Comprehensive, Customizable, and Cost-Effective
Group Service Plans
Security compliance is not a road into the unknown. It is simply a bridge to be where you want and need to be ethically and securely.
PCT provides tools, consulting and project management to remove the overwhelm of HIPAA compliance and solutions to effectively leveraging your practice’s technology. PCT group practice services are designed for any practice (2 or more clinicians) who want to ensure compliance and digital ethics.
Compliance is a lot like therapy…. it is a process.
We know that running a group practice isn’t easy, and we want to make it easier for you by being your “co-pilot” through your tech and security compliance needs. Our tech expertise will make the compliance process simple and custom.
Holistic approach including change management, security culture norming, and leadership coaching.
Account management for continual support and guidance.
Custom Project Management for expert organization and efficiency.
How Can Person Centered Tech help?
Starting the Risk Process
In your first consulting appointment, we will evaluate what your best strategy is to engage with this process. We will break the process it into small, actionable steps to make it easy and time-efficient.
Designate Security Officer
One of the first things PCT will do is assist you in finding the best person in your practice to be the security officer. In many cases this is not the practice owner (you.)
Performing the Risk Analysis with the PCT Tool
Our tool is specifically created by professionals in the mental health industry to be user friendly for non-tech focused individuals.
You will have direct support through the entire process which will vary based on your needs. We can give guidance on how to use the tool or we can facilitate and co-work with your Security Officer through the entire tool.
Policies & Procedures
PCT has created super timesaving Policy & Procedure templates, and we work with you on customizing them to the practice.
Being the experts, we know how to problem-solve common practice tech and security needs. We have spent countless hours vetting and researching the best and most cost effective solutions.
Forms & Logs Documentation
PCT has created blank Forms & Logs that pair directly with the tasks outlined by the Policies & Procedures, so you can document all of your good security behavior.
We provide the custom training on your specific Policy & Procedures that you will need for your staff via a live webinar, which we record and can then be used for onboarding new people.
We provide numerous CE trainings (we are an approved CE provider by APA, NBCC, and several state boards) that we pair specifically to the needs of your staff, including the depth of material and role. We will provide content specifically for your admins and security officer. We will also monitor and follow up on training assignments so you don’t have to!
Device Tech Support
The risk mitigation plan will require your staff to utilize many tech settings on their devices- encryption, syncing, passwords etc. Depending on your service plan type, we have an online repository of how-to videos for your staff to access and get step-by-step instructions. Other service plan features can include PCT meeting with your team in small groups to walk them through it and answer their questions.
Onboarding the Team
PCT will help solidify the role and authority of the Security Officer in the practice by helping them obtain the needed skills, set up structures for support, and create materials to help introduce the process, needed changes, and PCT’s role in the practice.
PCT’s support can be customized to the needs of the individual group practice. We will provide the support for a DIY option where we set up your plan, act as your expert, and guide you through the process. Or, for those who want to outsource as much as possible, PCT can be your “co-pilot” and perform many of the risk tasks on your behalf by utilizing consulting hours.
Downloadable tools we offer to groups as part of our services.
Customizable Policy & Procedures
Security Forms & Logs
Guidance & Implementation Documentation
Risk Tool with recommended measures guide
CE Training: security officer, admin, clinician
We work with your practice to create customized plans and goals for your organization. View interactive examples of our work in action.
Your customized plan + our project management system = Easy & Organized!
(Jump in… Click in the document to see it work!)
Check the entire staff’s training progress in one click!
(Click “view larger version” to get at full view.)
This is us keeping track of all the paperwork!
(Hover then click on the double blue arrows in the first column to expand view of the info.)
BYOD: Bring Your Own Device
Employee owned personal devices used for clinical work are a wonderful and effective option for device management, however proper security and management is vital and can pose a large surface area of risk to the practice if not properly addressed.
If handling PHI, you are responsible for all of the devices your clinicians use regardless if you supply them or not. PCT will help integrate the technical and behavioral security measures needed through your entire team through a custom device management plan.
Pricing based upon size of practice and included features. We have designed programs to fit needs of small to large clinics, employees vs independent contractors, and custom levels of assistance.
Bait & Tackle
All tools and materials needed for DIY
Help is always available
Project Management System
Personal Account Manager
Built in Support & Change Management
PCT performs the Risk Analysis on your behalf.
Get in Touch to Learn More
What does security compliance require of me?
Here is a summary of the main needs that group practices must do to maintain compliance:
- Designate a security officer to manage the compliance process.
- Perform an annual risk analysis, via the risk tool, to provide an in-depth view of the practice’s Protected Health Information — “PHI” — and how to maintain the confidentiality, availability and integrity of that information.
- Create and execute a Risk Mitigation plan that provide solutions that balance the impact of the risk with the practice’s ability to implement “reasonable & appropriate” solutions.
- Create and adhere to a series of Policy & Procedures that outline good security behaviors and specify the sanctions for what happens if they are not followed.
- Train staff on the practice’s unique Policies & Procedures annually. A generic “HIPAA” course will not fulfill this need.
- Document all security behaviors including the annual risk analysis and Policy & Procedure updates, along with other activities such as changing passwords, auditing devices, and reviewing access logs.
- Continually monitor for and integrate newly found risks or changes into the formal process.
What is a Risk Analysis?
What is a Risk Analysis?
A Risk Analysis is the cornerstone of your security behaviors, which evaluates and mitigates your risks and is a necessity for HIPAA compliance.
According to the Department of Health and Human Services: “The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.”
The main function of the Risk analysis is to evaluate your risks and what impact they would have, and then implement a plan to mitigate those risks. The process includes defining the behaviors needed to ensure you adhere to the plan, documenting security behaviors, and continue this process for continued security. For group practices, who have a larger “surface area” of security risk, this process will be vital to your organization. Let’s look at a few key details of what is involved in this process.
What do you do in a Risk Analysis?
A risk analysis is a formal process that is, in part, performed with a Risk Analysis tool that walks you through each of the HIPAA Security standards. It helps you identify your risks, what kind of impact the risk would have if realized, and then requires a reasonable and appropriate plan to minimize your risks.
You will perform an in-depth look at your Protected Health Information (PHI) and how to maintain the confidentiality, availability, and integrity of that information. You must look at your resources through an administrative, technological, and physical security lens.
For example: your analysis will include looking at if hackers could access your email or your WIFI network; What if your cell phone with PHI was lost?; What if your practice lost power? While the chance of one of these happening might be likely (depending on your circumstances), and it would highly impact the practice, most of these scenarios are easy to mitigate.
What is reasonable & appropriate?
HIPAA standards were designed to oversee ALL covered entities ranging from a solo counselor in private practice to a multi-state network hospitals. So when we implement our risk mitigation plan, it will be custom to our needs and geared to our ability to solve the problem at hand with the resources that are within our means.
Every group practice is a unique entity with its own business model, tech setup, and resource allocation. As a result, risk vulnerabilities will be particular to each unique practice and will require custom mitigation solutions in order to ensure efficacy and feasibility.
How often do you do a Risk Analysis?
According to the Department of Health and Human Services: “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
Performing the initial risk analysis process is only one piece of this puzzle; risk analysis actually includes security behaviors that need to be a continual process within the practice. You conduct a formal risk analysis every year, but you implement, update, document, and engage with its results 24/7.
What does the Risk Process look like?
1) Analysis via the Risk Tool
2) Making your mitigation plan
3) Executing your mitigation plan over a designated timeline
4) Writing out needed security behaviors (think Policies & Procedures)
5) Performing those behaviors and documenting them as needed
6) Integrating any practice changes into this formal process
What are Policy & Procedures?
When you create a risk mitigation plan you will find that you have to define certain security behaviors. This is done in the form of Policies & Procedures. Simply put, these will be a set of comprehensive governing documents that will detail necessary behaviors.
Policies & Procedures will define many aspects of practice life for your workforce, including: how electronic devices are used, usage of secure passwords, what types of WIFI networks they can access, what information they have access to, and what happens when these Policies & Procedures are not followed.
Policies & Procedures will also set the foundation of management activity: such as determining training needs, auditing security logs, sending out security reminders, reviewing potential breaches, physical building security, and much more.
To elaborate one of the prior example circumstances about the threat of unsecure WIFI: you may find that your clinicians will use their personal devices that handle PHI when they are out of the office and will access external WIFI networks. So, you will want to create a P&P to make sure they have a clear understanding of what makes a network secure and unsecure and explicitly state when WIFI cannot be used — e.g. any public WIFI such as a coffee shop, airport, or hotel. Solutions can be really easy when you know what the problem is.
How do you document?
The format is up to you, but you will need to make sure you document your security activities. If you don’t document when you review access logs, perform a training, or audit a device — then it wasn’t done according to HIPAA. You will also need to keep a record of each annual risk analysis and the Policy & Procedure updates.
Something changed! What now?
Most changes, but not all, can be handled with a “mini risk analysis.” It’s a simplified version of the full risk analysis process which will review the change and all of the areas that are also impacted by the change. When you encounter a level of large complexity with multiple areas of potential risk impact, then you will need to evaluate if it is necessary to repeat the formal risk analysis process.
The key is to make sure that as new threats are revealed or changes happen — as they will — that they are approached in a methodical manner and integrated into your current system of security.
Who does the Risk Analysis?
The HIPAA Security rule requires that you designate a Security Officer who is the party responsible for all security activity. They will be point in performing the annual risk analysis, setting up the P&P, facilitating implementation of the risk mitigation plan, ensuring ongoing compliance activity, and documenting everything.
PCT & the Risk Process.
The Risk Analysis is a very engaging process that can be time consumptive, and can cover a lot of material where the Security Officer may not be the expert. As the security, risk, and ethics experts in the mental health field, PCT will work as your “co-pilot” through the entire process — offering as much support as needed, significant time savings, and custom solutions.
- Our tool is uniquely designed for non-techy, mental health providers. Rather than just a list of risks, we provide a narrative description of risk circumstances to help engage and drive home concepts we are familiar with.
- Our vast experience with tech setup will help create solutions that are “reasonable & appropriate” for your specific needs.
- You are supported through the entire risk process. Our consulting can be simply guiding the Security Officer on using the tool or directly facilitating and performing the process with the Security Officer.
- We provide Policy & Procedure templates and will help customize them based upon the results of the Risk Tool. (Trust us when we say you do not want to write these from scratch!)
- Blank Forms & Logs for you to document your security behaviors. “Documentation or it wasn’t done”!
Additional Needs of the Security Rule & Risk Analysis.
- Creating a contingency plan for when emergency strikes.
- Having a process for assessing and handling breaches.
- Customized training for your staff based on your unique Policy & Procedures.
- Solid documentation of all your behaviors held for at least 6 years.
What is a Security Officer?
What is a Security Officer?
The Security Officer is a designated position within a practice that leads your security activity and is a necessity for HIPAA compliance.
The HIPAA Security Rule includes this requirement: “Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”
For group practices, who have a larger “surface area” of security risk, this position will be vital to your organization. Let’s look at a few key details of who can be the security officer, what actions they will perform, and what they will need to do to fulfil the duties of this position.
Who can be the Security Officer?
In a group practice you have many options for who can be a Security Officer. While it can be the owner of a group practice, it does not mean you have to be nor necessarily should be. Here are the considerations when designating your Security Officer — or SO.
- The person in this position should have a general comfort with tech, but they do not need to have a tech background. PCT will back them up with the technical expertise they need.
- They should have a level of empowerment from the owner necessary to enforce security measures.
- They have to be part of the practice. This position should not be contracted out; they need to be able to have an ongoing presence and authority within the practice.
- They need time designated to perform the needed activity. Initially the risk process can be time consuming, so this person would need to have allocatable time (which is why the owners might not be the best fit for large practices!)
People who we tend to see in this position: practice managers, family who provide formal support to the practice, lead admin staff, or tech savvy clinicians. One of the first steps when working with PCT is that we will help evaluate who should be the Security Officer.
What does the Security Officer do?
The SO has many responsibilities and duties both in implementing and continuing to maintain your compliance and risk mitigation needs.
Some of the duties of the SO include, but are not limited to, performing your risk analysis, developing the security plan, monitoring the plan, enforcing the plan, training the staff, and documenting everything! PCT will back them up the whole way through.
Implementing: perform the risk analysis, develop the risk mitigation plan, write the Policy & Procedure documents that will enforce the plan, and write the sanctions for violations of P&P.
Onboarding: train the staff, document security behavior, set a yearly calendar of security needs, and make any changes that are required in the mitigation plan.
Maintenance: onboard new clinicians, perform routine security risk checks and audits (ie. reviewing access logs, sending the monthly security reminders, and audit devices), perform “mini-risk analysis” when natural changes happen, and perform any breach-related activity.
PCT and your Security Officer?
The SO is a very large role with a lot of responsibility, and it may include topics where they are not the expert. As the security, risk, and ethics experts in the mental health field, PCT will work as your “co-pilot” through the entire process offering as much support as needed, significant time savings, and custom solutions.
- Use our expertise to perform a thorough and accurate risk analysis and provide the best solutions for your risk mitigation plan.
- Provide the custom staff trainings and CE offerings, monitor staff training completion and provide polite reminders if needed.
- Facilitate the onboarding process and upcoming changes to help manage staff expectation and solidify authority to the SO.
- Provide Policy & Procedures templates and guidance through the customization. (Trust us when we say you do not want to write these from scratch!)
- Provide a bank of resources to help all levels of tech comfort.
What will the Security Officer need?
- Information on your technology set up (think WIFI, network, devices) or the contact info for the people who set up your tech systems.
- Ability to contact contractors or work associates, such as billers, when integration questions arise.
- Need to be assigned administrator levels of access to important systems, like EHR systems, so they can set security measures.
- If not the owner, a level of empowerment to make decisions, enforce regulations, and be an integral part of the chain of command.
At Person Centered Tech we believe that client centered care and technology can be harmonious and mutually beneficial.
- Yes to what you need
- Effective decisions = Affordable + Functionable + Usable
- For Mental health, by Mental health