Performing HIPAA-Compliant Risk Analysis: A Guided How-To for Mental Health Professionals

1 CE Credit Hour. Legal-Ethical. Continuing Education Session Replay

Developed by: Roy Huggins, LPC NCC
Presented By: Roy Huggins, LPC NCC; Liath Dalton; and Nicole Kramer, MBA

Course Description

HIPAA standards dictate that mental health professionals perform a risk analysis as part of achieving and maintaining compliance, but have you ever wondered how to actually do it?

This introductory-level seminar replay course for counselors, clinical social workers, marriage and family therapists, and clinical and counseling psychologists will help learners both understand the role of risk analysis in professional, HIPAA-compliant practice and actually perform a risk analysis using the free tool from HIPAACOW or the Person Centered Tech proprietary tool.

Finally, the course will cover what to do with the results of the analysis and give some examples of HIPAA-compliant security policies and procedures.

Educational Objectives

  • Define the HIPAA Security Management Process standard and its implementation specifications
  • Choose practice-appropriate tools for performing a HIPAA-compliant risk analysis
  • Create an inventory of vulnerabilities to confidential information in the learner’s practice in order to meet HIPAA standards for security


  1. What is risk analysis and how does it impact me?
    • HIPAA’s Security Management Process standard and its implementation specifications.
    • The relationship between HIPAA-compliant risk analysis and reduced liability risk.
    • The relationship between HIPAA-compliant risk analysis and ethical, professional practice as well as improved security for clients.
  2. How and when do I perform a risk analysis?
    • Risk analysis guidance from the Center for Medicare and Medicaid Studies (CMS) and the National Institute for Standards and Technology (NIST).
    • High-level best practices around risk analysis and how they relate to mental health practices.
  3. What are the specific processes of the risk analysis model being presented?
    • Risk-based models of risk analysis and controls-based models.
    • Survey of implementation of a risk-based model using the free HIPAACOW tools and/or the Person Centered Tech proprietary tools with guidance on using them in the mental health practice context.
  4. What do I do with the results of a risk analysis?
    • Interpreting the results.
    • Writing security policies and procedures.


  • United States Joint Task Force Transformation Initiative. (2012). Guide for conducting risk assessments, Revision 1. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.
  • US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification. Washington, DC: Author.
  • US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule. Washington, DC: Author.
  • US Dept. of Health and Human Services. (2007, Mar). Basics of Risk Analysis and Risk Management. Retrieved Feb 6, 2014, from

Presented/Developed By

Roy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.

Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics, and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security and clinical use of technology for Counseling licensure boards and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.

He really likes this stuff.

Course Co-Presenters

Liath Dalton is a Ph.D. candidate in Religious Studies. She began her academic career at Reed College and continued her graduate work at the University of Cape Town.

Liath is the Deputy Director for Person Centered Tech and runs our HIPAApropriateness review program. Through her experience evaluating products for their utility and security with regard to risk management needs, and guiding members toward the product options that best meet their specific practice needs, Liath has an intimate knowledge of both the practice tech needs of mental health professionals and what it takes for a product to meet those needs.

Nicole Kramer, MBA, received her MBA in healthcare administration from Western Governors University in 2017. Before healthcare, she worked as a licensed insurance producer, where she helped individuals and businesses assess risk and mitigate liability. Her work experience includes medical clinic office management, which included overseeing and implementing technology operations and HIPAA compliance.

Nicole is the Business Development Manager at Person Centered Tech.

Program Notices

Accuracy, Utility, and Risks Statement: The contents of this program are based on publications and reports from the federal Department of Health and Human Services and the National Institutes for Standards and Technology; consultation with experts on HIPAA Security standards and their implementation; and personal study from the program developers. Some interpretation and analysis presented is made by the presenter, in consultation with knowledgeable colleagues and expert consultants. Statements about applications to technology are according to presenter’s understanding of the technology at the time of the program. The presenter may not know how to apply all principles discussed to every technology type or product. This program discusses strategies for complying with HIPAA and covered ethics codes. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in security problems, data breaches, or non-compliance with applicable laws or ethics codes.

Conflicts of Interest: None.

Commercial Support: None.

This course is subject to our cancellation/refund policy and complaint policy.
