A (1:54)

And this is really the way to disarm the HIPAA bomb. That could allergy and metaphors. Woo hoo. Love it.

B (2:04)

So before we get started though, and jumping into part two, if you are a first time guest to us, we hope that you realize like we're having fun and providing value bombs. We're going on with the whole bomb theme today. Right? Right to you all about hipaa. But we do have A special gift for you. And that is our A to Z cheat sheet. Our A to Z cheat sheet. The essentials for building and growing a dream private practice.

D (2:25)

This is our last podcast of the day.

B (2:27)

So I think we're getting into the loopy mood. I know in Oregon that' where Lyeth and Roy are, it's one close to two. And over here it's four o'. Clock. And this is our fourth recording.

A (2:38)

Fifth recording.

B (2:38)

That's true. That is our fifth recording.

A (2:40)

This is our fifth recording. Yes.

B (2:41)

So our first time friends, welcome to Startup Nation. Our gift to you is the A to Z cheat sheet Essentials for building and growing a dream practice. Head over to private practices startup.com head over to the Resources tab and go ahead and download that A to Z cheat sheet. And hang out with us on Facebook. We have a Facebook group, the private practice startup. Roy's hanging out in there as well. So if you have questions about Hippo or just questions about building and growing your gene practice in general, post our community of awesome therapists will support you. And we're in there too.

A (3:11)

And before we dive into episode two, we just want to take a quick break. For our sponsors, we have attorney approved private practice paperwork because we don't want the HIPAA bomb to go off. Right? And you don't want any legal bombs to go off in your private practice ever, preventing you from doing the work that you love, making a difference in the world and changing people's lives. So you want to make sure that you are protected by having legal and ethical paperwork that meets all of the standards and is comprehensive. And that's something that the private practice startup provides. We worked over a decade perfecting our paperwork and worked with numerous attorneys, spent over 100 plus hours bringing it to the highest quality so that we could provide a solution for you. Make sure to visit our shop over at the private practice startup. So go to privatepracticestartup.com, head over to the Shop tab. There you'll be able to browse our a la carte items and you'll also be able to browse our packages. And I'm not sure why my phone keeps ringing. So you guys may have heard a little ring there. Sorry about that.

B (4:13)

All of a sudden your phone just synced with your.

A (4:15)

Somehow my phone is synced with my computer. I'm not sure how that happened, but it's okay. We're just going to run around it.

B (4:21)

It's the universe calling.

C (4:25)

We, by the way, want to take this moment to riff on The HIPPA bomb thing to say that actually, it's actually really important I think for therap that there are very few HIPAA bombs. Like, as much as this kind of is maybe against our financial interest to tell people this, it's actually a big part of what we do at Person Centered Tech is like make it really clear that if you come from any place of fear or maladaptive anxiety, you know, we know a little bit of adaptive anxiety is necessary to do anything, right? But like maladaptive anxiety, you're gonna screw it up. Like it's bad. It's just don't do it, you know, wait until you feel better. Like seriously. But like the. There are only a couple ways in which real trouble will happen. And we have a one hour continuing education course that explains what those are and how to stop them. And so that's part of the offer we're giving your folks is that course. So I just realized that's a good moment to go ahead and mention that.

A (5:20)

Yeah, right in the middle of sponsorship. So you get a twofold sponsorship message.

C (5:25)

Oh, sorry, I thought it was dumb.

B (5:28)

No, you're fine. We're just having so much fun that we just.

C (5:31)

Okay, good.

A (5:32)

Yep, it's off the cusp. Exactly. So, yeah, we have a free HIPAA form for you that's been attorney approved. So make sure to check that out@privatepracticestartup.com you'll see all of our a la carte forms and packages available for you there as well. And then we'll have an awesome giveaway from you guys at the end of the podcast, which you just gave a little sneak peek about. So let's just dive in, Right?

B (5:54)

Yeah. And so on our first part one, we had talked about the vault and we asked you guys to make up your own answers about why are Roy and lyeth in the vault. So in part two, they're actually going to tell you why they're in a vault. So let's talk about the vault and then we'll get into HIPAA Part 2.

C (6:10)

You want to say a lot? Yes.

D (6:12)

So we are in a new office space which is at the WeWork Custom House in Portland, Oregon. And it's a historic building, so it has these awesome vaults in it that because it's a historical building, cannot be removed. And so they've made them into really awesome spaces with cool lights and sound treatment. And so we think it's a pretty sweet spot to have super secret meetings.

E (6:40)

That's right.

C (6:40)

And this is, this is super secret, right? Now. So we want to make sure we do it in a private place.

A (6:44)

Yeah, right.

B (6:45)

I was going to say HIPAA's about privacy and security. So you guys are emulating it all over.

A (6:49)

You're a brand.

C (6:51)

We're literally surrounded by.

B (6:52)

I am waiting for like the creepy music like to start happening. Because that green light behind you, Roy, is like, I'm entering into a fun house.

C (7:00)

I can arrange that.

A (7:01)

Like someone with a knife.

B (7:06)

I guess we should release this during Halloween. But anyways, so we talked a lot about HIPAA in part one, and now we're going to jump into a lot more of the techie type encryption and what you should do or not do and resource and all that good stuff. So I'm just going to let you take it away, Roy, because you've done fabulous in the first part and we just want to hear more.

C (7:27)

Oh, well, I was answering questions without questions. I don't know what to do. Oh, no problem.

B (7:32)

We got tons of those.

C (7:34)

What? Lyeth knows what to do.

D (7:37)

In between the recordings, Roy and I were talking about one aspect that kind of bridges the part one and part two, which is business associate agreements.

C (7:49)

Oh yeah.

D (7:50)

The importance of those. And we actually think that they're just as important for non covered entities as covered entities because they're serving as an agreement that your protected health information is being secured appropriately. And why wouldn't you want to have that assurance and agreement in place and to be able to give your clients peace of mind knowing that you are also taking those steps to protect them?

B (8:19)

So let's talk about, let's talk a little bit more about that because we do get a lot of questions and a lot of therapists don't even know what is a BAA or business associate agreement.

A (8:27)

So what is, what is that?

B (8:28)

What does that mean? How does that cover us? How does that help?

C (8:32)

Yeah, so the. Okay, should I do my analogy? Yep. Okay. Just gotta do it, otherwise you won't. No one will understand. So. Okay. Okay, guys, I have a startup I want to propose to you because you're the startup people, right?

B (8:43)

Yes.

C (8:43)

It's called Roy's Fax Emporium. So let me do my little pitch.

E (8:46)

All right.

C (8:47)

Do you hate faxing as much as I do? Yes. Yes. All right, so come to Roy's Fax Emporium. I've got a giant warehouse full of fax machines and I save you money by hiring a bunch of extremely poorly trained 18 year olds to work in my place. So what's gonna happen is I'm gonna give you your own special phone number. When you want to send a fax or you want to receive a fax, you just tell people that special phone number. What will happen is the fax will get to us at the warehouse and one of my poorly trained 18 year olds will go grab your fax off the machine and somehow, by some means, they'll get it. They'll get the f. You. We guarantee you will eventually receive that fax. We won't guarantee what's going to happen in between, however, because that person might do anything to that fax. And then of course, if you want to send something, you can get it to us however you want. We don't care. And then one of my poorly trained 18 year olds will take that fax and we guarantee they will send it off to the person you wanted to go to. No guarantees about what's going to happen in the meantime though. So how much would you pay for this service? Would you pay $20 a month?

B (9:47)

I was just wondering, is there like a jelly donut stain on the facts at some point? Is that extra?

C (9:53)

Yes, if you want it to be.

B (9:58)

So, yeah, no, I don't know. I don't know that I would pay much.

C (10:02)

$18.

A (10:04)

Oh, I'd be running the other way.

C (10:06)

Yeah, I know. Okay, obviously $9.99.

E (10:09)

Right?

C (10:09)

That's. No. So, okay, you, you clearly, I'm going to bet you have an intuitive response that says that's bad.

B (10:17)

Eek.

D (10:18)

That's kind of what that says, right?

E (10:19)

Right.

C (10:20)

You also know you own logically why it's bad too. But you already have it. You don't even need it. You know, this is no good. Your gut tells you because like I said in episode one, you're a therapist and therapists have a very strong security mind that we use really well.

E (10:32)

Right.

C (10:33)

And so this description, because you know what's going on, you can imagine it, you're like, this is a terrible situation.

E (10:39)

Right.

C (10:39)

One of those kids like might be like, oh, it's kind of fun to take these faxes and like sell them to big data miners. Or maybe I'm going to use it and then to figure out like, oh, hey, so and so has depression. I'm going to tell my uncle who runs a pharmaceutical, my a pharmacy to go advertise that person for the depression medicine.

E (10:55)

Right.

C (10:56)

Like they might do something like that. That's a terrible idea.

E (10:59)

Right.

C (11:00)

Anybody listening to this will know that's a bad idea. But what I just described is, without, with extremely little glossing, a perfect analogy to email and texting. Because email and texting are exactly that machines. We give you an address. There's some people, you don't know anything about them. There's no guarantees about what's gonna happen between when we receive the message for you and then we get it to you. The only thing we guarantee is that you're gonna get it. The only thing we guarantee about your sending is that it's gonna get to your destination. We're not making any guarantees about what we will or won't do in between.

B (11:33)

Gotcha.

E (11:34)

Right.

C (11:34)

Including protecting it or including misusing it, which is what free Gmail does. You got a free Gmail account. A client sends you an email. Everything the client sends you is being used to develop advertising.

A (11:45)

So that's really scary.

B (11:47)

Yeah. So as you say that. So there's some therapists who have their mail.com as their business one. So when you're saying that if that is you, we gotta make some changes there, right?

D (11:59)

Yes. You want to get a G Suite account, the paid Gmail and Gmail apps suite, and get a business associate agreement in place for that.

C (12:12)

How much does that cost? Lyeth?

D (12:14)

It is $5 per month.

C (12:16)

Wow, that is so cheap.

B (12:17)

That's much cheaper than per email address.

C (12:21)

Oh, sure. Yeah.

D (12:22)

And please note as well that you will need your own domain name at this point in time. Gmail doesn't let you have a mail address for it. One interesting note though, is that Hushmail, which is a secure Hushmail for healthcare specifically, will let you use Aushmail address if you don't have a domain that you can provide.

E (12:49)

Right.

A (12:49)

Well, and as a clinician, you really want to show that you're in an established business when you're in private practice. And so having your practice name being part of your email address is part of showing that your credit. You're someone who knows what they're doing. And you're not just like, hey, I want to be a therapist and I'm gonna, you know, like, open up this random email account and yeah, sure, email me here.

C (13:12)

Well, when you put it that way, I guess so I'm completely with you. Yeah, yeah. My address is Portland Counseling therapy dot com. It's very difficult to tell people on the phone.

A (13:25)

That's a long one.

C (13:26)

I am such a counselor and I'm totally in Portland. But yeah, it's true. And I have a G Suite account that. With a BAA business associate agreement. So Google doesn't use this information for advertising. They do not mind the data in my emails. That's Part of the agreement. And we know that they'll do that because a business associate agreement has certain basic provisions that HIPAA requires it to contain. For it to be legally a business associate agreement, it can contain anything else we want it to have. And Google certainly has other things in there that Google wants to have, but the basic provisions have to be there. One is that Google will. Essentially what it comes down to is the contract states that Google or Hushmail or what's another good therapy notes or simple practice or any of these guys, it'll say like we're gonna protect your data to the same standards you have to as a HIPAA covered entity. And we're gonna basically, we're gonna be your agent.

E (14:21)

Right.

C (14:22)

Because these people are your agent, they're part of your practice.

E (14:24)

Right.

C (14:25)

But even though they're part of your practice, you don't get to tell them what to do because they're running their own business. And that's kind of, if you think about that, that's kind of weird. Like Lyeth is my employee as well as my associate here.

E (14:36)

Right.

C (14:37)

So I could define the policies Lyeth has to follow as an employee of Person Centered Tech.

E (14:42)

Right.

C (14:43)

And she can either follow those or get a different job.

E (14:46)

Right.

C (14:47)

Which is corny and it's no. Or she can go to like the, the government say their policies are violating labor laws. You can do that too. But that, that besides, you know, you guys, I know help people with the group practices or just a practice where you have employees, you know, the people follow your policies. And the HIPAA security rule requires you have policies that govern the security of information, including the tech security. That's great. Those people are what you call workforce under hipaa. You know, they're the workforce of the practice. And what you need to do with them is make sure they don't violate your security policies, which is why you got to train them on hipaa or really you got to train them on your policies. Sometimes training them on HIPAA itself can be helpful, especially if they're or high level administrators. But otherwise really just got to make sure they don't violate your policies. That's the important thing. A business associate is a third party. They're your agent, but they're not a part of your practice. Or they're not like in your practice.

E (15:43)

Right there.

C (15:44)

They technically are part because they're an agent of your practice. Google is an agent of my practice. Hushmail is an agent of my practice. SFAX is an agent of my practice. But I can't make Them follow my policies doesn't make logical sense because they have their own facilities, their own stuff, they have other clients too, they do things their own way. And so I need an agreement that says that they're going to make sure their policies cover my needs under hipaa. And that's called a business associate agreement.

B (16:09)

And so when we talk about business associate agreements and anyone who touches potential client information needs to sign one, that's really essential. So even if you are doing some, I don't know, you're working with an online company and they can potentially see like one of the things I think of is like your forms on your website. Right. Like those are potential clients and they might turn into clients. But if you have someone, web person that can access that, you need to have them sign a baa. If you have a virtual assistant that might, I don't know, do follow up calls for you or answer the phone.

C (16:42)

BAA one's a big one. That's an excellent example. That's when I see a lot of people missing.

E (16:46)

Right.

B (16:46)

So those are if someone is going to touch potential confidential information or you can just make it as part of your practice to sign a baa so you're covered. That's just really important.

E (16:55)

Yeah.

C (16:56)

Or the person might actually be a part of your practice. There are a number of people who are kind of, there are number roles, like especially the ones you guys just talked about, and I bet you guys probably talk about these kinds of roles a lot with your people, is that we're kind of on the line between a business associate or a workforce member and it really comes down to which one do you guys want to be? Because if they're workforce, it just means they got to follow your policies and procedures. If that's cool, that's cool. If they're a business associate, that means they don't got to follow your policies and procedures, but you do got to do the agreement and they got to make sure they don't violate HIPAA for you.

E (17:25)

Right.

C (17:26)

But ostensibly, and I say that for important reasons, if they're a business associate and they sign the agreement and it's got all the provisions HIPAA requires. They do, I'm going to use the legal term, they do indemnify you against liability to a certain extent. So there's a bit of shielding from liability. I don't want to just say it's a full shield, even though it's supposed to be. Actually it's supposed to be that my business associates fully shield me. And in most cases they would like if they had a security breach that was their fault and not mine, most of the time I'm not gonna end up liable for that, assuming everything's in order. And probably most time it is. But I just don't want to guarantee that's always the case because there are situations where, like, if it's probably my fault or if I should have known better than hiring people who don't know what they're doing or something like that, I could end up with some of that liability. But largely with that business associate agreement, they take that and I am off the hook if they have a breach. Except for that whole part where one of my clients just got hurt by a security breach. Which is why you want to pick good business associates, no matter how risk tolerant you are about liability.

B (18:29)

Good point. So I know, I know people always have the question about like the tech stuff, their phones and all the stuff like that.

C (18:36)

Oh, actually before we do.

B (18:38)

Awesome. So before we go there. So when we're talking about G Suite and things like that. So I think. Well, not. I think. I know in part one, I had asked you. One of the reasons I started getting a little freaked out is even though I have G Suite and I have a baa, I started when I went to Facebook, I saw that my clients I emailed were recommend being recommended as like, potential friends. What is that?

A (18:57)

Like, what makes you think it's associated with Gmail and not like the location settings on your phone? And there next it would be very.

B (19:08)

Closely after they had emailed me for the first time.

A (19:11)

Oh, before they email you? Not.

C (19:13)

You're not physically met them?

B (19:15)

No, I don't think so.

C (19:16)

Yeah. Because Keith's talking about the most nefarious version.

A (19:19)

Yeah.

C (19:19)

Which is that you both have the Facebook app on your phone. Then your phones come nearby each other once a week about the same time.

B (19:27)

I thought it was like Gmail. I had no idea about that.

C (19:30)

Yeah, that's a thing Facebook does.

B (19:33)

I'm like minus kindergarten when it comes to a lot of, like, tech stuff behind the scenes.

C (19:37)

Oh, dude. I had no idea until I got into a news report. I would not have thought of that. I was like, oh, my God, that is these people.

B (19:44)

So yeah, maybe it was shortly after I had met them or something like that. Now, now it's making sense.

C (19:49)

If they. They might have shared contacts with Facebook somehow. So if they email you, you'll end up in their contact book. And if they had shared. Even if it's just your email address, if it's the same, you use On Facebook, then if they're. If they had shared their contact book some of Facebook, then Facebook would be aware of the link between them.

A (20:09)

Got it.

B (20:09)

All right.

C (20:10)

LinkedIn does that really? Explicitly. Yeah.

D (20:12)

Which is one reason, too, why we recommend not using the same email address for your Facebook account as your practitioner.

C (20:22)

Yeah.

A (20:23)

So.

B (20:23)

But what happens, though? Because I'm. My Facebook. Personal is a personal email. But then what about the business page being linked to it?

C (20:30)

Yep, that would do it. Okay. They got the link. That'll make the link. Yeah. Facebook. It's. This is a situation of Facebook just trying to figure out if people are connected. So they're. There are no boundaries around that. If they can find a link. That's a good point, actually. That's a good point. Yeah. Yeah. If you're professional, your professional page will usually be under your professional address, so Facebook will know it's connected to your profile.

A (20:50)

But no one's saying what kind of connection it is. And no one's qualifying that connection that it's a client of yours.

B (20:56)

But no one. No one is. But it freaked me out. Like when we talked about Amy Crane's Facebook ads, like, how you can't say you. Because most people don't know that you're targeting specific people and that you can do that. It just freaked me out. It's like, all of a sudden, I see this client, and now they're recommending as a friend, like.

D (21:12)

Watching me.

A (21:13)

It's Alexa.

B (21:14)

I know it.

C (21:17)

We say you. We tell our people that we target them in Facebook ads. We're open about that stuff.

B (21:21)

Well, she was talking about how, like, the normal consumer doesn't know that.

E (21:26)

Oh, right, right.

B (21:27)

Like, if you recently got engaged. Right. Like, someone can pull that information. They're like, that's weird. How do they know I got engaged? I don't know these people.

A (21:33)

So, yeah.

C (21:34)

That information is about 65% accurate, by the way. Just so you know.

B (21:41)

So with then having G Suite and a baa. And now I got the mystery cleared up, that it's not Google, it's the potential app. Okay.

C (21:49)

Or the client revealing their information to Facebook.

B (21:52)

Okay. Do you need to have encryption then, on your email? Don't you. What's the answer to that?

C (21:58)

Well, let's understand what encryption is.

E (22:00)

Right.

C (22:00)

So encryption taking information and turning it into a secret code. Right. So there's a thing that goes on that really confuses the heck out of people. Is the word encryption getting used as some kind of synonym for security?

A (22:14)

Yes.

C (22:15)

Because you say, like, do I need encryption on my Email. That language is used all the time, right? People use that language frequently, and that's why people are picking it up. But it's not a sensical statement like encryption on the email and how it might relate to Facebook making connections doesn't make sense. And that's not your fault, Katie. That's. You're getting told. That kind of phrasing is being told to us all, all the time by other people. Confuses us. Encryption means taking a piece of information and scrambling it.

E (22:44)

Right.

C (22:44)

So an email itself, an individual email, you could scramble it.

E (22:48)

Right.

C (22:48)

But here's the thing. If I send you guys an email scrambled with my code, how would you read it?

B (22:54)

If we had the decoder, the spider.

C (22:55)

Got it. Yes. In fact, that's the exact analogy we use. Oh, yeah?

B (23:00)

Yes.

C (23:00)

The decoder badge, the Captain Midnight Decoder.

B (23:02)

Badge, Is it the red one?

C (23:04)

If you have the right one, you're.

A (23:05)

Winning at this escape game.

C (23:09)

You're winning it. You're disarming the bomb. So that's the thing, okay? You have to have the right decoder. So if I just send you an email that's scrambled, how do you decode it? How would we make sure you have a decoder?

B (23:21)

You get it from the Cracker Jacks box.

C (23:23)

That's it. You got it. So that is why you need to have a lot of Cracker Jacks boxes. But if you notice, what that means is you and I have to prearrange a thing.

A (23:33)

Right?

E (23:33)

Right.

C (23:33)

Like, if you ever watch World War II movies about, like, the encryption, which is a huge thing in World War II. The. The challenge is that the people who want to send secret codes to each other have to have some kind of place and meeting where they establish their code together.

E (23:47)

Right?

C (23:47)

So, like, if I want to use encrypted communication with you, you and I have to be using the same decoders, which means either we, you know, are using TGP public key, or blah, blah, blah, the whole thing, which no one does, because what is that? Or we have to use the same app.

E (24:07)

Right.

C (24:08)

So I might use. I use Signal. It's a secure, free, open source, secure texting app. It's how I text with my clients. Signal. Yeah. And because of both regularly. Great. Yes. No wacky spelling.

A (24:21)

Okay.

C (24:21)

Legit question. And so, like, all they have to do is have Signal and we can text each other with this high level of security. Please, before you use Signal, go read our review of Signal, which is open to the public. So you know the pitfalls and ups and downs. Or documentation but the that's because we both have signal. So signal, the company acts as a go between that ensures that we both have the decoder rings. You're talking about trying to send an email from Gmail to any other given email address. You don't know who it's going to receive. That means that there's no decoder in exchange. So Gmail is going to send conventional normal emails that may or may not have some encryption at different points while it's moving through the Internet. We just released an article that actually describes this with very handy, colorful pictures called the three kinds of Email. If you want to go check that out, it explains it very clearly. But usually when we talk about encrypted email, what we're actually talking about is called escrow, right? Yeah. Do you want to talk about that? Lyeth. You probably have a really good description of it.

D (25:25)

So escrow email essentially works in a way where you want to send a message and want to ensure that it is encrypted and protected. So when you send that message, it doesn't actually, the escrow style email, it doesn't actually leave the server where it's being held, the service that you are using to send that. What it does is send a notification to the recipient at whatever type of service they have and then they have to go back to the server and service that is holding the email for you and retrieve it there. So its security is ensured by not landing in their inbox.

C (26:14)

Yeah, that's right. Or not. And not being sent over the Internet.

D (26:16)

And not being sent over the Internet, which may or may not use encrypted.

B (26:20)

Panels saying is that there's a secret code in the vault and if you want the code, you got to go to the vault.

C (26:26)

That's actually. Yeah, that's pretty much it. Yeah, that's right. And we'll send a messenger to you telling you, hey Roy, you got to go to the vault to read it. Yeah. And you've all gotten those, those messages that say your clinician has sent you a message. Click here to go log in and read it.

B (26:40)

And that's called what?

A (26:41)

Escrow.

C (26:43)

Escrow. Because the service is holding the message in escrow.

A (26:49)

So we're talking a little bit about the email. I'm curious about the cell phones because so many clinicians will text confirmation of scheduling. Some of them text more obviously. There's calling back and forth. That happens. There's voicemails. So talk about how HIPAA plays a part with all of that.

C (27:08)

Transmissions must be secured, the transmission Security standard applies. So like the. Well, this is part of why in part one, I was very careful to say that confidentiality is our duty to protect client privacy choices.

E (27:25)

Right.

C (27:25)

So if a client says, yeah, I would love those text reminders, that's really helpful. And you're like, well, I can't. Because my system, like my calendar system or my practice management system, it's not set up to send you those text reminders in any way that's going to be secured over the Internet. They'll be exposed to bad guy interlopers on the Internet. And the client says, I don't really care if bad guy interlopers know that. My appointments tomorrow at 10. And you're like, you do a little, you get a little risk analysis. Like, well, what if somebody who has access to your phone knows that? They're like, well, people have access to my phone, I don't care. They already know that anyways. Or, you know, something along those lines. We have a little questionnaire about that. You can do it in like two minutes with the client. And then the client's like, okay, it's like clear that this unsecure SMS that we know is limited to telling about appointment times. The client is feel safe with it. We know they actually are safe. So they're gonna sign a document saying we have the discussion. Just because I want to document that we've done that.

E (28:22)

Right.

C (28:23)

And that they want those with those texts and they can send them. That's why it's important to remember that what we're doing is upholding client privacy choices.

E (28:30)

Right.

C (28:31)

So that's why they have that right to do that. But otherwise you want to use secure texting. And this is where the whole thing of one of the questions you guys want to ask us is how has HIPAA changed?

B (28:45)

How has HIPAA changed?

C (28:46)

Yeah. Oh, let me tell you, it's a good question. So in 2009, the high tech act did a bunch of things, and then in 2013, the rules were made for that that did a bunch of things. That's the only time the rule has changed. Although there's been a couple of little modifications in the Obama administration, but they don't really hit us at all. So like what has changed is that the environment of technology has changed and that changes HIPAA because like a lot of what is appropriate technology under hipaa and our ethics as well, don't forget ethics, that's just as important here, depends on what's available and compared to the risks that we're facing, like texting is Funny. You can, you can reduce the risk of texting an email by just reducing the risk of the information you exchange by just saying we're only going to talk about appointments. That. That's a lot less risky potentially. You know, like if you're, if you're sending insurance information, that's really risky. Bad guys love to sell insurance information on the black market these days.

E (29:41)

Right.

C (29:41)

So you don't send that.

E (29:42)

Right.

C (29:43)

But now the ability to actually have something that encrypts the information that you send over the Internet to each other and make it really easy and simple and cheap to do is just so ubiquitously available that a HIPAA auditor would have very little sympathy for not using it.

B (30:02)

Right.

C (30:02)

And there's no change to the rule. The rule doesn't say anything different about that. And like, you know, certainly we can give you easy recommendations for any of these tools. Yeah. You don't have to pay us for it even.

A (30:14)

No. What are some of your recommendations for those?

C (30:17)

Oh my God. What a good question. Would you like to tell them our usual recommendations?

D (30:21)

Our usual recommendations for phone and texting or above and beyond that?

A (30:30)

Well, yeah, phone and text are with that.

D (30:33)

So texting. We always recommend that you use the secure texting app that Roy mentioned called Signal, which is free. And we do have a review of Signal, which includes usage notes, which are really important because they provide guidance on particular settings as well as policies and procedures that you need to have in place around your usage.

C (30:56)

And that sounds more complex than it is.

D (30:58)

It's really straightforward and easy to understand language.

A (31:04)

Basically, you would need to download this app on your phone, you have your clients download the app, and then once you set it up properly, you text each other through that for confirmation purposes.

D (31:13)

Yes. And Signal is one of the rare conduits. Conduits. The conduit exception under HIPAA is extremely rare to see. But. But Signal actually does qualify as a conduit.

C (31:30)

That means you don't need a business associate agreement. Yeah. Because the company doesn't actually see or have access to any of your info.

A (31:40)

So that's a great recommendation. What other recommendations? Because obviously you guys are the experts in this area. You've vetted a lot of resources. So what else?

C (31:47)

How many of your people use Google Voice for their phone?

A (31:50)

A lot of people probably.

C (31:52)

Oh yeah, Laeth, tell us about that.

D (31:55)

So even if you have a G Suite with a baa, the G Suite BAA excludes Google Voice explicitly. So Google Voice is not a HIPAA compliant or secure option.

C (32:09)

Don't lie. If you get the thing.

D (32:13)

However. And there are a number of Options that for VoIP second line phone services that will do business associate agreements. One that's really popular among our members is Ring Rx and it's a great price point, $15 per line. And the nice thing about them is that it was designed specifically for healthcare.

E (32:39)

Right.

C (32:39)

It's run by healthcare people and it's.

D (32:41)

Run by health care people as well. And that's always a good indication that a product is more likely to meet the security and ethical needs of practitioners.

E (32:53)

Right.

C (32:54)

When they're, when they at least have someone on the executive team who is a clinician if not actually run by clinicians. There's only a few exceptions to that. Yeah. And that's like, what's interesting is like, you know, some security and compliance professionals will make a case for Google Voice because of the weirdness of how phone service works under hipaa. But this is another one of those points where the availability issue, the availability of choices comes in because someone can say oh I'm going to do this big argument for why Google Voice is going to be legit and I'm going to be like but there's a higher quality service that does BaaS and it addresses your security issues more specifically and directly and only costs you 15 bucks a month.

A (33:32)

Yeah. And I've heard of people using grasshopper or phone.com.

B (33:40)

Over there.

D (33:41)

So no Grasshopper, no Grasshopper, no sideline.

C (33:47)

Yeah. I mean you don't need them and now they're starting to cost money anyways. Like if you really want something that's just like a Grasshopper style where it just has a phone number that forwards to your own phone, you can use Spruce Health which is wonderful little telemedicine app that has secure messaging. Spruce Health is one of the things we recommend as an alternative to signal. If you'd rather have a more high powered way of texting with clients like Spruce Health will actually has this great messaging system that you use with clients. They have it on their phone, you have it on your phone and it also gives you a second phone line like Grasshopper style. Along with your secure texting you can put together a treatment plan on Spruce Health and the client will get it in their phone and can approve sign off on the treatment plan. Cool things like that. In addition to texting, if you've got a team, the team can actually coordinate via Spruce Health about a specific clients and it goes into that client's record on Spruce Health and the lowest cost one for the solo provider that does the Phone line. And the text is $24 a month.

A (34:46)

Yep. And do you know how much it is for group practices?

C (34:50)

The communicator is $49, but that might be per person.

D (34:53)

That's per line because it has more features.

A (34:57)

Yeah.

C (34:58)

It gets the. The price pointing is hard on Spruce Health because they design it for dermatologists who have crap. Tons of money. Yeah.

A (35:06)

Have you heard anything about phone.com?

D (35:08)

Phone.Com, we're looking into because they actually reached out and said, will you do one of your hip appropriateness reviews?

C (35:16)

Did they really?

D (35:17)

Of us?

C (35:17)

Oh, I didn't know that.

D (35:18)

Wow. So we are.

C (35:21)

Because they do business associate agreements. They do them. So, like, we're gonna check it out. They actually. I was surprised to see that they. They do seem to be trying to meet our needs. So we're gonna check them out. Yeah.

B (35:31)

And then email. So I know you guys mentioned Hushmail, G Suite for Google. What else?

C (35:37)

Definitely Hushmail because they're our sponsor. I also consult for Hushmail, but no Laatoka. You give your favorite.

D (35:46)

Okay. So I'm a big fan of Luxai.

B (35:50)

Okay. Spell that one.

D (35:53)

That's L, U, X, S, C, I. And they are also very much oriented towards healthcare and mental health care professionals. They offer a number of different services as well as secure video, secure messaging, secure forms. They have a form builder if you're wanting to do secure information.

C (36:17)

Hushmail is also developing a form builder. I've talked to them about it. It looks awesome.

B (36:23)

It's funny you mentioned that, because I spoke to Michael Formica about that in regards to the forms and the email.

C (36:28)

Yeah, yeah.

E (36:29)

Right.

B (36:30)

Like 499 or 999 for both or something like that.

C (36:33)

Yeah, yeah. Hushmail is 999. But right now, Lux size form builder, form system is more powerful. But Hushmail is trying to catch up.

D (36:41)

And another one that is popular with a lot of people, especially in private practice, is Paul Box, because they have a Gmail integration.

C (36:52)

You mentioned Virtru, I think, last session. Virtru. Now tell us why you don't want Virtru anymore.

D (36:58)

Right. Virtru now has above and beyond your monthly user fee. Has a $500 HIPAA compliance premium each year.

C (37:10)

Yes.

B (37:10)

And that's what. And so, interestingly enough, when I started this journey about the whole HIPAA thing and the technology aspect, I had spoke to a company that was like $200 a month, number one.

C (37:20)

Yeah.

B (37:21)

That led me to virtue, which was like, you know, a monthly fee and then it was yeah, it wasn't bad at all. It was like five or six hundred dollars, but maybe it was six hundred dollars total. And as soon as he told me that I was like, nope, thank you very much. I'm gonna continue to look. I'm like there has to be cheaper things for therapists. Which led me over to you guys. What was the last one that you mentioned though?

A (37:41)

Paul Box.

D (37:42)

That's like P, like a U, B, O, X box.

C (37:47)

Yeah. Paul Box.

D (37:48)

Yeah, Box.

B (37:50)

Interesting things, I swear.

C (37:51)

Yeah, they are how Box is. The one is like the new like low cost or like small practice thing that integrates right into your Gmail for doing security.

B (38:02)

Yeah, yeah. Awesome. So I mean we could probably do part three and part four, but you guys have like shared with us.

C (38:08)

You guys should come become a member at Person Centered Tech and you can talk to us every week at office hours.

B (38:13)

Ah, super fun. And that's for any listener I had assume.

C (38:18)

Yes, yes.

D (38:18)

And you get to get access to reviews of all these products. And if there's something we haven't reviewed that you're considering adopting in your practice, you can request as many reviews as you like. This is the service for our members that's included with a number of other resources and features, including office hours sessions with Roy in which you get to ask any and all of your specific questions and we give direct input and guidance.

C (38:49)

And lyeth is always there too. Yes. There's a lot of times Elias knows something I don't.

B (38:53)

So share with us a little bit about your membership program.

D (38:57)

So the membership program consists of several primary resources. The core of it is our office hour sessions, which are 90 minute sessions four times a month in which we answer members specific questions, dialogue with them around their practice considerations and give specific input and guidance. We also are now doing special CE for office hours. So 10 times a year we give ourselves a break. In July and December we do a special CE session. So our next one on January 25th this month is actually a how to do a risk analysis because that's something that is really important part of complying with hipaa, but it's a pretty overwhelming thing. So that's going to be what.

C (39:53)

So we're going to teach you our best way of doing it. Right now we're developing better ways to do it, but we're going to teach you what we got right now.

D (39:58)

Exactly. And then the membership also includes our core courses on digital confidentiality. According to professional ethics and hipaa.

C (40:09)

How many hours of core courses do we have?

D (40:11)

Currently we have eight Hours of core courses. And then we have an additional 3.5 CES that are immediately available to you, but those are being added to on a monthly basis.

C (40:26)

How about psychologists? Can they use our continuing education credit list?

D (40:30)

Yes, they can, because all of our ces are APA and NVCC approved. And part of why we started doing the CE for office hours was to be able to give people who have the live CE requirement to be able to help meet their CE needs especially.

E (40:49)

Right.

B (40:50)

That's awesome. So not only are you guys a wealth of knowledge, you also have other services that support us and we have ces anyway, so you have to be HIPAA compliant, especially if you're a covered entity, but it is a best practice. And so we should all head over to Person Centered Tech and check out definitely their membership stuff and how they can help and support us. And so many of you have so questions on him and to spend time with Lyeth and Roy, I mean, they've done part one and part two and we're not even done. So I can only imagine the great value you guys add. And then also it really brings peace of mind. I mean, listen, you guys have heard Roy talk. And when I heard him on Joe Sandock's podcast, I was like, he's funny. He makes things light, like. And I've been taking it so seriously, like hiding out. I'm like, I can't talk about this because, you know, we're supposed to be these private practice consultants.

C (41:35)

Yeah. Oh, God. I know that.

B (41:37)

We have to lead people in the right direction. And then I'm like, katie, just get over yourself. It's fine. Be vulnerable, be transparent. And Joe was totally transparent on the podcast. And it made me feel like, okay.

C (41:46)

Joe's hilarious with that.

B (41:50)

Yeah.

A (41:50)

So I haven't heard the podcast, but I'm a fan of Joe.

B (41:53)

You guys did it in Hawaii and there was like birds and then a bird.

C (41:57)

Yeah. Oh, I love that. That's the first one I did with Joe. That's when I first met him in person.

A (42:00)

Yeah, yeah. So that was really cool.

B (42:02)

But so for part two, what do you really want people to take away from our part two podcast?

C (42:08)

Well, okay, I'd say HIPAA compliance, like full compliance, true compliance requires some tasks that most therapists find extremely difficult on their own. A number of therapists we've worked with have hired consultants to do it, like the risk analysis, for example. And I'll tell you right now, the reason we started membership is that I used to just consult one on one with people to get this stuff done, it would cost one to $3,000. But I was doing the same thing over and over again. It didn't make sense to do that. I was like, if I can have a repository of info plus be available for the customization or just to talk to you about whatever, but put boundaries around it so like, you know, it's not just killing my time.

E (42:49)

Right.

C (42:49)

Like that sounds like it would work. And that's the basis of the membership. The idea is to ensure that you can eventually get everything you need from us for a single cost, like for a fixed cost. A number of people end up getting one to one consultation anyways. I always try to tell them just come to office hours, like there's no limit, like it doesn't matter how personal your question is. We don't care if it's, we don't care if it's useless to every other member. You still should come ask us because that's what we're there for. So I want to make sure people understand that. And when we encounter colleagues out there who haven't started the journey yet, they don't really know what they don't know. And there's a lot, and I really don't like to use that kind of fear to market. It's actually against our policies. But it's something I think we realize people need to know, is that there's a lot if they haven't started that journey that you're talking about. Katie. There's a lot they don't know. They don't know. And we are very well prepared and very practiced at introducing them to it and helping them get into it.

A (43:46)

Yeah, there's that saying, ignorance is bliss. Right. But not with hipaa. Not with many other things though I would say.

C (43:53)

Well, can I actually say like, but with tech, because with hipaa actually you can get away with a lot, but you may find that. No, you can. I mean there, like I said, there aren't really many HIPAA bombs. Like there's not a lot of opportunity to get in trouble with hipaa, to be honest. But there's a lot of opportunity to hurt a client.

E (44:10)

Right, right.

C (44:11)

Or just, or to just do stuff really inefficiently. And you guys know that really well.

E (44:15)

Right.

C (44:15)

I mean, that's the thing. Half the time we actually help people just be more efficient. Yeah, exactly. That's actually most of what we end up doing. Right.

D (44:24)

And normally when folks first come to us, they'll be like coming from this place of super overwhelmed and not knowing where to Start, but feeling like they have to change everything and do it all at once. Part of what we try and do is help people identify what the highest priorities are and what the best solutions for those particular needs or issues are. And then put together a plan and provide support along the way of implementing it.

C (44:55)

Take it step by step and lots of CE hours.

D (44:58)

Yeah.

B (44:59)

Check out your guys membership site@personcentertech.com. yes. Is that where it's at? And then did you guys also have another. You had a giveaway?

D (45:06)

Yes, yes we did. So the special offer is to call me For a free 10 minute resource consultation, ask me your specific questions and I will direct you to resources and answers to those questions. And as part of having that consultation with me, we will also give you a copy of our HIPAA investigation repellent course.

C (45:35)

That's the one I mentioned at the beginning that tells you like the basic. Do this, this, this and this and you're gonna cover like 90% of the HIPAA pumps.

B (45:41)

It's like bug spray repellent.

C (45:43)

Yeah, yeah, it totally is. It's like the low hanging, easy stuff. Yeah. And we tell you exactly how to do it with videos that walk you through changing settings on your devices to do what we told you.

B (45:53)

I actually had my assistant do all that and like give me all the Cliff Notes or whatever. I have to read them.

C (45:57)

But yeah, it's really.

B (45:58)

Check that stuff out.

C (45:59)

Yeah, it's super easy. Yeah.

D (46:01)

And we also will be offering you 20% off the annual membership.

E (46:06)

Right.

C (46:07)

Basically what it is, you can either choose to take the course or 20% off the membership. Cool. But the membership includes the course, so.

D (46:14)

Yes. And you get to talk to me for 10 minutes.

C (46:17)

Yeah, I'm actually.

A (46:20)

Awesome. You guys are.

C (46:21)

I want to talk to Laia for.

A (46:22)

10 minutes of information. And so fun to talk to about this really serious stuff. But I think it's kind of been like a fun and light podcast.

B (46:30)

Yeah, I don't feel worried anymore. So guys don't feel worried. We all have HIPAA needs and I can't imagine that really any one of us, maybe Roy feels extremely confident about hipaa. And these are your go to folks. Talk with lyeth for 10 minutes on that console. Hang out in their membership, give them a call or email them, whatever. Just get connected because they're just super awesome. But we wanted to thank you guys for joining us today. I know there was a ton of information. I have notes all over my paper that I have to go now put into the show notes page.

C (47:02)

Is that writing on that wall. I was wondering what that is.

B (47:07)

Yes. I've been transcribing it all over the place. So everything that we've talked about today, the email stuff, the text stuff, which phone services not to use, we're gonna put that on the show notes page, including the giveaways that Roy and Lyeth have offered. But if you did not listen to part one, go back to part one. Listen to part two. Next week you want to join us with Jessica Dolgan from Therapy Partner. We're gonna be talking about ehr.

A (47:31)

Hey.

B (47:32)

And then we're talking about EHR there. So, Startup Nation, thank you guys so much. It is the end of our Friday after five hours of podcasting. I hope we've kept up the energy. I feel a little toast.

C (47:44)

You guys did great.

A (47:45)

You were fantastic.

B (47:46)

Toasted.

A (47:47)

Toasted.

B (47:47)

I had toast this morning. Avocado and ash toast. Maybe that's what I do, feel a little toasted. But thank you guys so much for making such a dry, boring topic. Usually fun, exciting. Love the metaphors, the analogy. It was amazing. We had a blast. We hope you guys did too. Check out the show notes page, like I said, for tips, resources, giveaway, and thank you for allowing Kate and I to continue to inspire you from startup to mastery. See you later, Startup Nation.

A (48:12)

Bye, guys.

B (48:13)

Bye.

D (48:14)

Bye.

A (48:17)

Thanks for joining us on the private practice startup. Visit theprivatepracticestartup.com for awesome resources, free trainings, attorney approved private practice paperwork, and so much more.

E (48:32)

Sam.