
Roy Huggins
A
Welcome to the Private Practice Startup where we inspire you from startup to mastery. We chat with entrepreneurs, experts in the mental health and business arenas, and successful private practitioners to give you the tools needed to make your dream practice a reality. Visit theprivatepracticestartup.com for awesome resources, free trainings and so much more. Here are your hosts, Dr. Kate Campbell and Katie Lemieux.
B
Hey there Startup Nation. Welcome back to another episode of the Private Practice Startup podcast. I am one of your co-hosts, Katie Lemieux, here with my friend and business partner.
A
What's up guys? Kate Campbell here.
B
We hope you guys enjoyed our show from last week where we spoke to the very passionate Phil Singleton all about SEO Deep Dive, where he really focused a lot on Google reviews, the importance of that, but then how to really take content and utilize it and duplicate it in many ways. So you'll definitely want to listen to that as well as check out the show notes for that page because there was a ton of resources from that podcast. If you're a first time listener, we wanted to say welcome and we wanted to roll out the virtual red carpet for you. And we have a special gift for you. We want you to head over to privatepracticestartup.com, head over to the resources tab and download your A to Z cheat sheet. All the essentials for building and growing your dream practice. If you're a loyal member of the Startup Nation family already and a listener, we wanted to say hi and thank you so much for tuning in yet again. And of course you can always find us hanging out on Facebook. If you join our Facebook group community at the Private Practice Startup, there you'll be able to interact with ourselves as well as thousands of other practitioners across the globe. So today we are talking about a very important topic in the therapy world, which is HIPAA. And I decided to seek out probably the guy who knows most about it, the HIPAA guru. The HIPAA guru Roy Huggins. And he's also joined by Liath Dalton. They're going to be talking to us a lot about HIPAA. So much that we're doing part one and part two. So today we're recording and you're listening, and we've also gathered a lot of your questions as well. And the reason that I had reached out to Roy, probably months ago now, is that I was noticing sometimes clients would email me, and I'm not a big proponent of emailing, but some clients would email me because it's just easy and convenient. They have your email address and then they start emailing you, right?
And then I noticed I went on Facebook, and then Facebook was suggesting them as a friend, and I was, like, freaked out, weirded out. I'm like, but I signed a BAA with Google. I thought, that's what I'm supposed to do. And then, of course, I got in this panic because Kate and I actually teach laws, ethics, rules, medical errors. And then I'm, oh, my God, I'm not doing something right. And I was, like, undercover trying to figure out all this stuff and learning about virtue and encryption and this and that. And then I remember listening to a podcast with Joe Sanok and Roy, and honestly, like, just them talking about it, like, Roy just totally put me at ease. I stopped freaking out. I was like, we just need to contact him and get him on the podcast. Because if I'm freaking out about it, there's many other people freaking out about it. So I'm going to say it's okay to freak out, but we're going to give you some tips, tools to freak out less, get you HIPAA compliant. And that was good. And actually, this all started, I think I had a conversation with someone from a HIPAA company, and he started sharing with me. He's like, a lot of therapists think they're HIPAA compliant, but they're really not. And then he started sharing with me all of the tech side, and I was like, ah. So hopefully this podcast is going to bring you some peace of mind and ease, and you're probably going to really want to sit down and pay attention to this podcast specifically, so you can implement all of the things that Roy's going to talk about.
A
And this podcast is going to be really unique because this is our official underground podcast, where literally our guest experts are in an underground vault in Oregon. So cool.
C
We're the wild west out here.
A
So if you notice that there's a little, like, echo or something, or the sound quality sounds a little off, it's because this is the coolest podcast ever. They're literally. They have, like, this green light behind them. If you guys can see, it's, like, really eerie. It almost looks like a haunted house or something like that.
B
Before you guys tell us about why you're in the vault or the vault itself, I just want you guys to think about, like, them being in a vault and probably answer your own question. Like, make up something like, why are they in a vault?
C
Yeah, that's gonna be much better than the real reason.
A
Another reason this is gonna be unique is because we're doing a two-part podcast about this because there's so much to know about HIPAA and we really want to make sure that you guys get a really good understanding about what you can do to protect yourself.
B
So without further ado. Hello Roy. Hello Liath, welcome.
C
Hello Katie and Kate.
B
Hello Katie and Kate. And before we get started, I did forget, Kate wants to just share with you guys our sponsors and then we're going to jump into the topic.
A
Today's sponsors. We have the Private Practice Startup, which is our company, sponsoring this episode, and we actually have attorney approved private practice paperwork for clinicians who really want to ensure that they're not dealing with legal issues in their private practice. So clinicians get into this line of work because they're so passionate about making a difference in the world, and we want them to continue to be able to do that throughout the longevity of their career by not leaving themselves open for risk. And when Katie and I first got into private practice over a decade ago, we realized that there was a real lack of attorney approved paperwork. And we spent a decade perfecting the paperwork, worked with multiple attorneys to bring it up to the highest legal and ethical standards. And so we've done all the hard work, saving you time and money and energy and all of that. So make sure you check out our attorney approved private practice paperwork. Head over to theprivatepracticestartup.com. You'll see our shop tab and there you'll be able to browse our a la carte options and package options and get your free attorney approved HIPAA form on the a la carte page. There'll be an option for you to be able to download that for free. So enjoy. And without further ado, let's dive in and get started.
B
So my first question to you, Roy, is you were in the tech world and you're also a therapist, so how did that happen?
C
Well, one day I went to grad school. Well, I'll get the short route. Yeah, right. So after college I started doing web development. This is 1999, so it's a golden time just before Microsoft stock took a dive. And it was a terrible time, but I got into that, and so I was a contract web developer for about seven, eight years. It's not actually what I really needed to do with my life, so I kept sabotaging myself. You guys probably know a lot about that. Yeah, and right. You know, I mean, I could have taken off a lot because it's not just that I'm pretty good at programming, but I'm really good at helping people. Helping the clients figure out what they need in their development and get it to them. That was actually the biggest reason why I was so successful as a developer. But you know, I did the seven, eight years and a lot of working with the early web development stuff like, you know, building programs that would run on a Unix system to parse emails and, like, process credit cards for e-commerce systems, like writing the raw code. These days you'd get a plugin. I actually had to write it because we didn't have plugins back then. We had to write our plugins uphill both ways and we liked it that way. And so, you know, I finally figured out, it's a longer story how I moved to counseling. But there were various things, like working at camps and stuff like that. I figured out that I really want to be a helper. Had to choose between teaching and counseling, realized counseling is what I wanted and went to grad school and then figured I would give up on all things tech forever. But as all geeks know, you cannot escape. And so here I am.
B
And I was also reading in your bio is that you speak Japanese and you have an online therapy business with clients in Japan. How amazing is that?
A
That's very cool.
C
It's super amazing. I am the coolest.
A
Can you please say something to us in Japanese?
B
I was gonna say can you say therapist rock in Japanese?
C
Serapisto Rocco.
B
There you go.
C
They probably something like that.
A
Very cool.
B
That is so neat. Very awesome. Liath, why don't you share with the audience a little bit about yourself and how you kind of got started and tell.
C
Them the real stuff.
B
Yeah, I heard that. I'm actually working towards my PhD at the moment, but not in counseling or.
C
Psychology, but in religious studies.
B
I was working with another organization that.
C
Does CE trainings and also tries to.
B
Get back to the community. And Roy was one of the presenters and we just clicked and he needed some help with PCT and the rest is kind of history.
A
I started more in an assistant role and then after several years of working.
C
Really closely with Roy, I'm now now our deputy director. Yes, yes, that's super cool.
B
PCT is Person Centered Tech, which is your company. Yes, exactly.
A
Very cool. Yeah. So tell us a little bit about what HIPAA is, why it was created and why it's important to know about it.
C
Well, okay, so imagine you're a little group of people called Congress and it's 1996, so you have big hair and probably shoulder pads in your suit because, you know, it's 1996. So just to paint a picture. Well, so basically you figure out that healthcare in the United States is way more. It's extremely expensive. That part did not get fixed, obviously, but it's extremely expensive compared to other nations. And people lose their insurance when they move jobs. When they're not employed, they lose insurance. A lot of the expense comes from the fact that every insurance company has their own billing system. And so there's a lot of expense just in medical billing. And also Senator Gore just invented this cool Internet thing. And so we should probably figure out maybe some cool way to use that. So basically, I don't remember who proposed the act. Maybe I should know that. They said we want to make this thing, an act that's going to try to standardize insurance billing, so we can bring costs down by making insurance billing happen a particular way, a standardized way. And we want to set up a system where insurance billing can happen electronically using that cool Internet superhighway thing that just came out that no one knows how to use, but we know we can move information over, et cetera. And so they made the Health Insurance Portability and Accountability Act because they don't know phonics. So it has two A's instead of two P's. And it basically does what these things often do, which is to kind of say, okay, that agency of the government is charged with making administrative rule, which you guys, I'm sure, are familiar with. You guys teach ethics. So people gotta know about administrative rule versus statute and law and all that. And you're making administrative rule to accomplish all these tasks. And the tasks are allowing people to keep their insurance between employers. That failed, didn't happen.
It just didn't end up in the final version. You have standardized insurance. That did happen. If you got a HCFA form, HIPAA defines what's in a HCFA form. That is all from HIPAA, right? And we're gonna do the national insurance billing system through the Internet. And definitely we have that big time. The early, most popular way of using that was Office Ally. It was like one of the early things set up to use that. Now everything from Office Ally to your practice management system interfaces with that so that you can do your billing electronically. And of course it's how the insurance companies want you to do it because it's a lot less expensive. So HIPAA set that up. The act was in 1996. The first rules came out. Well, they came into effect in 2003 for the privacy rule. And then the security rule came into effect in 2005, and somewhere there was a transaction rule which defines all those insurance transactions. And then there's, you know, other things that happened since then. But that's the basic idea. And I'm sure you're gonna have more questions, so go ahead.
B
Yeah, I was just gonna say define the difference between privacy and security in.
C
A general sense or in HIPAA. In HIPAA, yeah. So the private. Well, actually the same as the general sense. I don't know why I asked that. So privacy is the principles of control over one's own information and how it's used, and also rights to one's information. So, for example, like if Liath and I being in this. This vault, this bunker where Liath is currently trying to disarm a bomb.
B
I think we forgot to talk about why you're in the vault, didn't we?
C
Well, that's okay. We wanted people to make up their own idea. I'm just gonna keep making up things that are happening.
B
Talk about it on part two.
C
So Liath will talk to you while I fight this bear that happens to be in the vault before we talk about privacy. Yeah, so like, if, you know, if Liath and I wanted to have a private conversation, we'd perform privacy. We would whisper because there's these two people on the computer that can hear me through this microphone. Or we'd get out of the vault, which we can't do because of the bomb, you know, whatever. So privacy is a thing you perform, and it's also an issue of rights and privileges. So, like, for example, our clients have rights to get copies of their records, which before HIPAA in mental health was not an assumed thing by any means and was very controversial and difficult to talk about. HIPAA was like, no, that's just the way it is. Americans have their rights to this information. The 2009 HITECH Act updated HIPAA and they made it real serious when they finally made rules based on the HITECH Act in 2013. Like they said, we are super serious about this whole people have their own rights to their information thing. Release of records is super important under HIPAA, and that's a privacy thing. Rights to your information, rights to gain it, rights to know what information is being kept about you, rights to know who gets to hear it. Rights to. Rights to say who gets to hear it, to a certain extent. For example, there's limits. Like if you're suicidal or homicidal, there's limits to that. That kind of thing. That's privacy. And so we often just use the word confidentiality very broadly in our business. And one, there's many models of how confidentiality relates to privacy. But one that I find is useful in this context is to say that confidentiality is our ethical and legal duty to maintain client privacy choices to the limits of confidentiality. You know, for example, privacy, self harm, other harm, those kinds of things. Abuse of children or other vulnerable populations, you know, there's limits.
Then my duty of confidentiality goes out the window. And I have different duties, but without those limits, my duty of confidentiality says I got to protect the privacy choices of my client. I say choices on purpose. Right. Because clients can do all kinds of stuff with that that we can't do. It's their choice. Right. So security is how you do that. It's just the logistical, everyday nitty gritty. It's just how do you go about doing that privacy thing? And so in a digital world where information is getting slung about the Internet all over the place and through different servers and machines and stuff like that, suddenly security can get more complex. That used to be a lot easier. You know, put it in a locked cabinet in a locked room. And then we have. We know our ethical standards for behavioral security techniques. Like, for example, if I asked one of you that, like, if I said to you, okay, if I asked one of you guys to tell me about Sam Smith, your client, Sam Smith, and you don't have a client called Sam Smith, would you say to me, oh, no, Sam Smith is not my client. You've got the wrong therapist. Would you say that to me?
A
I would say I can't confirm or deny whether.
C
Exactly. Because you know the cool way to respond. Yeah, right. Exactly. Yeah. And that's. That's a security technique, right? That's an understanding of, like, how you're gonna protect the privacy of clients. Because the. A normal person doesn't talk like that. Like, therapists talk like that. Therapists and spies, we talk like that.
B
I like that we're elevated to the spy category. That makes like, cool dude.
C
The three of us are really good at security. Actually Liath, this dude, because he's been working for us for a while. But, like, therapists are really good at security. We're just not. We just don't. If we don't know what we're looking at, which you don't. When data is off in a server somewhere or going over the Internet or inside your. This little box that my smartphone. I don't. I don't understand what the innards are about. Like, if I can't see it and know it, I can't apply my security skills. But you. But we're really good at it. And people and therapists don't realize that because you often forget the stuff you've learned over all your years of grad school and training and supervision that the average person has no idea about. Right.
A
So what are some of the basics with HIPAA compliance that therapists really need to be aware of?
B
And maybe we'll start with the regular basics and then technology basics. Oh, like, like you were kind of saying the norm stuff that we would know and then you might think technology.
C
Oh, so, yeah, essentially. Actually what you're saying is the privacy rule compliance versus security rule compliance. Okay, that's actually, basically what you just said. Yeah. Just so you know. So compliance with the privacy rule is primarily the most. The big thing that everyone does and needs to do is have the Notice of Privacy Practices. You guys said you have a HIPAA form, like a HIPAA form. I assume that that is a Notice of Privacy Practices.
A
Yes, yes, it is.
C
Yeah, that's what I thought. Yeah. So you need to have that and you need to know what it says because. Geez. Oh my God. Like, a lot of times when therapists do get in trouble with HIPAA, one of the big causes is they don't know what their NPP says. And so a client will then take action based on what's in there. I don't mean like a complaint. Like they'll request records or something along those lines. And the therapist does not follow their own policy that's written on their HIPAA form. And then that's, you know, they complain to the HIPAA people, the OCR, and they follow up on the complaint because they will follow up on complaints from clients, just like licensing boards. And OCR stands for what, the Office of Civil Rights. Yes.
B
I don't ever use that word or that whole phrase or.
C
Thank you.
B
Now I know.
C
Yeah, you're very welcome. It used to be the Medicare folks, the CMS, they used to do it. Yeah. And OCR took over in 2009 with the HITECH Act. I don't know why, but I guess Medicare was like, we're tired of this. I don't know. But yeah, so that's. Yeah, that's the NPP. That's your basic. But you'll notice if you read your NPP, it says you have a bunch of these policies, so you need to make those policies. Now sometimes, for a lot of therapists, they just know what the NPP says and you may be able to wing it. But ideally, you want a policy for how you release records. Like, how does someone request a release of records? What's your policy for? Like, how do you keep an accounting of disclosures? Right. Like, for example, if I tell somebody else about the client, if I disclose information to another client, which I'm only going to do with the release from the client, I have to keep track of who I've disclosed that information to and essentially what I disclosed. And the reason being that that's me taking care of the client's right to know what I'm saying about them. Like, if I'm going to be saying something about a client, they get to ask me, what are you saying about me? And so I need to have a log of that. It's called the accounting of disclosures. You know, and there's. There's other things in the privacy rule that get deeper that, you know, as much as we're big on trying to make sure people really understand how compliance works, most therapists could probably run without compliance, like defining exactly what's in a designated record set. Probably not necessary, because it's probably just whatever is in your record anyways. And there's also psychotherapy notes.
But the thing about the privacy rule is that a lot of it is sort of things you need to do in certain circumstances or opportunities, like the psychotherapy notes principle, which is kind of a way that HIPAA allows mental health clinicians specifically to keep our process notes about the process of what's occurring separate from the record. So that when a client asks for a release of records, we don't have to give them our process notes. We just have to give them the main record with the usual kind of stuff that medical folks would think of as charting. You know, we need to give. That's what we need to give them. We don't necessarily have to give them our process notes, as long as they keep.
B
I think actually in our HIPAA form, it actually states that. And we've had conversations with our attorneys and things like that about that. And that's one thing that most therapists actually don't know. That's common knowledge. And. Or you can write kind of a summary of the things and dates and times and, you know, just touching on things that were talked about, discussed and stuff like that.
C
So that's.
B
That's really.
C
Yeah, yeah. And that should go on the. That should probably go on the record, or I guess. I guess it doesn't have to. It's kind of, you know, everyone can have their own style for that. As long as your, the record that can be released to clients contains, you know, like, what's the diagnosis, what treatment did you do, when did, when did you give treatment, you know, whatever else needs to be known about it for purposes of communication with other clinicians or for the client to know what you did. You know, that stuff goes into the main record that can be released.
B
So I have my mind drifted, like, random, right? For a second. Like I went back to your Japan clients and I was like, well, HIPAA's a United States-based thing. So how do you then, if you're doing online with folks from other countries, it applies, it doesn't, you just do it for best practices? How does that all work?
C
Well, check it out. And that kind of gets to the question of HIPAA covered entities.
B
All right, let's go there.
C
Yeah, let's do it. So like a HIPAA covered. And so this is why I really wanted to emphasize the how HIPAA was originally about insurance. Because remember I said that HIPAA established the national electronic billing system. Yes, yes, yes. Okay.
A
No one can hear. Yes.
B
Yeah, no one can hear me. Shake.
A
We're both nodding.
C
Yeah, you're just nodding. I'm like, huh? Right? So like what that is, is so the national system is based on the standardized insurance. Like it's based on what? The same thing the HCFA form is based on, which includes the HIPAA transaction rule, which is an aspect of HIPAA that no clinician gives a crap about because we don't really deal directly with it. It's very logistical. Right. But the transaction rule is it defines what HIPAA calls covered transactions. And I'm doing air quotes when I say that, and that's important. Look at the rule, like the definition of a covered entity, meaning an entity that actually must comply with HIPAA. That could be a person or a practice. Right. When you talk about something that has to comply with HIPAA, the rule says anybody who conducts the covered transactions electronically, that's the definition.
B
So those are those covered transactions.
C
Good question, Liath, thanks for asking. They're the things that are in the transaction rule, which are transactions with insurers.
B
So then essentially, does that mean people who are billing insurance must use HIPAA? Like that's the confusing part. Like what if Kate and I are completely private pay, we don't ever.
C
Bill insurance, Then you're not a covered entity.
B
Interesting.
C
Yeah, and I'm not either. So like I've never billed insurance at all, much less electronically, because notice I said that not just covered transactions, but when you conduct those transactions electronically. So if you don't use the electronic billing system. Right. Then you're not a HIPAA covered entity.
B
So it feels so much better already.
C
Yeah. We can bring you down now a little bit, though.
B
We don't do best practices. Right, well, right, exactly. Because then I'm sure we can get, you know, slammed in other ways or bring up legal issues because then it goes to confidentiality. It doesn't really matter. It's if we're practicing to the best practice and the highest level care, privacy.
C
And security, or not even the highest level, just the standard of care, because the. Well, it's. Sorry to jump on that, but it's an important distinction because standard of care is not highest level. Like, standard of care is very C. Right. You can do a lot better than standard of care. Like, you know, you can't be sued for malpractice for having a bad day. Right. Like, that's, like that's not malpractice.
B
Well, it depends on your bad day.
A
But anyway.
B
That's true.
C
You're right about that. Simply having a bad day is not grounds for malpractice is more what I mean by that. Yeah, but you're right that actually it could go really bad. Yes. And I have seen that, actually. I've seen licensure loss for that, in fact. But really, really, really bad day. Really, really bad months.
B
But that probably didn't hold up in court, though.
C
Yeah, well, no, it was really, really bad year, actually. Yeah. But the. Yeah, no, so the standard of care is like C. That's actually really important distinction because the, you know, I could actually do a lot better with security than HIPAA requires, you know, but what HIPAA requires is pretty. Pretty darn good.
B
Yeah.
C
Pretty strong. And it's not very specific. It's very broad. Right. So, like, you know, we help people figure out how to comply with the standard. And the standard is going to change what you do based on what's available and who you work with and what your practice is like. And that's why a standard of care is an important way to think about it, because. So every ethics code now finally addresses digital security. Right. Finally, the NASW just this last year finally released their new code. And so everyone's doing it now. Yeah. But none of them tell you how. They don't have any standards or guidelines other than they'll often mention encryption, which is a big deal. But it's only one piece. It's one tool. And. But if you go to the HIPAA security rule, it's got like pages of standards, right? So imagine that I'm your client and I get angry because something like your email gets hacked and so some bad guy sees my emails to you and uses that information in some way that I don't like. Whether it really hurts me or not, I just don't like it. So I go complain to the OCR that you did not secure my information. Here's the thing. That's weird, right? It's not automatic that you have had a confidentiality breach, ethically speaking.
B
Okay.
C
Right. What has to happen is like I have to prove, or someone has to prove that you are not living up to standard of care, that you weren't acting to the standard of care. So how do we determine that? So let's say the OCR calls you because I complained and you say, sorry, OCR, I'm not a HIPAA covered entity. Kick bricks. Except you're much nicer than that because they're actually pretty nice people at the OCR. They aren't HIPAA police. They're actually mostly helpful people. So, you know, and they're like, oh, okay, well, never mind. Have a nice day. You're not a covered entity. We don't have the jurisdiction to do this. Wow. So I go, right, oh, sorry, yes, I went to the feds. I should have gone to your licensing board. That's what I should have done. Or I should have gone to the courts for a malpractice suit to get money out of you and your insurance company. You know, this is what I should be doing. Right. And either in the case of the licensing board, I'd have to prove that you're violating licensing board rules. Right. In the case of a malpractice suit, I have to prove that you're negligent. Right. Which means you are not working to standard of care. That's what I would have to prove. Right. So the first thing my lawyer has to do is establish what is the standard of care for a therapist in Florida, in your case, who, in terms of keeping emails secure from security breaches, what's the standard of care? So when we're going to look for things that define standard of care, what do we got? Well, Florida does have data breach laws, but those are going to apply to you either way. And in fact, I could probably try to take some action under that law as well, but generally the data breach laws aren't going to benefit me. I can't sue you. I can just tell the Florida Attorney General you had a data breach and if it only impacted one or two people, it may not be a big deal. Right. They may not really do anything about it. But I went from suing you and doing something else.
And so my attorney is going to have to look for something that explicitly states that you explicitly describe something you didn't do and you should have done. Right. Okay. About all we got is hipaa. Like, HIPAA would describe what you should have done and didn't do, ostensibly. Assuming you assume you didn't just get really unlucky. Right. With this, with this breach, you know, assuming it's because you did do something like reuse passwords or something silly like that. Right. So if you go to HIPAA and HIPAA standards, they're gonna say, okay, so, you know, Katie. Sorry, Katie. Katie was, was negligent. Because there's a standard out here that says this is how you take care of the security of email programs. And she didn't do it. You know, she should. She. That's unprofessional. That's, that's, that's substandard care. She's negligent. We want five bazillion dollars. And so the judge has.
B
I'm gonna have to tell you to kick rocks because I don't have $5 billion.
C
Well, no, we want $5 billion from your malpractice. 1 to 3 million, I think.
B
So I want all 3 million.
C
Right? Yeah. So that's the idea. Right? So, like, so the judge has to decide, is that gonna work? Can HIPAA be used as the standard of care? And there are some states where the judges said no, like Ohio, for example. They said, no, that doesn't work. HIPAA is a federal law, and Ohio law says that can't be used this way. But in, I want to say Alabama.
B
That sounds right.
C
That sounds right. The judge said, yes, you can do that. That works. You can use HIPAA as a standard of care in a negligence case. And it's not tested in most states. I don't know about Florida, but like, so that's the thing you're looking at. If you're not a covered entity, HIPAA could still be applied to standard of care. And that matters because standard of care is a completely different thing from complying with a regulation. So complying with the HIPAA regulation is a different beast from making sure you practice at the standard of care or higher.
A
And this is probably a really good time to go ahead and kind of.
B
Summarize what we had talked about earlier.
A
For episode one and then transition into standard of care and talk about the online practices using the computer, using cell phones, all of those technological aspects in part two, right? Yes.
B
So, Roy, if you could kind of maybe summarize everything that we've just talked about. What do you want people to take away from part one?
C
You should know if you're a covered entity or not. And if you are not one, I gotta at least say that you should ask your lawyer before moving forward. A lot of people don't. They feel pretty confident that they're not one. There are some resources from the feds you can go look up to kind of confirm if you're not feeling sure. But always, especially if your professional association gives you a chance to talk to a lawyer for 30 minutes, that's plenty of time to get an opinion on that topic. But even if you aren't, HIPAA standards are still a strong guideline. And I actually like to call them like HIPAA, your how to avoid legal problems and malpractice suits guide. Because if you just use HIPAA as your guide for how you manage your security and privacy stuff, you actually end up covering. And I've been through the big. What's the name of the people who do the big list of state security breach rules?
B
The Mintz Levin.
C
Mintz Levin, yes. This is why Laeth is here. I've been through the Mintz Levin big survey of all the state security breach rules. Pretty much all of them have the same safe harbor as HIPAA does, you know, so like, if you do what HIPAA tells you around all that stuff, you're gonna cover all of it, you know, you're gonna cover these standards, you're gonna cover state laws for the most part. So I really recommend, even if you're not a covered entity, you'd still look to HIPAA as your guide.
B
Gotcha. So guys, we're gonna end part one right here. And so for part two, more on HIPAA, like Kate said, we're gonna get more into the technology based stuff. Questions? Leave them in our Facebook group, The Private Practice Startup. Roy will be part of that, if he's not already. So he can. You can actually tag him, Roy Huggins, and he'll answer you.
C
Yeah, but good luck giving a straight answer in a Facebook group.
B
And we like more like call me or send me an email.
C
Yeah, yeah, I guess.
B
Yeah, something like call Laeth, call Laeth, call Laeth.
C
There you go.
B
So guys, we will see you on part two as we continue to talk about tips for HIPAA bringing you peace of mind. So check out the show notes for all the stuff that we've talked about today on this podcast and we'll see you shortly. So thanks for allowing us to inspire you from startup to mastery.
A
See you in a few. Thanks for joining us on the Private Practice Startup. Visit theprivatepracticestartup.com for awesome resources, free trainings, attorney approved private practice paperwork, and so much more.
PRIVATE PRACTICE STARTUP PODCAST | EPISODE 76
Tips for Having HIPAA Peace of Mind for Private Practitioners – Part 1
Hosts: Dr. Kate Campbell & Katie Lemieux
Guests: Roy Huggins (“The HIPAA Guru”) & Laeth Dalton | Person Centered Tech
Date: March 10, 2018
This episode tackles one of private practice’s most anxiety-provoking topics: HIPAA compliance. Hosts Kate and Katie welcome Roy Huggins and Laeth Dalton of Person Centered Tech to demystify HIPAA—addressing common practitioner fears, clarifying who HIPAA applies to, what it actually requires, and why non-covered entities should still pay attention. The discussion is empathetic, informal, and practical, arming mental health professionals with a mindset for compliance (and sanity) as digital technology becomes ever more integrated into clinical work.
On therapist anxiety:
“If I’m freaking out about it, there’s many other people freaking out about it.”
— Katie, 02:21
On HIPAA’s impact:
“HIPAA was like, no, that’s just the way it is. Americans have their rights to this information.”
— Roy, 13:14
On HIPAA entities:
“If you’re Kate and I, completely private pay...never bill insurance, then you’re not a covered entity.”
— Katie, 22:55
On compliance culture:
“Standard of care is not highest level… it’s very C. You can do a lot better than standard of care...”
— Roy, 24:37
On therapist skills:
“Therapists are really good at security...we just don’t realize it.”
— Roy, 15:55
On applying HIPAA:
“HIPAA—your how-to-avoid-legal-problems and malpractice suits guide.”
— Roy, 31:08
The episode is approachable, humorous, and deeply empathetic. Roy relieves anxiety with technical clarity and analogies, while Kate and Katie consistently re-focus conversation on what private practitioners really need to know. Listeners are left empowered and more at ease about HIPAA compliance.
Part 2 will dive into the nuts and bolts of tech: email, cell phones, telehealth, and real-world scenarios for implementing these HIPAA principles.
For more resources, check the show notes or the Private Practice Startup Facebook group, where Roy will be responsive to listener follow-up questions.