HIPAA and Technology in Mental Health Practices
Online Course Materials: Articles Videos
Developed by Roy Huggins, LPC NCC
Course fulfills the California and other states' ethics and law requirements. Course may qualify for insurance discount. Check with your insurer.
This course is also offered as part of a HIPAA Compliance/Security & Privacy Savings Package of 22 CE Credit Hours.
General Course Description
Few things move at the speed of technology. For better and (occasionally) for worse, tech companies have taken a great interest in serving mental health clinicians. The result is a huge array of opportunities for improving care, making practice management more efficient, and meeting clients where they are. This course aims to take you from the theoretical basics up to the technical details of using digital technology in mental health practice while staying ethical and HIPAA-compliant.
This intermediate-level course consists of 12 videos and 17 short articles (transcripts are available for all videos). Section 1 covers some cognitive-emotional norming exercises to establish their relationship to technology and to security and privacy regulations (i.e. HIPAA). Section 2 explores the ethical and regulatory foundations of HIPAA and security and privacy in practice. Section 3 is a study of the legal-ethical use of tools for communication, e.g. email, texting, and videoconferencing. Following that, Section 4 explores how security incidents and breaches are handled by HIPAA, which provides a foundation for Section 5 on HIPAA requirements and practical techniques for protecting the devices that mental health professionals typically use in their practices, e.g. computers, smartphones, and tablets. Finally, Section 6 will cover the most basic information on what “cloud” means, and discusses how it is helpful and what our roles are in keeping cloud services safe, as well as how financial services fit into the HIPAA picture. Additional resources and references are provided for further study, but they are not part of the course.
- This course will teach the participant to
- Define security, privacy, confidentiality, and risk management
- Explain the basics of the HIPAA Security Rule and how it applies to therapists, including steps to compliance
- Define HIPAA-specific concepts such as covered entities, business associates, and safe harbor
- Describe encryption and its importance relative to confidentiality and the Internet
- Explain the basics of how email, texting,videoconferencing, and different types of phone service work
- Summarize the HIPAA implications of using email,text, phone service, and videoconferencing in practice
- State the guidelines for handling security incidents and breach notification
- Identify potential security threats to devices commonly used by therapists in practice
- Describe specific ways to protect devices from common security threats
- List the advantages to using cloud services in practice
- Explain how cloud security works, and ways therapists can contribute to security
- Cognitive-Emotional Norming
- Security and mental health ethics
- Therapists’ emotional relationship to security issues
- Risk management and security in clinical work
- Ethical and legal and the need for security and privacy in psychotherapy
- HIPAA Security Rule Compliance
- What is a HIPAA covered entity
- The basic HIPAA Security Rule and its application for therapists
- The 3 Pieces of HIPAA Security Rule compliance.
- The complexity of the term “HIPAA-compliant.”
- HIPAA’s safe harbor method of deidentifying client information.
- HIPAA Business Associates.
- Email, Texting, and Videoconferencing
- The commonalities between email, texting, and video conferencing.
- Understanding and using the Internet, encryption,texting, and videoconferencing software.
- The 3 kinds of email security.
- Using unsecured emails and texts in practice.
- Classic and Internet-based (VoIP) phone services.
- Use of Office Policies to communicate with clients safer and more secure.
- Security Incidents and Notification
- Security “incidents” vs. security “breaches.”
- Breach notification under HIPAA and other rules.
- The safe harbor condition for avoiding breach notification.
- Using the breach notification rules to help guide security strategies
- Protecting Computers, Smartphones, Tablets, and Similar Devices
- Thinking about security in terms of “threats” and stopping them from impacting clients and one’s practice.
- Requirements and practical methods for using:
- encryption to protect client information on devices.
- anti malware, firewalls, and trusted WiFi to protect client information on devices.
- backups to protect client information on devices.
- unique logins to protect client information on devices.
- Requirements and practical methods for physically protecting devices to protect client information.
- Using and Protecting Cloud Services
- “The Cloud.”
- Cloud services and safety of client information.
- Cloud services’ advantages in helping maintain HIPAA compliance.
- The therapist’s role in keeping cloud services secure.
- The special case of financial services under HIPAA.