HIPAA Security Rule Compliance for Private Practitioners

Guest Post by Rob Reinhardt, LPCS, Technology Consultant for Mental Health Professionals, CEO of Tame Your Practice

Wouldn't it be nice if someone would provide us with a brief checklist of things we need to do in order to comply with HIPAA (the Health Insurance Portability and Accountability Act)? I strongly recommend that you not wait for that to happen. HIPAA was purposely constructed to be flexible so that both large hospitals and solo practitioners would be able to comply. You wouldn't want to follow the same checklist as a hospital, would you? Further, because HIPAA now covers electronic Protected Health Information (ePHI), it's important that it be flexible since technology continually evolves.

That said, there are some basic parameters and processes to be aware of. Once these concepts are understood, HIPAA no longer seems to be this overwhelming, unintelligible monstrosity. It takes on a role similar to progress notes and other paperwork: the stuff that gets in the way of our client time, but that we know we need to do.

Here then, is a brief summary of the most important things to know about HIPAA:

It's More Than Just the HIPAA Privacy Notices

HIPAA started out in 1996 with the Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) by Covered Entities (CEs). Protected Health Information is any data about health care that can be linked to a specific individual. Covered Entities are health plans/insurers, clearinghouses, and providers who engage in “Covered Transactions”. For most mental health clinicians, that means filing electronic insurance claims (even if you don't, be sure to read on). This is the part of HIPAA that brought us the HIPAA Notice of Privacy Practices, where providers detail for clients how and when they will use and/or disclose their PHI.

In 2003, the Security Rule was added in order to set standards for securing ePHI. It requires that CEs establish Administrative, Technical, and Physical safeguards to ensure the privacy of client data. This was further enhanced by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in 2009 and the Final (Omnibus) Rule in 2013.

I've found that most therapists have the Privacy Rule down pat, so in the following sections, I'll focus on clarifying information from the Security Rule.

HIPAA Security Compliance Is An Ongoing Process

One of the primary components of complying with the Security Rule is completing a Risk Analysis and Management Plan. This is a process of documenting reasonably anticipated threats to the security of ePHI (e.g. theft, loss, fire) and a plan for dealing with those threats. This is required to be reinforced through a documented set of Policies and Procedures (yes, even if you're a solo practitioner). Therapists wouldn't dream of assessing a client at intake and then never re-visiting that assessment. Similarly, this Risk Analysis process needs to be re-visited on a regular basis. This ensures that new technologies and threats are addressed appropriately.

Software and Devices Can't Be HIPAA Compliant

If you listen to the marketing speak, you might get the impression that a CE can be in compliance as long as they choose software and devices that are “HIPAA Compliant”. The problem is that such things do not exist!

Only Covered Entities or Business Associates can be compliant with HIPAA by engaging in the processes described above. A Business Associate (BA) is any third party that a CE shares PHI with. This could be a billing agent, an EHR vendor, or a telehealth application vendor. In creating this relationship, the CE is required to establish a Business Associate Agreement with the BA, outlining the responsibilities of each. The good news is that, due to the Omnibus Rule, this requires that the BA is held to the same standards for compliance as the CE. To be clear, this doesn't release the CE from all responsibility. They still need to conduct a Risk Assessment. However, it's often the case (especially with EHR) that using a third party vendor will greatly decrease the scope of (read: amount of work involved in) the CE's process.

(Side Note: It's important to note that financial transactions are exempt from HIPAA, so typically financial institutions don't fit the definition of Business Associate. However, there are some circumstances to be aware of, such as some of the features offered by services like Square).

But I Don't Take Insurance So I Don't Have To Worry About HIPAA

It's true that, if you (or your billing representative) are not filing electronic insurance claims, you likely don't fit the definition of Covered Entity. Technically then, you don't have to comply with HIPAA. You should be aware of and consider the following, however:

  • Standard of Care - HIPAA is becoming recognized as a “Standard of Care” when it comes to Privacy and Security. If how you handle privacy and security ever comes into question, there's a solid chance that HIPAA will be the measuring stick for whether you're doing a good job.
  • Ethics – Our codes of ethics require that we keep client information confidential. In line with the first point, what standards can we use to prove that we are doing so, especially with ePHI?
  • State Law – Be sure to understand your state laws regarding client privacy. If you're in Texas, for example, your state laws are in some cases even more stringent than HIPAA.
  • Best Practices – Similar to the idea of Standard of Care, the set of requirements in HIPAA are considered “Best Practices” for securing client data. While HIPAA may seem bloated and overdone in parts, the core requirements make sense and are a good path for significantly reducing the risks to privacy.

Rob Reinhardt is a Licensed Professional Counselor Supervisor in North Carolina and CEO of Tame Your Practice. In addition to helping therapists integrate technology into their practice, he is the column editor for Counseling Today magazine and creator of Describe, a therapy tool appropriate for individuals and families of all ages!

How to Create and Sell Your First E-book (part 2)

In this guest post, counselor and consultant Clinton Power shares how to put the finishing touches on your E-book and how to get the word out and sell your book. (Read part 1: how to create your first E-Book)

Use a graphic designer to make your E-book stunning

If you're planning on creating a PDF version of your E-book to sell through your website, you definitely want to get it professionally designed. Your designer can then employ visuals, highlight quotes, and use attractive fonts and graphic design elements to draw the reader in and make reading your E-book a pleasure. Your designer will also create a compelling cover page, which is essential as it will make a big difference whether people are attracted to your E-book or not.

If you're going down the Amazon route, you won't need a designer to design the inside, but you will need an awesome cover design so you stand out from the thousands of books in Amazon.

One other consideration is to make sure you have your E-book proofread once it’s complete. I employed a professional copy editor to make sure my book was grammatically sound with no spelling errors. This was a good investment.

Create a dedicated landing page for your E-book

It's worth creating a dedicated landing page on your website for your E-book, or creating a stand-alone website just for it.

Even if you're selling it through Amazon, it's helpful to direct people to this page to read more about your book.

Include attractive images of the cover (3D preferably), testimonials and a bio of you, the author.

Options for selling your E-book

I chose the Amazon route and more specifically, a product called KDP Select. If you use KDP Select you have a 90-day agreement with Amazon that you won't sell your E-book anywhere else on the internet.

KDP Select also allows you to have up to 5 promotional days within the 90 days where you can give your book away for free on Amazon. This was a great strategy for getting more exposure, and helped me get over 2000 downloads. In fact, over 1,800 downloads happened in one weekend during one of my free promotions when my book went to the top of the free list for its category.

If you want more flexibility, you can just join KDP and then still sell your E-book in other places.

If you're selling your E-book through your website, I recommend using E-Junkie or Gumroad. E-Junkie will allow you to have affiliates so other people can sell your book and earn a commission, and Gumroad is very simple software where a beautiful pop-up appears on your website and guides the purchaser through a checkout.

Begin promoting your E-book

Now that your E-book has been created, it's time to start promoting it. That's probably a whole other post on its own, but one tip I'll share is that I sent advance copies to readers on my newsletter list for free, in exchange for Amazon reviews.

This was very helpful in getting reviews on Amazon just as I started to make sales. And the more positive reviews you get, the more Amazon will promote your book in its marketplace.

Don't forget to talk about your E-book on a regular basis on social media and get creative about sharing your message.

Another strategy I used was I created attractive images in PicMonkey with tips from each chapter and shared them on social media and on my blog.

Track your results

Finally, you want to track your results to see how you're doing with your sales.

Amazon makes this easy through Author Central, so make sure you create an account there. You can track the ranking of your book in the Amazon Marketplace and read all your reviews, as well as edit your author profile.

If you're selling your E-book on your website, use Google Analytics to see where traffic to your landing page is coming from, and then increase your marketing efforts in those areas.

Creating an E-book has never been easier, so what's stopping you? Get writing!

Clinton Power is a Gestalt therapist and the owner of Clinton Power + Associates - a private practice dedicated to helping singles and couples move out of relationship pain in Sydney, Australia. Clinton is the author of the E-book 31 Days to Build a Better Relationship, which is available in the Amazon store. He is also the founder of Australia Counselling Directory, a free directory for finding counselors and psychologists in Australia. Follow him on Twitter @sydneytherapist

Social Media Ethics: What Private Practice Therapists Need to Know


Familiarize yourself with social media ethics and use technology intentionally to educate your community and to build your private practice.

The Internet and social media offer social workers and mental health therapists unprecedented opportunities to educate communities, to advocate for disadvantaged populations, to raise awareness about their private practice and professional services, and to establish themselves as experts in their specialty areas. Because people search online for health-related information, developing a strong online presence is increasingly important for social workers in private practice.

One aspect of developing an online presence is through social media. Although social media sites were often originally seen as “kid’s stuff,” that is no longer the case. For the first time in history, more than half of adults in the United States—65 percent—report using social networking sites like Facebook, Twitter, LinkedIn, and others. Even though these numbers are continuing to climb, many social workers seem reluctant to use and embrace social media as a valid professional activity. Fear regarding breaches of client confidentiality, potential dual relationships, and maintaining personal privacy are often cited as reasons for this reluctance.

Professional associations struggle to provide guidelines about how to ethically respond to specific technology issues because technology changes so quickly, says San Francisco psychologist Keely Kolmes, but that doesn’t mean the existing rules don’t apply in the digital realm. Without clear guidelines for social media use, social workers and other mental health professionals are encouraged to engage in ongoing discussions about policy guidelines and to use their own professional judgment in order to apply the current Code of Ethics in the digital world.

Social workers and mental health therapists who blog, post on Facebook, or use Twitter, Pinterest, LinkedIn, or any other social media should be deliberate in their behaviors—and mindful of the possible effects their online behavior may have on their clients and their careers. Engaging in meaningful and ethical social media activities can further the advancement of the core social work values: service to people in need, promotion of social justice, affirmation of the dignity and worth of each person, education on the importance of human relationships, demonstration of integrity and trustworthiness in our online behavior, and demonstration of a commitment to professional competence (NASW, 1999).

Here are suggested guidelines to help mental health therapists engage in ethical social media use:

1) There’s no such thing as absolute privacy or anonymity

Privacy breaches in large corporations or agencies are frequently reported in the news, and they show that no matter how vigilantly you safeguard digital information, leaks can happen. The only way to guarantee your online privacy is to refrain from posting anything online. Because opting out of the digital world is rarely an option, it’s important to be mindful that your online activities, including social media, have the potential to be seen by others.

2) Be intentional in social media use

There are many personal and professional uses for social media. Clarifying your purpose and your goals for engaging in each social networking activity is an important part of ethical social media usage. What is your goal in setting up this account? What kinds of information do you want to share? Who are you trying to reach with this account? Developing a clear rationale and specific goals for engaging in personal and professional social media activities will help guide your efforts.

3) Separate personal and professional social media accounts

After you’ve developed a clear intention for your social media usage, create separate personal and professional accounts and profiles. For example, on Facebook, once you set up a personal profile, you can set up a separate professional business page for your private practice. Separating accounts into personal and professional helps protect your personal information and helps establish and strengthen your professional online presence.

4) Stay informed about privacy settings

Familiarize yourself with the privacy settings for each social media account and check frequently for updates. Privacy settings are not static and may change over time. Use the highest level of privacy settings on your personal accounts in order to protect your personal information. For professional accounts, use privacy settings on the lowest level so that more people can find your private practice business information.

5) Be cautious when posting about work on social media

Every social worker has difficult days, but venting on social media is not the best venue for processing challenging work situations. In addition to being cautious about posting about your personal responses to work, never post information about clients, period. The well-being of clients and respect for the therapist–client relationship should guide your social media activities.

6) Develop a social media policy for your practice

Developing a social media policy for your private practice is an excellent way to clarify for yourself and for your clients if and how you will be engaging professionally in social media. Components of a social media policy may include information about friending, following, interaction, business review sites, location-based services, use of search engines, and preferred method of communication (Kolmes, 2010). Social workers need not be reluctant to engage in social media as professionals—as long as they are aware of how to protect their own and their clients’ privacy, to protect the client–therapist relationship, to be intentional in social media activities, and to develop a comprehensive social media policy.

Social Media by the Numbers:

  • Facebook: 1.11 billion users
  • YouTube: 1 billion users
  • Twitter: 500 million total users
  • Google+: 343 million users
  • LinkedIn: 225 million users
  • Instagram: 100 million users
  • Pinterest: 48.7 million users
  • Wordpress: 66 million blogs

AUTHOR BIO Julie de Azevedo Hanks, MSW, LCSW, BCD, is a member of the Private Practice Specialty Practice Section steering committee. She is also the owner and executive director of Wasatch Family Therapy. She can be contacted by e-mail at

REFERENCES

Kolmes, K. (2010, April 26). Dr. Keely Kolmes Social Media Policy For Psychotherapists. Retrieved May 29, 2013, from Dr. Keely Kolmes:

National Association of Social Workers. (1999). Code of Ethics. Washington, DC.

Pew Internet and American Life Project. (2011a, February 1). Health Topics. Retrieved May 24, 2013, from Pew Internet and American Life Project: Releases/2011/Health-Topics.aspx

Pew Internet and American Life Project. (2011b, August 26). 65% of online adults use social networking sites. Retrieved May 24, 2013, from Pew Internet and American Life Project:

Reardon, C. (2011, May/July). Building a Practice In a Digital World. Retrieved from Social Work Today:

Rob, M. (2011, Jan./Feb.). Pause Before Posting — Using Social Media Responsibly. Retrieved May 24, 2013, from Social Work Today:

Smith, C. (2013, May 26). How Many People Use the Top Social Media, Apps & Services. Retrieved May 28, 2013, from Digital Marketing Ramblings:

(This article originally appeared in the National Association of Social Workers Specialty Practice Section Private Practice Newsletter Fall 2013)


6 Ways Media Interviews Will Help Your Practice

Are you hesitant to respond to media interviews? Performance anxiety, lack of training, or placing little value on media interviews as a strategy for practice building may be among your reasons for shying away. You may have heard that interviews don't bring in an immediate influx of new referrals. I have been actively seeking media interviews on a regular basis for the past five years and I've never had a huge increase in new referrals as a result. However, I have seen many long-term benefits of doing media interviews that have built my practice over time. Here are 6 ways conventional media interviews have helped grow my private-pay practice.

1) Increasing awareness of your practice and services

“If you build it, they will come” doesn’t necessarily apply to opening a private practice. Most private practitioners initially struggle to get clients in the door of their practice because few people are aware of their business. Media interviews increase the exposure of your practice and allow you to get in front of more potential clients. Continued exposure makes it more likely that potential clients will remember your name and will eventually call you if they need help.

2) Opportunity for community service and education

Media interviews provide volunteer opportunities to educate your community and increase awareness about issues that matter to you and to them. In addition to making a living doing something I love, I want to make a difference for as many people as possible, and media interviews allow me to make a positive impact for people well beyond the therapy office.

3) Engender public trust and increase credibility

Television stations, radio stations, newspapers, and websites spend a lot of time connecting with their readers and viewers and building their “brand”. When you are featured in the media you get to borrow their credibility and trust as they put you in front of their audience. Regular media appearances have allowed a large number of people to hear my therapeutic philosophy, and get a feel for my approach, and see me as a resource.

4) Helps transition you from provider to "expert"

Regular media appearances help position you as more than a potential counseling or coaching provider. Interviews allow the general public to view you as an “expert” in your field or specialty area. The role of expert adds value to you and your services and makes it more likely that clients will pay out of pocket for your services.

5) Provides potential multiple income streams

Surprisingly, some media appearances have transitioned into additional income streams. I’ve been invited to be a regular contributor on television or a paid blogger. What could be better for your practice than getting paid to educate the public and create awareness of your practice?

6) Helps provide fresh consistent content for website, blog, and social media

Media interviews help provide new content for your practice website and provide helpful resources to your social media followers. Sharing video of on-camera interviews and links to print or web interviews extends your reach beyond your location, driving more traffic to your website. More traffic to your practice website means more clients for you (assuming they like what they see on your website).

So, what are you waiting for? The next time you receive an email from a news or radio producer asking for your expertise, consider saying, "yes!"

Why I Only Hire W-2 Therapists (W-2 vs. 1099 part 3)

I've noticed that private practice therapists tend to hire additional therapists as 1099 contract employees. A reason frequently cited for choosing to hire therapists as 1099 employees is that they don't have to pay the therapists' taxes. While it may be more "affordable" to hire therapists as contractors, in my experience, there are also "costs." (For a summary of the difference between W-2 and 1099 employees, read part 1 in this series. To hear about my employment tax audit adventure, read part 2.)

According to the IRS website, the general rule for classifying a 1099 independent contractor is "if the payer has the right to control or direct only the result of the work and not what will be done and how it will be done" (italics added). It also states that an employee is not a contract employee if the services "can be controlled by an employer (what will be done and how it will be done)" and if "the employer has the legal right to control the details of how the services are performed."

In consulting with therapists around the U.S., I've heard about some of the "costs" of hiring 1099 employees. Some of the costs include high turnover rates due to the part-time and often temporary nature of contract employee relationships. Some of those "costs" include lack of control over how and where therapy is done, inability to require specific paperwork, inability to require attendance at staff meetings or trainings, and inability to request that therapists network and participate in community outreach to boost referrals.

Here are the four main reasons I only hire therapists as W-2 employees:

1) Overall Cohesiveness

My vision for Wasatch Family Therapy has always been to build a cohesive team with a shared long-term vision of providing excellent clinical services to clients across the lifespan from an attachment perspective, not just have a group of therapists doing any kind of therapy they choose. Now that we have grown into a clinic of 18 therapists at 3 locations, cohesiveness is even more crucial. When therapists are hired as 1099 contractors, employers are not supposed to tell the contract worker how to do therapy, or make other specific requirements of the worker, such as attendance at trainings.

2) Higher Level of Quality Control

If a therapist is going to work under my name and my practice name or "brand", I want to be able to have a say in how, where, and when they do the work. I've spent over 10 years building trust, credibility, and presence in my region and I want to be able to provide mentoring, direction, and training in how my clinical team provides services.

3) Ability to Require Certain Activities

I want to be able to require certain activities from my team members that hiring them as 1099 workers does not allow me to do. We have streamlined forms for notes and documentation in our EHR system. I require each therapist to engage in at least one outreach or networking activity each month in order to create strong referral sources. I require attendance at two monthly staff meetings, and a certain level of professional appearance at the office.

4) Implication of Long-Term Relationship

I am not interested in hiring temporary therapists to provide services. Hiring 1099 workers generally implies a short-term relationship. I am interested in hiring therapists who have a shared vision and who I can invest in long-term, and who will invest in building the practice long-term. I want to build mutually beneficial relationships, not just provide services. Hiring therapists as W-2 employees shows a greater long-term commitment to them to build their practice for the long haul. It also allows me to expect a greater commitment from them.