

HIPAA Security & Mental Health Professionals

8 True Facts About Protecting Clients and Ourselves

Clinical Update
By Zur Institute


Did you know that HIPAA security requirements work out differently for a hospital than for mental health professionals in independent practice? Modern technology brings new challenges to mental health practice. Clinicians and experts often become conservative around these challenges -- even at the risk of alienating clients or reducing quality of care.

The HIPAA security rule is meant to "scale"; it adjusts for the differing capabilities of a small solo practice vs. a hospital. The difficulty lies in navigating technology and HIPAA.

For example, does HIPAA forbid texting? No, it does not. It does, however, require us to consider the risks and costs closely and to provide security where needed. Would your client be harmed if you didn't text with him or her? That's a big cost, and when that comes up it's time to consider new ways to handle the security risks. This may include collaborating with the client to simply accept those risks and proceed with texting. This can be done by informing the client of the risks and obtaining authorization to use texting.


Our newest course is offered for 10 CE Credits

HIPAA Security and Privacy in Psychotherapy, Counseling and Mental Health Practices
Developed by Roy Huggins, LPC, NCC

Explore the ways that security, privacy and technology fit into the heartful work we do on a day-to-day basis. Learn how to stay in compliance with the HIPAA security rule and the 2013 updated regulations.

The course includes 13 video interviews and a Resources page which includes details of how to make the technology in your practice HIPAA-compliant.

This course is part of a HIPAA Savings Package, Save $$.


Did You Know?

  • You've been practicing "security" for your whole career. For instance, you only reveal client info on a "need to know" basis. Your records are "top secret." You protect your sessions from "surveillance": e.g. you close doors and shades as needed; maybe you use a white noise generator or play music in the waiting room. And so on.
  • You can secure your computer to "Safe Harbor" levels without spending a dime.
  • The term "risk management" is often erroneously interpreted to mean "eliminating risks." In fact, "risk management" refers to balancing risks with costs, prioritizing risks, and taking steps to reduce risks to "reasonable and appropriate" levels.
  • Using electronic communications with clients or keeping records electronically does not, by itself, make you a HIPAA "covered entity."
  • Modern mobile products -- i.e. smartphones and tablet computers -- come with excellent security features or you can add such features cheaply and easily.
  • The 2006 HIPAA regulations do not mention email, texting, Skype, or any other digital communication tools. The 2013 HIPAA final rule mentions email mostly as an example of one tool that clinicians could use to send certain information to patients (with authorization), or that patients could use to send certain information to clinicians.
  • Products and services cannot be "HIPAA compliant." There is no HIPAA certification process for products. Of course, products and services can be more or less helpful to our HIPAA compliance.
  • Expensive security reviews are generally not necessary for solo and small group practices to attain HIPAA compliance. HIPAA security requirements adjust according to our capabilities and the actual levels of security risks we face.



Ofer Zur, Ph.D., Director

321 S. Main St. #29, Sebastopol, CA 95472
Phone: 707-935-0655, Fax: 707-736-7045, Email:

© 1997-2016 Zur Institute, Inc. All rights reserved. Privacy Statement, Disclaimer & Terms of Use.