How to Comply with HIPAA in a Behavioral Health Practice by Roy Huggins, LPC

It was our pleasure to interview one of the few experts on HIPAA compliance for Mental Health practitioners.  Roy Huggins, LPC NCC is Director of Person-Centered Tech, a consulting and continuing education firm that serves the healthcare community. Roy worked as a professional Web developer for 7 years before changing paths and makes it his mission to grow behavioral health clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions. Roy also acts as Technology Chair for the Oregon Counseling Association, is an advisory board member for the Zur Institute, and is an adjunct instructor at the Portland State University Department of Counselor Education. He routinely consults with healthcare professionals on issues of technology in practice as well as compliance with the HIPAA Security Rule.


Roy was a guest on Mental Health News Radio.


One of the topics of discussion was around EHR vendors and the fear-based tactics used to sell their software.  We have had many providers call and email stating they received emails about “going to jail” from EHR vendors. This information is wrapped in “we, the vendor, are simply supplying you with information to help your practice.”  These kinds of tactics are used for one reason and one reason only: to sell software.  EverythingEHR is working to dispel some of those marketing agendas so providers have access to the facts.

Roy’s company Person Centered Tech is one of the few that offers providers CE credits related to security, compliance, and HIPAA. He has graciously offered all of our listeners and providers a 15% discount. Just use this coupon code at registration: EHRANDMORE

Some of the topics we covered on the show are listed below, as well as links to information available to any and all mental health practitioners and providers.

How do you comply with HIPAA?

Know the difference between the Privacy Rule vs. Security Rule.

Security is now a major issue due to technology expansion, which we will discuss in depth on the show.

Every practice needs to start with a Risk Analysis and then make a Risk Management plan and security policies and procedures manual.

How do behavioral health professionals do that? How is that within our capabilities?

As an industry, we need to develop new standards for how that works. Many practices create groups of their own, join consulting groups or hire consultants like myself.

Practices often confuse Security and Risk Assessments with simple confidentiality forms.  There is a difference.

What is the difference between confidentiality and security?

Confidentiality is the duty and the clinical-ethical principle; security is the logistics of how you execute those guidelines.

Confidentiality is black and white, and security is subject to each practice. It is a grey area.

Clinicians get tripped up by confidentiality principles when trying to assess security issues in their practices.

The industry needs to develop its own understanding of security and incorporate it into our practice the same way we do with legal-ethical concepts like confidentiality, privilege, duty to warn, mandated reporting, etc.

So, how does a risk analysis work?

I will describe that process on the show and in future shows on Mental Health News Radio.

There is guidance from the federal government and we provide links to this information in this article and on my website.

On the show I use examples of analyzing risks versus assessing “confidential vs non-confidential.”

A lot of people won’t feel like they’re competent to do that by themselves. How do they get the information they need for it?

I have seen clinicians do their own risk analysis and do a fine job.  You don’t always have to hire an outside source.

I and some other colleagues have written many articles whose purpose is to provide information about vulnerabilities and about risk management measures.

We’ll link to my article archive in this interview.

I also recommend that groups take my online webinar together. The group can combine energies and competencies and get CE credit for their trouble.

Depending on how confident the clinicians feel, they can have a consultant work with the whole group — thus splitting the fees — or have a consultant look over their documentation and make suggestions.

You said something about risk management planning and a policies and procedures manual?

After you identify your top risks, you write down your plan for reducing those risks.

Examples of technical security measures versus administrative measures.

Never underestimate the power of policies to protect your information. This is why HIPAA requires you have a manual of policies.

Subscribers to my free newsletter get access to my template for the policies and procedures manual.

The general impression we get is that to be HIPAA compliant, we must use things like encrypted email services or products that say “HIPAA compliant” on their front page. You’re telling a different story. Why is that?

Following risk analysis, encrypted email may emerge as the thing you need for your risk management plan.

Risk analysis makes that flexible and lets it work according to your own needs and those of your clients; however, products (like EHRs) cannot be HIPAA compliant.

Products cannot be HIPAA compliant. That is marketing.

How much do behavioral health clinicians need to be concerned about other forces besides HIPAA that affect their use of technology?

Increasingly so: codes of ethics, professional guidelines, state licensing boards, and legislatures are all jumping in to provide guidance.

CE Offerings

Digital Confidentiality LIVE Webinar Series (6 Ethics CE Hours Total)

everythingEHR listeners receive a 15% discount on our events. Just use this coupon code at registration: EHRANDMORE

Roy’s On-Demand Courses at The Zur Institute (various)

Resources to Understand HIPAA Security Compliance and the Risk Analysis Process

From the Feds

Guidance material on the HIPAA Security Rule for small providers

Guidance on risk analysis and risk management planning for small providers

Model Notice of Privacy Practices (“The HIPAA Form”)

From Roy and Others

Risk Analysis and Risk Management Planning: Can You Do It Yourself?

Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?

What Is a HIPAA Business Associate Agreement?

HIPAA “Safe Harbor” For Your Computer (the Ultimate In HIPAA Compliance): the Complete Guide

Clients Have the Right to Receive Unencrypted Emails Under HIPAA

New HIPAA Rules Are Here. Yay!

Online Data Backups and HIPAA Compliant Practice: A Government-Produced Monkey Wrench

Good Stuff Besides HIPAA

Initial Client Contact by Email: The 2014 ACA Code of Ethics vs. HIPAA (1st in a series)

Emailing and Texting Security vs. The ACA 2014 Code of Ethics (2nd in a Series)

Articles and Resources On Specific Pieces of Technology and Their Relationship to HIPAA Compliance

Extensive Resources Page on Security for Computers, Mobile Devices (phones and tablets), Encrypted Email, Secure Texting Apps, and more

Google and HIPAA Compliance: Gmail, Drive and Calendar Now Accessible For Health Care Professionals

iPhones, iPads and HIPAA-Compliant Practice: Locking Down Your Apple Device
