Most counselors I speak with are not fully compliant with HIPAA/HITECH (the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, respectively). One of the primary areas in which they are not compliant is in the documentation of a risk assessment, along with security policies and procedures. Although some elements within HIPAA are merely recommended, these are items required of every “covered entity,” whether that entity is a hospital or a solo practitioner.
A number of consultants and tools are available to help create these required items. Unfortunately, most of these tools are cost-prohibitive for counselors and have a very strong medical-centric focus. The Office of the National Coordinator for Health Information Technology provides a free tool for completing a risk assessment (see bit.ly/1B7BvkL). It is cumbersome, however, and many people can’t make it through the HIPAA and techie speak.
When I first started my consulting business, I had thoughts of creating a user-friendly tool to walk mental health professionals through this process. One of the many topics I discussed in a podcast interview with Joe Sanok of Practice of the Practice was prioritization (see bit.ly/ctaugpop). I told him that I come up with more ideas than I have time to work on, and a major factor in choosing which ones to pursue is whether I will enjoy them. The idea for developing a HIPAA risk assessment tool was one that quickly fell into the “I really don’t want to do that” basket.
Thankfully, along came Roy Huggins of Person-Centered Tech. Roy is to HIPAA compliance what I am to implementation of technology to make practices more efficient. He not only “gets it” but also is able to communicate it to counselors in a way that makes sense.
I interviewed Roy to learn more about his approach to these topics and how he translates them for mental health professionals. At the time of this interview, he was completing phase one of a workbook that will walk mental health professionals through the steps of creating required documents for HIPAA, such as a risk assessment and policies and procedures.
Rob Reinhardt: What is the HIPAA security rule all about, and how is it different from the privacy rule?
Roy Huggins: The security rule is the part of HIPAA that is concerned with the safety of digital info. As you can imagine, that wasn’t such a big deal for counselors back in 2003, but it is a big deal now. The more we use digital tech in our practices, the more relevant the security rule becomes.
The privacy rule is the part of HIPAA that tends to get better coverage in HIPAA trainings. It covers things like the notice of privacy practices (aka “the HIPAA form”), the “minimum necessary” rule, requirements to provide clients with copies of their records and all that jazz.
The security rule is pretty focused on how we protect our clients’ sensitive information, particularly when it is in a digital form.
RR: The security rule seems enormous and overwhelming. Can you sum it up in terms we can all understand?
RH: I think it seems so large partly because it is pretty large, but also because they wrote it so that it would cover the needs of everything from solo counseling practices to big hospital systems. So the law talks about all kinds of technical requirements that a solo counselor may or may not need to specifically worry about. It’s hard to know which is which, however, so it just comes across as overwhelming. The short version is this:
1) Do a needs assessment around keeping your clients’ information safe. This is what is called a risk analysis or risk assessment — either is fine. It’s a lot like a community needs assessment but for the safety of your clients’ information. Take a holistic look at your practice to see how your clients’ info is being kept safe or not, and make a list of the places where your clients’ info is at the highest safety risk right now.
2) Make a plan to meet those safety needs. This is called a risk management plan, and it’s where you come up with a list of strategies to meet the safety needs you discovered in step one.
3) Make a policies and procedures manual. While thinking about your risk management plan, you’ll come up with a list of ideas that sound something like, “I will back up my computer every Friday” or “I will make a better password for my email.” The policies and procedures manual is where you would document these good ideas and enshrine them as official policies going forward.
That last step is where the security rule’s apparent bigness comes in, in my opinion. The rule defines a bunch of things that we’re supposed to address in our policies and procedures. The way the rule is written, however, is really opaque and technical. It’s very difficult to understand what HIPAA wants without guidance or interpretation.
The truth, however, is that your policies and procedures don’t need to be written in tech speak, legalese or anything else but the kind of plain English that you and anyone else working in your practice can understand. You’ll probably need guidance to convert HIPAA’s abstract policy requirements into your own real policies and procedures manual, but once you’ve got them written, they’re written. The ongoing piece of HIPAA security is mostly about following your own policies and doing an abbreviated version of the three steps every year or so.
RR: It still sounds like there’s an awful lot a covered entity has to do to be in compliance. If counselors had to choose a starting point to work forward from, where would you suggest they begin?
RH: The upfront work of doing those three steps does take a chunk of time. That’s the unfortunate truth. The good news, however, is that you don’t necessarily have to do it all at once or do it quickly.
The powers that be are surprisingly willing to be gentle with people who demonstrate ongoing progress toward HIPAA compliance. This is especially true with the security rule, and it’s especially true right now, when most of American health care is still working out the kinks in that whole “health care information technology” thing. The important thing is just to start. Document what you do, just like in therapy!
For the security rule, the first thing is to find out the best way for you and your practice to perform that risk analysis project. Most people start with some kind of training to help them figure out where to get started on the actual compliance projects.
RR: How might this process be different for counselors from, say, medical doctors or hospitals?
RH: The compliance process is technically the same, but your outcomes might be different. Hospitals usually don’t have the freedom to collaborate and work with clients the way we do. This has a significant impact on how we manage security and, thusly, it can have a real impact on how we manage certain parts of HIPAA compliance.
Differences in the process of compliance are more about a practice’s size than about the profession in that practice. A hospital needs a compliance team and often needs professional consultants because their equipment and systems are just so much more complex than ours. Also, HIPAA’s expectations set a much higher bar for hospital security than for small counseling practice security.
Small-to-medium mental health practices can often manage most or all of the compliance work on their own if they feel confident they can do the work. I have seen many solo and small group practices do a good job of risk analysis with just a little consulting to help them out. The best way of going about it depends on the person and the practice.
RR: You’re developing a workbook that helps counselors get through this process as painlessly as possible. Can you tell us a bit about that?
RH: I’ve spent so much time over the years teaching counselors and other mental health pros about the three steps described above, but every time people ask for resources to get started, I have found myself unsatisfied with the referrals available to us. There is a lot of guidance, but it is highly technical and difficult for counselors to identify with. So I decided to finally make my own tool that counselors can feel comfortable with.
We discovered through testing that it works best as a website service that can “railroad” the counselor through simple questionnaires and creative exercises. The software then produces a risk analysis with recommendations for risk management planning. The software also has prewritten policies and procedures that meet requirements set out by HIPAA, and it will provide the counselor some guidance on how to amend those policies to meet the counselor’s specific needs. HIPAA security is quite individual, however, so the tool includes group consultation sessions to help when people hit snags.
RR: I’ve had a look at the beta version of your workbook. You do an excellent job of translating HIPAA and techie speak to language everyone can understand. How did you manage to do that?
RH: There are a surprising number of parallels between what we do as clinicians and what HIPAA asks us to do for security. One reason for the crossover is that security is heavily oriented toward risk management. We’re already accustomed to risk management because that’s how we approach working with self-harm risks in clients. We assess their risk of self-harm, then we respond with measures appropriate to the level of risk — e.g., a no-harm contract for lower risks, hospitalization for imminent and ongoing danger, etc.
We also do security already. We just don’t label it that way. Instead, we just call it “confidentiality.” In my life, I’ve never been so interested in locking file cabinets and white noise machines as I am now that I’m a professional counselor.
RR: Are there any special circumstances that would necessitate someone getting help in going through your workbook?
RH: Every situation is unique. Our tool can anticipate a lot of people’s needs but not 100 percent of them. That’s why the workbook subscription includes the online consultation meetings. That can fill in the gaps that the software doesn’t anticipate.
We have also found that therapists are much more successful in doing their security work when they do it with a group. HIPAA compliance need not be solo drudgery — it can be a shared and joyful experience if approached in the right way.
RR: How do you see the workbook developing in the future, and how do you plan to keep up with changes in technology and HIPAA/HITECH?
RH: My dream for the workbook is for it to become rather like the holographic doctor in Deep Space Nine — pardon my nerding — except for practice tech instead of medicine. This tool has the potential to one day anticipate, track and support the health information technology needs of all the counselors who use it, like a holographic technology staff for our practices that takes care of the hard stuff for us.
The tool will let us — the staff behind it — do the work of keeping up with tech and HIPAA/HITECH changes and helping counselors adjust to them as needed. I think this is a necessary part of future practice, and it’s also necessary for the tools to be affordable and easy to use.
Ten years ago, we weren’t as concerned about HIPAA because our own professional ethics were generally tighter than [HIPAA] was. We’re starting to see that happen again with digital tech. For example, the 2014 ACA Code of Ethics has a higher threshold than HIPAA does for informing our clients of security risks in using email. If we can take ownership of digital information safekeeping the same way we took ownership of paper information safekeeping long before HIPAA came along, then HIPAA will become significantly less of an overwhelm. I’m really hoping that the tool we’re building will help counselors and our colleagues to do that.
Readers can find out more about the workbook at bit.ly/CTJuly2015.
Rob Reinhardt, a licensed professional counselor supervisor, is a private practice and business consultant who helps counselors create and maintain efficient, successful private practices. Before becoming a professional counselor, he worked as a software developer and director of information technology. Contact him at email@example.com.
Letters to the editor: firstname.lastname@example.org