reed College and continued her graduate work at the University of Cape Town.

Liath is the Deputy Director for Person Centered Tech and runs our HIPAApropriateness review program. Through her combination of experience evaluating products for their utility and security in regards to how they can meet risk management needs and providing guidance to members around what product options will best meet their specific practice needs, Liath has an intimate knowledge of both what the practice tech needs are for mental health professionals and what it takes for a product to meet those needs.

Nicole Kramer, MBANicole Kramer, MBA received her MBA in healthcare administration from Western Governors University in 2017.  Before healthcare, she worked as a licensed insurance producer where she helped individuals and businesses assess risk and mitigate liability. Her working experience includes medical clinic office management which included overseeing and implementing technology operations and HIPAA compliance.

Program Notices

Accuracy, Utility, and Risks Statement: The contents of this program are based on publications and reports from the federal Department of Health and Human Services and the National Institutes for Standards and Technology; consultation with experts on HIPAA Security standards and their implementation; and personal study from the program developers. Some interpretation and analysis presented is made by the presenter, in consultation with knowledgeable colleagues and expert consultants. Statements about applications to technology are according to presenter’s understanding of the technology at the time of the program. The presenter may not know how to apply all principles discussed to every technology type or product. This program discusses strategies for complying with HIPAA and covered ethics codes. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in security problems, data breaches, or non-compliance with applicable laws or ethics codes.

Conflicts of Interest: None.

Commercial Support: None.

This course is subject to our cancellation/refund policy and complaint policy.

1 CE Credit Hour.
Kid With Crayons

1 CE Credit Hour. Legal-Ethical. Continuing Education Session Replay


You are not currently logged in to this site. Need to log in? Click here→

Risk Analysis and Risk Mitigation in just 2 hours

We will do it for you!

Risk Analysis and Risk Mitigation HIPAA Security Module

Not Interested

Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss