Today’s Private Practice Podcast resource:
I’ve been using Skype with screen share to collaborate with a ton of people recently!
Have a question for the show? Leave me a message on Speakpipe
Practice Nation, Meet Roy Huggins
When it comes to digital ethics quandaries, security and privacy in your practice and other tech concerns for therapists, sometimes you need a lot of help. Roy’s happy to be there for you when you do.
Roy consults with helping professionals, one-on-one or in groups, on topics such as these:
- Making your tech setup (computer, smart phone, tablet computer, email, texting, etc.) HIPAA compliant
- Policies and plans for handling client security and privacy in an appropriate way for your practice and your clients
- Ethical quandaries surrounding digital ethics and HIPAA
- Some aspects of online marketing
Roy also can help solo and very small group practices perform a security risk analysis, which is an essential part of HIPAA compliance and just a good idea for keeping you and your clients safe. Risk analysis also lets you get out of the stressful rat race of trying to find “HIPAA compliant” products and services — an activity which is not, ironically, HIPAA compliant. For those with whom Roy consults, risk analysis can be performed via phone and takes anywhere from 2 hours to 8 hours depending on the complexity of your practice.
What you’ll discover in this podcast
- 9:15 Something Joe should have done already
- 18:53 When you don’t need to worry about digital security
- 29:06 The questions that made Roy laugh out loud
- 37:07 What Roy is doing next for the audience
Resources/Actions from this podcast
Music from the Podcast
Silence is Sexy
Joseph R. Sanok, MA, LLP, LPC, NCC
Joe Sanok is an expert on achieving ambitious results. He is a private practice business consultant and counselor who helps small businesses and counselors who are starting a private practice. He helps owners with website design, vision, growth, and using their time to create income through private practice consulting. Joe was frustrated with his lack of business and marketing skills when he left graduate school. He loved helping people through counseling, but felt that people often couldn't find him. Over the past few years he has grown his skills, income, and ability to lead others, while still maintaining an active private practice in Traverse City, MI.
Photo by Jeroen Bennink
Here is the Transcription of This Podcast
Digital Security and Private Practice An Interview with Roy Huggins
This is the Practice of the Practice Podcast with Joe Sanok, Session 65. I’m Joe Sanok, your host. Welcome, welcome, welcome. I’m so glad you’re here. I’m sorry, I’m taking my headphones off. I was just doing a conference call over Skype with Zoe, my assistant, and we did a walkthrough on GarageBand, and it went really well.
So I’m training her how to do post-production of GarageBand to hopefully take a few things off my plate, also help her continue to grow as a professional, and the more that I just focus on what are the best uses of my time, I mean, honestly, I’m hoping that then, I can work on things that directly impact the bottom line to bring in more money and bring in more of an impact. So that whole idea of “how do I increase income and increase impact” is really part of my ambitious results I’m going after this year.
So I hope you’re doing awesome today. Today, I have — well, I usually do a resource at the beginning, but I think the resource I’m going to share is probably just using Skype with screen share. Obviously, you don’t want to use Skype because it’s not HIPAA-compliant for client counseling, but in talking with other professionals, to just use Skype, you can click on this little plus button at the bottom and you can do share screen, and it’s just a great way if you’re having a meeting with someone, if you’re collaborating. So often, we get isolated in private practice and don’t think big. And you know? You can reach out to people in different States and try to make something. You can put on a conference around depression. You can put on a conference around angry kids. You can work on an E-book together. There’s a million ideas within your specific niche.
So, I’d say my resource of the week is going to be Skype and using it for screen share. That’s what I used with Zoe to train her on GarageBand. So in the future, I might actually show you that video because I recorded it so that she could go back to it over and over.
So yeah, I’m drinking some coffee. It’s in the afternoon. A lot of you know that I’ve been cutting myself off at noon or 10:00 a.m., depending on the day, but it’s been wild. I have a late night of supervision going till 9:30 tonight. So I probably shouldn’t drink as much coffee as I am today, but in honor of my guest, Roy Huggins, I’m going to drink some coffee. He’s from Portland. That guy is just freaking awesome. Roy, he started a website called Person-Centered Tech, and he’s a former I.T. guy, and in a previous episode — I don’t remember the number off the top of my head, but it’s going to be on the show notes, which will be practiceofthepractice.com/session65.
He talked all about HIPAA Compliance, digital security, all sorts of things, and he has some great updates to — just ways to implement things, things that I didn’t know, things that I didn’t implement and that I need to implement, and yeah.
So without any further ado, I give you the amazing tech guru and friend of mine, Roy Huggins.
Joe Sanok: Well, Roy, welcome back to the Practice of the Practice Podcast. Really glad you’re here.
RH: Thank you, sir. I’m glad to be here.
Joe Sanok: Yeah, yeah. Well, I wanted to invite you back for a number of reasons. Your website continues to grow, there’s a lot of really big names that have been promoting it. You are the guy to go to when it comes to kind of digital security, HIPAA Compliance and all of that, and you’re such a great example of just finding a niche, owning it, and doing it really well. So thanks a lot for coming back into the program.
RH: Thank you, sir, and thanks for recognizing it that — it’s hard to see the forest from the trees sometimes.
Joe Sanok: Well, maybe for those that didn’t listen to your past podcast — and I’ll link to that on the show notes, tell us a little bit about who you are and what you do.
RH: Well, I do a lot of consulting and training and kind of writing about general technology in mental health, but the big niche that I really get into is security, meaning — most people will call that the HIPAA stuff, and a big part of my mission is to change that. I want security to be something that we take on as our own professional task. I want us to own the way we do it. We used to own that stuff ourselves, and we kind of let it get away from us and HIPAA wants to take over. So I want it to be our thing.
But for now, it’s the HIPAA stuff, and I do a lot of advising on how mental health clinicians can approach that in our way and in a way that’s effective for us and is also HIPAA-compliant. That’s my big thing.
Joe Sanok: That’s awesome. So a lot of what we talked about last time were some of those basics, and people can go back to that, but let’s start with what’s changing, because I think that this is always a moving target. So what regulations are changing? What are some States doing? I know there are certain specific States that are doing certain things, and then maybe just — what is it that we should know heading into 2015?
RH: The Feds haven’t changed anything since 2013, thank goodness. I’m going to like knock some wood on that. I don’t know, but like — except that the Office for Civil Rights, the HIPAA people, have made all kinds of statements. They got to do their random audit program; however, our audience, which is private practitioners in mental health, I really don’t think the audit program is going to affect us. I think it’s very unlikely we’ll be randomly audited.
I mean, I think we should take it seriously. We want to know what they’re doing and know what they’re saying, but I’m all about managing risks, and I don’t think the risk of being randomly audited is one that we really should be spending our energy on. I think we should be spending it on just making sure we’re protecting our clients’ information, which will have the added effect of being HIPAA-compliant.
In terms of States though, there is interesting stuff happening. Like in Minnesota, they’re unfortunately under the gun right now because the State decided, back in 2009, that every clinician in Minnesota of any kind, no matter what you do, needs to start using an interoperating electronic health record system, meaning everyone has to start using electronic health records that actually talk to other systems, talk to hospitals, talk to a central system, and that of course requires that they be HIPAA-compliant, and yada, yada, yada, and it’s a big mess. And so of course, all of the mental health clinicians in Minnesota are currently scrambling to figure out how to do that.
If you’re in Minnesota, if you somehow are under [? 06:41] and haven’t heard about this one yet, you want to make sure you know — you should go to vodacounseling.com, V-O-D-A-counseling.com, where Annie Schwain, in the Twin Cities, is spearheading helping everybody get on top of that.
Joe Sanok: So does that include if you’re a private pay, a private practice, people hand you money like —
Joe Sanok: Wow!
RH: That’s what’s weird about it. Many of us outside of Minnesota are kind of breathing a sigh and going, “God, I hope this experiment in Minnesota fails.” But we don’t think it’s a — it’s not, in my opinion, the best approach in Minnesota, but I know they’re trying something out over there and we’ll see what they do.
Joe Sanok: Well, Minnesotans, let us know how that goes in the comments section of the podcast. Okay, so then, what sort of things — maybe if people have implemented some basic security, what should they start thinking about, what should they start doing to just maybe firm things up a little bit?
RH: Yeah. I have a great answer to that. You should encrypt your computer and you should make your passwords good. Oh, that’s going to cover so much stuff, right? So if you look at the idea of risk management, real risk management, not the kind of weird risk management we keep getting told about where you’re supposed to run away from risks, but where you just sort of — and we look at what the biggest bulk of security risks are for our clients, like how are our clients going to get messed over by us using tech. The biggest one is your computer gets stolen or damaged, and the other is like your email or other internet services, services you use, like a bad guy gets into it because they guessed your password.
Those are our biggest risks. That’s like 90% of it. If you follow this to encrypt your computer and you use password management programs, like LastPass or 1Password, programs that help you keep track of your passwords and use really strong passwords and then make it really easy to do that, that’s the whole point. They make it easy. That’s how you can do it, right? Encrypting your computer, using those things, oh my God, you’re going to cover like 90% of those risks. And even if you don’t get HIPAA-compliant, you end up reducing even the risk of that becoming an issue, because if you really reduce the risks of anything happening to your clients’ info, you really reduce the risk of running into the Feds. So encrypt your computer, get a password management program and use them.
Joe Sanok: Okay. So for those that don’t know what it means to encrypt their computer, take us through what that means and how to do it.
RH: Sure. Okay, so for Macintosh, it’s extremely complicated. You got to go into your security settings and press the button, right?
Joe Sanok: All right, so walk me through that. Let me just click mine while you’re talking.
RH: Sure, yeah. Joe’s going to encrypt his computer.
Joe Sanok: Everybody, make sure it’s all encrypted.
RH: Right, right.
Something Joe should have done already
Joe Sanok: So I go into my — just for demonstration purposes, so I would go into my system preferences and —
RH: System preferences, go to the security pane, and then inside that, one of those tabs will say “FileVault”. Not “fire vault”, but “FileVault”, and then you turn it on.
Joe Sanok: Oh, okay.
RH: I mean, do it a little later because you need to pick a good password for your encryption. It’s going to give you a little key that you want to write down somewhere in case you have to recover it, and it’ll take about — probably, it will take most of a day for your computer to finish the process, but you can still use your computer while it’s doing that.
Joe Sanok: Hypothetically, if mine wasn’t encrypted.
RH: Right, because [? 9:56], Joe, because we’re so on top of it.
Joe Sanok: Because we talked back in March, and —
RH: That’s right. [? 10:02]
Joe Sanok: All right. So for people that don’t have Macs — if you have a Mac, you want to set some time aside to do that, what Roy just said. So, if they don’t have a Mac, how do they encrypt it?
RH: Well, it can be as simple, but you got to get that software. So if you’ve got Windows 8, you can go get the Windows 8 Pro Pack. And if you’ve got Windows 7, you need to upgrade your Windows to Windows Enterprise. Before Windows 7, you can’t do this particular kind, but what it is, is you want to get a program called BitLocker, B-I-T-Locker, from Microsoft. That’s Microsoft’s version of what you have already got on your Macintosh that you activated so many months ago. It doesn’t come with a home version of Windows. You have to go get it. But you can’t just buy it. You have to upgrade your Windows to do it.
Joe Sanok: Now, is there typically a cost to upgrade that in Windows?
RH: Yeah. The Windows 8 Pro Pack, I believe, is $99. I think it’s similar to upgrade your Windows 7 to Windows 7 Enterprise. It’s Windows which is always a little more complicated. My LinkedIn group does a wonderful discussion thread where a whole bunch of awesome people wrote out all of their experiences and instructions for being able to do that. So go to the LinkedIn group and you’ll find that.
Joe Sanok: That’s awesome, and I’ll put that on the show notes too. So you’ve encrypted your computer, obviously, in March when I met you. So then the other side was the password stuff. So walk us through — like you had mentioned a few resources there.
RH: Yeah. Well, I use a program called 1Password, the numeral one password, all one word, a lot of people like something called LastPass, L-A-S-T P-A-S-S, and I think that one is just like internet-based, if I’m not mistaken. There’s an open-source one called KeePass, K-E-E-P-A-S-S, that’s free and open-source, but because it’s open-source, some people might find it a little harder to install, but it actually is quite easy to use once you’ve got it installed. And what these do, these are programs that store your passwords. That’s all they do. It’s very simple, like it’s just a program that keeps a list of your passwords. But the beautiful thing about them is that they’re written to be very, very secure themselves. Like it keeps your passwords heavily encrypted, and you need your own master password.
So your master password needs to be a nice, strong password, but it’s the only one you have to memorize, because then, what you do is every time you need to enter a password into a website or something, you go over to your password program, click “copy”, go over to the website, click paste, and it pastes in your password. And so that way, you have a different password for every site. All my passwords are like 30 characters long. They’re ridiculously long, strong passwords, and they’re all different for every single site, and I can change them easily. I just go to my password program and say, “Make me a new password,” and then I copy that to the website, and I have — I mean, that is — I can’t tell you how incredibly strong it is to be able to do that. And the way we use passwords is so bad. It’s actually a huge security issue on the whole internet.
Joe Sanok: So what makes a bad password versus a good password?
RH: Well, I’ll tell you, it’s not just the issue of being short and easy to guess. That, of course, is important, but I’ll tell you the big thing that makes it bad is not that you use the same password on every site, but that you use the same password on lots of sites, because if one site is attacked and they get your password, then they can use it everywhere else.
So like Bob’s Discussion Emporium, which is kind of a low-risk site where you go and you talk about wood shipping or something, because we all have our hobbies, you go over there and you’ve got your password for that site, but you use the same password for Bob’s Wood Shipping Emporium that you do for PayPal or your online banking, and Bob’s Wood Shipping Emporium emails your password to you, which is one of the dumbest things a website can do, and a hacker intercepts that, sees your password, they go try that same password on PayPal, boom! They’re in your PayPal account.
Now, in our case, it’s even worse. They go try that same password on your electronic health record system or on your practice management system, and now, they’re in that system, and they’re actually reading your clients’ records. So like you want to use a different password in all of those systems. Password-managing programs actually make it really easy, and that’s a huge part of the security, actually is making security as easy as it can be for yourself. So password-management programs are A+. Absolutely use one of those.
Joe Sanok: So like “password123” isn’t a good password?
RH: No, unless you only use it on Bob’s Wood Shipping Emporium. If you only use it there, it’s not quite as bad.
Joe Sanok: I love it that that’s your example, Bob’s Wood Shipping Emporium.
RH: I have to make up something. We all have hobbies. There are a lot of sites out there.
Joe Sanok: Well, and that you visualize someone that wood shipping is their hobby just tells me so much about you, Roy. I love that.
RH: What it tells you, Joe, is that I’ve been on the internet for a long time.
Joe Sanok: Well, you know? I’ve noticed that the whole lumberjack look is really coming back with all the [? 14:59] and the hats and the boots, so you’re probably like the head of like really looking like hip and cool, and you’re the trend setter.
RH: That actually could have been you, Joe. I live in Portland. [? 15:11] city, so that’s why. I’m like, “Why wouldn’t you be in the wood shipping, Joe?” What are you talking about?
Joe Sanok: Just put a bird on it.
RH: Put a bird on it and then what you think.
Joe Sanok: Okay, so back to encrypting your computer, like what does that even mean? Like what’s going on in your computer when it’s encrypted?
RH: Well, we’re using a cryptographic algorithm, Joe, to — oh. Sorry. Well, what that means is it’s all about the computer’s hard drive, to get really specific, but to not get too technical, it just means the computer’s archive, like the backroom where it stores all its data. That’s the hard drive.
So when you say you’re encrypting your computer, really, what it means, you’re encrypting that one bit of your computer, that little piece of it, but that’s the piece where all your information is, all the information the computer has. All of it is in that one piece. It’s all of that backroom with all the file boxes.
And so what encryption does is it basically takes out the giant Jupiter-sized decoder ring. You got a decoder ring or decoder badge from the old Ovaltine. You can send in the five Ovaltine packs and you get a decoder badge, and your computer takes that decoder badge and encodes every single last bit of information in that storage space. And so what that means is the only way you can decode that information is with the decoder badge. Now, in this analogy, the decoder badge is your password. So it needs your password in order to be able to read its own self. The computer becomes trapped in its own mind, unable to do anything, to take action, to have any type of mobilization or self-actualization of any kind until you type your password. Without your password, it is incapable of action.
Joe Sanok: Wow! So what does that mean in regards to — like say I don’t — what does that mean in regards to — like if I do just hand-written progress notes, do I need to encrypt my computer if I don’t have digital progress notes on my computer or client information?
RH: Well, this is why talking to people about security can get kind of hard because it’s all dependent on situations, like if you ask me like, “Roy, what should I do?” I’ll be like, “You should do a risk analysis and make a risk management plan to develop a manual of policies and procedures for yourself.” And everyone’s like, “What is that about?” I’m like, “Well, if you don’t want to do that, at least encrypt your computer.”
So like you only need to encrypt your computer if your computer is handling health information. If your computer is just where you’d check an email and your clients don’t email you, like it’s like your personal email and you’re going to Bob’s Wood Shipping Emporium and that’s all you’re doing with your computer, then clearly, it has nothing to do with your practice. There’s no reason to encrypt it. If you just keep paper records, your technical needs are reduced a lot, but this is why a risk analysis is the beginning of the HIPAA requirement. Make sure that you really aren’t using your computer for health information. A lot of people, when I talk to them about risk analysis, when I do it with them, as I ask them questions and drill down, I realize, “Wait –” they’re like, “Wait, I actually do use this thing for health information. I’m checking emails. I actually write up reports about my clients. I type them up and then I print them out,” but the report still sits there, I don’t delete it. I don’t scrub it off the computer. So my computer has this sort of [?18:37] gathering of old reports or [? 18:42] me or something on those lines. So actually, there’s health information all over my computer in random little spots.
When you don’t need to worry about digital security
Other people, their computer never touches their health information at all, and to those people I’m like, “Don’t worry about the computer. We’re putting that outside of our whole discussion. Don’t worry about the other stuff. Worry about your paper.” But those with the scattering of reports and things, that’s where full-disk encryption is great because full-disk encryption is like a big fish net that just catches everything all at once. You don’t have to think about it, you don’t have to worry about it. You just put it into place and it protects it.
Joe Sanok: So it sounds like people may think they’re not using their computer for their business. They may not be doing progress notes, but if they’re even just checking email and emailing their clients, that’s a reason enough to encrypt their computer.
RH: Yeah, it’s certainly reason enough to seriously consider it, and considering what I just showed you, how easy encrypting your computer is and how inexpensive it is, it would be kind of silly not to, especially in this day and age. I mean, honestly, it’s something that — it’s kind of like washing your hands before you eat, honestly. At this point in life — I mean, except it’s very techy to know that part, I’m sure there’s a time in the world where it was very techy to be aware of germs, right, that you shouldn’t eat germs or whatever. There was a point when you had to be very techy to know that. So now, I think encrypting your computer is kind of a similar thing.
Joe Sanok: Okay. So it’s one of those super easy things that dramatically drops your risk.
RH: Precisely, Joe. Thanks. Yes, that’s right.
Joe Sanok: Super. Okay, so what are some kind of next-level things in regards to technology security? So people have encrypted, they’ve got good passwords, they’re really careful with how they have their client records whether it’s online or paper, what are other things that maybe are just blind spots for most people that you talk to?
RH: Viruses, malware. Yeah, you need anti-malware. That’s actually a huge blind spot. At this point, at least within the circle of people who read my stuff and listen to my rambling, they’re starting to get the encryption, especially because it turns out to not be that hard to do. Even if a Windows computer — I mean, there are more steps, but in the long run, really cheap and easy.
So they’ll encrypt their computer, but not really think about the importance of anti-virus or anti-malware, probably because they’re not in my techy world where I’m reading these websites where what they do is talk about what’s happening in the world of — it has something to do with a virus, a computer virus.
And so it’s actually really a huge part of what we need to protect against, and once again, it’s simple to protect against. You just get some anti-malware software. And you also want to have a policy for yourself about how you use the internet. You want to avoid — this is the phrase I love using. Everyone knows a lot of this: untrusted pornography websites. Don’t go to untrusted pornography websites.
Joe Sanok: So Roy, would you like to list your pornography-approved —
RH: My trusted pornography —
Joe Sanok: I’m just kidding. What are Roy’s approved pornography web — no I’m just —
RH: Yeah, I know. Everyone always asks. They’re like, “Can you give me your list of the trusted pornography websites?”
Joe Sanok: So okay. So untrusted pornography websites. Now, I’ve heard from people that are not as smart as you that people just don’t write viruses for Macintosh-type things because Mac is just so hard to hack. Is there any truth to that?
RH: That was kind of true in 1995. When I had a Mac Plus that was pretty true. Well, the problem is, people who are writing viruses for fun, which used to be the main source of viruses, which is 99% of them now, oh yeah. There’s a lot of Macintoshes out there, and they’re happy to invade them. They are harder to write a virus for because in some ways — partly because of a Macintosh being very standardized, and the fact that you can just press the button and get full-disk encryption is a side effect of the fact that Apple can just trust that all Macintosh computers will be like this. Windows isn’t like that; any random company can make a computer that runs Windows.
So it’s easier to find ways to get in there — it is more vulnerable, but I go to those websites where they’re talking about security threats, and it’s like, “Bla-bla for Macintosh.” “Oh, there’s the brand new interesting security exploit for Macintosh. Check out how terrible this one is, guys,” because that’s how they talk about it, and like — yeah, this is not meant to be scary. It shouldn’t be scary. Actually, they really aren’t that high-risk, but it’s simple enough to go get anti-virus.
Apple has told a lot of my consulting clients — the customer support has told them, “You don’t need anti-virus,” and they really want to just wring their necks and just be like, “Look –”
Joe Sanok: Roy, there’s a little bit of —
RH: Yes. Obviously, you need anti-virus on your Macintosh. It actually is low-risk.
Joe Sanok: The voice is cutting out a little bit here. Let’s turn off our video and see if that helps just for — are you on Ethernet, or are you on Wi-Fi?
RH: I’m on Wi-Fi. Ethernet is so 1999.
Joe Sanok: Well, let’s turn this off for a second.
RH: All right, sounds good.
Joe Sanok: Okay, so what about cellphones? Like what should people know about cellphones and security?
RH: So I assume you mean like smartphones, right?
Joe Sanok: Yeah. Or a flip phone that you’re texting with your client — no, just kidding. Yeah, smartphones.
RH: Well, I don’t know. I text with my clients.
Joe Sanok: Okay. So how do you — I guess — okay. How do you do texting with your clients safely and securely?
RH: I got you, Joe! Well, safely, so I mean a lot of it is about what you text about. This is why “risk management” is the word of the day, and I mean a real risk management, not the run away from risks, risk management that we tend to hear about. Like the actual risk management that HIPAA requires that the security world does, which is you look at what the real risks are, decide if those risks are acceptable or not, and if they are, don’t worry about them. If they aren’t acceptable, try to reduce them.
So with texting and email, the risks are really two kinds. There’s the internet risk of its — the internet being kind of like the highway, it’s delivering the text and emails, and there are various bandits on the highway that can take a look at that stuff. And then there’s [? 24:55], like there’s my phone. My wife could theoretically pick up my phone and read my texts. It means my client has the same thing. Someone in their home could pick up their phone and read their texts.
And so for the internet stuff, we know from data we have evidence-based information that says that generally, the hackers on the internet that can see this stuff go by, they’re looking for passwords, they’re looking for identity information, like Social Security numbers, place of birth, mother’s maiden name, that kind of stuff, they’re looking for credit card numbers and they’re looking for insurance info. We actually learned that recently. That’s become a big black market item, is the insurance ID numbers and things of that nature.
So other than that, there is very little incidence of them actually reading these emails or text messages. So if you leave that stuff out of the messages, the risk of the hackers on the internet is almost zero. We know this from evidence. However, then I got to look at the risk of what’s on my client’s end. So I actually have a risk questionnaire on my website. Like if you go subscribe to my newsletter, one of the things you can download is my little email and texting risk questionnaire that you can look at with your client to help you both decide how safe or unsafe texting would be for you guys, or how safe or unsafe email would be for you guys, and ask questions like, “Is there somebody who can access your phone who you wouldn’t want to see texts from me?” like an abuser in your home or just someone that you don’t want to know you’re in therapy. “Is there something like that?” “Are you using your work email address?” in which case, be aware your employer could potentially read my emails too. And they go, “Oh, I am using a work address. I don’t want my employer reading those emails.” I say, “Okay, do you have another address that’s not your work address?” and we switch.
There’s a lot of collaboration with the client on this one, and this is actually a huge part of my — that in my CE Program, my webinar, that’s a huge part of the first webinar, is talking about how, as mental health clinicians, we are actually very involved with our clients, and we collaborate very heavily with our clients, and we can collaborate with them on their own security so that we can use our technology in ways that work for us and are also secure and are also HIPAA-compliant.
Joe Sanok: That’s awesome. And I think that it sounds like with all of this, it’s — okay, what could happen realistically, and let’s kind of get that low-hanging fruit out of the way first.
RH: Yeah, exactly. Right.
Joe Sanok: So if you’re seeing a client that is living with an abuser and you text them, “When do you want to do counseling next?” probably not the smartest thing to do —
RH: Not the smartest move, no. And you don’t have to have HIPAA to know that, right, Joe?
Joe Sanok: Right.
RH: You just tell them, look at the circumstance and go figure that out, yeah.
Joe Sanok: But I think that often what I see happens is the things that come to light, whether it’s through a lawsuit or other things, is people not really just thinking through, “Okay, what could happen here if I do this?” and so taking that time to think through whether that’s a risk analysis or going even deeper into some of the teaching you’re doing. I think it’s training your mind that seems like to think in a way of, “How do I keep worst-case scenarios that are easy to solve totally out of the way?”
RH: Yeah, absolutely, Joe, and that’s really true. And I think that’s a lot of what I’m really — I find myself wanting to kind of transform a paradigm in our whole industry. No pressure, right, to do exactly that, exactly what you’re saying. I mean, I’m just talking to you right now and you’re getting it. On your phone, goes right along as far as I can see. You’re saying back to me something that tells me you totally understand, and you’re going to go back and say, “Oh, right. Well, what is on my computer? Oh man, I should have encrypted it a while ago. Okay, I’m going to do that. Oh, I’m going to go get an anti-virus, too.” Risk analysis would be what you would need to do if you want to step back and get a metaperspective and take a big perspective on everything, and it’s something probably we all should do, and I’m sure you advised, Joe, as private practice consultant, I’m sure you advise people to do a similar thing with their business plan.
Joe Sanok: Oh yeah, absolutely.
RH: Right. I mean, it’s the same thing, just for the security part. It’s basically like a business plan.
The questions that made Roy laugh out loud
Joe Sanok: Well, and this is more of a personal question, but do you ever feel like you’re shaking people and they — like why is this so hard, because what you’re saying to me makes perfect sense, but do you ever feel that way like you’re shaking people and they’re like, “Why are you shaking me?”
RH: I did at first, but then I — I’m not a counselor so I’ve gotten rapport with what’s going on and figured out what it is, and actually, it didn’t take long to get that rapport because it’s so clear. All the things that prevent people from just going, “Yep, I’m going to do a risk analysis then, no problem.” And a lot of it is things that make a lot of sense, like there aren’t really materials that make risk analysis make perfect sense for the average mental health clinician.
As much as the HIPAA law is written to change with your size — so it’s different for a small group than it is for a big group, and that’s on purpose, they still didn’t really think of the situation where you’ve got this solo person who does everything. They always assume you have somebody.
Joe Sanok: So when you say small versus large, is there a specific number like when you have this many clinicians, or is it — how do they determine that?
RH: Well, the HIPAA security rule, which is the part of HIPAA that I really concentrate on, that’s the technology stuff. That actually is written to be like any other just sort of good security standards. Like it actually just echoes the general sort of academic field of security. And in that field, when you’re doing security, everything’s a balance of risks and like cost-benefit analysis. So like you may see, “Okay, here’s a risk and I got to do these things to prevent that risk,” but for an entity like myself, an organization of my size, that thing is too expensive, so I can’t do it.
So for example, back in 2003 when the HIPAA administrative simplification was released, that’s when people really got the HIPAA law in 2003, at that time, encrypting your computer was basically something — you basically had to be like an intelligence agency to do that. And then the intelligence agencies make sure of that. It was like against the law to use encryption.
So that time, if someone said, “You need to encrypt your computer,” that’s going to be the standard for protecting the information, you say, “I’m a solo dude. I can’t afford that.” In the security world, we say, “Okay, you can’t afford that.” So what we’re going to do is we’re going to find some other way to manage the risk, and we might have to accept some of the risk. We might just have to sit with it and accept it.
Joe Sanok: And does that mean that you somehow document that? Like I know that I should do this for $100 a month, I can only afford this that’s 10, and you write that out? Or do you just have it in your head?
RH: No, you write it up — no — yeah, because that’s part of the risk analysis process, is you can consider what risk management measures you’ve got to use, like encrypting as a risk management measure. Making a policy that says, “I always turn off my computer when I’m not using it,” that’s a risk management measure. Policies are actually a huge part of risk management, not just passwords and encryption and stuff. You can say that these are my risk management measures or we could do this risk management measure. Our cost-benefit analysis tells us that the benefit we’ll get from it is not worth the fact that it costs us so much, like so much of our capability. Like it doesn’t get us enough benefit to be worth doing that, so we’re not going to do it.
And this is part of why doing a risk analysis is so hard for you and me. You know, I’m a big techy. It still can be hard because I have to kind of figure out, like HIPAA is saying to me I have to do — and I’m going to throw a big phrase at you, “You don’t worry about it.” Just let it slide over, right? I call it “The Information System Activity Review”. That’s one of the things that the HIPAA law says that you’re supposed to do, like you’re required to do. And I’ve been struggling with that for years. Like how do I tell people how to do this, because the way you do this is you get out these cryptic logs of like network activity, and somebody like scans through them looking for suspicious activity, and I’m like, “I can’t even give — I’m not going to tell the counselor to do that. Like, how am I supposed to do that?”
Joe Sanok: Well, it’s kind of humorous to think of, “Okay, I am going to get a log of what I have been doing so I can hold myself accountable to myself.”
RH: Well, but that’s the point. You’re supposed to look in the log to see if somebody else did something.
Joe Sanok: Okay.
RH: Right. That’s what you’re looking for, but I don’t even know how to look for that, or I could learn to look for that, but it’s a pain in the ass. [? 33:40] counseling.
And there are other things about Information System Activity Review. I can do a port scan, like hire a tiger team to scan your ports and try to break into your system, and like blah-blah-blah, and I’m like, “No, we’re not doing that. It’s not going to work.” And it took me a couple of years to kind of get into understanding that. What it is, is for our size of organization, you and me, that’s the one person, maybe the one person with a couple of helpers, that’s just outside our reach. When we do the cost-benefit analysis, we just say, “Well, that’s too costly.” Like I would have to hire staff whose entire purpose is to do that, and the benefit I would gain from it is so minimal, it’s not worth it, because if it’s just you and me using our laptops and we log in to like an online record system or an online email system, like some other company is doing that for themselves, they’re doing it for our accounts, I just need to cover my laptop. Spending the resources to do those big, elaborate things that HIPAA mentions is not worth the benefit, which is practically nothing. Like we don’t get a lot of benefit from doing that with our own computers.
So in the materials I’m working on — by the way, I’m working on a workbook to help individual practitioners do all this stuff, Joe, did you know that?
Joe Sanok: Did you mention that in one of your emails that you’re working on that?
RH: I did, yeah. A couple of days ago.
Joe Sanok: Yeah, I saw it in there. So I do read your stuff that you send out.
RH: Awesome, Joe. Glad to hear it. So in that one — so like I’m building these template policies for people to use because part of the problem is I’m like if I really sat down with you, you could come up with your own policies. You totally could, but I’d have to sit down with you to help you understand what you need to address and how to address this. So instead, I’m giving these templates of policies, and then you guys can then sort of figure out what little customizations you need for your circumstance.
Joe Sanok: Nice.
RH: So for the Information System Activity Review — there’s your big jargon again, for that one, my discussion just has a discussion of these parts of this process are just outside the scope of this group’s capabilities. It’s like the cost is not worth the benefit, and that actually is a normal thing in the security realm. And I didn’t make that up. I’ve talked to like certified security experts about that one, and that’s generally the agreement, is that’s just not really reasonable for us.
Joe Sanok: Well, Roy, I feel like we could talk forever, and that’s why it’s good you have your webinar and so many resources on Person-Centered Tech. One question I always end the interview with is, if every counselor in America were listening right now, what would you want them to know?
RH: I would want them to know that we are offering a whole package — no.
Joe Sanok: Today only.
RH: Today only — no. What I want them to know, I want them to know that they can do what HIPAA is asking them to do without it being about HIPAA forcing them to do it. And they can do it because they want to help their clients, because they want their practice to be solid, because they want their business to run well, and they want to take care of the people who’ve entrusted their health to you, that you can do all of the HIPAA stuff for those reasons and be totally HIPAA-compliant.
Joe Sanok: Awesome. And if people want to get a hold of you, what’s the best way for them to connect with you?
RH: Go to personcenteredtech.com and you can find contact or find info or read articles, all kinds of free stuff.
What Roy is doing next for the audience
Joe Sanok: Awesome. And Roy is going to be one of the first consultants with the new How to Become a Consultant podcast I’m launching later in 2015, so you want to listen in when he’s on for a whole week. So Roy, thank you so much for being on the show again. You always give us so much value, and we just appreciate your time.
RH: Well, thank you, Joe. I’m always glad to be here.
Joe Sanok: All right. Have a good one.
RH: You, too.
Joe Sanok: Well, thank you so much for tuning in today. Again, the resource that I have been finding useful is Skype, using that with screen share to collaborate with people and come up with new ideas. Roy, how much awesome information — I hope you were mentally taking notes. If you were running while you were listening, if you were driving or snow blowing, or whatever it is that you do while you listen, just know that you can always go to our show notes, practiceofthepractice.com/session65, and all the links will be there in that blog post. You can also listen to it live, you can share that with your friends. I would love for you in the comments section to just let Roy know what you think of this interview. It was just — he took some time out of his day to just give us so much information. It’s so awesome.
So thanks for letting me into your ears and into your brain. I’m so glad you’re part of this community. Have an awesome week.
Special thanks to the bands Silence is Sexy and Kellee Maize. We really like your music.
This podcast is designed to provide accurate and authoritative information in regard to the subject matter covered. It is given with the understanding that neither the host nor the publisher nor the guests are rendering legal, accounting, clinical or other professional information. If you need a professional, you should find one.