HIPAA, security, and digital risk


Copyright © 2017 by Joseph R. Sanok
All rights reserved.
Published in the United States by Sanok Counseling PLLC,
Traverse City, MI.
www.practiceofthepractice.com
www.personcenteredtech.com/pop


Legal Stuff:
This publication is designed to provide accurate and
authoritative information in regard to the subject matter
covered. It is provided with the understanding that the author
and publisher are not engaged in rendering legal, accounting,
or other professional services. If legal advice or other expert
assistance is required, the service of a competent
professional person should be sought.
Also, please don’t copy this book illegally.


CONTENTS

Chapter 1: HIPAA Struggles
Chapter 2: Making Security a Priority
Chapter 3: What You Need To Know About HIPAA Audits / Investigations
Chapter 4: Practice Basics
Chapter 5: Lean Into Digital Security


HIPAA STRUGGLES
Identity Issue
The biggest struggle for people is to get really theoretical about it. For therapists, there's actually an identity issue around HIPAA. There are a couple of pieces to HIPAA, and the one we tend to have the easiest time with is what's called the HIPAA Privacy Rule. That's the one where you have to give clients the HIPAA form which has your privacy practices on it. It's actually called the Notice of Privacy Practices, but everyone just calls it the HIPAA form. That one's pretty easy, because it just consists of how you're going to take care of confidentiality and what your office policies are around record requests, etc.
The HIPAA Security Rule, however, is the part that relates to digital tech. In the last five or so years, this has also become important, because we're using digital tech and we're putting client records on servers on the internet. And, while these systems make our practices a lot more efficient, there is a security risk involved. Yet, therapists tend to have an ‘identity’ that says they don't do technical things, they do human things. So, when the Security Rule came along, it said you need to think about encryption. And, when you're putting client information on a device, where does that information flow? Who has access to your information when you put it on a cloud service? Therapists have a lot of resistance to the idea of learning to understand this and learning how to manage it the way we've always managed client security. While it’s now referred to as ‘confidentiality’, it’s the same as the client security we've done for decades. But, suddenly, because of the digital side of things, there's a big technical aspect, and a lot of therapists struggle with the identity issues surrounding this.

Overwhelm Leads To Avoidance
People are so overwhelmed, and not just with HIPAA but with marketing or social media too, that they become paralyzed by perfection. They want to do it right, and make sure they’re good at it, but they also don't know where to start. When it comes to learning how HIPAA Security Compliance works, therapists often feel overwhelmed. When this happens, they turn to avoidance. They'll say, “Well, I'm not going to bother with it, because I can't understand it, so why deal with the pain of being overwhelmed?”

Ignoring What You Can’t See
When you can see the client file, you know exactly what to do to take care of it. And, if you notice that you messed up, you feel it and you feel motivated to fix it. Like, for example, leaving the file outside of the filing cabinet, or handing it over to some shady guy on the street who says, “I'll take care of it for you”. Therapists wouldn’t do this. Instead, we're pretty good at coming up with the right kind of security measures to take care of the things we can see, i.e. client files. But, when it comes to things we can't see, like the Internet, people tend not to have an understanding of what it physically looks like when you put a record on a practice management system, which is in the cloud somewhere. People can’t really conceptualize that. An analogy that might help is to think that when we use any email service, we're basically doing the equivalent of handing our client files to some guy on the street. With every email service we use, there are people holding on to all the emails we have exchanged, but we don't realise that, because we don't see it. This is not necessarily anyone's fault, because it's not in our day-to-day conversations, or even in the news. We don’t generally talk about the tech in our lives. So, you don't see it, no one talks about it, and it ends up being out of mind. It almost taps into something deeper in the brain: the things that are right in front of us, we tend to take action on, whereas the things outside of that, we don't.

The Belief That Someone Else Has It Under Control
This struggle ties in with the feeling of overwhelm leading to avoidance, and ignoring that which we cannot see. One thing we've been taught since the early 90s about technology is that someone else takes care of it. You just use it. The general philosophy in software development is that you should make something that just works. It shouldn't be something you think about, or have to have a concept of how it works. You just do it, you just use it, and it just works. So we've been trained to think about our tech that way since the early 90s, and not for entirely bad reasons. But, now that we're suddenly moving information everywhere, using the internet, that philosophy is starting to become dangerous. Especially for professionals like us who are handling really sensitive information; information that can have a big impact on the lives of the people we care about, our clients. So now, when someone comes along and says their product is HIPAA Compliant, we stop thinking. We immediately take on the perspective that ‘someone else has it under control’, and we let go of the bit of vigilance that we usually always maintain regarding the safety of our clients’ information.

MAKING SECURITY A PRIORITY
Within the realm of things we understand as therapists,
we do this already. We didn't call it ‘security’ in grad
school, but we have always made security a priority. We
just called it ‘confidentiality’. When it comes to dealing
with confidentiality in the online realm, or in your digital
tech, it works the same. And, you want to be as vigilant
as you are with your physical file cabinet. For example, if
someone started mucking about with your file cabinet, or
tried to walk into the room while you’re in session, you
would be pissed off, right? You know that your client
trusts you and considers your office a safe space, which
is something you want to protect. So, we need to extend
that attitude into the digital realm. It's hard, however, to
have that attitude when you don't really know what's
going on. You want to be able to trust someone else to
take care of it for you and, to a certain extent, you can.
You don’t have to learn how networking works, for
example, but you do need to build an understanding
about networking. When you begin to learn the
shortcuts, or have the language, it reduces the feeling of
overwhelm.

WHAT YOU NEED TO KNOW ABOUT HIPAA AUDITS / INVESTIGATIONS
The frustrating thing is that there are colleagues in this niche who also try to help people with HIPAA specifically, not just tech. They are trying to help them with the compliance and security side, and they'll mention things like, ‘The 2016 random audits are coming, are you prepared?’ Yet, the truth of the matter is that you will never be randomly audited. There have only been two random audit programs in the history of HIPAA, and both of them did about one hundred and fifty audits. That includes everything, even business associates, for example, companies that serve healthcare like Office Ally. Furthermore, they don't actually randomly choose them. What's random is who gets the initial survey asking about your practice. But then, based on the surveys, they explicitly choose who to audit, and they don't choose individual private practitioners or mental health practitioners. That just doesn't serve their goals. Therefore, if a company is trying to sell you a product by instilling the fear of ‘HIPAA random audits’ in you, consider it a red flag.

The thing that is actually likely to get you into an audit, or what's called an investigation, is if someone specifically files a complaint to the Feds about your HIPAA compliance. This doesn’t mean filing a complaint to your board. Your board isn't going to investigate that. The people who investigate HIPAA are the federal Office for Civil Rights, which is part of Health and Human Services, or your State Attorney General. Those are the people who can enforce HIPAA. So, the biggest reason people ever get into those investigations is when someone complains. And, complaining is actually very easy. There's a website where you go fill out a form and, once you've filed your complaint, they will follow up. The other possible way to get into an investigation is if you have a security breach. Meaning, you accidentally disclose records; for example, you lose records or someone gets access to the records. Essentially, a confidentiality breach. But, that's not how they frame it. Then, based on that, and depending on how many people were impacted, whether you have a pattern of this happening in the past, and various other factors, they might investigate you.
Recently, they stated that they're starting to investigate breaches that are smaller than 500 individuals. So, it's possible that if you have a significant breach, something that impacts a dozen or so clients, they will follow up on that with an investigation. There is, however, no concrete data to determine if they are doing so, so they may or may not be doing that. But, the biggest thing you want to be concerned about are the cases addressing complaints. That's where the hard stuff happens.

Examples Of Complaints
The complaint has to be founded on a HIPAA problem. For example, the person has to complain that you're not complying with HIPAA, and they have to show the way in which you're not complying. Usually, the biggest way that happens is the person complains about your privacy policies. Either you're not following them, or your privacy policy is not actually HIPAA compliant. For example, if you don't release records on time, or you're just really cagey about releasing records. That's the biggest reason mental health practitioners get into trouble. That, and if their policy for releasing records is not actually compliant with HIPAA.
The other thing people complain about is, for example, not getting a timely Notice of Privacy Practices. Furthermore, the vast majority of complainants are not people who legitimately feel like you did something wrong; it's usually clients who don't like you. Or, more often, family of clients who don't like you.

PRACTICE BASICS
Full Device Encryption
The first thing you need to do when it comes to HIPAA compliance regarding tech is ensure that you have full device encryption. Essentially, encryption consists of secret codes. So, when we say ‘full device encryption’, we're referring to a kind of complex process that has a very simple outcome. What it means is that all the information that's stored on the device is encrypted. So, if that device gets stolen, or lost, you can assume that the information on it is basically impenetrable. So, you can safely say that, if it's lost or stolen, there was no confidentiality breach, because all of the information was encrypted. To encrypt a Mac, for example, you go into the security settings and click on the picture of a vault with a roof on it. Then, there's a tab that says ‘FileVault’, which is the name of the encryption program on Macintoshes; go into that and turn it on. Then, follow the instructions.

Passcodes
The thing about full device encryption is that the weak link is your password. So you need to ensure that you have a really strong passcode, and that includes on your Android or iPhone. You need a stronger passcode than what they let you do by default. You have to go into the phone settings and change it. It allows you to set a really long passcode, and you need to do that, because that's the weak link in your encryption. These days, pretty much everybody can log into their phone with their thumbprint. So, setting a really long passcode is not a big deal, because you just use your thumb to get in instead of typing the passcode every time.

Encryption On PCs
For computers, and Windows in particular, you need to get the Pro version of Windows. That is what lets you encrypt your device. For some reason, however, nobody gets the Pro version. It never seems worthwhile to therapists, if they don't know about the encryption piece. But, you need the Pro version, because you need a program called ‘BitLocker’. BitLocker is what you use to do the full device encryption on a PC.

Two-Step Login
The thumbprint is not to be confused with a two-step login. It is more like an alternative login to your passcode. A two-step login would be if you had to type your passcode and use your thumbprint. A two-step login is, however, more like something you use for an online service, like your email or your practice management system. There are various different terms for this, including two-step login, two-step authentication, and/or multi-factor authentication. All of these mean that you have two things you do in order to log in. While the first thing almost always involves a passcode, the other thing is often a text message to your phone that contains a little code in it, which you then have to type in. Then, between that and entering the correct password, they let you in.
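The exchange described above (a password first, then a short code texted to the phone and typed back) as a worked example. This is added here and is not code from the book or from Person-Centered Tech. It models both sides of the login in one Python script: the service stores only a salted password hash, issues a six-digit code after the first step succeeds, and accepts that code only once, only within five minutes, and only for a few attempts. The user record, the fake text-message outbox, the code lifetime and the attempt limit are all constructed for illustration.

```python
"""Two-step login, both sides of the exchange in one script.

Added example, not code from the book or from Person-Centered Tech.
The user record, the fake SMS outbox, the five-minute code lifetime and
the three-attempt limit are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000
CODE_LIFETIME_SECONDS = 300      # assumption: a texted code is good for 5 minutes
MAX_CODE_ATTEMPTS = 3            # assumption: three wrong codes and you start over

USERS = {}      # username -> {"salt", "hash", "phone"}; no clear-text passwords
PENDING = {}    # username -> state of the code issued after step one
OUTBOX = []     # stands in for the SMS gateway: (phone, code) pairs 'sent'


def hash_password(password, salt):
    """Slow, salted hash so a stolen user table does not hand over passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username, password, phone):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "phone": phone}


def step_one(username, password, now=None):
    """First factor: check the password. On success, text a one-time code."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"       # six random digits
    PENDING[username] = {"code": code, "expires": now + CODE_LIFETIME_SECONDS,
                         "attempts": 0, "used": False}
    OUTBOX.append((user["phone"], code))               # 'send' the text message
    return True


def step_two(username, typed_code, now=None):
    """Second factor: the code must match, be unexpired, unused, and within the attempt limit."""
    pending = PENDING.get(username)
    if pending is None or pending["used"]:
        return False
    now = time.time() if now is None else now
    if now > pending["expires"] or pending["attempts"] >= MAX_CODE_ATTEMPTS:
        PENDING.pop(username)          # start over from step one
        return False
    pending["attempts"] += 1
    if not hmac.compare_digest(pending["code"], typed_code):
        return False
    pending["used"] = True             # a code works exactly once
    return True


if __name__ == "__main__":
    register("therapist", "correct horse battery staple", "+1-555-0100")   # constructed
    assert step_one("therapist", "correct horse battery staple")
    phone, code = OUTBOX[-1]
    print(f"texted {code} to {phone}")
    print("logged in:", step_two("therapist", code))
```

Running the file walks one login through both steps. The point worth noticing is that neither step alone gets you in: a guessed password still stops at the code, and a code that leaks is useless after it has been used or has expired, which is what makes the second step worth the minor inconvenience the text describes.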

Password Management Systems
Most people will end up using different variations of the same password, which is not smart. The biggest way that people end up getting into your Google email account or PayPal, for example, which are both among the most targeted platforms, is that they figure out your password on some other website that is significantly less well-secured, and then they go try that password on your PayPal or your Google. If you have the same password there, it’s easy for them to get in. Even if you're using a variation of the password, it's not hard for them to guess. So, you need to have a different password everywhere, and a significantly different password. It needs to be a big, strong password everywhere. Yet, this isn’t humanly possible without writing your passwords down and sticking them to your monitor, which is also a bad idea. In the old days, security professionals used to say that you should write your passwords down on a piece of paper and keep it in a pocket in your wallet. This is because you're very conscientious about keeping your wallet safe. These days, however, we need even more passwords, because we have a lot more accounts. Thankfully, we have a lot of great software that allows us to store our passwords, instead of putting them in our wallets. This software is known as ‘password management systems’, and there are a few different services that you can use to do this. These include 1Password and LastPass. With LastPass, for example, if you update a password, or enter a password, it pops up and asks whether you want to add this to your vault. So, whenever you create a new password, you can just hit the keyboard with numbers and symbols until it says it's hyper secure, and then LastPass will save that combination for you so that you don’t have to remember it. Furthermore, the program synchronizes between all of your devices. So, your iPhone will have all of your passwords updated all the time, along with your computers and other devices. Then, you can just click a button and it will log you into your websites.
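A worked example of the two ideas in this section, added here and not code from the book, LastPass or 1Password: generating a different random password for every site, and auditing an existing collection of passwords for exactly the habit the text warns about (the same password, or a variation of it, on several sites). The vault is constructed, and the ‘variation’ rule (same letters once digits, symbols and case are ignored) is an assumption chosen for illustration.

```python
"""Different random passwords for every site, and an audit of a vault for
reuse and near-reuse.

Added example, not code from the book, LastPass or 1Password. The vault is
constructed; the 'variation' rule (same letters once digits, symbols and case
are ignored) is an assumption chosen for illustration.
"""
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12                  # assumption: anything shorter is flagged as weak


def generate_password(length=24):
    """A random password over the full printable set. A manager remembers it,
    so length costs the user nothing."""
    if length < MIN_LENGTH:
        raise ValueError(f"generate at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _stem(password):
    """The part people keep when they 'vary' a password: letters only, lower-cased.
    All-digit or all-symbol passwords fall back to themselves."""
    return "".join(ch.lower() for ch in password if ch.isalpha()) or password


def audit_vault(vault):
    """vault: {site: password}. Returns groups of sites sharing a password,
    groups sharing a stem but with different passwords, and sites with short passwords."""
    by_password = defaultdict(list)
    by_stem = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
        by_stem[_stem(pw)].append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    variants = sorted(
        sorted(sites) for sites in by_stem.values()
        if len({vault[s] for s in sites}) > 1)
    weak = sorted(site for site, pw in vault.items() if len(pw) < MIN_LENGTH)
    return {"reused": reused, "variants": variants, "weak": weak}


def remediate(vault):
    """Replace every flagged password with a fresh random one; untouched sites keep theirs."""
    report = audit_vault(vault)
    flagged = set(report["weak"])
    for group in report["reused"] + report["variants"]:
        flagged.update(group)
    return {site: (generate_password() if site in flagged else pw) for site, pw in vault.items()}


# Constructed vault showing the habit the text warns about.
SAMPLE_VAULT = {
    "gmail.com": "Fluffy2015!!",
    "paypal.com": "Fluffy2015!!",                  # identical to the Gmail password
    "forum.example": "fluffy2016",                 # a 'variation' of the same password
    "bank.example": "kq#7Vp!2zR9wLm@4Xn$Tb",       # random and unique
    "old-shop.example": "pass123",                 # short
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print(audit_vault(remediate(SAMPLE_VAULT)))
```

The audit reports the Gmail and PayPal entries as the same password, the forum entry as a variation of it, and the two short entries as weak; after `remediate` every flagged site gets its own random 24-character password and a second audit comes back empty. That is the work a password manager does for you, and the reason the text says a different, big, strong password everywhere is only possible with one.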

Anti-Malware
People have this idea that Macs are safe and PCs are not. Apple loves the Macintosh's reputation of being immune to viruses. They've been claiming that since the 80s. And, back in the 80s and 90s, it was largely true. But, it was only true because the people who wrote viruses had Windows computers, and they didn't like Macintoshes. These days, the Mac has a built-in antivirus included in the operating system. And, they claim that that's all you need. The fact is, however, that an antivirus is only as good as how often it's updated. So, if you don't update your Macintosh software every day, the antivirus in the Macintosh will not be as good as the antivirus on a PC. The PC updates its antivirus every day. So, you want to have anti-malware software on your Macintosh, and there aren't a lot of anti-malware software packages that work well with the Macintosh. While every company will say ‘This is for Mac’, almost all of them will actually slow down your Mac. So, don't get Norton or Symantec for your Mac. Good ones for the Mac are Sophos, ESET, or Kaspersky.

Business Associate Agreements
It's important to have a concept of where the information is going. This is why you don't want to just leave it to others. That's where Business Associate Agreements come in. Because, when you've got a third party that's not your own workforce but a company offering you a service, and part of their service is holding on to or transferring your client information, that means those people are now essentially coming into your office and mucking around with your file cabinet. If you have Google Mail, Google Mail is basically rifling through your file cabinet all day, because they're handling all your client emails. If you're using an online practice management system, they are holding on to your file cabinet, and they process everything that goes in and out of your file cabinet, because you're putting your records into their system. So, these are people and companies that are handling your information. It doesn’t always occur to us that when we use an online service, that means we're handing client information to some other company. So, to get a Business Associate Agreement with Google, you can make use of their paid service called G Suite. It's around $5 a month, per user, and they do Business Associate Agreements. The Business Associate Agreement means that the company is aware of what they need to do in order to protect your clients’ information and protect you on a compliance level. If they do the agreement, they're promising you, in a contract, that they will protect your information. It's like getting a confidentiality agreement with a third party. If there is some sort of hack with Google, then you’re not on the hook as much.

LEAN INTO DIGITAL SECURITY
As mentioned previously, people have identity trouble and avoidance because of the overwhelm. Yet, we really encourage people to lean into this difficult process, and be aware that this doesn't mean you have to suddenly take something that is literally overwhelming and suddenly, magically sort it all out. That's not possible. Instead, ‘leaning in’ means just being ready to deal with some negative emotions, and tolerate them. And, instead of avoiding, seek out the help you need. That can mean reaching out to Person-Centered Tech, or that can be a colleague, or family member, who is more tech savvy than you are. In fact, we would recommend a combination of all of them. The people we've worked with who have that combination are often some of the most successful, because they have the local resource, they have the remote resource (podcasts, etc.), and they end up getting both emotional and logistical support, and they're able to get to where they need to go.
Ideally, you need to create a checklist and prioritize the biggest ‘problems’ you need to take care of first. Also, identify the low-hanging fruit and then just take it one step at a time. For example, you can start with full disk or full device encryption, then setting up LastPass, and then updating your Gmail and PayPal accounts. So you just make this to-do list, prioritize it, and set some time aside each week to get stuck in.
