Podcast Summary

Podcast: Private Practice Startup Podcast
Episode: 77 – “Tips for Having HIPAA Peace of Mind for Private Practitioners, Part 2”
Hosts: Dr. Kate Campbell & Katie Lemieux
Guests: Roy Huggins & Liath Dalton (Person Centered Tech)
Release Date: March 17, 2018

Overview

The episode continues a deep dive into managing HIPAA compliance for private practice owners, focusing on practical, tech-focused strategies. Roy and Liath from Person Centered Tech join hosts Kate and Katie in a lively, metaphor-rich conversation about how mental health professionals can confidently and efficiently navigate HIPAA, emphasizing real risks and best practices without fear-mongering.

Key Discussion Points & Insights

The “HIPAA Bomb” Metaphor

The spirit of the episode is playful and approachable, making a complex topic accessible, reassuring listeners that while HIPAA is important, it doesn't have to be intimidating.

• (04:25) Roy: “It’s actually really important...there are very few HIPAA bombs. As much as this maybe is against our financial interest to tell people this, it’s a big part of what we do at Person Centered Tech: make it really clear that if you come from any place of fear or maladaptive anxiety...you’re gonna screw it up.”
• The main compliance risks are clear, finite, and manageable.

Business Associate Agreements (BAAs) – What, Why, and Who Needs Them

• (07:37-17:25)
  • Definition & Analogy:
    • Roy’s “Fax Emporium” story illustrates why sending information via insecure methods (like personal email or basic texting) is problematic.
    • Quote at (11:00): “What I just described, with extremely little glossing, is a perfect analogy to email and texting...The only thing we guarantee is that you’re gonna get it. We’re not making guarantees about what we will or won’t do in between.”
  • BAAs should be secured with any third-party service (including email providers and virtual assistants) that handles client data.
  • G Suite (paid Google service) can provide a BAA, unlike regular Gmail.
    • Cost: $5/month (12:14).
  • Hushmail for Healthcare is another option, especially for those without their own domain.

Secure Email & Encryption

• (21:49–26:49)
  • What does encryption mean in the context of HIPAA?
    • Encryption is often misused to mean all security, but it’s just “scrambling the data.”
    • Quote at (22:00): “Encryption means taking a piece of information and scrambling it...not a synonym for security.”
  • True end-to-end encrypted email requires both sides to have the same system or 'decoder ring’—otherwise, escrow-style secure messaging (where the message is accessed via a portal) is used.
  • Escrow Email: The recipient logs into a secure portal, rather than the message being sent over the open Internet.

Phones, Texting, and Secure Communication

• (26:49–34:46)
  • Texting appointment confirmations or brief messages can be done if clients provide documented consent, understanding the risks.
  • For broader or sensitive communication, secure tools are recommended.
    • Signal: Free, open-source texting app; highly recommended for secure messaging (30:33–31:30).
    • Uses of Google Voice, Grasshopper, or similar services are not HIPAA compliant (32:09).
    • RingRx, Spruce Health, and (potentially) Phone.com are recommended alternatives for phone and messaging.

Recommended Secure Email Solutions

• (35:31–38:02)
  • Hushmail (Roy consults for them, and they’re a sponsor), LuxSci, and Paubox are solid choices with healthcare-specific features.
  • Virtru: Now charges a significant HIPAA compliance premium ($500/year), making it less practical for most clinicians.
  • Always look for services that can provide a BAA and are transparent about their data handling policies.

The Reality of HIPAA and Evolving Best Practices

• (43:46) Roy: “There aren’t really many HIPAA bombs. There’s not a lot of opportunity to get in trouble with HIPAA, to be honest. But there is a lot of opportunity to hurt a client or do stuff really inefficiently.”
• (44:24) Liath: "Normally when folks come to us, they're super overwhelmed...Part of what we try and do is help people identify what the highest priorities are and what the best solutions are for those particular needs or issues, and then put together a plan and provide support along the way."

Notable Quotes & Memorable Moments

• On BAAs:
  • Roy (08:32): “A business associate is a third party. They're your agent, but they're not a part of your practice...they don't got to follow your policies and procedures, but you do gotta do the agreement.”
• On selecting tech solutions:
  • Liath (31:55): “Even if you have a G Suite with a BAA, the G Suite BAA excludes Google Voice explicitly. So Google Voice is not HIPAA compliant or a secure option.”
• On being practical, not fearful:
  • Roy (43:53): “With HIPAA...you can get away with a lot, but you may find that...there’s a lot of opportunity to hurt a client. Or just do stuff really inefficiently.”
• On starting somewhere:
  • Liath (44:24): “Part of what we try and do is help people identify what the highest priorities are...and then put together a plan and provide support along the way.”

Resource Round-Up & Recommendations

Meeting HIPAA with Peace of Mind – Practical Tools

• Secure Email: G Suite with BAA, Hushmail for Healthcare, LuxSci, Paubox
• Texting: Signal (preferred for all confidential texting), Spruce Health for integrated phone/texting
• Phone: RingRx, Spruce Health, Phone.com (being vetted)
• Form Builders: LuxSci (current leader), Hushmail (developing)
• Always: Ensure vendors provide BAAs

Action Steps/Triage

• Evaluate vendors—do they offer BAAs? Are they healthcare-oriented?
• Use secure platforms for all electronic PHI;
  • Don’t use @gmail.com, Google Voice, Grasshopper, or other generic services that don’t sign BAAs.
• Document client consent for any unencrypted messaging.
• Seek help if overwhelmed—use professional resources to prioritize and make stepwise changes.

Timestamps for Key Segments

• [05:25] Dispelling “fear marketing” and realistic HIPAA risks
• [07:37–17:25] Business Associate Agreements explained (with fax analogy)
• [18:57] The link between Gmail, Facebook, and privacy
• [21:49–26:49] Email encryption, escrow messaging, and “decoder rings”
• [27:08–34:46] Texting/phone HIPAA compliance; recommended apps/services
• [35:31–38:02] Top secure email, forms, and phone service recommendations
• [43:46–44:24] “What really matters” – efficiency, client risk, and prioritized plans

Offers & How to Connect

• Person Centered Tech Membership: Weekly office hours, product reviews, 8+ CE hours, direct Q&A, and special CE events.
  • [38:57] Details on content and support offered.
  • [45:06] Free 10-minute consultation with Liath + free HIPAA Investigation Repellent course or 20% off membership.
  • [45:35] Roy: “Do this, this, and this, and you’re gonna cover like 90% of the HIPAA bombs.”
  • Find them at PersonCenteredTech.com.
• Show Notes: Full list of recommendations and resources at PrivatePracticeStartup.com.

Final Takeaways

• HIPAA compliance for private practitioners can be straightforward and stress-free with the right approach and resources.
• Focus on using secure, healthcare-specific tech services and creating a prioritized, stepwise action plan.
• Don’t act out of fear—there are very few true “HIPAA bombs,” but plenty of opportunities to improve efficiency and client safety.
• Tap into supportive communities (like Person Centered Tech) for ongoing help, CE credits, and product recommendations.

Episode tone: Playful, reassuring, and practical—making a heavy subject fun and manageable for clinicians.