
Risk Analysis Resources

HIPAA Security Workbook from Roy Huggins/Person-Centered Tech: A tool that provides very specific assistance and guidance to take mental health professionals through the HIPAA Security compliance process. Includes consultation Office Hours service.

HIPAA Security Rule Educational Paper Series: This page contains a number of publications to help small practices with HIPAA security rule compliance. It also contains the document, "Basics of Risk Analysis and Risk Management," which describes one way to perform a risk analysis and prioritize risks for risk management.

HIPAA/HITECH Information and Guidance

"Are You a Covered Entity?" Guidance Page: Here you can find descriptions of what a covered entity is, including a flowchart for determining if you are one.

NBCC on HIPAA Compliance: What You Need to Know About the New HIPAA-HITECH Rules (Sept. 2014) by Jay Ostrowski, NCC, Director of Product and Business Development for the National Board for Certified Counselors (NBCC).

Secure Messaging Apps, aka "Secure Texting"

Qliqsoft (FREE) is a health care texting app that is designed primarily for communication between medical professionals, but can be used to communicate securely with clients. It can be a little complicated to set up, but is useful if you can get it working. Remember that this app requires a smartphone or a computer, which both you and your client would need. For more information about Qliqsoft, see the blog post Qliqsoft: Do I need a Business Associate Agreement?

Encrypted Email

There are tons of encrypted email services out there. Just Google "encrypted email" or "HIPAA email" and you'll find many examples. Here are two that I have had good experiences with.

Hushmail (inexpensive) is a classic, well-trusted encrypted email service. It can provide online forms that clients can fill out to send you a secure message, thus allowing people to make initial contact with you securely. It also has a scheme for "sharing" your account with clients. The downside is that it does not have a mobile app, unlike Protected Trust.

Protected Trust (inexpensive) is like Hushmail, but with some more convenient interfaces. It has a mobile app for smartphones and tablets, so it could be a replacement for texting, although it would be somewhat less convenient than the texting apps described above. The downside is that there is no way for clients to make an initial contact with you via Protected Trust, unlike with Hushmail.

Security For Computers

There are a number of things you should do to secure any computers on which you store sensitive information. Here I've attempted to compile a number of articles that explain how to do each of those things for Mac and Windows. Here are the needed security measures:

  • Disk encryption: Using encryption to secure the files on your computer. Safe Harbor calls for full disk encryption. Getting full disk encryption is addressed below. I generally recommend that you get a professional or strong amateur geek to help you set up encryption on your computer, unless you feel very comfortable with tech. Even though the process of encryption is generally safe, the prudent warnings given around full disk encryption can be quite alarming. Having someone nearby to interpret their meaning and make sure things are working right could be invaluable.
  • Firewall: A firewall is a piece of software you run on your computer that "protects the gates." Your computer makes connections to the outside world via its Internet connection, and other computers on the Internet may try to connect to your computer. The firewall acts as a monitor for this activity, and usually tries to block anything that looks suspicious (sometimes overzealously). Also importantly: the firewall can keep logs of all the incoming and outgoing traffic. This can be vital if you have a security breach and need to do your 4-point risk assessment to determine if the breach has to be reported.
  • Anti-virus: You may wonder what anti-virus software has to do with security. The truth is that most "hacking" of personal computers is done through viruses. The purpose of many viruses is to get into a computer and compromise it for hackers. Viruses on your computer may be the most likely way that an attacker could get your email or electronic health record passwords or even read them directly. Thus, anti-virus and firewalls are probably a more important security precaution than even encrypted email, depending on how you use your computer.
  • Auto-logoff: When you log in to your computer, you unlock security precautions such as passwords and encryption so that you can use the machine. So while you're logged in, the machine and any online accounts you're using with it are vulnerable to security breaches. Thus, you need to run software that will automatically log you out if you've been idle for some period of time. Most security experts recommend that you set your machine to log out after 10 minutes of idling.

There are also some aspects of your behavior that are recommended for computer security. In this section, I'll address these aspects of behavior:

  • Making user accounts: If your machine is shared, especially with non-clinicians, it is best to make separate user accounts for each person. I also recommend making separate user accounts for your personal computer use and for your clinical computer use. Anything to separate the clinical data from non-clinical uses is usually a good idea.
  • Making good passwords: One thing I'll address below is "passwords" vs. "passphrases." Here are examples of the two:
    • A password: H6%ghd(
    • A passphrase: computer red window act stenograph
    You've probably seen lots of passwords in your time. You'll notice that the passphrase is quite different in that it has spaces and full words. It is 5 random words strung together. These are usually easier to remember than passwords. If they are long enough and random enough, they are also stronger than passwords. I generally recommend that people use passphrases of at least 4 words wherever possible.
  • Not using unsecured WiFi: Using unsecured WiFi - generally WiFi at coffee shops, hotels, etc. that doesn't have a password to access it - is one of the higher risk areas for your computer getting invaded by a hacker. Below are some articles on the topic.

This section is separated into subsections on "all computers," "Apple computers," and "Windows computers."

All Computers

"What is Encryption?" Article - Roy's article describing encryption

AxCrypt (FREE): An open-source, free software package for encrypting files.

Anti-virus software: All the major computer security companies generally make anti-virus software for all platforms. Also, there are a lot of options out there for anti-virus and they're all good. Thus, to help you choose an antivirus program, I recommend you check out the Wikipedia Comparison of Antivirus Software page, since it is regularly updated and quite thorough.

How to Stay Safe on Public WiFi Networks: A nice article that not only explains why it's a good idea to avoid unsecured WiFi, but also gives you some pointers on what to do if you have no choice and need to use an unsecured WiFi network. I recommend you keep this one handy for when you're out and about with your laptop.

Password Strength Test Tool: A nice explanation of what makes a strong password along with a handy tool that will tell you some useful information about whatever password you type into it.

The Diceware Passphrase Home Page: The home page of the "diceware" concept, which is a process for choosing random passphrases using dice. This page has a little more explanation of what a passphrase is and describes a well-recognized way to choose really strong passphrases (you don't always have to use diceware to make good passphrases, but it helps).
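As an added example (it is not code from the original page or from the Diceware site), the following Python compares the entropy of the two examples given under "Making good passwords" above and builds a Diceware-style passphrase from five-dice rolls. The word list is a constructed stand-in: 7776 placeholder words with the page's five example words in the first five slots.

```python
import math
import secrets

PASSWORD_ALPHABET = 95       # printable ASCII characters a typed password draws from
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, each keyed by one roll of five dice


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from `pool_size`."""
    return picks * math.log2(pool_size)


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31526' to a 0-based word-list index (base 6)."""
    if len(roll) != 5 or any(face not in "123456" for face in roll):
        raise ValueError("a Diceware roll is exactly five faces in the range 1-6")
    index = 0
    for face in roll:
        index = index * 6 + (int(face) - 1)
    return index


def roll_dice() -> str:
    """Simulate one five-dice roll with the OS CSPRNG (secrets.randbelow is uniform)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def make_passphrase(word_list, n_words=5, rolls=None) -> str:
    """Build a space-separated passphrase.

    `rolls` lets you feed in physical dice rolls (a list of five-digit strings);
    when omitted, rolls come from roll_dice(). Words are joined with spaces,
    matching the page's "computer red window act stenograph" form.
    """
    if len(word_list) != DICEWARE_LIST_SIZE:
        raise ValueError("expected a full 7776-entry Diceware word list")
    if rolls is None:
        rolls = [roll_dice() for _ in range(n_words)]
    return " ".join(word_list[roll_to_index(r)] for r in rolls)


def compare_strength(password: str, n_words: int) -> dict:
    """Bits of entropy: random printable-ASCII password vs. n-word Diceware passphrase."""
    return {
        "password_bits": round(entropy_bits(PASSWORD_ALPHABET, len(password)), 1),
        "passphrase_bits": round(entropy_bits(DICEWARE_LIST_SIZE, n_words), 1),
    }


# Constructed stand-in for a real Diceware list: 7776 placeholder words with the
# page's five example words in the first five slots (rolls 11111 through 11115).
SAMPLE_WORD_LIST = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]
SAMPLE_WORD_LIST[:5] = ["computer", "red", "window", "act", "stenograph"]

if __name__ == "__main__":
    print(compare_strength("H6%ghd(", 5))  # 7-character password vs. 5-word passphrase
    print(compare_strength("H6%ghd(", 4))  # the page's recommended 4-word minimum
    print(make_passphrase(SAMPLE_WORD_LIST,
                          rolls=["11111", "11112", "11113", "11114", "11115"]))
    print(make_passphrase(SAMPLE_WORD_LIST, n_words=5))  # a fresh random passphrase
```

The numbers assume the password's characters and the passphrase's words were both chosen uniformly at random; a passphrase you make up yourself is far weaker than the dice-based figure.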

Apple (Macintosh)

Mac Security: An article about securing your Mac, including auto-logoff, firewall, setting passwords, encrypting with FileVault (the old version), and other aspects of Mac security that aren't specifically required for HIPAA security compliance.

Working with user account and Accounts preferences: Apple's support documentation for managing multiple user accounts on a Macintosh computer.

Special note about encryption on Macs:
Macintoshes come with a program called FileVault that can be used to encrypt your computer. MacOS version 10.6 ("Snow Leopard") and earlier have the original FileVault, which can only encrypt your user account's home folder. This is useful for HIPAA compliance, but does not confer Safe Harbor status on the computer's encryption. MacOS 10.7 ("Lion") and later include FileVault2, which can do full disk encryption, thus giving Safe Harbor-level encryption.

Upgrading your Mac to the latest operating system, and thus getting the lovely security improvements, can cost as little as $20. If you don't feel confident with backing up files and general deep file operations on your computer, you may wish to get a tech helper to assist you in both the upgrade and in turning on encryption.

Going Deeper Into FileVault: An article discussing the differences between FileVault and FileVault2. For instructions on setting up FileVault (the original one), see the Mac Security article link above.

How to Set Up and Use FileVault2: The title says it all.

Windows

Auto Lock (FREE) Software for Windows to automatically log out of your computer. Note: Be careful, this page is full of spammy ads! You'll see big buttons that say "download," but those are advertisements - they are not the actual download button. Keep scrolling down to find the actual download button.

Article About Using Auto Lock: An article to help explain using Auto Lock

Securing Windows 7: Resource links for setting up security in Windows 7, including firewall, setting passwords, and using multiple user accounts.

How to Set Up BitLocker Encryption in Windows 8: BitLocker is encryption software by Microsoft that was only available for business versions of Windows before Windows 8, but Windows 8 apparently includes it in most releases now. This article explains how to set it up. Note: BitLocker may not be available in your installation of Windows. You may need to upgrade to the Pro version of Windows in order to acquire BitLocker. More information can be found here.

A beginner's guide to BitLocker, Windows' built-in encryption tool: Another useful article on setting up BitLocker for encryption on Windows computers

Security For Mobile Devices

Below are some articles to help you get your mobile devices secured for HIPAA compliance. Note that the Microsoft mobile products are still quite new, and there is very little out there on specifics of how to secure them. Microsoft claims they are quite secure out of the box, but that's generally what companies always say.

Below we will try to address how to implement these security measures in mobile devices:

  • Remote Tracking: If your device is lost or stolen, it is possible to track its location and go retrieve it if the device is turned on and communicating with the phone network or WiFi. This is very helpful in deterring security breaches.
  • Remote Wipe: If you can't retrieve the lost or stolen device, maybe you can make it wipe out its own contents. Remote wipe allows you to send a signal to your device - assuming it is powered on and connected to the phone or WiFi network - to make the device delete all its contents. This is a pretty strong way to deter security breaches if done in time. Generally you can back up your phone or tablet to your computer. If you have to wipe your old device, you may be able to restore the backups from your computer on to your next device.
  • Encryption: Just like the encryption entry in Security for Computers, above.
  • Antivirus: Just like the antivirus entry in Security for Computers, above.
  • Passwords: Just like the passwords entry in Security for Computers, above.

This section is separated into subsections on "all mobiles," "Apple (iPhone, iPad)," "Android," and "Microsoft."

All Mobiles

DHHS' guide for securing mobile devices: DHHS put out a number of web pages and videos about mobile device security. It's mostly aimed at clinics and hospitals, but there's useful stuff for solo mental health clinicians, too.

Apple (iPhone, iPad)

How to Use Find My iPhone to Locate Lost or Stolen iPhone: Article on setting up and using remote tracking with iPhones and iPads

iCloud: Erase Your Device Remotely: Apple's official instructions for setting up and using remote wipe with an iPhone or iPad

iPhones, iPads and HIPAA-Compliant Practice: Locking Down Your Apple Device: Roy's article laying out the specifics of securing an iPhone or iPad

Encryption on iPhones and iPads is generally something that just comes with the device. However, it only works if you set a strong password (your password essentially becomes the encryption key).
How to protect your iPhone or iPad with a Passcode Lock is an article that takes you through the steps of setting up a strong, alphanumeric password and thus "activating" your iPhone or iPad's encryption. The instructions are for an iPhone, but they should work on the iPad, too.

Firewalls for iPhones and iPads just don't exist (unless you do something that is very awesomely geeky and also, as of recently, illegal).

Android

Top 20 Android Security Apps: List of useful Android security apps including apps for activating remote tracking, remote wipe, anti-virus, and firewall. On Android, most of these features get handled by a single app, and this article lists several that can do all those things. One of the apps reviewed in this article is called "avast!" I will note that avast! has a long history on PCs and the app is quite full-featured. Be sure to read all the options, however, and choose the best one for you. Whichever one you choose, it's advisable that you get an IT helper to help you set up and use all the features of your Android security app.

Google's "Encrypt Your Phone" page for Android: Instructions for activating encryption on Android devices

Password Protect Your Phone: An article for setting up passwords and security patterns on Android devices.

Microsoft

The Windows Phone 8 and the Microsoft Surface tablet are, at the time of writing, new enough that there isn't a lot of how-tos or informational articles written for non-techies. If you're feeling geeky, I recommend these articles to learn a little about security on Microsoft's mobile devices:

Microsoft's beefing up security with Windows Phone 8 may make custom ROMs a thing of the past: Article (with a long title) about security on the newer Windows phone

Windows Phone 8 Security and Encryption: Microsoft's promotional page on Windows phone security

Password Storage Programs

A great way to help yourself manage passwords well (using a different password on every site, not writing passwords down, etc.) is to use a secure password storage program. With these programs, you have one master password which locks and unlocks the program's encryption. After you enter your master password, you can access your list of other passwords.

These programs can also create high-strength passwords for you. Because you never need to actually remember those passwords (because the program remembers them for you), this is a great way to get really strong passwords that are all different on every site you use. This is actually a fantastically strong security measure.

1password: A popular password storage program

LastPass: Another popular program

Secure Videoconferencing Software

A List of Telehealth Platforms and Their Features: This site is maintained by Jay Ostrowski, a well-known expert on telehealth technology for mental health clinicians. It contains a near-comprehensive list of software platforms that can be used for telehealth along with vital statistics of each.

VSee (FREE or inexpensive) is similar to Skype and Facetime in that it is free or cheap and is easy to download and get started quickly. However, it is designed with telehealth in mind as one of its main uses, and the company has a person whose job is to assist with and advocate for telemedicine applications of the software. None of the video software providers, including Skype, will provide a BAA for the free versions of their products. By 2016, experts agree that this makes all of them inappropriate for HIPAA Covered Entities. Unlike what many have believed, informed experts currently assert that a BAA is required of those who use VSee. VSee seems to provide a BAA to solo mental health practices at a reduced cost. You will need to inquire with VSee to find out the price and other details. You can also find an extensive comparison of options, with side-by-side comparisons, at [link]. If you're feeling geeky (and brave), see this technical conversation on LinkedIn for more about the subject.

Internet Phones (aka VoIP Phones)

When we say VoIP phones, we're talking about services like Vonage or Google Voice, which are sold as replacements for Plain Old Telephone Service (which is sometimes called "POTS"). These services use the Internet as a kind of telephone network, and thus save a lot on costs. Google Voice can even provide a phone number for free, and you can use it on your smartphone as an app. Unfortunately, the digital nature of these services precludes them from the HIPAA security exemption that POTS services enjoy, so we do need to secure them according to the HIPAA transmission security standard. The bad news is: these services don't do that. There is also surprisingly little information out there on the subject of VoIP services that work with our HIPAA security needs.

This conversation thread on LinkedIn is the best source of info on this subject that I've seen. Also, it is likely to be updated as new information arises.

Communications and Other Office Policies

Keely Kolmes' Social Media Policy: This policy is a standard in the field for informing clients of preferred behavior around social media. It also, however, contains several elements of the Communications Policy. Combining a Communications Policy with a Social Media policy may be a good move for a lot of practices.

Electronic Health Records and Practice Management Systems

Rob Reinhardt's review of practice management systems: Many of the systems reviewed include electronic health record features.

HIPAA and Email

To Encrypt Email or Not to Encrypt Email? JDSupra's excellent article explaining how adherence to HIPAA transmission security standards is a matter of prioritization and requires flexibility

Is Email HIPAA Compliant? Roy Huggins' article on email and HIPAA

I want to offer a palate cleanser. There are a lot of people (security software developers, consultants, trainers, etc.) who profit from convincing therapists to be afraid of things on the Internet. As we discussed in interview 9 (and nearly every other interview, too), there are real risks to confidentiality with email, texting, etc. The existence of risks does not necessarily mean those risks are severe, or, more importantly, that they are more severe than other risks. So if you find yourself reading something that is clearly worded with the intention to scare you into assessing Internet-based risks very highly (and I don't mean if someone is simply listing real risks; I mean if they are trying to make the risks sound scary for a purpose), I want you to read this lovely article by Leo Notenboom, an IT expert who just likes to answer computer questions for people. His approach to email may be a bit risk tolerant for mental health care, but if you've just been reading a lot of fear-inducing stuff, it could be just the antidote to get your rational risk assessment circuits back on track: Just How Secure Is Email, Anyway?

HIPAA Business Associates

Here is some extra information on the subject, direct from DHHS:

DHHS page about business associates

DHHS FAQ about business associates

DHHS information about business associate contracts

Risk Management and Standard of Practice in Security

Here are some interesting resources that talk about how risk analysis and risk management approaches are useful to us in a general sense, and not just for HIPAA compliance.

The following are not about HIPAA or necessarily even about security. I include them here to provide examples of how risk analysis and risk management are used in the world at large, and aren't simply HIPAA concepts. They can also inform us about how useful risk analysis and management habits can be, in general.

Risk Management Made Simple: A document written by a company that works for non-profits. HIPAA requires us to use risk management and risk analysis for security purposes, but this document is about using risk management as a tool for improving a whole organization. It is a good example of how risk management can be used as a tool for creating improvement and fostering organizational health.

The Basics of Risk Assessment: This is a dry -- but clearly written -- explanation of risk analysis in the context of managing fisheries. Once again, it's not about security, but it looks very much like the risk analysis model that DHHS recommends we use for HIPAA compliance.

The Psychology of Security: A classic essay from famous (or infamous, depending on who you talk to) security researcher Bruce Schneier. This article discusses how humans tend to perceive risk poorly due to quirks of cognitive psychology.


De-identifying: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule


De-identification of Protected Health Information (PHI)

Definition of De-Identified Data

HIPAA's Rules on Sharing Private Information

HIPAA's Use as Code of Silence Often Misinterprets the Law

Ofer Zur, Ph.D., Director

© 1997-2016 Zur Institute, Inc. All rights reserved.