
B
Hi, welcome to the Abundant Practice Podcast. I'm Allison from Abundance Practice Building. I have a nearly diagnosable obsession with helping therapists build sustainable, joy-filled private practices, just like I've done for tens of thousands of therapists across the world. I'm excited to help you too. If you want to fill your practice with ideal clients, we have loads of free resources and paid support. Go to abundancepracticebuilding.com/links. All right, onto the show. So I've talked about TherapyNotes on here for years. I could talk about the features and the benefits in my sleep. But there are a couple of things I want you to know about TherapyNotes that don't typically make it into an ad script. First is that they actually care if you like their platform. They don't only make themselves available on the phone to troubleshoot so you don't pull your hair out when you get stuck. They also take member suggestions and implement those that there's client demand for. Like TherapySearch, an included listing service that helps clients find you; internal and external secure messaging; clinical outcome measures to keep an eye on how your clients are progressing; a super smooth superbill process; real-time eligibility to check on your client's insurance. In my conversations with the employees there at all levels, they all really believe in their product and they want you to love it too. Second, they are proudly independently owned. Why should you care about that? Because as soon as venture capital becomes involved, the focus shifts from making customers happy to making investors happy. Prices go way up. Innovation plateaus. Making more money with as little output as possible becomes the number one focus. With over 100,000 therapists using their platform, they've been able to stay incredibly successful and they don't have to sacrifice your experience to stay there. You can try two months free at therapynotes.com with the coupon code Abundant.
Welcome back to the Abundant Practice Podcast. I'm your host, Allison Puryear, founder of Abundance Practice Building, and I'm here with Samantha Schalk. She's at guardianclinicalessentials.com, which we're going to put in the show notes, and we're going to talk about all those types of things that we are using or doing or maybe not doing in our daily clinical practice. We're going to talk about devices, we're going to talk about managing website documentation, these kinds of things that, like, we're all doing on a daily basis that we may or may not be doing the quote-unquote right way. So Samantha's going to set us straight. So thanks so much for being here.
A
Thanks so much for having me. I'm excited.
B
Yeah. So I've got to ask, what got you interested in the HIPAA stuff? Because I feel like there are camps of people who are into it and camps of people who are like, it's scary.
A
Right? Well, and there are probably fewer of us in this camp. Right. So I have worked in supervision for a long part of my career, and in doing that I've seen a lot of problems come up. A lot of situations where people had HIPAA breaches, have had different scenarios come up where they could have been liable, and sometimes lawyers got involved. And I also have had a lot of colleagues of mine go into private practice, and then they were coming to me and they're like, hey, what do you think about this? Or how should I set this up? Or how should I do this? And I'm like, oh my gosh, there's just such a lack of information out there, and I don't want people to kind of be caught in a spot. So.
B
And I'll say I feel like the info's out there, but it's, like, so obtuse, like it's so hard to understand, and I don't think they want us to comply. Well, I guess that's why we have you to make it easier, because I feel like it could be written in a way that it's just like a checklist for us that's nice and easy, but it's a bunch of legalese.
A
Well, and not only that, but a lot of the information that's out there regarding HIPAA is really based on a medical model. So it's really hard for people who are in the mental health field to take stuff that feels really not relevant for the kind of work we're doing. And it's not one size fits all. And so how do we adjust that so it actually makes sense for mental health?
B
100%. So, okay, lay it out for us. What's, like, the most common thing you see therapists in private practice doing that you're like, oh...
A
I would say probably one of the biggest things that I see is that they don't have any policies in place at all. People who are often in solo practice, they're like, it's just me, I know what I'm supposed to do. I'm the one making decisions for just me. Why do I have to have everything written down? Or even they feel like since they're not contracted, sometimes either because they're self-pay or because they're not contracted with community mental health, that there isn't somebody regulating them and they're not held to the same standards a bigger group practice would have. Got it. And that's not true.
B
So, like, are you talking about like informed consent or they don't have it written out? Like, this is what happens in a HIPAA breach.
A
All of it.
B
All.
A
Yeah, yeah. So you of course have the informed consent. Those are things that most therapists have in place because almost everybody is using an EHR. I shouldn't say almost everybody, but a large percentage of people are using EHRs. Or you've been in practice a long time and you're on paper still, and therefore you kind of know the drill of needing informed consent, needing your notice of privacy practices. Those kinds of standards are the things that people usually do have in place. I'm talking more like, so how are you going to destroy records once you don't need to continue to have them anymore? And what is your policy saying how you're going to do that in a legal, compliant, secure way, and what the timeline is? Because every state has their own rules for how long you have to maintain records for people who are adults and for minors. And so having all those pieces actually written down. Because what happens if two years after you destroyed somebody's record, they come and they're like, oh, I need a copy of everything. You're like, well, I don't have that. Like, I've already destroyed all of that. How are you going to protect your own practice? To explain this was the procedure, and I also reached out to you and let you know that this was the time frame that you had to request any of your records before we were not going to have them anymore. So that's why people need to have all of this kind of stuff in writing. What happens if they're breached? You're actually even supposed to have sample letters to send to your clients if there's a breach, or even to send to the Office of Civil Rights if there's a breach. You're supposed to have those in place. So a lot of these policies and procedures are things that people are missing just across the board.
B
And I mean, I've been helping people with private practices for over a decade now. And I realized I do have the letters written for my own practice around a breach, but I don't have it written out how I destroy records. So thank you.
A
About that, there are a lot of other pieces, because unfortunately, most of the time in grad school, they don't cover any of this.
B
Right.
A
They talk about a release of information.
B
Right. And they just assume that the agency you're going to work for for the rest of your life will handle the rest. Okay, so we get that, like forms important, like having these things written out. What's another thing that you see pretty often that concerns you?
A
People don't have a security risk analysis.
B
Oh, describe that.
A
A security risk analysis, or sometimes it's also called a security risk assessment, or an SRA, is a document that you need to be completing on a regular basis, usually a minimum of annually.
B
Okay.
A
Or any time that there's a change. So let's say you switch how you're going to have your email system set up and now you're going to use a different kind of email, or you switch which EHR you're going to use. So anytime that there's a change, or even anytime you hire somebody new or put a new system into place, a new platform, you would want to do an SRA. What they are is a process of going through and making sure that every part of your practice is as secure as possible and that all of it is being documented. So technically you're supposed to have a log of any time that you're using any kind of device or tool along with your practice. So if you have a thumb drive, that should be on a log somewhere. If you have a phone and you got a new phone because, well, yours was five years outdated, because you know how those things change. So if you get a new phone, you need to say how you destroyed your old phone that was part of your practice setup. Maybe you had work email on there or access to your EHR on there. And so you would need to say what happened to your old phone, to prove that you destroyed it or wiped it in a secure way. And you would also then document what your new device was. And so you would have all of these things documented, and all those things are part of your SRA, having your business associate agreements and making sure all of those are up to date. So a lot of times people think, oh, well, I'm working with... One of the big ones I hear is working with Google Workspace. And they are HIPAA compliant, or have the potential to be HIPAA compliant, but they aren't automatically HIPAA compliant. Nothing is really automatically HIPAA compliant. At minimum, you have to go on and find the business associate agreement, and you need to retain a copy of that, whether it's hard copy or digitally.
And a lot of times you also have to go into the system and actually set it up in the back end so that you've created the encryptions and all these different pieces, so that it really, truly is compliant. Yeah.
B
And even then it's just the emails you send that are HIPAA compliant; the ones you receive are not. Unless I use Paubox, P-A-U-B-O-X, which makes it, like, encrypted on both ends with Google Workspace for those emails. So yeah, it's like people can say the words HIPAA compliant, but that doesn't necessarily mean it's... We fully understand what they mean by that. Right, right. Okay.
A
So SRAs are super important, and a lot of times even the people that I've come across who have had their system hacked, and I know a couple of people who've had their systems hacked and held ransom for either Bitcoin or money or whatever they're doing now. But in those situations, a lot of times if they had actually been doing the SRAs, it probably wouldn't have happened.
B
Right.
A
Can't guarantee anything, but it would have been much more secure and the chances of that coming up would have been a lot less likely. And so they would have been able to keep their client information secure.
B
Right. Okay, so, like, can we talk about devices? Because I'm hearing we need to document how we wipe them, but what about when we just, like, we have our phones, we're using them in various ways in our practice, whether it's answering calls or scheduling things within an app. What's safe, what's not, what do we need to be mindful of?
A
So if you talk to the people who are kind of the more computer experts or technology experts on that end, they will basically tell you don't have any app on your phone that you're not using on a daily basis. Even if you're using it once a month, delete it and download it again. Oh yeah, they say don't store any kind of private information on your phone. So pretty much all phones now are set up so that it has, like, a six-digit code, or it will scan your face before you're able to access the material in your phone and actually log in. And you definitely want those turned on. You always want multi-factor authentication turned on, where it'll send a code to your email or a text or whatever, so you have those extra steps. So a lot of times on any devices, whether you're using your computer, tablets, phones, whatever, most of them have those kinds of tools in place. Most laptops now are made where you can encrypt it right in the system, depending. I mean, they're a little bit different if you have Mac or if you have Windows, but most of them are built so that they have some internal encryption process for your files. Because most people will be like, oh, well, I'll protect my work computer and I'll put a password on it. So usually it's one word or it's four digits, four numbers. That's not enough. It is not enough. When it comes to HIPAA, if something were to happen, if your laptop had been stolen, it would not be considered enough. And a breach like that is usually 10 grand right off the bat, minimal. Most of the minimal breaches, or even fines that are put out by the Office of Civil Rights, the small ones are 10 grand.
B
Yikes.
A
Okay. And a lot of them go into higher five figures pretty quickly, depending on how severe the issue was. So having that kind of encryption can protect all of your documentation on your computer, and can also then protect any files that you have on there, in addition to your actual laptop password or computer desktop password. So you want to have all of that stuff set in place so that even if somebody else did have access to your computer, because a lot of people now work from home and a lot of people have families, so how can they prove that nobody else had access to their computer? Mm. So it's pretty difficult to do that. And so, for instance, sometimes people will say, oh, well, you know, like my partner knows how to, you know, run the scan disk or, you know, do my updates or do different things on my computer. I don't get into that technology stuff. If your partner or anybody else is accessing your computer, a computer that also has client information on it, if you can't prove that they didn't access it, that's considered a breach.
B
What if the client information is all in an EHR in that cloud?
A
If it is, and then obviously password protected because you have to log in, that's a little bit different. Now, a lot of times people can't necessarily say that's 100% true, because people will download letters, they'll write letters that have clients' names in them, they will have card information that was emailed, and then they have to, like, upload it to your computer so then you can upload it to your EHR. Right. So all of those files that could be in Word or could be in Adobe or any of those other things, those files, if they're not encrypted, that's where the issue is. And then to add on to that, you have to have BAAs for any other of those programs that you're using. So if you're using Word to write a letter, or if you're using Adobe to create something or to download any kind of photos or anything, you know, even you might have a client work on something art-based in doing therapy, and then they send you a photo of what they made for their file, or so that you can see it, and you want to upload that to their file. So any of those other programs that you're using that do touch any kind of client data, any PHI, all of those things have to have BAAs. And anything that is going to hold those files, the files need to be encrypted.
B
Okay. Okay. It's doable.
A
It is. And honestly, our devices make it really, really easy. Do what your device already has. I'm not even suggesting to pay for something new and download some new encryption app or anything like that. Most of the time you can go into your computer system and type in encryption, and usually it'll come right up with what your encryption app is, right, already installed on your computer. So turn it on, please.
B
Easy. Just toggle it. There you go.
A
Yeah.
B
Okay. Okay. So that, I mean, I appreciate that. It makes it a lot less scary to know that all we have to do is toggle it on, because most of us therapists are not also super techie. And when we even use words like encryption, I can see people start to glaze over a little bit. But it's okay. It's just like, y'all can do it. I can do it. We're here, we got it. Okay. What else are we missing, as a group of private practitioners, that's really important?
A
Probably one of the other big things that I see is stuff on websites.
B
Same word.
A
So websites are a minefield for HIPAA violations. Websites have an opportunity for your potential client to be coming on to your website. So now your hosting company has their IP address, and whoever you're doing hosting through, a lot of people aren't paying for HIPAA-compliant hosting or secure hosting, which is a thing.
B
Mm.
A
It's expensive. Usually it's anywhere from two to $400 a month.
B
Ooh.
A
People, especially in private practice, can't foot that kind of a bill. Yeah. So. And a lot of people don't even realize that this is a thing. I remember even back when I was on secure hosting. Oh, my gosh. I didn't even, like, think about if somebody's coming to my website and I don't have those kinds of secure features set up. Now, guess what? They're gonna get ads for, like, BetterHelp. And they're going to get ads for, like, all of these different kinds of promotional companies out there. Because now their IP address was tracked to a therapist website. Wow. Right. And so, I mean, I'm not saying that that's necessarily a bad thing. I mean, whatever is going to help the client get the services that they need. But that also is making it so their information hasn't been secure. So now if we, like, up the ante, and you actually have some kind of, like, a chatbot on your page, which you see all the time, or if you have a newsletter where the person drops their information in to get your newsletter, or a contact page. Contact pages are, like, one of the worst. So contact pages. Now you've actually invited them to give you all of their PHI. And who knows what they might put in that little comment box. That could also be super private information. Because clients are often in a place where they're feeling a sense of desperation, and they're like just putting it all out there. And so they put a ton of information into these little chat boxes that then go to your email, and none of that ends up being secure unless you're actually paying for a security feature on it. Yeah.
B
Which I'll say Hushmail has one for people who need a secure contact box situation. Contact form. Yeah.
A
And that's fabulous if you... So what happens when you're doing stuff like that? If you're using, particularly, the thing that I encourage people to do, use the one that you're paying for with your EHR already. Use their integrated system where they can message you or they can go right to scheduling a consultation or an appointment. And that could be integrated right into your website. Because if you navigate them off your page and they're no longer on your website filling in this contact form or whatever information on there, if they're going on to your EHR's page or any other company's page that is secure, then it isn't that your page created the security issue, because you've navigated them somewhere where it's safe for them to put their information, right.
B
Which, y'all, Squarespace is not the safe place for them to put their information. I love a Squarespace website, but you need to have a different way for them to contact you. And you could also probably... You tell me if this is right or wrong. If you just put your email address with the link, right, can they click on that and it opens up in theirs? Is that secure?
A
So technically HIPAA doesn't want you to give them a link. If you list your email and even put, if you would like to send an email directly to our office, here's the email address, and you also provide a disclaimer. Because on their end, they're probably not emailing you because they've never talked to you before, they don't know you, they don't have anything set up in your system. So yes, there are some systems out there that will have, like, what you're talking about with Paubox, where it has, like, the kind of dual encryption feature where it's both directions, but a lot of them don't. So as long as you are notifying the client that, hey, if you're going to email me, this is the concern, that it's not HIPAA compliant on your end. You can do that if you've let them know. But it is probably the easiest thing to do to actually have a contact form where it is going through your EHR or it is going through a different secure system. So you can, if people have it set up where they have Google Workspace, you can have them use the Google form and fill out a contact form through secure Google Workspace, because you have the BAA with Google Workspace, and then that form is secure because you've navigated them off of your page.
B
Right, right. It's so complicated because, like, tech just keeps rolling and getting more and more complex and the...
A
It is complicated, but it isn't hard. It isn't hard to set some of those things up. And usually once you have them set up, as long as you're continuing to, you know, do your SRAs and monitor that things are still working the way that they're supposed to, then you're good. It's not something you have to set up every, you know, every month or set up repeatedly. Like, once you set up that encryption system to get that secure information, and so that they can communicate with you that way instead of having the contact form right on your website, once you set it up, it's done.
B
So yeah.
A
So not hard.
B
It's not hard. It's just not most of our skill sets. And we can shut down and just not do the work because it intimidates us, but we need to do the work to make sure that we're protecting our clients.
A
Definitely. And so because it is sometimes overwhelming, and when it comes to HIPAA and people start kind of recognizing how much there is to HIPAA, so much more than a release of information, one of the things I do suggest for people to do is have monthly time that you work on compliance. Set a time every month and say, like, okay, I'm gonna, like, hammer out some compliance things. And that makes it so much more manageable and less overwhelming, because you have specified time and you're just going to work on a little bit at a time. And the Office of Civil Rights, they love that. If you have a plan and you're consistently working on something, even if you're not perfect, they don't ever expect perfection. They want to see that you're making an effort and that you're being strategic. That's it. Got it.
B
Okay. So progress, not perfection. That's good. All right. Any other big blunders that we're just making and not realizing it?
A
Not encrypting email, like that, that would be a really big one. That happens. People not logging things. That one is huge. So what often will happen if somebody receives a release of information? Somebody will... It might be yourself or it might be the person within your practice who's in charge of managing releases and sending out medical records. But a lot of times what happens is that people will log it. Right. Jane Smith had a release sent to this person on this date, and so they log it right in. Make a note right in the person's chart, which is great and you should do that. But you also need to have logs to keep track, for HIPAA reasons, of where all of your information went. And it's different information than what you would necessarily really put right in the client's record. Oh, so you would want to know how you sent it. Like, did you mail it, like hard copy mail? Did you do encrypted email? Did you send some other kind of file? Did you give it to the person hard copy? Like, somebody came to pick up something in your office. So what exactly did you give for that release? What the dates were. So there are certain things you would want to keep in that log, but there are multiple things you'd want to be logging. So in general, I want to say there's eight or ten different logs that they want you to be maintaining.
B
Oh, my gosh.
A
And some of them aren't things you would even put a whole lot on year-long, but it might be, okay, well, when was the last time you did a HIPAA training?
B
Right.
A
So, you know, for yourself or for staff, put that on your log. You know, so if you hired a new person and you had them do your HIPAA training when they started, you would want to put that on your log. So you're keeping track of when those trainings are. Like I had mentioned earlier, you want to log your devices that you're using within your practice. Anything that could touch PHI, you would want to have all of those things accounted for on your log. And if you're not using them anymore, you document that, how you got rid of them or how you wiped them or how you cleaned whatever it was that had any kind of PHI on it and how you wiped that information off. And then you would want to keep track of all of those kinds of things. You also want to keep track of... I'm just trying to think of, like, all of the different... what are on the different logs. You would want to make sure that... I'm kind of having a blank on all the logs. But anyway, there's multiple different things that you want to log so that you have those records. Because ultimately, what happens if there is some type of a breach or there's ever a question, do you really think that you're going to remember all the different clients? That you're going to be like, oh, no, I documented in their charts, I keep track of... Well, whose chart was it? Like, are you going to be able to pull that up if you were ever questioned? So having those things on a separate log for HIPAA is really what they want to see.
B
Right, right. Makes sense. Okay. I think we're better informed and hopefully not intimidated because, like you said, none of this is hard.
A
It isn't. I mean, really.
B
And it's just getting it set up.
A
Yeah, yeah. I mean, it's really a workflow thing most of the time. What I find is that a lot of times therapists are doing what they need to be doing, but, you know, in our field, is it written down? Do you write down what you did? And so it's also writing things down for any of the compliance pieces so that you have that tracked.
B
Yeah. Amazing. Well, thank you so much, Samantha.
A
Absolutely.
B
Samantha's website is in the show notes so that y'all can get in touch, and yeah, I appreciate you. Thank you.
A
Thanks for having me.
B
Bye.
A
Bye.
B
If you're ready for a much easier practice, TherapyNotes is the way to go. Go to therapynotes.com and use the promo code Abundant for two months free. If you're listening, you probably need some support building your practice. If you're a super newbie, grab our free checklist using the link in the show notes. I'd love for you to follow, rate, and review, but I really want you to share this episode with a therapist friend. Let's help all our colleagues build what they want.
Host: Allison Puryear
Guest: Samantha Schalk, guardianclinicalessentials.com
Date: February 4, 2026
This episode tackles a rarely discussed but critical aspect of running a private therapy practice: HIPAA compliance and the everyday missteps that can lead to data breaches. With guest expert Samantha Schalk, Allison Puryear guides listeners through practical, actionable steps for therapists to properly secure client information, set up necessary policies, and avoid costly errors. The conversation is down-to-earth, demystifying HIPAA’s “scary legalese” and empowering clinicians to secure their practices without tech overwhelm.
For therapists seeking an actionable, step-wise approach to compliance, this episode dispels fear and offers a roadmap toward secure, sustainable practice.