HIPAA, Security, and Digital Risk

  

Copyright © 2017 by Joseph R. Sanok

All rights reserved.

  

Published in the United States by Sanok Counseling PLLC, Traverse City, MI.

www.personcenteredtech.com/pop

  

Legal Stuff:

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the author and publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

  

Also, please don’t copy this book illegally.

  CONTENTS

  

Chapter 1: HIPAA Struggles

Chapter 2: Making Security a Priority

Chapter 3: What You Need To Know About HIPAA Audits / Investigations

Chapter 4: Practice Basics

Chapter 5: Lean Into Digital Security

  

HIPAA STRUGGLES

Identity Issue

  The biggest struggle for people is that HIPAA gets really theoretical. For therapists, there's actually an identity issue around HIPAA. There are a couple of pieces to HIPAA, and the one we tend to have the easiest time with is what's called the HIPAA Privacy Rule. That's the one where you have to give clients the HIPAA form which has your Privacy Practices on it. It's actually called the Notice of Privacy Practices, but everyone just calls it the HIPAA form. That one's pretty easy, because it just consists of how you're going to take care of confidentiality and what your office policies are around handling record requests, etc.

  The HIPAA Security Rule, however, is the part that relates to digital tech. In the last five or so years, this has also become important, because we're using digital tech and putting client records on servers on the internet. While these systems make our practices a lot more efficient, there is a security risk involved. Yet, therapists tend to have an ‘identity’ that says they don't do technical things, they do human things. So, when the Security Rule came along, it said you need to think about encryption. When you're putting client information on a device, where does that information flow? Who has access to your information when you put it on a cloud service? Therapists have a lot of resistance to the idea of learning to understand this and learning how to manage it the way we've always managed our clients' security. Whether we call it ‘confidentiality’ or ‘security’, it's the same thing we've done for decades. But, suddenly, because of the digital side of things, there's a big technical aspect, and a lot of therapists struggle with the identity issues surrounding this.

Overwhelm Leads To Avoidance

  People are so overwhelmed, not just with HIPAA but with marketing or social media too, that they become paralyzed by perfection. They want to do it right, and make sure they're good at it, but they also don't know where to start. When it comes to learning how HIPAA Security compliance works, therapists often feel overwhelmed. When this happens, they turn to avoidance. They'll say, “Well, I'm not going to bother with it, because I can't understand it, so why deal with the pain of being overwhelmed?”

Ignoring What You Can’t See

  When you can see the client file, you know exactly what to do to take care of it. And, if you notice that you messed up, you feel it and you feel motivated to fix it. For example, leaving the file outside of the filing cabinet, or handing it over to some shady guy on the street who says, “I'll take care of it for you”. Therapists wouldn't do this. Instead, we're pretty good at coming up with the right kind of security measures to take care of the things we can see, i.e. client files. But, when it comes to things we can't see, like the Internet, people tend not to have an understanding of what it physically looks like when you put a record on a practice management system, which is in the cloud somewhere.

  People can't really conceptualize that. An analogy that might help is to think that when we use any email service, we're basically doing the equivalent of handing our client files to some guy on the street. With every email service we use, there are people holding on to all the emails we have exchanged, but we don't realise that, because we don't see it. This is not necessarily anyone's fault, because it's not in our day-to-day conversations, or even in the news. We don't generally talk about the tech in our lives. So, you don't see it, no one talks about it, and it ends up being out of mind. It almost taps into something deeper in the brain: the things that are right in front of us, we tend to take action on, whereas the things outside of that, we don't.

  

The Belief That Someone Else Has It Under Control

  This struggle ties in with the feeling of overwhelm leading to avoidance, and ignoring that which we cannot see. One thing we've been taught since the early 90s about technology is that someone else takes care of it. You just use it. The general philosophy in software development is that you should make something that just works. It shouldn't be something you think about, or have to have a concept of how it works. You just do it, you just use it, and it just works. So we've been trained to think about our tech that way since the early 90s, and not for entirely bad reasons. But, now that we're suddenly moving information everywhere, using the internet, that philosophy is starting to become dangerous, especially for professionals like us who are handling really sensitive information; information that can have a big impact on the lives of the people we care about, our clients. So now, when someone comes along and says their product is HIPAA compliant, we stop thinking. We immediately take on the perspective that ‘someone else has it under control’, and we let go of the bit of vigilance we usually always maintain regarding the safety of our clients' information.

MAKING SECURITY A PRIORITY

  Within the realm of things we understand as therapists, we do this already. We didn't call it ‘security’ in grad school, but we have always made security a priority. We just called it ‘confidentiality’. When it comes to dealing with confidentiality in the online realm, or in your digital tech, it works the same. And, you want to be as vigilant as you are with your physical file cabinet. For example, if someone started mucking about with your file cabinet, or tried to walk into the room while you're in session, you would be pissed off, right? You know that your client trusts you and considers your office a safe space, which is something you want to protect. So, we need to extend that attitude into the digital realm. It's hard, however, to have that attitude when you don't really know what's going on. You want to be able to trust someone else to take care of it for you and, to a certain extent, you can. You don't have to learn how networking works in detail, for example, but you do need to build a basic understanding of it. When you begin to learn the shortcuts, or have the language, it reduces the feeling of overwhelm.

  

WHAT YOU NEED TO KNOW ABOUT HIPAA AUDITS / INVESTIGATIONS

  The frustrating thing is that there are colleagues in this niche who also try to help people with HIPAA specifically, not just tech. They are trying to help them with the compliance and security side, and they'll mention things like, ‘The 2016 random audits are coming, are you prepared?’ Yet, the truth of the matter is that you will never be randomly audited. There have only been two random audit programs in the history of HIPAA, and both of them did about one hundred and fifty audits. That includes everything, even business associates, for example, companies that serve healthcare like Office Ally. Furthermore, they don't actually randomly choose them. What's random is who gets the initial survey asking about your practice. But then, based on the surveys, they explicitly choose who to audit, and they don't choose individual private practitioners or mental health practitioners. That just doesn't serve their goals. Therefore, if a company is trying to sell you a product by instilling the fear of ‘HIPAA random audits’ in you, consider it a red flag.

  The thing that is likely to actually get you into an audit, or what's called an investigation, is if someone specifically files a complaint with the Feds about your HIPAA compliance. This doesn't mean filing a complaint with your board. Your board isn't going to investigate that. The people who investigate HIPAA are the federal Office for Civil Rights, which is part of Health and Human Services, or your State Attorney General. Those are the people who can enforce HIPAA. So, the biggest reason people ever get into those investigations is when someone complains. And, complaining is actually very easy. There's a website where you go fill out a form and, once you've filed your complaint, they will follow up. The other possible way to get into an investigation is if you have a security breach. Meaning, you accidentally disclose records; for example, you lose records or someone gets access to the records. Essentially, a confidentiality breach. But, that's not how they frame it. Then, based on that, and depending on how many people were impacted, whether you have a pattern of this happening in the past, and various other factors, they might investigate you.

  Recently, they stated that they're starting to investigate breaches that affect fewer than 500 individuals. So, it's possible that if you have a significant breach, something that impacts a dozen or so clients, they will follow up on that with an investigation. There is, however, no concrete data to determine if they are doing so, so they may or may not be doing that. But, the biggest thing you want to be concerned about is the cases addressing complaints. That's where the hard stuff happens.

Examples Of Complaints

  The complaint has to be founded on a HIPAA problem. For example, the person has to complain that you're not complying with HIPAA and they have to show the way in which you're not complying. Usually, the biggest way that happens is the person complains about your privacy policies. Either you're not following them, or your privacy policy is not actually HIPAA compliant. For example, if you don't release records on time, or you're just really cagey about releasing records. That's the biggest reason mental health practitioners get into trouble. That, and if their policy for releasing records is not actually compliant with HIPAA. The other thing people complain about is, for example, not getting a timely Notice of Privacy Practices. Furthermore, the vast majority of complainants are not people who legitimately feel like you did something wrong; it's usually clients who don't like you. Or, more often, family of clients who don't like you.

Full Device Encryption

  The first thing you need to do when it comes to HIPAA compliance regarding tech is ensure that you have full device encryption. Essentially, encryption consists of secret codes. So, when we say ‘full device encryption’, we're referring to a kind of complex process that has a very simple outcome. What it means is that all the information that's stored on the device is encrypted. So, if that device gets stolen, or lost, you can assume that the information on it is basically impenetrable. So, you can safely say that, if it's lost or stolen, there was no confidentiality breach, because all of the information was encrypted. To encrypt a Mac, for example, you go into the security settings and click on the picture of a vault with a roof on it. Then, there's a tab that says ‘FileVault’, which is the name of the encryption program on Macintoshes; go into that and turn it on. Then, follow the instructions.

Passcodes

  The thing about full device encryption is that the weak link is your password. So you need to ensure that you have a really strong passcode, and that includes on your Android or iPhone. You need a stronger passcode than what they let you do by default. You have to go into the phone settings and change it. It allows you to set a really long passcode and you need to do that, because that's the weak link in your encryption. These days, pretty much everybody can log into their phone with their thumbprint. So, setting a really long passcode is not a big deal, because you just use your thumb to get in instead of typing the passcode every time.
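To make the ‘weak link’ point concrete, here is an added Python example (it is not from this book, and it is not how any particular phone or FileVault/BitLocker implementation works internally). It derives a 256-bit encryption key from a passcode with PBKDF2, a stand-in for a device's real key derivation, and then compares how many guesses each passcode policy forces an attacker to try. The guess rate, the salt and the policy list are constructed assumptions chosen only to make the comparison readable; real devices throttle guesses, so the absolute times are not predictions.

```python
import hashlib
import math

# Constructed assumption: how many passcode guesses per second an attacker
# could try against a lost or stolen device. Real devices throttle guesses
# and the rate varies enormously; the number only serves to compare policies.
ASSUMED_GUESSES_PER_SECOND = 100_000

# Passcode policies to compare: (alphabet size, length).
# Digits only = 10 symbols; letters+digits = 62; printable ASCII = 94.
POLICIES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "8 letters and digits": (62, 8),
    "14 letters, digits and symbols": (94, 14),
}


def derive_disk_key(passcode: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Turn a passcode into a 256-bit key with PBKDF2-HMAC-SHA256.

    The output is always 32 bytes, so the key itself is never the weak link:
    whoever can guess the passcode gets exactly this key, nothing less.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations)


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes the policy allows (the attacker's worst case)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Unpredictability of a uniformly random passcode under the policy, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every passcode the policy allows, at the assumed rate."""
    return guess_space(alphabet_size, length) / rate


def compare_policies() -> dict:
    """Summarise each policy: guesses needed, entropy bits, and days to exhaust."""
    summary = {}
    for name, (alphabet, length) in POLICIES.items():
        summary[name] = {
            "guesses": guess_space(alphabet, length),
            "bits": round(entropy_bits(alphabet, length), 1),
            "days": seconds_to_exhaust(alphabet, length) / 86_400,
        }
    return summary


if __name__ == "__main__":
    salt = b"constructed-salt"  # a real device uses a random, per-device salt
    key_a = derive_disk_key("1234", salt)
    key_b = derive_disk_key("1235", salt)
    print("key from passcode 1234:", key_a.hex()[:16], "...")
    print("key from passcode 1235:", key_b.hex()[:16], "...  (completely different)")
    for name, row in compare_policies().items():
        print(f"{name:32s} {row['guesses']:>28,d} guesses  "
              f"{row['bits']:5.1f} bits  {row['days']:.3g} days")
```

The two keys look equally strong, which is the point: the encryption is only as unpredictable as the passcode that unlocks it. A 4-digit PIN allows ten thousand possibilities and is exhausted in a fraction of a second at the assumed rate, while a 14-character passcode from the full keyboard is beyond any practical search. That is why the text says to go into the phone settings and set a longer passcode than the default.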

Encryption On PCs

  For computers, and Windows in particular, you need to get the Pro version of Windows. This is what lets your device be encrypted. For some reason, however, nobody gets the Pro version. It never seems worthwhile to therapists if they don't know about the encryption piece. But, you need Pro, because you need a program called ‘BitLocker’. BitLocker is what you use to do the full device encryption on a PC.

Two-Step Login

  The thumbprint is not to be confused with a two-step login. It is more like an alternative login to your passcode. A two-step login would be if you have to type your passcode and use your thumbprint. A two-step login is, however, more typically something you use for an online service, like your email or your practice management system. There are various different terms for this, including two-step login, two-step authentication, and/or multi-factor authentication. All of these mean that you have two things you do in order to log in. While the first thing almost always involves a passcode, the other thing is often a text message to your phone that contains a little code in it, which you then have to type in. Then, between that and entering the correct password, they let you in.
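The exchange described above, written out as an added Python example (this is a constructed demonstration, not the code of any real email or practice management service): the service checks the password first, then texts a six-digit code, and only lets the login through when the code matches, has not expired and has not already been used. The text message channel is simulated with an in-memory outbox, and the two-minute code lifetime is an assumption.

```python
import hashlib
import hmac
import secrets
import time

# Constructed assumption: a texted code is valid for two minutes.
CODE_LIFETIME_SECONDS = 120


class LoginService:
    """Minimal two-step login: password first, then a one-time code by text."""

    def __init__(self):
        self._users = {}       # username -> (salt, password_hash, phone)
        self._pending = {}     # username -> (code, time issued)
        self.sms_outbox = []   # simulated text messages: (phone, body)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Passwords are never stored as-is, only as a salted PBKDF2 hash.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), phone)

    def step_one(self, username: str, password: str, now: float = None) -> bool:
        """Step one: check the password. On success, text a fresh code."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored, phone = record
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"   # six random digits
        self._pending[username] = (code, now if now is not None else time.time())
        self.sms_outbox.append((phone, f"Your login code is {code}"))
        return True

    def step_two(self, username: str, code: str, now: float = None) -> bool:
        """Step two: the texted code must match, be unexpired, and be unused."""
        pending = self._pending.pop(username, None)   # every code is single-use
        if pending is None:
            return False
        expected, issued_at = pending
        now = now if now is not None else time.time()
        if now - issued_at > CODE_LIFETIME_SECONDS:
            return False
        return hmac.compare_digest(code, expected)


def demo() -> dict:
    """Walk through the cases a two-step login has to get right."""
    svc = LoginService()
    svc.register("therapist", "correct horse battery", "+1-555-0100")  # constructed
    results = {}
    results["wrong password"] = svc.step_one("therapist", "guess", now=0.0)

    svc.step_one("therapist", "correct horse battery", now=10.0)
    texted = svc.sms_outbox[-1][1].split()[-1]
    wrong = "000000" if texted != "000000" else "111111"
    results["wrong code"] = svc.step_two("therapist", wrong, now=11.0)

    svc.step_one("therapist", "correct horse battery", now=20.0)
    texted = svc.sms_outbox[-1][1].split()[-1]
    results["right code"] = svc.step_two("therapist", texted, now=25.0)
    results["replayed code"] = svc.step_two("therapist", texted, now=26.0)

    svc.step_one("therapist", "correct horse battery", now=30.0)
    texted = svc.sms_outbox[-1][1].split()[-1]
    results["expired code"] = svc.step_two("therapist", texted,
                                           now=30.0 + CODE_LIFETIME_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:15s} -> {'logged in' if allowed else 'refused'}")
```

Note the design choice in `step_two`: the pending code is consumed on every attempt, right or wrong, so a single texted code can neither be replayed after a successful login nor guessed at leisure within its two-minute window; a wrong entry simply means repeating step one to get a fresh code.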

Password Management Systems

  Most people will end up using different variations of the same password, which is not smart. The biggest way that people end up getting into your Google email account or PayPal, for example, which are two of the most targeted platforms, is that they figure out your password on some other website that is significantly less well-secured, and then they go try that password on your PayPal or your Google. If you have the same password there, it's easy for them to get in. Even if you're using a variation of the password, it's not hard for them to guess. So, you need to have a different password everywhere, and a significantly different password. It needs to be a big, strong password everywhere. Yet, this isn't humanly possible without writing your passwords down and sticking them to your monitor, which is also a bad idea. In the old days, security professionals used to say that you should write your passwords down on a piece of paper and keep it in a pocket in your wallet. This is because you're very conscientious about keeping your wallet safe. These days, however, we need even more passwords, because we have a lot more accounts. Thankfully, we have a lot of great software that allows us to store our passwords, instead of putting them in our wallets. This software is known as ‘password management systems’ and there are a few different services that you can use to do this. These include 1Password and LastPass. With LastPass, for example, if you update a password, or enter a password, it pops up and asks whether you want to add it to your vault. So, whenever you create a new password, you can just hit the keyboard with numbers and symbols until it says it's hyper secure, and then LastPass will save that combination for you so that you don't have to remember it. Furthermore, the program synchronizes between all of your devices. So, your iPhone will have all of your passwords updated all the time, along with your computers and other devices. Then, you can just click a button and it will log you into your websites.
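The two jobs a password manager does for you, generating a strong unique password and flagging the ones that are reused or only slightly varied, as an added Python example (constructed for this section; it is not LastPass or 1Password code, and the sample vault is made up). It goes a little beyond the text by treating ‘Sunshine2016!’ and ‘Sunshine2017!’ as the same password, since that is exactly the variation the paragraph says is easy to guess.

```python
import re
import secrets
import string

# Constructed assumption: the vault is a plain dict {site: password}. A real
# password manager keeps this encrypted under your master password; the
# generator and the reuse audit below work the same either way.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault showing the habit the text warns about.
SAMPLE_VAULT = {
    "email": "Sunshine2016!",
    "paypal": "Sunshine2017!",        # same word, next year
    "forum": "sunshine2016!",         # same word, different capitalisation
    "ehr": "Sunshine2016!",           # exact reuse of the email password
    "bank": "r7$Kq2!vLm9#Wz4pXb1&",   # unrelated, generated-style password
}

# Common letter-for-symbol swaps, undone so 'P@ssw0rd' and 'password' match.
_SWAPS = str.maketrans("@$0134", "asoiea")


def generate_password(length: int = 20) -> str:
    """Random password over the full printable alphabet, from the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def stem(password: str) -> str:
    """Reduce a password to the word a person is probably varying.

    Lower-cases, strips digits and punctuation from both ends, and undoes the
    usual symbol swaps, so 'Spring2017!' and 'spring2018' share a stem.
    """
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core.translate(_SWAPS)


def audit_vault(vault: dict) -> dict:
    """Report sites whose passwords are identical or trivial variants of each other."""
    exact, by_stem = {}, {}
    for site, password in vault.items():
        exact.setdefault(password, []).append(site)
        by_stem.setdefault(stem(password), {})[site] = password
    return {
        "reused": [sites for sites in exact.values() if len(sites) > 1],
        "variants": [list(group) for group in by_stem.values()
                     if len(set(group.values())) > 1],
    }


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    print("identical passwords:", report["reused"])
    print("trivial variants   :", report["variants"])
    print("replacement for paypal:", generate_password())
```

Generating the replacement with `secrets` rather than by hitting the keyboard matters: a person mashing keys produces far less randomness than it looks like, while the OS random source gives the full 94-symbol alphabet at every position, which is what makes a 20-character password ‘hyper secure’.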

Anti-Malware

  People have this idea that Macs are safe and PCs are not. Apple loves its reputation that the Mac is immune to viruses. They've been claiming that since the 80s. And, back in the 80s and 90s, it was largely true. But, it was only true because the people who wrote viruses had Windows computers, and they didn't like Macintoshes. These days, the Mac has a built-in antivirus included in the operating system, and Apple claims that that's all you need. The fact is, however, that an antivirus is only as good as how often it's updated. So, if you don't update your Macintosh software every day, the antivirus on the Macintosh will not be as good as the antivirus on a PC. The PC updates its antivirus every day. So, you want to have anti-malware software on your Macintosh, and there aren't a lot of anti-malware packages that work well with the Macintosh. While every company will say ‘This is for Mac’, almost all of them will actually slow down your Mac. So, don't get Norton or Symantec for your Mac. Good ones for the Mac are Sophos, ESET, or Kaspersky.

Business Associate Agreements

  It's important to have a concept of where the information is going. This is why you don't want to just leave it to others. That's where Business Associate Agreements come in. When you've got a third party that's not your own workforce but a company offering you a service, and part of their service is holding on to or transferring your client information, that means those people are now essentially coming into your office and mucking around with your file cabinet. If you have Google Mail, Google Mail is basically rifling through your file cabinet all day, because they're handling all your client emails. If you're using an online practice management system, they are holding on to your file cabinet, and they process everything that goes in and out of your file cabinet, because you're putting your records into their system. So, these are people and companies that are handling your information. It doesn't always occur to us that when we use an online service, we're handing client information to some other company. So, to get a Business Associate Agreement with Google, you can make use of their paid service called G Suite. It's around $5 a month, per user, and they do Business Associate Agreements. The Business Associate Agreement means that the company is aware of what they need to do in order to protect your clients' information and protect you on a compliant level. If they do the agreement, they're promising you, in a contract, that they will protect your information. It's like getting a confidentiality agreement with a third party. If there is some sort of hack with Google, then you're not on the hook as much.

LEAN INTO DIGITAL SECURITY

  As mentioned previously, people have identity trouble and avoidance because of the overwhelm. Yet, we really encourage people to lean into this difficult process and be aware that this doesn't mean you have to suddenly take something that is literally overwhelming and suddenly, magically sort it all out. That's not possible. Instead, ‘leaning in’ means just being ready to deal with some negative emotions, and tolerate them. And, instead of avoiding, seek out the help you need. That can mean reaching out to , or that can be a colleague, or family member, who is more tech savvy than you are. In fact, we would recommend a combination of all of them. The people we've worked with who have that combination are often some of the most successful, because they have the local resource, they have the remote resource (podcasts, etc.), and they end up getting both emotional and logistical support, and they're able to get to where they need to go. Ideally, you need to create a checklist and prioritize the biggest ‘problems’ you need to take care of first. Also, identify the low-hanging fruit and then just take it one step at a time. For example, you can start with full device encryption, then setting up LastPass, and then updating your Gmail and PayPal accounts. So you just make this to-do list, prioritize it, and set some time aside each week to get stuck in.