Comprehensive Consulting for Mental Health and Wellness Professionals in Private Practice




Your Software and Devices Are Not HIPAA Compliant

With growing frequency, vendors market their software, devices, and services as "HIPAA Compliant". This feeds into the mistaken belief that such beasts exist. It's somewhat understandable. After all, it's much easier to say "Our cloud-based software is HIPAA compliant" than to say "As a Business Associate, we adhere to all the rules and regulations of HIPAA and HITECH and will sign a Business Associate Agreement with you in order to help you maintain compliance as a Covered Entity. There are, of course, multiple other things you need to do to maintain compliance that we can't necessarily help you with."

So, while you may participate in the marketing speak in the interest of easing communication, it's important to note that there is no such thing as compliant software or a compliant device.   Put another way, you cannot maintain HIPAA compliance by simply "only purchasing HIPAA compliant stuff".  Only Covered Entities and Business Associates can be compliant.  They do so by following all of the requirements of HIPAA and HITECH, which are extensive when it comes to technology.  With the deadline long passed for complying with the latest update to HIPAA, it's more important than ever that Covered Entities ensure compliance.

There are multiple pieces to establishing and maintaining compliance.  Especially with technology, you must establish administrative, technical, and physical safeguards that follow HIPAA/HITECH requirements.  The short summary is that:

  • Administrative safeguards refer to doing a risk assessment/analysis and establishing policies and procedures regarding the creation, storage, and transfer of PHI and ePHI (electronic PHI). Policies can address who has passwords/access to PHI and much more.
  • Technical safeguards mean you use technical means to secure the data (for example, strong passwords and encryption).
  • Physical safeguards mean you use physical means to protect the data (for example, keeping devices in a secure location when not in use and restricting who has access).

As always, where HIPAA is concerned it is important that you Document, Document, Document.  Should you ever be audited or investigated, your documentation that you've done due diligence will likely play an important role.  There's a lot more to each of the three steps above.  Feel free to contact us for more information on how we can help, or schedule a consultation.

One specific circumstance I see come up is when people say, "You can use GSuite! It's HIPAA Compliant, and they sign a BAA," the implication being that's all you have to do. Click here to read why it's not that simple.

Want weekly guidance throughout the year on HIPAA and ethics matters? Want to know if you can remain compliant while using a specific software or service? Person-Centered Tech Support is for you.  Use this link to purchase (and discount code TAMEIT), and you'll receive 20% off a year's subscription while helping to support our ongoing reviews and articles (through our affiliate relationship with PCT).


Rob Reinhardt, LPC, PA

Rob is a Licensed Professional Counselor in private practice and
owner of Tame Your Practice, which provides comprehensive
consulting to mental health and wellness professionals.

©2016 Rob Reinhardt, LPC, PA 


Submitted by Amanda Heasley on Thu, 02/11/2016 - 10:09

Hi Rob,
My husband and his business partner recently opened a small private psychotherapy practice. I'm administering the practice. My question is this: where do I even start with HIPAA? Can you recommend more in-depth reading material about the three points to hit on to go some way toward HIPAA compliance? Where can I get an example of a solid policy manual, and how do I learn about encryption? Thanks so much.

Submitted by Rob Reinhardt on Thu, 02/11/2016 - 11:34

Hi Amanda,

Congrats to your husband on getting started in private practice! The best resources for what you're seeking are linked at the end of this article. Roy and I cover a lot of HIPAA topics in our TherapyTech show. There are several topics on my blog that address HIPAA (search HIPAA in the search box) and I highly recommend Roy's Security Compliance workbook that he is developing as it walks you through the three steps and more!

I'm also available for consultation to discuss specific questions and to help you get started!
