PRIVATE PRACTICE STARTUP PODCAST | EPISODE 76
Tips for Having HIPAA Peace of Mind for Private Practitioners – Part 1
Hosts: Dr. Kate Campbell & Katie Lemieux
Guests: Roy Huggins (“The HIPAA Guru”) & Laeth Dalton | Person Centered Tech
Date: March 10, 2018
Episode Overview
This episode tackles one of private practice’s most anxiety-provoking topics: HIPAA compliance. Hosts Kate and Katie welcome Roy Huggins and Laeth Dalton of Person Centered Tech to demystify HIPAA—addressing common practitioner fears, clarifying who HIPAA applies to, what it actually requires, and why non-covered entities should still pay attention. The discussion is empathetic, informal, and practical, arming mental health professionals with a mindset for compliance (and sanity) as digital technology becomes ever more integrated into clinical work.
Key Discussion Points and Insights
1. Why HIPAA Is So Stressful for Therapists (05:55–08:56)
- Katie shares personal anxiety about email, social media, and HIPAA panic, capturing the collective unease many therapists feel.
- Roy is introduced as "the HIPAA guru" who has a talent for reassuring clinicians.
- The importance of this episode: “If I'm freaking out about it, there's many other people freaking out about it...this podcast is going to bring you some peace of mind and ease.” (Katie, 02:31)
2. Meet the Experts: Roy Huggins & Laeth Dalton (06:02–08:56)
- Roy: Tech background, web developer turned therapist, fluent in Japanese, now blends both worlds in his work.
- Notable Moment: "You cannot escape [tech]...and so here I am." (Roy, 07:16)
- Laeth: Religious studies grad student who became deputy director of Person Centered Tech through collaboration with Roy.
3. HIPAA: What It Is and Why It Matters (09:04–11:57)
- HIPAA’s origins: the 1996 act aimed to fix expensive, inefficient insurance billing, address insurance portability, and leverage emerging internet technologies.
- Why it affects practices today: “HIPAA settled that up. The act was in 1996. The first rules came out...in 2003 for the privacy rule.” (Roy, 11:03)
- HIPAA is about standardizing insurance communication, but its privacy rules have major implications for practice management and digital records.
4. Privacy Rule vs. Security Rule (12:03–16:36)
- Privacy: Concerns clients’ rights to control, access, and understand their information. “HIPAA was like, no, that’s just the way it is. Americans have their rights to this information.” (Roy, 13:14)
- Security: The practical/technical methods to maintain privacy—locked cabinets in the past, now encryption and digital safeguards.
- Memorable Analogy: “Therapists and spies, we talk like that.” (Roy, 15:50), on how therapists are good at confidentiality techniques.
5. The Basic HIPAA Musts: Privacy Rule (16:36–20:52)
- Every provider needs a Notice of Privacy Practices (NPP)—and must actually know its content. “When therapists do get in trouble with HIPAA, one of the big causes is they don’t know what their NPP says.” (Roy, 17:19)
- You must have internal policies: release of records, accounting for disclosures, and more—even if you’re solo or small.
- Special provision: Psychotherapy/process notes can be kept separate and are not part of regular records releases.
6. Are You A Covered Entity? The Insurance Link (21:09–24:23)
- Covered entity = anyone conducting insurance billing transactions electronically.
- “If you’re Kate and I, completely private pay...never bill insurance, then you’re not a covered entity.” (Katie, 22:55)
- Many therapists discover they don’t officially have to follow HIPAA (but see below…).
7. Why Follow HIPAA Anyway? Standard of Care & Legal Risk (24:23–31:24)
- Even non-covered entities may be judged against HIPAA standards in malpractice/legal proceedings.
- “Standard of care is not highest level… it’s very C.” (Roy, 24:37) — meaning, keep up with the general, not exceptional, standard.
- HIPAA’s security rule is widely referenced because it specifies reasonable safeguards, even if ethics codes are vague.
- State-to-state variability: Some states may use HIPAA as the legal standard, some may not, but for most, it’s the most defensible position regardless.
8. Main Takeaways – Part 1 (30:09–31:24)
- Figure out if you’re a covered entity—if unsure, consult a lawyer.
- Even if not a covered entity, “HIPAA standards are still a strong guideline...if you just use HIPAA as your guide for how you manage your security…you’re going to cover these standards, you’re going to cover state laws for the most part.” (Roy, 31:13)
Notable Quotes and Memorable Moments
- On therapist anxiety: “If I’m freaking out about it, there’s many other people freaking out about it.” — Katie, 02:21
- On HIPAA’s impact: “HIPAA was like, no, that’s just the way it is. Americans have their rights to this information.” — Roy, 13:14
- On HIPAA entities: “If you’re Kate and I, completely private pay...never bill insurance, then you’re not a covered entity.” — Katie, 22:55
- On compliance culture: “Standard of care is not highest level… it’s very C. You can do a lot better than standard of care...” — Roy, 24:37
- On therapist skills: “Therapists are really good at security...we just don’t realize it.” — Roy, 15:55
- On applying HIPAA: “HIPAA—your how-to-avoid-legal-problems and malpractice suits guide.” — Roy, 31:08
Timestamps for Key Segments
- 00:00–03:27 – Intros, previous episode recap, context for HIPAA anxiety
- 05:55–08:56 – Roy’s backstory, transition from tech to therapy
- 09:04–11:57 – HIPAA 101: What, why, and when
- 12:03–16:36 – The privacy rule vs. the security rule, therapist as “spy”
- 16:41–20:52 – HIPAA compliance basics: Forms and policies
- 21:09–24:23 – The insurance link: Who's a HIPAA covered entity
- 24:23–31:24 – Standard of care, legal strategies, ethics codes and HIPAA
- 30:09–31:24 – Main takeaways/summary for practitioners
- 31:24–32:18 – Preview for Part 2 and conclusion
Tone and Style
The episode is approachable, humorous, and deeply empathetic. Roy relieves anxiety with technical clarity and analogies, while Kate and Katie consistently re-focus conversation on what private practitioners really need to know. Listeners are left empowered and more at ease about HIPAA compliance.
Up Next
Part 2 will dive into the nuts and bolts of tech: email, cell phones, telehealth, and real-world scenarios for implementing these HIPAA principles.
For more resources, check the show notes or the Private Practice Startup Facebook group, where Roy will be responsive to listener follow-up questions.
