This episode’s sponsor
Cloud phone services for the mental health professional
Discount Code: TTPC50
What are the top three things we can do to start down the path to HIPAA compliance? What is HIPAA? Why does the “I” stand for “Insurance” instead of “Information”? Who needs to comply (and why isn’t it as simple as whether you file insurance claims or not)? How can we comply? What makes HIPAA an important standard for security/privacy even outside of compliance?
Join Rob, Roy, and their special guest, Clinton Campbell, for answers to all these questions and more!
Resources
- All Call Technologies – Cloud phone services for the mental health professional. Features include, virtual receptionist, extensions that ring your phone(s), voicemail, and a HIPAA compliant vendor that will sign a BAA!
$50 discount on set up fee with discount code: TTPC50 - Your Software and Devices Are Not HIPAA Compliant – Basic explanation of how compliance is a process (TYP.)
- Roy’s 1 Hr. CE Course on the Low Hanging Fruit of HIPAA Security
- Understanding How HIPAA Applies to You — basic, free article series from Person Centered Tech that takes readers through a basic education on HIPAA security (PCT.)
- Mental Health Professionals’ 3 Steps to (Actually) Be HIPAA Security Compliant — A rundown on the 3 parts of HIPAA Security compliance that are described in the podcast (PCT.)
- Easy Safe Harbor From HIPAA Breach Notification: Now on Your Computer and Smartphone — A quick synopsis of how to use encryption to satisfy the requirements of HIPAA’s breach notification rule — so you can avoid needing to notify when you have a breach! (PCT)
- Mintz-Levin State Data Breach Matrix — A PDF from law firm Mintz-Levin with a summary of state data breaches that covers all US states and territories (where applicable.)
- HIPAACOW! — All the HIPAA Security and Privacy forms and templates you could possibly want, supplied by the HIPAA Consortium of Wisconsin.
Show Notes
-
:13
What is HIPAA And Why Should You Care?
-
5:53
Data Privacy & Security
-
8:48
Privacy vs. Security – What’s the Difference?
-
10:43
What is a Covered Entity? Who Needs to Comply?
-
19:18
How Can You Comply?
-
21:13
Three Major Components of Compliance
-
30:15
Conceptualizing Compliance w/Guest Clinton Campbell
-
49:20
Describe Question – What is Something Entertaining About Clinton?
-
52:55
Top Three Things To Get Started Toward Better Security / HIPAA Compliance
-
59:27
Credits
Episode Transcript
| Rob: | Therapy Tech with Rob and Roy. The most fun therapists can have listening to a podcast about technology. This episode of Therapy Tech with Rob and Roy is brought to you by All Call Technologies, Cloud phone services for the mental health professional. AllCallTechnolgoies.com. |
| Roy: | Welcome everybody to episode 106. Actually it's just episode 106 because it's Season 1, Episode 6. |
| Rob: | Yeah, we like to do like they do on TV. |
| Roy: | I do. Like I'm on TV, episode 106 of Therapy Tech with Rob and Roy. |
| Rob: | If this was Friends this episode would be called The One With the HIPAA. |
| Roy: | It would, that's true. |
| Rob: | Exactly. |
| Roy: | Actually, so we're talking about HIPAA, but don't we talk about that all the time, Rob? |
| Rob: | Pretty much. Pretty much, but I think we figured we should probably do kind of another one of those survey episodes where you talk about how this all fits together and why we need to care about it. |
| Roy: | Okay. Well Rob, let me ask you a question. How des this all fit together and why do we need to care about it? |
| Rob: | Wow, that's a big question, Roy. |
| Roy: | It is, it's a big questions. |
| Rob: | I mean the short version of that is HIPAA's centered around privacy and security of protected health information, information that can identify our clients and connect them to the services that they're receiving. |
| Roy: | I seem to remember you talking about that in ethics class. |
| Rob: | Yeah, so that's kind of important not only because of the legal ramification, but because we're ethically responsible for helping them maintain that privacy. |
| Roy: | Right. Okay. Well, I'm a little confused though because if it's about privacy and security, doesn't the I in HIPAA stand for insurance? |
| Rob: | I know. I know. It really should I think, and we should lobby for this, you and I Roy, alone, together ... |
| Roy: | Yes. |
| Rob: | ... should get that I changed to information, I think. |
| Roy: | Oh, so it would be the Health Information Portability and Accountability Act? |
| Rob: | Exactly. Note the two A's, HIPAA. |
| Roy: | Right. |
| Rob: | Not two Ps. I know people like to do that with the hippopotamus and all that and that's cool, but ... |
| Roy: | Oh, come on. |
| Rob: | It's two As, one P. If you want to look professional and knowledgeable it's one P, two As. |
| Roy: | Well, why you got to be down on the hippopotamus? |
| Rob: | If you want to use the hippopotamus, that's okay. It's cute. |
| Roy: | It's great. |
| Rob: | If it helps get the point across, it just confuses people about the spelling. Well, maybe we can change the spelling of hippopotamus to have one P. Then that will fix it. |
| Roy: | You guys should actually do that. That's actually not a bad idea. Yeah, I use the hippopotamus all the time. I love it. It's more fun that way. Okay, so if the I is not information, if in fact it's insurance, then what? That's the Health Insurance Portability and Accountability Act, right? |
| Rob: | That's right. You have a great explanation of why it has its insurance instead of information. |
| Roy: | Okay, so you want me to take that one. |
| Rob: | Yeah, you do a good job explaining that. |
| Roy: | I do, I have a little story. Okay great. So I'll tell my story. Imagine it's the mid-'90s. You have big hair because it's the big '90s, it's the mid-'90s. Or if you're a dude you might have really long hair and wear grunge clothes, especially if you live where I do in the Pacific Northwest. These are important details. We're talking about HIPAA. |
| It's the mid-'90s but you don't live in the Pacific Northwest because you're part of Congress. You're noticing that people have a hard time maintaining health insurance between jobs and that there's a lot of money spent just on billing insurance companies because they all do billing different ways and so there's not a standard way to do insurance billing, so every healthcare agency has to have a whole staff just dedicated to billing insurance. | |
| By the way, so far none of this is sounding much different from now, right? So that's kind of an interesting thing is that not all this changed. So you're in Congress and you're going, "Well, we want to fix this problem. We want to make sure that people maintain insurance between jobs and we want to standardize insurance billing in order to make it cheaper, like cost less. Also hey, we've got this newfangled internet thing that Senator Gore just invented, right?" | |
| Right, because he was a senator at the time, and so maybe we should use that in order to make it more efficient as well. So they said, "Okay great. So we're going to make an act." Like many acts of this nature it doesn't actually define what those rules are yet, it doesn't define how we're going to do those things. What it says is the government's going to put some agency or some taskforce in charge of figuring out how to accomplish this set of goals. | |
| Then the act talks about the goals and what they should do and who should in charge and various other details that need to be talked about and no one ever actually reads the act after they're done executing on those goals. All right? So what the act said was, I'm sure it basically said Health and Human Services will be in charge of doing this. I imagine it did or somehow referenced them and then Health and Human Services got on that task of figuring out how to make sure people have health insurance between jobs and to standardize health insurance billing and to make health insurance billing start using the newfangled information superhighway called the internet. | |
| That was enacted in 1996 and around 2003 the first set of rules from Health and Human Services finally became law. They became or became administrative law that you have to follow. What's really interesting is in between then and 2003 a lot of things shifted as they do when it comes to making legislation and regulation. We did get that standardization of health insurance billing. We got that. We call those HCFA forms. Right? | |
| Rob can actually speak to this much more detailed than I can, that HIPAA still is actually where you get the rules regarding how HCFA forms work and how you do your insurance billing. All that still is set by HIPAA pretty much. And they did actually establish the national electronic health insurance billing system that we still use today, so that was really cool. | |
| Now, the problem is it didn't really help with the losing your insurance between employers. Somehow that got lost, so the P in HIPAA didn't really happen, right? That's actually still there because that's the name of the act but it didn't really ... | |
| Rob: | There's still hope. |
| Roy: | There's still hope maybe, but not through HIPAA. |
| Rob: | Right? |
| Roy: | That's not where that hope comes from because one thing they did of course say, if we're going to establish a big internet-based billing system we have to also have rules regarding how people maintain the privacy and security of all this information that's being passed around the internet. Of course over time it became not just about insurance billing, but about all the health information people handle in their practices. |
| That's kind of how we started from this thing about insurance and moved into this big thing about privacy and security, which is what HIPAA has morphed into since that time. It has become much more about privacy and security than about insurance. | |
| Rob: | So yeah, the insurance piece is still there, it just kind of happens behind the scenes. When Roy's talking about the standardization, any of you billing electronically and using clearinghouses, that was all set up to make sure they all speak the same language and you don't have to think too much about it. |
| Roy: | Yeah, yeah. I'm sure it did actually reduce those costs quite a lot. Some people may not believe that considering how much it still costs to have a biller and run all that, especially in a medical practice. |
| Rob: | Well, and it depends on who's actually experiencing those costs versus the savings. We could have an all on debate about whether the insurance companies are experiencing more of the savings than the providers, but that's another episode I think. |
| Roy: | Yeah, probably. HIPAA was originally meant to accomplish a lot of stuff around insurance and it ended up something that accomplishes regulating security privacy in American healthcare, which is a giant bear of a task because ... |
| Rob: | But it's a good thing, right? |
| Roy: | Well yeah, I think it is a good thing especially considering, to be quite honest and to be a little elitist about our wonderful field of mental health, the rest of healthcare in the United States wasn't doing that great a job at privacy before HIPAA came along. We always did it pretty well. |
| Rob: | They weren't really doing much of anything really. |
| Roy: | Yeah, exactly, right? If you don't like HIPAA you can blame doctors because doctors don't get blamed enough for things. |
| Rob: | Right. |
| Roy: | It is true though, the medical world wasn't doing privacy anywhere near as well as mental health has done privacy for decades. I think that's a big reason in my opinion why HIPAA has only recently in the last five years or so become something people started to really actually think about because we were doing privacy actually even better than HIPAA requires, except for a few little items when the rules came along. |
| When they became required, mental health clinicians in droves went to HIPAA trainings and discovered that there wasn't really much about it that was all that new except now we had to figure out how to be okay with giving clients copies of their records or other things about their privacy rights, like their rights to information. That was about the only stuff that was different. And we weren't using cell phones, we weren't using the internet and we weren't using computers to store records, so the security rule didn't really have much meaning at the time. | |
| But now suddenly it has deep meaning and as much as we're really good at privacy, we're not trained on security and so now suddenly HIPAA comes into our lives. That's my story of how it's suddenly a big deal. | |
| Rob: | So you're talking about privacy and security. Those words keep popping up. What's the difference? |
| Roy: | The way I define it is privacy is essentially the client's rights to control of the flow of their information. They get to control who hears what, when and under what circumstances. We all know that very well. Even if you don't think about it that way, you act that way because in ethics classes and all of your other training, in all of your practicum and internship you were taught pretty much every day that that's how you treat client information, is that you keep it really secure and really private except for a few exceptions and everything else is up to the client and their decisions. |
| Security, now this is the bit we don't tend to think about in grad programs, and I propose that we start to think of it this way when we teach grad students, security is the logistics of how you uphold those decisions, like by default we don't tell anybody about our client's info unless if someone that needs to know and has a right to know. Or there's the limits to confidentiality is such as abuse or suicidality or those types of things. | |
| Security is things like I keep those paper files in a locked cabinet. If you, Rob, asked me to tell you about a client of mine, I have sort of techniques for dodging that question of shutting down your question. Even if you asked me to talk about a client that's not my client, like if you asked me about Sam Smith and Sam Smith is not my client, I wouldn't even tell you that fact, right? I have a policy, I have a behavior set that's meant to help protect the privacy of all our clients. | |
| Rob: | That's when we get to sound like politicians. We can say, "I can neither confirm nor deny ..." |
| Roy: | Exactly yes. I love that. I love that. I love teaching it to my students that way. I say, "You need to say, 'I can neither confirm nor deny the existence of clients.'" Right. |
| Rob: | Exactly. |
| Roy: | Yeah. That's all security. Knowing to do those things, having those behaviors. |
| Rob: | Policies and procedures. |
| Roy: | Exactly. That's right. That's security. That's what that is. So let me ask you, so we talked earlier about what HIPAA is and what it accomplishes, but here's a weird thing that you and I know people really wonder about and get confused about sometimes. If I'm a professional counselor, Rob, and I'm licensed, right? I'm licensed by the state of Oregon, does that mean that I have to comply with HIPAA? |
| Rob: | Well, there's two answers to that question of course. There's the technical answer, do you legally by the letter of the law have to comply? Then there's the more global really big picture do you need to comply answer. Which one you want first? |
| Roy: | How about the technical do I have to by the law? |
| Rob: | Okay, so the technical by the law, it comes down to whether you are a covered entity. You are a covered entity if you engaged in covered transactions. |
| Roy: | Okay. |
| Rob: | In our case, covered transaction usually comes down to filing electronic and insurance claims. There's other covered transactions that just don't typically apply in our realm. So if you engage in those covered transactions you're basically transmitting protected health information electronically by filing electronic insurance claims, then you are termed a covered entity and you must comply with HIPAA. |
| Roy: | Okay. Wait, wait, wait, wait. What if I transmit electronic protected health information because I'm texting with my clients? |
| Rob: | Again, if you're not filing, and this is where HIPAA's really weird, if you're not technically filing an insurance claim, you're not doing a covered transaction, then that doesn't count. |
| Roy: | It doesn't count. |
| Rob: | Which is really bizarre. Again, this is the legal technical definition of HIPAA. |
| Roy: | Wait, but every time I see an online therapy training there's this kind of statement that says as soon as you start doing online therapy, now you must comply with HIPAA. |
| Rob: | Who's been telling you that? |
| Roy: | It's implied by a lot of language and stuff about online therapy. Not like in guidelines and ethics codes. They're usually more precise than that, but you see a lot of stuff that says as soon as you do online therapy, now that's the point when you have to comply with HIPAA. I've seen a lot of language that implies that. |
| Rob: | Language from who? |
| Roy: | I don't remember. This is rumors, Rob. Answer the rumor. |
| Rob: | Well, we're starting to wander into the non-technical definition. |
| Roy: | Okay, well tell me about that then. |
| Rob: | Because we all have ethics responsibilities. We also have state privacy laws that we need to be considering, and a lot of those things tend to point to the fact that hey, even if you're not a covered entity, you still have a responsibility to protect the client data. |
| Roy: | Yeah, that's true. Yeah, that's in the ethics codes. |
| Rob: | The challenge comes in with okay, if you have this responsibility to protect data, how do you do it? As we've talked about, we don't get that training in our graduate program, so where do we look for guidance and standards and so forth? |
| Roy: | Well, I can just put my Google account into my file cabinet, right? |
| Rob: | Oh, that's true, yeah. |
| Roy: | Yeah. Man, I'm not sure how to do that though. How do I go about doing that? |
| Rob: | If you just use a really good password you will not really be doing what you need to do. |
| Roy: | Oh, I see what you're saying. You're saying if passwords are the only thing I think about, I'm not really doing it all. |
| Rob: | Right. |
| Roy: | Yeah. |
| Rob: | Because people who understand security and privacy especially from a technological perspective know that that's not enough. That's why we have to lean on something like HIPAA that provides more guidance and standards. So even if you're not a covered entity, if you want to be able to comply with ethics and also any state laws you have regarding privacy, you need to look for a standard like HIPAA to provide that guidance. |
| Roy: | Okay, so you keep talking about the state laws, right? I assume you're talking about big states like California and Texas where they tend to have their own laws about those things, right? That's what you mean? |
| Rob: | Right, but even smaller states are starting to do this as well, right? |
| Roy: | Yeah. Well, actually I was kind of prompting you to, I don't know if you know the stat, but according to the Mintz Levin survey, out of all of the American States and territories, only three of them do not have their own data breach laws. Every other single one has a law about what will happen if you have, if you as a business owner or a healthcare entity, if you have a confidentiality breach of electronic info about clients there is consequences at the state level. |
| Rob: | That sounds a little scary, Roy. What kind of consequences? |
| Roy: | Generally the consequence is the same as with HIPAA in that you have to report the breach, you have to tell. Usually in this case you have to tell some government agency often is the case, but not always. But definitely what's always the case is you have to notify all the impacted clients. Like everyone whose information got lost, got breached, you have to tell them about it. Certainly I'm sure at this point nearly all of us have gotten one of those letters from an insurance company or a hospital that says, "We may have lost your information. |
| It may have been compromised. Call this number to get credit counseling or to get some assistance with that." Those cases are generally acting on HIPAA because they had a breach that involved more than 500 people, which requires them to then provide credit counseling to those people who were impacted. Or also reputation management services. | |
| Rob: | Yeah. It sounds like a lot of fun. |
| Roy: | It sounds like tons of fun. Yeah. Luckily for us, even people with larger group practices, it's very rare for people to be able to have single breach that impacts 500 people. That higher level of breach notification usually isn't something that we need to worry too much about. For us it's usually what's called small breaches, which means there's fewer than 500 people. |
| It's unlikely you need to really think too much about the idea of having to take out an ad in the local newspaper about your breach and offer credit services to people who were impacted. Most likely what you'll have to do if you're having one of those is tell the clients that were impacted, and if you're a HIPAA covered entity you need to tell the feds. You may also have to tell your licensing board and possibly even another state agency depending on state laws. | |
| Rob: | So if that's the case, if we're unlikely to be impacted, if the real targets are the larger hospitals and other healthcare organizations because they have massive amounts of data and that's who thieves would want to get ahold of, why do we have to worry at all? |
| Roy: | Well, I'll tell you right now, certainly a person-centered tech, occasionally when practices have a security breach, like some problem, occasionally they will email or call us because they know they can trust us. But of course what we do is immediately refer them to a local lawyer because at that point you need to talk to an attorney who specializes in healthcare to get the best advice. |
| Rob: | Well, and not just an attorney, but somebody who's also familiar withy your own local laws. |
| Roy: | Yeah, exactly. That's right. Yes. Certainly you want a local attorney who does healthcare. Often, so we'll see a small practice of a few clinicians that will happen where someone broke in, stole their computers, right? Or for a solo clinician, the most common two things are that they lost their laptop and it has client records on it or even more common is that one of their online services was compromised. Like somebody guessed their password and got into their email is the most common one. |
| Bad guys strangely enough aren't usually trying to guess your password and get into your practice management system or your EHR. I so far have not seen that happen, but we've seen a lot of people get their Google Account hacked because bad guys love to get into Google Accounts. Those things are breaches. You may or often do have to then notify all the impacted clients if stuff like that happened. | |
| Rob: | Well, and to be clear, a breach, like you said, you don't have to know that a breach happened for sure. There just has to be a reasonable suspicion of a breach. |
| Roy: | Yeah. The way I would frame it is it's that once there's an incident, you have to prove a breach did not occur as opposed to the opposite, where someone else has to prove that a breach did occur. That's why the reasonable suspicion kind of brings in the need to notify, yeah. |
| Rob: | Right. Okay. So we have lots of actual reasons to comply. |
| Roy: | Or at least use it as your guide for knowing what the standards to follow are. Yeah, like I could tell people who aren't covered entities that HIPAA is your legal trouble and lawsuit prevention guide. If you know that you need to protect electronic info, you've got to do security just for ethical reasons, then you turn around and go, "Okay, what does that mean I need to do? What's the list? What's the standards?" You can turn to HIPAA for that. |
| Rob: | Hey, you should probably convince DHHS or OCR to include that as a subtitle for HIPAA. |
| Roy: | Subtitle? Your legal trouble ... |
| Rob: | Your legal trouble and lawsuit prevention guide. |
| Roy: | I'm sure the OCR would be all over that, especially because then they'd be promising some kind of outcome, which is totally what the government loves to do. |
| Rob: | Oh yes. That's why they're so specific about all this stuff instead of vague. |
| Roy: | Yes, right. |
| Rob: | We do have reasons to if not comply, use it as a guide for keeping data secure. How do we do that? |
| Roy: | There's a big list of standards and you do need to kind of address all of them. I don't meant that in the jargon term. There's a jargon term under HIPAA that you know Rob, called adjustable to addressing. I don't mean that when I say it. I mean just you need to look at all the standards and do something with them. I say it that way because as you know very well, as you said earlier, none of the standards are designed to be specific about what you do, right? They're all designed to say you need to meet this standard in the way that your organization needs it. |
| Rob: | The reason for that is because there's so many different organizations providing healthcare of different sizes and so forth and so it would be basically impossible to say this is the standard that works for everybody. |
| Roy: | Exactly. If you look at other regulations that relate to privacy and security, which there are many out there, another one that impacts our audience for example is PCIDSS, which is a kind of, it's a data security standard for people who deal with credit cards or other payment cards. So our folks deal with that, but we tend to use tools that kind of R rate it out. |
| You use Square or those other things like that. Or some of the nice online payment systems or the payment service in your practice management system, they use techniques that ensure that you generally don't need to think about PCIDSS. Or at least not too much. You can be aware of it and then you're fine. HIPAA doesn't have anything like that. There's no way to do that with HIPAA. | |
| Rob: | You can sort of see a slight analogy with business associate agreements. You can offload a good bit of your ... |
| Roy: | That's true. That's true. |
| Rob: | ... your compliance challenges to a third party vendor, but you still ultimately have the final responsibility for ... |
| Roy: | Yes. |
| Rob: | ... making sure everything's in place. |
| Roy: | Using a particular vendor or a particular set of tools does not prevent you from doing the three major things that you have to do every year to maintain HIPAA security compliance, which is ... |
| Rob: | Three major things? |
| Roy: | Three major things. |
| Rob: | We can boil it down to just three things? |
| Roy: | There's just three things. Three simple easy things that take no more than a few months to accomplish. |
| Rob: | Then ongoing yearly or periodic maintenance. |
| Roy: | Yeah, that's right. Although, I think we should tell everybody that periodic maintenance can actually be really easy and not time consuming. It's mostly a lot of work upfront, yeah. |
| Rob: | Yeah, especially in our field. If you don't go through a lot of changes in the technology you're using and so forth, once you get through over that initial hump it's more a matter of just checking in. But that initial hump can be a challenge. |
| Roy: | Right. |
| Rob: | So what are the three big steps to that initial hump? |
| Roy: | Those three big steps are a "thorough and accurate security risk analysis." I said thorough and accurate because that's the only description the law gives for what the risk analysis should constitute. What is a risk analysis? Well, if you look at the law it says it is thorough and accurate. That's what it is. |
| Now of course if refers to a concept in the world of security and privacy that's well established and well documented with lots of information about what works and what doesn't. The National Institute of Standards in Technology have standard guidelines that large organizations can follow, because this designs things for government agencies even though the private sector like us uses them. But risk guidelines and risk analysis are easier to use for technical people in large organizations. | |
| But they still give us a general idea of what a risk analysis format should look like. Now the thing is I always want to emphasize this. HIPAA doesn't tell you how a risk analysis should go. It doesn't tell you what format it should take. It just says it should be thorough and accurate. That's both good and bad because it means that you're given the leeway to do risk analysis the way your practice needs, which is generally how HIPAA does everything. | |
| It says you need to do this the way your practice needs it. The downside is that because it doesn't say what it's supposed to look like, it means that it's left up to you to determine whether or not the method you choose is "thorough and accurate" enough. | |
| Rob: | But we're all very, people in our field are very technically savvy and ... |
| Roy: | Oh yeah, no problem. |
| Rob: | Surely there's a template you can grab and just knock it out in a day, right? |
| Roy: | There are templates, but you probably can't knock it out in a day. |
| Rob: | Especially not if you use the one OCR puts out. |
| Roy: | No. Well, the OCR, well, they don't really have a ... Oh, you're talking about the OCR tool. That's right. |
| Rob: | Yeah. |
| Roy: | Sure. You could knock it out in a day if you don't think about what's happening. |
| Rob: | Yes. If you just check some boxes and don't actually read it and try to understand it. |
| Roy: | You could knock it out in a day because you just answer no to everything. |
| Rob: | Step one, risk analysis. What's step two? |
| Roy: | Step two, or item two, I like to put them ... |
| Rob: | Yeah, it should be item two, yeah. |
| Roy: | They're really kind of interactive with each other, but the risk analysis is kind of step one-ish. The next thing you do is what's called a risk management or risk mitigation plan. Because your risk analysis tells you, like the output of the risk analysis is where are the risks in your practice, right? The idea of a risk analysis is really just to make sure you've taken a thorough and holistic look at everything in your practice and everywhere where you handle client information and making sure that that client information is kept safe in the three important ways, which is the confidentiality of the information, the integrity of the information. |
| The information doesn't get changed after the fact, and the availability of the information. You don't lose it and that you can access your information when you need it. You're looking for, in the risk analysis you're looking for the ways in which any of those three aspects of the information is put at risk. So the second piece is you make a plan for reducing those risks that you found. | |
| Rob: | To zero. |
| Roy: | Zero, totally because it's totally possible to completely eliminate risk from your life. |
| Rob: | You lock it all in a triple locked safe and bury it at the bottom of the ocean. |
| Roy: | That's right. That also is easy to access when you need to get to client records. |
| Rob: | Oh man. Foiled again. |
| Roy: | Foiled again, right. You can protect confidentiality pretty easily if you don't have to worry about availability. |
| Rob: | Yes indeed. |
| Roy: | Yeah. So yeah, you need to make a plan for that. Your risk management plan is also your plan for how you do all this stuff in an ongoing way. If your risk management plan includes things like I'm going to encrypt my computers, which you should do by the way, if that's in your plan, which it probably will be, you might write down kind of when you're going to do that. |
| You might write down when you're going to check up on that kind of thing again. Basically you can write down how regularly do you repeat your risk analysis. | |
| Rob: | All right, so we've got analyze the risk, manage the risk. What's item three? |
| Roy: | Item three is you write it all down essentially. You make what we call a manual. It doesn't actually have to be a manual. It can just be a collection of policies and procedures. |
| Rob: | It sounds like you're talking about paperwork, Roy. |
| Roy: | Yeah, I am. |
| Rob: | We therapists hate paperwork, Roy. |
| Roy: | But we do so much of it, Rob. I know. We hate it, but we do it a lot. |
| Rob: | Well, and to be clear, if you're ever audited and there's a pretty low risk of that, but if you are I'm pretty sure the first thing they ask for is that paperwork. |
| Roy: | That is exactly what they ask for, yeah. They want to see the documentation of your risk analysis and they want to see, usually they'll ask you for certain policies and procedures. They'll ask you for your policy that covers this set of standards, that set of standards. That's the kind of thing they want to see. |
| Rob: | So we've got it boiled down to just three items, but they sound pretty overwhelming. We certainly weren't taught any of this in our graduate program. Most of us just want to get in there and do therapy and don't know the intricate details of technology and security, so how do we accomplish all this? |
| Roy: | That's actually a big question, Rob. I really like to be able to turn to our people and say, "You do it like this." But this is one of those ones where that's kind of the work of the moment is to figure out what's the best way to help our population do this stuff. I think the feds kind of write off the idea that our field, that the solo mental health clinician, they kind of write off the idea that we're going to get really into this and dive into it until of course there's a moment when they need to do some kind of action, like followup on a complaint about our HIPAA compliance or followup on a security breach that we reported. |
| That's the times when they investigate and now suddenly they want to see that risk analysis, they want to see those policies and procedures, but otherwise we're not really the area that people are thinking about in terms of compliance. So there is that kind of challenge. I think the bigger challenge is what's the best way for a small or solo mental health private practice or honestly even just a normal medium sized group proactive, because they find it just as difficult, what's the best way for them to do risk analysis that's accessible to us, but also still "thorough and accurate?" | |
| I can tell you we're working on that at Person-Centered Tech. We're still actively working on it. One of my people and I are working on developing templates for the policies and procedures. We're pretty far along on those. When we're done they will be available to our members at no extra cost, FYI. A little sales there. That's the big work we're trying to do and I know it's not just us trying to do it. That's the big work at the moment for our field around this is how do we come accomplish that. | |
| That said, many practices, I've seen maybe one or 2% of our colleague practices have actually managed to do the risk analysis. Often they have an IT person to help them do it. That's how they accomplished it. Certainly in the show notes we're going to link you to some resources you can use to help you accomplish it, especially if you're tech savvy or you have someone you can tap who is also tech savvy to help you with that. | |
| But that still does leave that gap. It still makes it difficult. All of us manage to comply with our ethics codes and manage to do the classical security measures like double locked files and knowing when we can talk about our clients and when we can't. We all manage to do all of that really well, but we're not quite there with risk analysis. That's a big thing we need to figure out how to do. | |
| And it would be really great if we could have someone who really is qualified to speak to the way the government speaks about this, but also speak to the way we think about this. That would be really handy if there was somebody like that. | |
| Rob: | Somebody with this deep security IT background, but also an understanding of what it's like to be a mental health professional. Gosh, I wish there was someone like that. Whoa, who's at the door, Rob? |
| Roy: | Let's go see. |
| Rob: | Oh hey, it looks like it's security professional and mental health counselor, Clinton Campbell. |
| Roy: | What luck we have. |
| Rob: | God, we're always so lucky with these. |
| Roy: | This episode is brought to you by All Call Technologies, Cloud phone services for the mental health professional. Hey Rob, you use All Call yourself, don't you? |
| Rob: | I do. I do. We've been using them at my practice, Serenity Springs Counseling for at least five years now and it's been wonderful. |
| Roy: | Wow. What would you recommend as the most useful thing about it? |
| Rob: | Well, we have multiple clinicians in the group and so each can have their own extension while still using their own phone. So people call in, they type in the extension, it goes right to the correct clinician. It's awesome. They've got a virtual receptionist feature where you can hit certain buttons to get directions and your fax number so that you don't have to answer the calls for questions like that. It's great. It's been a huge time saver. |
| Roy: | They do HIPAA Business Associate Agreements? |
| Rob: | Absolutely do. |
| Roy: | Fantastic. Use special discount code TTPC50 to get $50 off your setup fee at All Call Technologies. That's TTPC50 at AllCallTechnologies.com. All right, we are here with Clinton Campbell, LMH, CA, CISSP, MS times two. Clinton, you have a lot letters after your name. |
| Clinton C.: | Yeah sure. MS, MA. |
| Roy: | Oh, MA for counseling. You can list them both. Yeah, that's pretty good. Everybody, the reason we brought Clinton here is Clinton is both a mental health professional and a bonafide security professional. Rob and I are LPCs in our respective states, and in Washington where Clinton lives they call it a LMHC, pretty equivalent thing, but and Clinton you're an LMHCA still right? |
| Clinton C.: | Yes, I'm an associate. |
| Roy: | Right, right. I'll have you explain that in a minute. Explain yourself. No. It will make a lot of sense in a minute why Clinton has held that status for a long time. The thing we're really interested in is the CISSP. What the heck is that, Clinton? |
| Clinton C.: | CISSP is a Certified Information Systems Security Professional. It's a certificate I've held for I want to say going on 12 years now, something like that. What it is is it's one of the older certificates as far as the security profession is concerned and it requires you to have a certain amount of experience, career experience, working in a professional setting doing cybersecurity as well as passing a six or seven hour exam sort of like the licensure exam. |
| Then along the way after that you have to maintain continuing education credits, so it's a lot like the licensure process for mental health professionals, but it's maintained by an external organization of course. | |
| Roy: | That's a good way to put it. You also had to have a postgraduate degree, like a Masters or a Doctorate in Computer Science, right? |
| Clinton C.: | The Masters helped. The Masters actually simplified the work experience part a little bit. They ended up counting that as the first year or so of work experience. |
| Roy: | Got it. Where did you work in order to earn your CISSP? |
| Clinton C.: | I got it while I was at the National Security Agency. |
| Roy: | Wait, wait. Wait, the same one that's spying on my emails? |
| Clinton C.: | Yup, the very same one. |
| Roy: | Did you know Edward Snowden? |
| Clinton C.: | Eddie? Yeah, my buddy. No, no, I didn't. Edward, I believe that Snowden came through shortly after I left to start my Counseling Masters. |
| Roy: | Oh okay, okay. All right, that's too bad. It would have been cool if you met him. The key is you've been doing this a while. |
| Clinton C.: | I've been doing this a while. I think it's, I figured it's coming on, I'm getting closer and closer to that 20 year mark. |
| Roy: | Oh wow. So CISSP, what's their relationship to HIPAA? |
| Clinton C.: | CISSPs, the relationship to HIPAA in terms of ... It's not a direct relationship I guess I should say. The way I would describe the relationship is that CISSPs have to have some broad knowledge of the cybersecurity range of expertise. So we need to know some about governance, about compliance, about the legal and regulatory aspects of security as well as the technical dimensions of security. |
| In terms of HIPAA, somebody who is a CISSP is usually going to be much more qualified to help you to make decisions about what's going on with your security and the security controls than somebody who is not. Now, that's not to say that there's not a lot of value of somebody who is very steeped in what's going on on HIPAA. Usually you need both. A CISSP isn't necessarily guaranteed to have that, but they're likely to have the base to be able to dive in and help on any related problem. | |
| Roy: | Yeah. I like to think of it as kind of similar to when someone is, that same comparison you made to being a licensed mental health professional. I don't have any extra training in CBT after my graduate program, but certainly if I needed to help somebody with some basic thought stopping and such, I know how to do that even though it's not my specialty. |
| Clinton C.: | Agreed. Yup. |
| Roy: | Makes sense. Okay. Well, great. So I just want to make sure everyone understands the fact that when, he holds that sort of minimum professional certification for being the kind of person who works with HIPAA and security and the security aspects of regulation. Clinton comes from a highly expert place here and that's why we're really happy to have him on the show. Let's go to that first question, Rob. |
| Rob: | Yeah, so Clinton, since you have this giant tech brain, we're curious how you conceptualize HIPAA compliance for those that don't have that massive amount of experience? |
| Clinton C.: | I'm going to step back a little bit from the technology first because the place I usually go with people with I'm talking about HIPAA compliance is to let them know that compliance itself is not necessarily a technical problem. Compliance, there's three topics that I usually start to dive into. Three big topics when it comes to HIPAA. You have the compliance process itself, you have privacy and you have security. |
| Compliance in my mind is more of a legal matter. Compliance actually says that I complied with a certain set of regulations that are laid out by law and that the Department of Health and Human Services has set up standards and rules for. So when it comes to compliance I think of it as that legal and ethical responsibility to have business processes in place to make sure that you meet these standards. That's probably the starting point I would go with. Do you want me to keep going on security and privacy or do ... | |
| Rob: | Yup. |
| Clinton C.: | Okay, so security is the area where I would say that the technical comes in the most. When we're looking at security, I think of it primarily as actually, and this is one of the areas where my counseling background has transformed the way I approach the field of security, but I think of security as a primarily relational concept. One thing I realized going through my program was that the same words I came across on a day to day basis at my job at the NSA, vulnerability, trust, boundaries, all of these things were the same kind of core language of the mental health world that I was diving into at the time. |
| So I think of security primarily as a relational piece. It's how are we going to protect the things, the communication with one another? How are we going to safeguard it? What are the boundaries on it? What are the rules on it and how are we going to protect the information we [inaudible 00:37:28] one another? | |
| We have our own rules that are, we probably don't even think about in terms of our personal relationships for the most part unless we're sitting with our own therapists and then we're probably think quite a bit about them, about how we keep those relationships, that information, and all of those pieces secure and trustworthy, but when it comes to the computer side, where the technology really comes in is the implementation. We have this idea of what we want to accomplish in terms of our relationships. Then we have to figure out how are we going to do that given all of the technology that we have at our disposal. | |
| I think we can step away and [inaudible 00:38:06] I tend to go with folks is I tend to step away a little bit from purely from the compliance standpoint and to point how technology has transformed all areas of our relationships and how a lot of times we have boundaries related to those relationships due to the new technology and due to how we're expressing ourselves online or taking advantage of that to communicate with one another or to connect more broadly on the social side. | |
| So privacy is a little bit more difficult to explain. It is tangential to security. There is overlap because we're dealing with a lot of times the confidentiality of information. But I would privacy is predominantly a legal as well as a relational concept. When it comes to privacy the biggest thing we're thinking about is the information I give my therapist, the information I give my healthcare provider doesn't get shared beyond the ways that I intend it to be shared. | |
| So as a healthcare provider, as a mental health professional I have a legal responsibility to protect the information that my clients are giving me and that is there whether I'm storing it on paper, that is there whether I'm storing it on my computer, whether I'm communicating about it to a insurance biller, to a clearinghouse for claims or to anybody else, any other medical professional, so that's where privacy comes in. | |
| The other side to privacy that I like to think about, and this is one that doesn't, I don't think it comes up quite as much for mental health professionals, but it does pop in there some. But it's not just how we protect that information, it's how we use it. I think as I look at the changes that are happening in technology I can see pretty clearly that a lot of people are more and more sensitive to how their information is being used. | |
| So we give our information to Google in the form of our email or we give it to Microsoft in the form of our email or our documents, and then we wait and we see how they're using it. With regard to HIPAA and with regard to our job as professionals, we're supposed to use that information for the process of healthcare itself. We're supposed to use it to a limited extent to run our own businesses, to bill our clients, to do all of that. But we're not necessarily permitted to take the information about our clients and translate that into a really effective ad campaign and to target our clients to get them to do more therapy. | |
| That would be a gross misstep in terms of privacy. So it's a little bit more challenging of a concept. A lot of times because confidentiality is already such a high ethical standard, most professionals are really at a good place in terms of that. They're coming at privacy pretty conservatively and so the focus tends to be a lot more on security of information. | |
| Roy: | Clinton, let me ask, when you're talking about security, you mentioned all the technology available to us and you made a good point about how what we're supposed to do with all that is something we already understand, but the tech may not be something we understand. I think that's going to be one of the challenges for a lot of our listeners, or actually I know that's the big challenge for a lot of our listeners. They can understand the ideas behind how compliance works and the technical aspects. How do they tackle tech? How do they tackle the fact that it's not easy for them to understand? |
| Clinton C.: | It's a tricky question. It depends a lot on the particular scenario. Let's try to break it down a bit. The way I would usually start with somebody is I would try to get them to focus on the overall process. What I want to see when I'm working with somebody and what I want to see when I'm looking at whether or not somebody is compliant or is really doing the work they need to prove that they would be compliant to somebody else, I want to see that they have an intentional process going. |
| So I think one of the big obstacles that a lot of us have is that we don't like to think of ourselves as running a business. We want to do the work of mental health, we want to do the work of counseling and sit with our clients, but when it comes to being a business owner there's a lot bigger block there. | |
| So I tend to say okay, let's let that process guide us and take us through the different things that need to be done. So at that point the tech kind of comes up in reasonable bits and so I can go in and I can learn a little bit about HIPAA and learn okay, I need to keep my computer itself secure. That tends to be the more obvious one. I need to keep my computer itself secure. | |
| How do I go about that? So there's going to be a range of answers depending on what you're looking at, so encryption is a big one that I think the three of us have talked with our clients about. You want to make sure that you've encrypted your machine. You want to make sure that you've encrypted your phone or any other device that's storing information. | |
| Fortunately because the solutions are pretty mature in that area, that tends to be an easier problem to solve, especially in this case on Apple devices. It's not always the case. Sometimes Windows is easier. Sometimes Apple is easier. | |
| Roy: | Encryption is super easy on all the devices that we typically use in this business. |
| Clinton C.: | Yeah, it's one that doesn't take a whole lot to really dig in and to make it happen. So in that particular case I would say to the 55-year-old or even the 35-year-old social worker or therapist, you don't have to worry too much about the technical side of it, of what's happening. What you need to know is how to enable encryption on your device and how to make sure it's happened. Then you need to document that process. |
| That's an easy one to resolve. That's an easy one to do without having to be particularly tech savvy. I think for most cases we can kind of guide people down that path. What I tend to like to do is if I'm working with somebody one on one or if I'm working with a smaller organization I want to make them a little bit more tech savvy as we go, but I want to give it to them in bite sized pieces. I don't want to overwhelm you and make you think you have to become a tech expert, because that shouldn't be the case. | |
| If you have to be a tech expert to be HIPAA complaint, then there's a problem. Now on the other side, the trade off to that is you might have to invest a little bit to gather that expertise where it's needed because there are places where you're going to need to consult with a tech expert or you're going to need to go and research a little bit into the technology you're using. | |
| Roy: | Clinton, I think one thing you're doing here is you're definitely validating the idea of approaching HIPAA compliance in pieces, which is something I'm also a big fan of. I know Rob is too. Also, the idea of the actual compliance process is one thing, but say covering your most important risk is a different thing, but that's essentially what you just said. |
| You just talked about cover the most important and achievable risk coverage, right? You said encrypt your stuff, encrypt your devices, which I agree is the most basic easily achieved most effective thing to do. You're not prescribing say how someone goes and does a full "thorough and accurate" security risk analysis. So I'm kind of curious about, since that's the first step in the security rule, why aren't you saying do that first? | |
| Clinton C.: | You know, I think that when it comes to risk analysis it is one of the most important things and I think it's one of the most overlooked things with the people I run into. I would say the documentation and that kind of business process side of it in general tends to be overlooked by the folks that I work with or that I encounter. Even friends and colleagues, they just don't realize that needs to be there. |
| What I would say is there's a piece of that that we can look at. We could provide a checklist. There are a couple of checklists out there that say here are some key risks that you need to take care of. I think that's always a good starting point in terms of getting that process going is to take a list of the top five or the top 10 risks and to dive into those and to start looking at how you manage those. | |
| When it comes to key features like encryption, I think that becomes essential in terms of managing those risks, but there also is a point in there where it's very difficult for somebody and probably even impossible to an extent for somebody who isn't deeply technical and deeply versed in the compliance process to tease out all of those risks on their own. | |
| What I would say there is that for most people what they're going to be looking for is a research that's going to tell them what their key risks are, that's going to do a lot of that analysis legwork for them. I think that's what we tend to be providing to our clients and to the public. | |
| Roy: | It sounds familiar, right? Yeah. |
| Clinton C.: | The reason that's challenging is how user friendly our devices are becoming. The one thing you have to remember is that these devices are being made more and more user friendly in a very consumer-oriented way, but not necessarily in a business-oriented way. So we get all of these great features that pop up on our MAC or our PC or our Android or our iPhone that allow us to work more seamlessly between devices, more seamlessly with other people, but they all have implications when it comes to compliance. |
| I think this is the area because most of us, most folks out there don't have the technical knowledge, the sense of architecture of these systems to be able to really discern what has an impact and what doesn't, it becomes hard to say okay, the first thing you need to do is to go conduct your own risk analysis without outside resources. I think it's impossible to do without outside resources there. | |
| So an example of those features I'm talking about, I recently spent some time rebuilding my computer from scratch after some issues and I'd done the same with a couple of PCs lately, so I'm on a MAC. In both cases Windows and Apple, Microsoft and Apple have introduced features that will automatically if you don't know what you're doing, they'll automatically put your desktop and your documents and other key pieces of information on your computer up into their Cloud. | |
| Roy: | Yup. |
| Clinton C.: | That Cloud is probably not going to be HIPAA compliant in the least or even be compatible with HIPAA compliance in the least. So that's the place where if I'm a social worker that's not technically inclined or if I'm any sort of professional that's not technically inclined I've got to go out and I've got to be looking at okay, I need to prep a new device, I need to replace my device, to upgrade it, to take it in for maintenance. How do I do this in a way that is compatible with my responsibilities for HIPAA? |
| I wish I could say that all of those resources are in one place. The reality is that today they're not, but we're gathering them for you. I look at both of your websites ... | |
| Roy: | Say, [crosstalk 00:48:38]. |
| Clinton C.: | ... what you've done over time with your blogs is you've put a lot of those resources in place so people can find them and hit the big ticket items. That's just an ongoing process. I think that's what most people need to realize when they're doing this is be prepared for an ongoing process. |
| Roy: | Right on. Well said, Clinton. That was really good. That's very encouraging and validating for, I don't want to speak to Rob's feelings, but imagine he feels validated like I do that this is kind of the approach we've been taking for a long time now to try to help people know okay, so you don't understand the under the hood architecture of an iPhone, but let me tell you the aspects of it that you need to be aware of and that you need to address. |
| Clinton C.: | Absolutely. |
| Rob: | Exactly. |
| Roy: | Yeah, yeah. Okay. I think we could talk to Clinton all day about this, but we need to get a little more personal, don't we? We've got to deepen this relationship here, Rob. |
| Rob: | How are we going to do that? |
| Roy: | Well, maybe we should ask him something about himself, like maybe pick a word that we can use to guide us. |
| Rob: | Yeah. |
| Speaker 4: | Describe comes with over a dozen activities that can be used with clients of all ages. Find out more at DescribeCards.com. |
| Rob: | You ready, Clinton? |
| Clinton C.: | As ready as I'm going to get I guess. |
| Rob: | All right. Today's word is entertaining. |
| Clinton C.: | Entertaining. |
| Rob: | What is something entertaining about you? |
| Clinton C.: | Oh man, what is entertaining about me? Not necessarily, that wasn't necessarily in a self aggrandizing way either. |
| Roy: | All kinds of things are entertaining about you, Clinton. I don't know. |
| Clinton C.: | I am so interesting. |
| Roy: | You have a great beard. |
| Clinton C.: | I do have a good beard. I do have a good beard. I do also, and this is somewhat entertaining at least to me, I do also have the, I don't know if I've shared this with you Roy, but I have the habit of occasionally accidentally taking off my beard. I teach on occasion at the University of Washington so this was the last time I did this. I was teaching for the quarter, I went in, I knew I needed to trim up my beard a little bit and I just happened to have taken the guard off of the trimmers before I started. |
| So I end up with a big chunk out of the beard and so like most people I think that are in that position, they're trying to trim up their hair, their beard or whatever, it was like oh, I can fix this. So I started trying to fix it and then realized it was a lost cause. So the next thing I did was just say I'm going to pull this thing off completely. I shaved it, went clean-faced for the first time in probably about a year and showed up the next night to my class where I was planning on giving a quiz to my students. | |
| So for the entire 15 minute period I gave them to ask me questions in preparation for the quiz all they could do was focus on the beard or the lack of the beard and how different it looked. The previous time it happened was actually, and I share this and I think one of the reasons it's entertaining is how much different I apparently look without my beard. The time before it had happened was a weekend of a friend's wedding and in between the wedding and then a party the next day with the family I accidentally took off my beard. | |
| I had a conversation with a woman that I have known for a little while now and we're sitting there and we're talking for probably 30 minutes with a couple of other people, and then she stops and asks me in a way that I knew that she had no clue who I was, where I was visiting from to go to the wedding. In her defense I did have sunglasses on as well as not having the beard anymore and I just started laughing, took off the sunglasses and it took her a moment, but she eventually did realize who I was. I can go incognito pretty easily just by shaving that off. | |
| Roy: | That is pretty good. That is definitely an entertaining story you have. |
| Rob: | This is a remnant from your days at the NSA isn't it? |
| Roy: | We know you're a spy, Clinton. |
| Rob: | How awesome is that? |
| Roy: | This has been extremely informative, Clinton and we're definitely going to be following up on this as we continue to talk in this podcast. |
| Clinton C.: | Thank you. |
| Roy: | Right on. Thanks for joining us. |
| Rob: | People want to hear more about you and any services that you offer, where do they look for you? |
| Clinton C.: | Our website is QuirkTree, Q-U-I-R-K-T-R-E-E. So QuirkTree.com is the easiest place to find out more about us and to get information on me and to get in contact with me. |
| Rob: | For those of you driving, don't panic, it will be on the show notes. |
| Roy: | Please don't contact Clinton while driving, right on. Thanks a lot Clinton. |
| Rob: | Yes, thank you Clinton. |
| Clinton C.: | Thank you guys. |
| Rob: | Wow, that was really helpful. There was a lot of information there. Even I might feel a little overwhelmed, but I think that was really helpful for helping us conceptualize this. |
| Roy: | Yeah. I'll tell you what I found most helpful about that was Clinton, someone who has worked at NSA, who has the proper certification to actually advise on how people would perform their compliance duties in healthcare and in a lot of other fields too, him saying that doing it piecewise is actually a good way to do it, him confirming that you don't have to be in full 100% compliance in order to be working towards compliance, that was really validating for me. |
| Rob: | Yeah, the key is you've got to be doing something, at least moving in a positive direction. |
| Roy: | Right. That's right. Also, talking about what's the biggest, most important low hanging fruit items? Which is great because you and I know that those are totally doable for our field. |
| Rob: | Well, and it's another area where we can kind of, many of us can take what we often do to help our clients and utilize those skills ourselves. Hey, start with the stuff that you know you can accomplish, start to build confidence, break it down into smaller chunks. |
| Roy: | Yup, absolutely. So okay, let's real quick run through what we know are those low hanging fruit, first chunks people should probably do. For you Rob, if you've got an elevator ride to explain to somebody the first low hanging fruit items they should do, what do you tell them? |
| Rob: | I think number one, I don't know, for me it's a tie, but I'm going to go with number one being and doing full disk encryption on all your devices and peripheral things like any hard drives, external hard drives, anything that actually is containing or transmitting protected health information. |
| Roy: | Great. We'll totally put a link to some explanations of what that is in the show notes for people, because that is also my number one. But you said it's tied with something. What is it tied with for you? |
| Rob: | If something was going to tie, I would say making sure you have some really strong policies and procedures around, and again, this depends on if you're a solo practitioner, a group practice, because those things will look different depending, but I really think people need to be using things like dual authentication. |
| Roy: | Yeah. |
| Rob: | Number two being hey, expand beyond just using strong passwords, but using dual authentication and other tools that are available for making things even more secure. |
| Roy: | Yeah, that actually is solidly my number two as well. |
| Rob: | To be clear for those that may not understand what I'm saying, dual authentication also known as multifactor authentication, you have a separate piece of information you have to provide to log into a specific service. So Google Authenticator is a well known application that is used by many different applications where it's an app you install on your phone, it generates codes that change every I think 30 seconds these days. It might be less. |
| In addition to entering your password, if you're logging in from a new device to a service it will prompt you to also enter this code. So even if someone has stolen your password, they won't be able to get in unless they also have your phone or whatever device is generating those codes. | |
| Roy: | Earlier in the episode I talked about those colleagues who talked to us because their email had been hacked. In a few of those cases they actually had not been hacked, it just looked like they'd been hacked. But in the situations where it had been hacked, every single one of them, they would not have been hacked if they had been using the two factor authentication. That's the way that goes because there's always password guessing. |
| Yeah, what's interesting there by the way, is two factor is also my number two, but until about a year or two years ago virus protection was my number two. Then two factor became my number two because so many of us are actually putting so much more of our information on online services as opposed to on our computers. Now two factor, basically doing more than just having a password is becoming just so important so we're on the same page. That's right after encrypting all your stuff. | |
| Rob: | Mm-hmm (affirmative). Yeah, and to be clear, virus protection is still important. |
| Roy: | Yeah, it's my number three. Right. |
| Rob: | Yeah. |
| Roy: | By virus protection I mean the anti malware, the antivirus, but also turning on the firewall on your computer. That's also antivirus. Right. |
| Rob: | Right. |
| Roy: | Yeah, those are big things. To sell something about myself, I do have a one hour course, a CE course, that covers those things we just talked about. |
| Rob: | Is it called The Low Hanging Fruit Course? |
| Roy: | It's not, but it should be. It's called ... |
| Rob: | That's another subtitle. |
| Roy: | It actually does say low hanging fruit in the motto on the page, the brochure for the course. The course is called HIPAA Investigation Repellent, but it's one hour and it covers those low hanging fruit items. We're probably going to update it in quarter one or two of 2018 and it will get a new name, but we do have that one hour course. It's APA and NBCC approved. |
| Rob: | That's a pretty nifty name to begin with. |
| Roy: | Is it? Yeah, I thought so. Right. Yeah. Yeah, so we've got that, but of course we will have resource links in the show notes to help you figure out how to do Rob and Roy's top three things to do for HIPAA compliance. |
| Rob: | Absolutely. Again, that's not the end all be all, but it's certainly like you said, the low hanging fruit, the things where people can at least get the ball rolling or have some good security policies and procedures in place. |
| Roy: | Honestly, it will prevent a huge portion of the real risks that you would find when you do the full compliance. |
| Rob: | Right. |
| Roy: | Yeah, it will do al to. Right, so at least do those. |
| Rob: | Yeah. You will already be able to say when you get to the risk management part, you'll already have three answers for how you're managing those risks. |
| Roy: | Exactly. That's exactly right. Yeah, and if you're in a solo practice, those three things will go an especially long way. Okay. All right, so I think the rest of what we can help people with is right there in the show notes, so I know a lot of you will listen to this podcast on Google Play or on Apple Music or whatever and so you don't look at the show notes. This is one where you want to go look at the notes because you're going to want to follow up on what we tell you to do and the show notes will give you the resources for that, so make sure you check those out. |
| Rob: | All right, so that about wraps us up. |
| Roy: | Yeah. All right. |
| Rob: | Hopefully this will be a good reference point. I'm sure we'll be talking about HIPAA much, much more and directly associating it with various technology and other issues. |
| Roy: | No more HIPAA for me. |
| Rob: | Hopefully this was good ... What's that? |
| Roy: | No more HIPAA for me. I'm done. |
| Rob: | Roy's done with HIPAA. |
| Roy: | I give you all the HIPAAs. |
| Rob: | He refused to talk about any more HIPAA in future episodes. That should make for some really tough shows. |
| Roy: | Yeah. You're right. Okay, okay, fine. I'll talk about HIPAA again. All right. |
| Rob: | But this is a good, hopefully this was a good baseline podcast for everybody to get an idea, wrap their head around this concept of HIPAA so that any time we talk about it in the future you'll understand where we're coming from. |
| Roy: | Absolutely. Right on. Well, I guess we'll sign off then, Rob. |
| Rob: | Until next time. |
| Roy: | I'm Roy. |
| Rob: | And I'm Rob. This has been Therapy Tech, with us. |
| Roy: | With us. |
| Rob: | Thank you for tuning into Therapy Tech with Rob and Roy. This episode has been sponsored by All Call Technologies, Cloud phone services for the mental health professional. AllCallTechnologies.com. The episode notes and helpful resources can be found at www.TherapyTechRobRoy.com. Until next time, may both your body and your computer be free of viruses. |
Photo by Ghost Presenter on Unsplash
