Abundant Practice Podcast – Episode #729: Daily HIPAA Breaches, feat. Samantha Schalk
Host: Allison Puryear
Guest: Samantha Schalk, guardianclinicalessentials.com
Date: February 4, 2026
Episode Overview
This episode tackles a rarely discussed but critical aspect of running a private therapy practice: HIPAA compliance and the everyday missteps that can lead to data breaches. With guest expert Samantha Schalk, Allison Puryear guides listeners through practical, actionable steps for therapists to properly secure client information, set up necessary policies, and avoid costly errors. The conversation is down-to-earth, demystifying HIPAA’s “scary legalese” and empowering clinicians to secure their practices without tech overwhelm.
Key Discussion Points & Insights
1. Why Are Most Therapists Unprepared for HIPAA?
- Lack of Direct, Accessible Information:
- Much of the available HIPAA guidance is written for large medical organizations, not small practices, making it difficult for therapists to comprehend and implement.
- “A lot of the information out there regarding HIPAA is really based on a medical model... It's not one-size-fits-all.” — Samantha Schalk [04:01]
2. Common HIPAA Pitfalls in Private Practice
- Missing Written Policies & Procedures
- Many solo practitioners wrongly assume that just because they're the only one involved, formal documentation isn't necessary.
- “They don’t have any policies in place at all... why do I have to have everything written down?” — Samantha Schalk [04:38]
- Written procedures should cover record retention/destruction, breach notification, and state-specific timelines.
- Breach Letters & Documentation
- Few therapists have pre-written letters for notifying clients or the Office of Civil Rights in the event of a breach.
- “You're supposed to have sample letters to send to your clients if there's a breach, or even to the Office of Civil Rights.” — Samantha Schalk [07:13]
- Record Destruction as a Liability
- Failing to document how and when records are destroyed can cause legal issues if former clients request information post-destruction.
3. The Security Risk Analysis (SRA)
- What It Is:
- A periodically updated document mapping every tool, device, or process that interacts with client information, including how devices (phones, computers) are wiped, what software is used, and maintaining Business Associate Agreements (BAAs).
- “A security risk analysis... is a document to be completed regularly, usually a minimum of annually or anytime there’s a change.” — Samantha Schalk [08:13]
- Device Tracking:
- Every device accessing client info needs to be logged—including what happens to it when retired (“wiped in a secure way”).
- Regularity:
- Should be updated annually or whenever a system/process changes, including staff changes.
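The SRA inventory described in this section, turned into an automated check. This is an added example, not code from the episode, from Samantha Schalk, or from Guardian Clinical Essentials; the Device and Tool fields, the one-year review window, and every sample entry are assumptions.

```python
# Added example (not from the episode): turns the SRA items above into automated
# findings. Every device, tool and date below is constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Device:
    name: str
    encrypted: bool
    mfa: bool
    retired: bool = False
    wipe_documented: bool = False  # secure wipe logged when retired

@dataclass
class Tool:
    name: str
    handles_phi: bool
    baa_on_file: bool
    encryption_enabled: bool  # turned on, not merely available

def sra_findings(last_reviewed, devices, tools, today):
    findings = []  # empty list means the inventory passes
    if today - last_reviewed > timedelta(days=365):
        findings.append("SRA not reviewed in over a year")
    for d in devices:
        if d.retired:
            if not d.wipe_documented:
                findings.append(f"{d.name}: retired without documented secure wipe")
            continue  # retired devices skip the live-device checks
        if not d.encrypted:
            findings.append(f"{d.name}: device encryption not enabled")
        if not d.mfa:
            findings.append(f"{d.name}: no multifactor authentication")
    for t in tools:
        if not t.handles_phi:
            continue
        if not t.baa_on_file:
            findings.append(f"{t.name}: handles PHI but no BAA retained")
        if not t.encryption_enabled:
            findings.append(f"{t.name}: encryption not activated")
    return findings

# Constructed sample inventory for a solo practice, reviewed over a year ago
DEVICES = [Device("work laptop", True, True),
           Device("old phone", True, False, retired=True)]
TOOLS = [Tool("cloud EHR", True, True, True),
         Tool("word processor", True, False, False)]

def sample_findings():
    return sra_findings(date(2024, 12, 1), DEVICES, TOOLS, date(2026, 2, 4))
```

Running sample_findings() on the constructed inventory returns four gaps: the stale review, the retired phone with no wipe record, and the word processor missing both a BAA and activated encryption.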
4. Devices: Security Tips for Phones and Computers
- Minimize App Usage:
- Only keep essential apps; if you use something only monthly, delete and reinstall as needed for best security.
- “Don’t have any app on your phone that you’re not using on a daily basis... delete and download it again.” — Samantha Schalk [12:27]
- Device Encryption & Passwords:
- Use built-in encryption and strong passwords (not single words or just four digits).
- Multifactor authentication is vital.
- “Having just a password... is not enough. When it comes to HIPAA, if your laptop is stolen, it would not be considered enough.” — Samantha Schalk [13:56]
- Minimum fines for breaches often start at $10,000.
- Family Access and Shared Devices:
- If anyone else (family/partner) could access your computer, and you can’t prove otherwise, that’s a potential breach—unless information is entirely cloud-based and not downloaded.
- “If your partner or anybody else is accessing your computer... that's considered a breach.” — Samantha Schalk [15:41]
5. Using EHRs and Third-Party Tools
- Cloud EHRs Are Good, But...
- Be careful: Many therapists download client letters or files to their computers—unless these files are encrypted and properly logged, risk remains.
- Any program (Word, Adobe, etc.) used for client data needs a BAA and encrypted storage.
- Google Workspace & “HIPAA Compliant” Services:
- No system is automatically compliant—BAAs need to be obtained and security settings (like encryption) manually activated.
- “At minimum, you have to go on and find the business associate agreement and you need to retain a copy of that.” — Samantha Schalk [09:54]
6. Website HIPAA Risks—And How to Fix Them
- Standard Hosting vs. HIPAA Hosting:
- Regular website hosting exposes visitor IP addresses; true HIPAA-compliant hosting can be cost-prohibitive ($200-$400/month).
- “Websites are a minefield for HIPAA violations.” — Samantha Schalk [18:25]
- Contact Forms and PHI:
- Basic contact forms may collect sensitive client information insecurely. Use secure forms like Hushmail or—better yet—integration with your EHR’s secure contact/scheduling portal.
- “If you have a chat bot on your page... or a contact page... you've invited them to give you all of their PHI.” — Samantha Schalk [19:18]
- Best Practice:
- Guide users off your website (onto your EHR’s portal) before collecting any private info.
7. Email Security & Logging Practices
- Require Email Encryption
- Not using encrypted email or failing to secure both sent and received messages is a prominent risk.
- Maintain Multiple Logs
- Track not just the release of information in patient files but also maintain global logs for:
- How and when info is sent, and by what method (mail, encrypted email, hard copy pickup, etc.)
- Device tracking
- HIPAA training dates for self and staff
- Record destruction
- “There are eight or ten different logs [HIPAA requires] you be maintaining.” — Samantha Schalk [27:15]
8. Progress Over Perfection
- Monthly Compliance Check-Ins:
- Set aside a recurring monthly time slot for compliance tasks, to prevent overwhelm and demonstrate good faith to regulators.
- “Have monthly time that you work on compliance. The Office of Civil Rights... doesn’t expect perfection. They want to see you’re making an effort.” — Samantha Schalk [24:34]
- Write Down What You Do:
- Therapists are often doing the right things but failing to document. “Is it written down?” is the mantra for compliance.
Notable Quotes & Memorable Moments
- “If your laptop had been stolen, it would not be considered enough. And a breach like that is usually 10 grand right off the bat.” — Samantha Schalk [14:06]
- “It’s not hard. It’s just not most of our skill sets.” — Allison Puryear [24:21]
- “None of this is hard. It isn’t. I mean—really. And it’s just getting it set up.” — Samantha Schalk [29:11]
- “Usually, once you have them set up... as long as you're continuing to do your SRAs... you're good.” — Samantha Schalk [24:09]
Timestamps for Key Segments
- [02:47] – How Samantha became focused on HIPAA and therapy compliance
- [04:01] – Difficulty of finding useful HIPAA guidance for mental health
- [04:38] – Most-common compliance mistake: lack of written policies
- [08:13] – Security Risk Analysis: what it is and how to use it
- [12:27] – How to handle devices, phones, and data security
- [14:06] – The real financial risks of HIPAA breaches
- [18:25] – Website vulnerabilities & insecure contact forms
- [23:31] – Practical strategies for secure website contact
- [24:34] – Monthly compliance check-ins for manageable progress
- [27:15] – The importance of detailed HIPAA logs
- [29:11] – Wrapping up and main takeaways
Summary Takeaways
- HIPAA compliance isn’t just about client forms—it’s daily, multi-layered work.
- Documentation is everything: If you did it, write it down and keep logs.
- Prioritize practical steps: Encrypt your devices, develop simple written policies, and use secure tools already integrated with your practice.
- Monthly check-ins avert overwhelm and help you steadily improve compliance.
- It’s not about perfection, but consistent, good faith effort.
Further Resources
- Samantha Schalk’s site: guardianclinicalessentials.com
- HIPAA-compliant hosting example: Hushmail, Google Workspace (with BAA and added security)
- Allison’s support resources: Abundance Practice Building
- Contact for help: help@abundancepracticebuilding.com
For therapists seeking an actionable, step-wise approach to compliance, this episode dispels fear and offers a roadmap toward secure, sustainable practice.
