1 CE credit hour guided reading on HIPAA Security Rule. On demand

HIPAA Security Compliance in Mental Health, a Guided Reading

The process of complying with the HIPAA Security Rule — which is the part of HIPAA that governs digital tech like email, phones and computers — is a relatively flexible and personalizable process. We and our colleagues in mental health technology have published a lot of material covering it.

This is a guided reading, with resource links, meant to help you through the process of understanding and coming into compliance with the Security Rule.

1 legal ethical CE credit hour

On-Demand Self Study


Created for mental health, by mental health

This is an introductory-level guided reading course for counselors, marriage and family therapists, clinical social workers, and counseling and clinical psychologists to introduce them to some of the most important basic concepts in HIPAA Security.

Roles and Responsibilities under HIPAA Security Rule

Determine the clinician’s responsibilities for complying with the HIPAA Security Rule

BAA requirements

Identify when a third-party service provider is the clinician’s HIPAA Business Associate and what documentation or procedures are necessary for working with that third party

Breach Notification

Respond to security incidents in a HIPAA compliant manner

Course Details

1 legal ethical CE credit hour. Self Study

Title: Email in Mental Health Practice: Legal-Ethical, Clinical and Risk Management Issues

Authors/Presenters: Roy Huggins, LPC NCC
CE Length: 1 hour
Legal-Ethical CE Hours: 1 hour

Educational Objectives:

  • Determine the clinician’s responsibilities for complying with the HIPAA Security Rule
  • Identify when a third-party service provider is the clinician’s HIPAA Business Associate and what documentation or procedures are necessary for working with that third party
  • Respond to security incidents in a HIPAA compliant manner


This course is a guided reading, which means it is made up of a series of related articles. Below are the articles included in this course:

  • Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?: Explores the manner in which one becomes covered under HIPAA and some of the legal-ethical ramifications of both being a covered entity and not being one.
  • Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant: Explores a breakdown of the process of HIPAA Security Rule compliance into three steps, with some resources for doing each step.
  • What Is a HIPAA Business Associate?: A very basic exploration of HIPAA’s Business Associate Rule and how it applies to a variety of situations.
  • What is HIPAA Breach Notification?: A very basic exploration of both the concept of security breach notification and the manner in which HIPAA requires it be done.

So, thank you for making HIPAA as fun as it can be!! Keep it up! I am thankful to have found PCT early in my practice and I am glad you guys are in my life :)

Jessica Hudson, M.A., CCC-SLP



on demand self study with indefinite access




Meet Our Author

Presented by Roy Huggins LPC, NCC 

Roy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.

Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security, and clinical use of technology for Counseling licensure boards, and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.

He really likes this stuff.

Program Notices


  • American Psychological Association. (2010). American Psychological Association Ethical Principles of Psychologists and Code of Conduct. Washington, DC: Author.
  • American Association of Marriage and Family Therapists. (2015). Code of Ethics. Alexandria, VA: Author.
  • American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.
  • Mintz Levin. (2016). State Data Security Breach Notification Laws. Boston: Author.
  • National Association of Social Workers. (2008). Code of Ethics. Washington, DC: Author.
  • National Board for Certified Counselors. (2012). Code of Ethics. Greensboro, NC: Author.
  • Office for Civil Rights. (n.d.). Breach Notification Rule. Retrieved August 25th, 2016 from HHS.gov: http://www.hhs.gov/hipaa/for-professionals/breach-notification/
  • Stewart, J.; Chapple, M.; Gibson, D. (2015). Certified Information Systems Security Professional Official Study Guide. Indianapolis, IN: John Wiley and Sons, Inc.
  • US Dept. of Health and Human Services. (2005). Basics of Risk Analysis and Risk Management. Washington, DC: Author.
  • US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification. Washington, DC: Author.
  • US Department of Health and Human Services. (2013). HIPAA Omnibus Final Rule. US Federal Register.

    Accuracy, Utility, and Risks Statement: The contents of this program are based primarily on publications from the federal Department of Health and Human Services, and on the ethics codes of these professional organizations: AAMFT, ACA, APA, NASW, NBCC. Contents are also guided by statements from leadership in those organizations. Some interpretation and analysis presented is made by the presenter, in consultation with knowledgeable colleagues and expert consultants. Statements about applications to technology are according to presenter’s understanding of the technology at the time of the program. The presenter may not know how to apply all principles discussed to every technology type or product. This program discusses strategies for complying with HIPAA and covered ethics codes, and for improving security. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in security problems, data breaches, or non-compliance with applicable laws or ethics codes.

    Conflicts of Interest: None.

    Commercial Support: None.

