You’ll hear episode 7 of The Practice of Therapy podcast with Roy Huggins in this throwback. He talks about tech, HIPAA, self-care, and the business side of private practice. First, Roy reveals details about his private practice journey and how he was able to use his business and technology background to start Person-Centered Tech. Roy also discusses the ethics of using technology and doing it in a way that protects clients and keeps their information secure. Later, we chat about the differences between being “HIPAA compliant” vs. “HIPAA secure.” Tune in for the importance of financial self-care in private practice and why clinicians must prepare for the constant technology changes in running a private practice.
Meet Roy Huggins
As both a tech expert and mental health counselor, Roy Huggins is the bridge from the digital world to real-world client care. His clear translation of legal and technical jargon into clear and actionable information will help you apply tech and security information directly to your business and your clients’ care.
His team of PCT experts (meet them here!) are here to show you what happens when you truly understand and integrate technology into your practice. Over and over, we’ve helped clinicians find increased efficiency and effectiveness in their practice management. The weight is off their shoulders and they can step confidently into their practice decisions.
Roy Huggins died suddenly and unexpectedly in his home in Portland, Oregon. He is survived by his wife, Electra Allenton.
He deeply loved finding his life’s purpose in helping others. One of the largest ways he helped others was helping others help others. That was the founding purpose of Person-Centered Tech. He derived deep joy from this work, right through to his very last moments.
If you would like to share what Roy meant to you, please do so on the memorial page for celebrating Roy’s life.
Financial Self-Care In Private Practice
Technology and the financial side of private practice overlap. In particular, the technology landscape is constantly changing, and practitioners need to be financially prepared to handle those changes as they come up. Be sure from the get-go to start creating a financial buffer for yourself. Put away at least three months', six months', or even a year's worth of money that would support you if you didn't see a single client.
This emergency money should not go into your savings account. Instead, this money needs to go into your buffer account. Many people may view this account as greedy; well, it’s not! You want to get out there as a therapist to help people, not to be rich or to be a money-grubber. It has nothing to do with greed and has everything to do with financial self-care. Having a profitable practice only serves to help clients.
HIPAA Secure vs. HIPAA Compliant: What You Need To Know
HIPAA (the Health Insurance Portability and Accountability Act) provides rules around keeping patient information private, and there is a distinction within it that we need to understand. HIPAA secure means that we put things like encryption on our devices and make sure that client information is stored securely. In other words, if someone were to hack one of your devices, they could not read any of the information stored there.
HIPAA compliant, on the other hand, means you are following the rules that have been put in place around protecting our clients' personal information. In particular, it means having measures in place should there ever be a breach, and making a breach difficult for someone to carry out. For example, if someone were to steal your computer, none of the information on that computer would be readable or valuable to the thief. Read more here: https://practiceoftherapy.com/hipaa-anxiety-private-practice/.
Ways To Protect Your Information
- Fully encrypt your devices
- Use two-step authentication
- Use robust passwords: 10 or more characters using letters (upper and lower case), numbers, and special symbols
- Store your information in the cloud (for example, you can set things up to keep your client records safe and HIPAA secure using G-Suite)
HIPAA, Texting, and Using Signal
Phones sort of fall into a HIPAA gray area. Phone providers, at least the traditional "Ma Bell" companies, are not required to give BAAs. But there is an app for texting called "Signal" that is more secure, and the best part about it is it's free! Signal provides state-of-the-art end-to-end encryption. Privacy isn't an optional mode — it's just how Signal works. Learn more about them here.
When it comes to HIPAA and phones, something to keep in mind is always to keep it ethical. With any communication with clients, disclose to them the risks of communicating or sending any information over the internet. Certainly, they have the right and the prerogative to take those risks, but they need to be fully informed. Ethically, we need to do everything possible to protect confidentiality.
Gordon Brewer: Hello, I'm Gordon Brewer, and welcome to The Practice of Therapy podcast, where we explore the business and clinical sides of running a private practice. Well, hello, everyone. This is episode number 231 of The Practice of Therapy Podcast. I'm Gordon Brewer. Glad you joined me for this very special episode. You know, in the last few weeks, I've had a conversation with my good friend, Dr. David Hall. And we were just talking about podcasting and throwing around some ideas. And he planted this idea in my head of doing some throwback episodes. One of the things about this podcast that's still hard for me to get my head around is that I've been doing this since 2017. And so it's got a lot of episodes under the belt. And for those of you who might be newer to the podcast or just discovering it, I'd invite you to go back and listen to some older episodes. But in this particular episode, I'm doing a throwback. And what makes this also very special is that I'm going back, we're going back all the way to episode number seven for you to hear my interview with the late Roy Huggins. Roy was the person behind Person-Centered Tech, which is still going. But unfortunately, we lost Roy in November of 2021. And so in many ways, this is my way, a small way of kind of honoring him and honoring his legacy, and all that he has contributed to our profession. I know that his wife, Electra, and his team are still working hard with Person-Centered Tech, which really is one of the best resources I know of for the tech side of private practice. And Roy was just really kind of my go-to person, one of my go-to people for learning about the tech side of private practice. The other person that I'll have to do a little quick shout-out to here, because Roy's story and my friend Rob Reinhardt's story intersect a lot, because Roy and Rob were doing a podcast called Therapy Tech.
And I immediately thought of Rob when I found out about Roy's passing, but I was having a conversation with Rob here recently, just remembering Roy and just his wicked sense of humor and his dry sarcasm, which was never, never malicious in any way. But Roy was just a gem of a person. And so looking forward to you hearing this interview. And Roy and I talk in this interview about HIPAA, and the financial side of your business, and some great wisdom that is still true today, even though it's been, oh my gosh, how many years now, almost five years since I interviewed Roy for The Practice of Therapy. But anyway, looking forward to hearing this throwback episode and getting to hear again my interview with Roy Huggins. And also, before we get to my interview with Roy, I'd love to hear from you what you would like to get more of from The Practice of Therapy. And, you know, I think one of the things that's really always important when you're in a space like this is to check in with people and just see what is it that they need? What is it they're looking for? What are the resources that you're wanting, and how can we be of support here at The Practice of Therapy? And so if you'll go over to practiceoftherapy.com/survey and just take this very short survey, and I promise it's very short, it'll only take you just a few minutes to do, that will let me know what you're needing and how I can better serve you and really start pulling more and more resources together, because I think that is something that we're all needing. We're all looking for ways to do different stuff. So anyway, be sure to check that out, and also, while you're over there at practiceoftherapy.com, be sure and check out our resources, in particular the free webinars that we've got out right now. I've gotten a lot of requests for more and more free resources. And I get a lot of comments around that.
But we've got the webinars that are out now that are automated webinars, and you pick the time that you want to participate in the webinar. So go to practiceoftherapy.com/webinars to find out more about what our offerings are there. So before we get to my interview with Roy, I'd love for you to hear from our sponsor of the podcast, TherapyNotes.
Gordon Brewer: Well, I hope you enjoyed getting to hear that episode with Roy. You know, I'm thankful for his life and what he represented in our profession, and the fact that he was such a caring person and really, truly wanted to help people. So, again, rest in peace, dear Roy, and, you know, be sure and check out Person-Centered Tech. If you don't know about them, they do have some of the best resources around the tech side, and HIPAA and all of that. And just, you know, Roy lives on through that organization. And also go back, and I think you can still find them in your podcatchers, the Therapy Tech with Rob and Roy. And so Roy and Rob, I can't remember how it goes. But again, you'll get to hear some more of just the spirit of Roy through those mediums. So again, I'm grateful for Roy and his life. Also, be sure and check out our sponsor, TherapyNotes. You can find out more about them by going to practiceoftherapy.com/therapynotes.
And also be sure and let me hear from you on the survey around what resources you're looking for. Again, I'm always looking for new stuff to do to really kind of help people out in our professions. And it's good to hear from you too, about what you're looking for and how we can kind of pull those things together. And also, before we cut out here, if you'll be sure and take time to follow us, or subscribe to the podcast wherever you might be listening to us now, that way that just kind of boosts our ratings. But also leave us a review and a ranking; again, that helps us boost our ratings. Last I looked we are getting a little over 5000 downloads a month, which just blows my mind. So thank you for following me. Thank you for listening to the podcast, and looking forward to many more great episodes to come. You have been listening to The Practice of Therapy podcast with Gordon Brewer, part of the PsychCraft network of podcasts. Please visit us at practiceoftherapy.com for more information, resources and tools to help you in starting, building, and growing your private practice. And if you haven't done so already, please sign up to receive the free private practice startup guide at practiceoftherapy.com. The information in this podcast is intended to be accurate and authoritative concerning the subject matter covered. It is given with the understanding that neither the host, guests, nor producers are rendering legal, accounting, or clinical advice. If you need a professional, you should find the right person for that.
This episode is brought to you by TherapyNotes. You can check them out by going to practiceoftherapy.com/therapynotes. They're the leading electronic health record system for private practices. And they're who I use in my practice and couldn't do without them. So be sure and check them out at therapynotes.com.
As your practice grows, the systems and processes you have in place will keep your practice running smoothly. That is why it is important to have an electronic health record system that is specific to mental health providers. TherapyNotes is a complete practice management system with everything you need to manage patient records, schedule appointments, meet with patients remotely, create rich documentation, and bill insurance, right at your fingertips. Their streamlined software is accessible wherever and whenever you need it. They are who Gordon uses in his practice. And did I mention that they are one of the top-rated EHRs for mental health private practices? Their support is also second to none. Be sure to check them out at practiceoftherapy.com/therapynotes. Be sure to use the promo code Gordon to get two months free.
I'm so happy to have Roy Huggins with me today. Roy, for those of you that don't know about Roy, you really need to find out about Roy. Roy is the ultimate guru when it comes to tech and counseling and private practice and any sort of mental health counseling. He's my go-to person. Roy is the person behind Person-Centered Tech. And I'll get Roy to tell us more about that. But Roy is a licensed professional counselor with an NCC designation. Before going into the mental health field, he was a web developer and was trained in all things tech. He is an instructor and advisor in several different capacities. He's affiliated with the Zur Institute. He teaches ethics at Portland State University in their counseling program. He's been an advisor for several different boards and licensing agencies. And, well, Roy, glad you're with me today.
Yeah, yeah. Thanks for having me.
Yeah. So you know, one of the things that I know that I have always worried about when I went into private practice, or made the transition into private practice, was doing things right. But also the big, big green monster out there we call HIPAA and nothing. Although it's, you know, I shouldn't have such a negative spin on HIPAA. But I think for a lot of people, it's very intimidating. But yeah, tell us about your private practice journey and how you've gotten to be where you are, and a little more about yourself. And, yeah, and some stuff that you would want people to know.
Yeah, I mean, good. I'm glad you asked the private practice journey part, because that tells us a little bit about how I came to understand HIPAA and why it's actually not as scary as it is, it should be, right? Yeah, okay. So I mean, yeah, I was a web developer before grad school and I was a contractor, I was independent. So I've actually been self-employed since I finished college. Except for the brief, like the three-year stint when I taught in Japan, I was employed by them, of course, but that's the only time I had been an employee, other than teaching, you know, part time, like teaching at PSU, for example. But so for me, private practice, the business side was like natural, it was like, of course you're gonna go into private practice. That's what I always, right. And that made a huge difference. And one part of my journey to consulting has been learning, kind of understanding how not everyone has the business outlook I do, for example. And that's been very important because private practice is certainly available to all of us, but some of us are not naturally inclined towards business, and that's something that I've had to recognize because I really need to be able to help people with that. Even if I'm just with HIPAA, I still need to help them understand the business aspects of that. Yes, yes. So for me, I got back from Japan, it's time to start my private practice, the business side's easy for me. So that's faster. But you know, of course I had a fantastic supervisor at the time and he was extremely helpful and supportive. So a lot of things went well, partly just my background, partly I just got lucky. I had a great advisor and great peers to help me through it. Portland's a good town to go into private practice in. Lots of Portlanders love their therapy. It's not hard to get clients here. It may be hard to get wealthy here.
Not actually not hospital, but like you Bay, certainly you can live on a private practice here. And I get lots of clients. It's very easy to make that kind of practice here.
Yeah. Step Portland is definitely on my bucket list to come to I have not done that part of the country yet.
Yeah. It's a well, you know, obviously, it's beautiful. Here. You're in. I want to guess you're in North Carolina.
I'm in Tennessee, Tennessee. I knew that. Northeast Tennessee. Yeah. Beautiful place here to mountain. Yeah.
So but yeah. Oh, sorry.
Go ahead. No, I was just gonna say, tell us too about Person-Centered Tech and how you got that started, and the purpose behind that?
Yeah, I mean, it's interesting, because it does relate to the private practice journey, because essentially, what happened was one of my first clients, and of course, we have this situation where I'm working for, I'm charging peanuts, because I'm more concerned about getting my hours to finish my license. And so of course, what happens is the people who need the most expert counseling go to the newest counselor. Right? Yeah. Which is, I think, a big problem we have, because these are people who are falling through the cracks in public services. So they need it, they end up going to outpatient private practice, but really need a lot of help. Luckily, these days in Oregon, that's a lot better than it was when I started. But you know, they're still wonderful people. I wanted to help this one young woman who was diagnosed with borderline personality disorder, who's just in an immense amount of pain all the time. And she really couldn't communicate in my office, and I wasn't good enough yet at all this to really understand it. And that's too bad. I mean, I think I helped her, but in the way that a caring person does, not an expert at helping somebody with that kind of disorder. So, but I think I did okay, but I could have done better, but I was new. But the important thing was, she would not really be able to talk about what she wanted to talk about in session. But she could text me. Wow. Right. And she would text me, like, enormously long messages that are actually really just what I was asking her to talk about in the session. And she'd do it on a flip phone. You know, I mean, this was, you know, smartphones are still new. I didn't have one. I did have one. But I was kind of, you know, because I was like, ooh, I love smartphones. And you know, she'd be doing boop, boop, boop, boop, boop. Like, that's like her comfort item. And I asked her about it. And she's like, I can't sit here across from you and, like, talk about the inner hell.
Yeah, but my phone's great. It's my comfort item, I can do that. So one of the challenges for me, I mean, you know, I knew enough to be self-dangerous, because I knew enough about the internet and electronic transmissions and texting, having had that technical background, that I knew that there are confidentiality risks involved. And of course, coming from just the ethical perspective, it was, if there's a confidentiality breach or disclosure, that's unethical. That's all there is to it. And I was like, this has to be unethical. Right. But is it really ethical if I don't let her do what helps her get better? Yes. Uh huh. And that's when I started to study it. And that's basically, in a nutshell, the rest is, you know, how Person-Centered Tech came to be.
Wow, wow, that's great. I had read up a little bit about how you, I didn't know that story. Hadn't heard that story. One of the things too, I wanted to mention is that you and Rob Reinhardt also started a podcast. And I've been listening to it. And it's Therapy Tech, I believe is the name of the podcast. Yeah. Therapy Tech with Rob and Roy. Yeah. And it's really great stuff. And I'm looking forward to what's coming down the road with that. Just covering everything tech so far, right?
Yeah, and every episode is it's we only do it once a month because each episode is meant to be kind of a deep resource. Yeah, right. Yeah. So yeah, it's really fun to do.
Yeah. So if someone were going into private practice, maybe they're working for an agency or thinking about delving into it, what are the, I know this is going to be a very broad topic, but what things would they need to know about on the tech side of things, okay, in terms of, you know, how to set up their computer? And, you know, I know you're a big fan of G Suite and Google and just being, because it's something that we can use that's HIPAA, right, secure. And here's something I'm going to point out that I learned from Roy: saying HIPAA compliant is really not a very good descriptive way of saying things. About a product, about a product. Yeah. So, but tell us some about that. Oh, the HIPAA compliant thing? Yeah, the HIPAA compliant yet secure. And then just, you know, if somebody were new to this, what would they want to take into consideration and think about?
Yeah, I'll just hit the compliant piece first, and then kind of get to the, you know, the tech list, because that's actually the topic of the first podcast with Rob, is just me kind of checklist, you also have an article about it, your show notes can be full of useful links, trust me. But the thing with HIPAA compliant, and I'm noticing more and more, finally, finally, I'm starting to see people out there talking correctly about it. And it makes me so much happier, because you still see experts saying, I mean, this is stuff that, like, in 2010, when I started doing all this, you saw people being like, oh, you should use a product that does a business associate agreement, which is accurate, of course, and they should claim to be HIPAA compliant. And after I really started to understand what it's about and see how that impacted people, it just makes me shudder every time. Because what happens is, when you say your product is HIPAA compliant, what happens is, like, let me just ask you, Gordon, like, if you see a little seal on the website, where they're like, we've got a caduceus and this is HIPAA compliant, what is the implied meaning of that to you? What does it make you think about this product?
Well, it makes me think that I can use it, and I'm not going to have big brother breathing down my neck. Right? Yes.
Yeah. Yeah, that's a really good way of putting it, right. Because your mind, right, it just takes it all off your mind and you're fine. You don't worry about it. And something that you may not voice, what you may be thinking, is that it implies that there's probably some sort of either certification process, or a checklist that the government releases that vendors can use to make sure they're compliant. Right. So like, it's a safe harbor checklist. And it's not at all unreasonable for you to assume that when you see this, because that's true of a lot of other similar regulations. Right, right. Because there's, you know, like PCI DSS, for example, which is a, it's not a sign of law. It's an industry standard, but the industry actually does have certification programs for making products PCI DSS compliant, certified, right. And that's a really normal thing you see out there, like you look at electronics, and they'll say they're like, FCC, they pass FCC regulations, and there's an actual certification for that. Right. So like, when you look at HIPAA compliance, there's nothing like that. It has zero meaning. Yeah, or zero actual technical meaning.
Right, right. Yeah. And, yeah,
so what happens is you get the feeling that use of the product requires no new efforts or new considerations on your own part, which is inaccurate, and you end up doing something non-compliant, because you end up using the product in a non-compliant way.
Right, right. Yeah. And I think it's, you know, one of the things that was helpful for me in learning about this is just really understanding how the internet works. And I believe it was you I was listening to, maybe with Joe Sanok, on the Practice of the Practice, probably, yeah, I think is where I heard this, but it's almost like this analogy of, you know, when you're sending something on the internet, it would be kind of like me going out the front door of my office, and I see somebody walking down the street, and I say, hey, are you going this way? Would you take this file folder in that direction? But don't look inside. But if you're taking it this way, you know, could you take it down to the next person you see going where this is supposed to go? And so that was important, I think, a good visual for me in thinking about that. So how can we protect ourselves? And, you know, all of that, but really, ultimately protect our clients. That's what it's all about.
Well, the big thing, and it's kind of funny. You asked about tech, and that's absolutely right. So tech, and it still comes back to that business piece, which I'm sure you talk about all the time, because you know how important that is. Right? Right. And the thing I'd say there that I encounter all the time is, people don't, and this is a generic fact that just impacts the tech, and so we've got to talk about it, which is that people going into private practice don't give themselves enough financial or temporal buffer to take care of the punches they've got to roll with, right, or to take care of, you know, when things shift and change, and they've got to make a shift or a change, like, you know, when they suddenly realize that, you know, if someone starts to get into the tech for their practice without thinking about the ethical implications or legal implications of what they're choosing, suddenly later they find themselves having to pivot. Having already gone in one other direction, they've got momentum going this way. Now, you've got to pivot another way. And so it's even harder at that point to change what you're doing. And it costs you time and money. And you haven't given yourself enough time and money to do that. And so suddenly, you find that, you know, you're doing it wrong, and you can't change it. And it feels terrible.
Right, right. Yeah, and so I think, yeah, it's all the more important to set it up right, and really do your research on the front end, you know, how to set things up.
Yeah. Also charge enough that you make more than you need.
Yes, yeah. Yeah, you got to know your numbers. Yeah, I really do. I think that's something that, you know, and I think I know, at least the way that I did it. When I went into private practice. Oh, gosh, 10 years ago, I kind of worked backwards. I kind of said, Okay, this is what I need to survive tomorrow. Yeah. And then just kind of work backwards from that and, and figure that out.
Good for you. What's your background? I mean, do you have a background in business? Well,
yeah, well, what's interesting is I did work in another industry. I was a funeral director, and I worked in the business for years. And plus, I worked then in the nonprofit sector after that, in the mental health field, but I learned a lot about business, believe it or not, working at the funeral home. That makes sense. But then also working in the nonprofit sector, and particularly when I was a supervisor, having to make budgets and all that sort of thing. So that was kind of how I learned it. But as far as running a small business, I've had to learn a lot of stuff the hard way.
Oh, of course, yeah. But it's a big difference. As I'm sure you know, when you're consulting with people coming out of the agency, meaning coming out of employment life and the solvent, life right now, just knowing that basic idea of, there's actually pretty simple math that just doesn't require anything beyond, you know, what's on your basic calculator. Right? Yeah, that can actually help you, like that can be like the miracle from heaven in terms of helping you figure out what you need, which is to just figure out how much money you need, add a little bit, right, and then divide it by the number of clients you can work with.
Right. Right. And I would say also, like you alluded to earlier, be sure from the get-go to start creating a financial buffer for yourself. Exactly. Yeah. You know, I would say, at least in my way of thinking, put away at least two or three, six months, or a year's, even better, worth of money that will support you if you didn't see a single client.
Yeah. And that's not money, that's not like in your savings. That's your buffer for living. Right, right. Yeah. Yeah, that's really important. I think a lot of our colleagues see that as greedy. Right? Like, because if, I mean, back off on that, and kind of look at it from that perspective, it makes perfect sense. Because like, you want to get out there to help people, not to be rich, or to be a money grubber or something along those lines. And that's certainly, definitely our social work colleagues, that's where they come from very much, even if they don't come from that personally, they sort of develop that sense as social workers. And that's fine. There's nothing wrong with that at all. And neither of us is trying to tell someone to be greedy or money-oriented. What we're trying to tell you is to do financial self-care, right? Yeah, the same way I tell you to do your yoga or whatever you need so that you're not burned out when you see your clients, right. You have to see it the same way. Because if you don't, you will get burned out and you will not serve clients.
Yeah, yeah, you're exactly right. And that's, I think, you know, self-care is something that sometimes gets put on the back burner, and I would say financial self-care as well. Making sure that so,
so, okay, so back to tech, the thing I'm so yeah.
So yeah, so with tech, I know you could probably spend hours just talking about things that people could need and the tools they can use and that sort of thing. But, you know, obviously, we've got to have a computer, but to just pull a computer out of the box and start going to it, we need to do a little more than that.
Right? An Apple TV is a good computer to start with, because it's nice. No actually I'm sorry. Apple TV, it's from like, 1981. Okay, I'm going to nerdy sooner.
Okay, that's fine. That's fine.
It's a bit heavy to carry around. But yeah, it's kind of funny is I might be like, do you really need a computer and it's like he kind of it is a bit hard to operate a practice that's going to use electronics at all without having a real computer, which can mean a laptop or a desktop. Like some people, I worked with some people who do everything with tablets, like iPads or Android tablets. And there they are okay with that, but there's a lot of limitations. They just accept limitations and work with them. And but for most people, you want to have a real computer, in addition to whatever handy mobile devices you have, because a real computer is necessary for the the more heavy lifting work you might need to do even even if you only need to do it occasionally. But they're definitely people who prefer to do their note taking, and all their practice management system stuff on a tablet. And they like work. So that's great. That's with me. But at some point, there's some feature you need to do, or some tasks you need to do that can't be done on a tablet, that does happen, which is why I recommend people strongly consider getting a computer. And so at that point, we've looked at the fact that so okay, you gave the great that analogy about the internet, where you're handing a file folder to somebody and saying, Hey, take this, se until you're not going se anymore in the hands of the next person who's going se until it makes its way to Miami. Right? Right, right? And then, and then so you're like, don't look inside. Right? So of course, the thing we do on the internet to actually, instead of just saying don't look inside, which is what we used to do on the internet before about 9095 Don't look inside is now what we do, because we can't trust that anymore, is we encrypt and that means that you scramble the data. So like, if you encrypted that folder, literally what it would mean is that you rewrite all the contents of the folder in a secret code. 
That's exactly the same thing. And I'm not even simplifying, I'm actually saying exactly what it is. Right. And again, encryption is no more complex than that. I really want everyone to know that. And so at that point, someone can look inside all they want, and they see a secret code that they can't break, because encryption is easier to make than it is to break. Right? So this comes back to the computer thing, because if you're going to put any client information on your computer, you want it to be encrypted. Right. And so how does the encryption get unlocked? Well, it should be only your password that can unlock the encryption. That's the and so people ask. Okay, so how do I get encryption on my computer? What software do I use? That's the logical next question. And so this is where I specify that we don't actually mean you should just encrypt those files, we mean, your computer should set itself up so that every single bit, byte and whatever that goes onto the hard drive, every single thing it puts into its long term memory, every single one should be encrypted, before we get into long term memory, before it gets stored, right, and we refer to that as encrypting your computer, even though that phrase is confusing, because only information can be encrypted, a computer can't be encrypted. But it's okay. It's just a shorthand that we use to mean the computer is set up so that it doesn't save anything, anything at all, not even one bit, without encrypting it first. Yeah. And what that means is that if someone gets your computer, they can even like open it up and pull out the hard drive. And the information on it would be encrypted. So all their efforts would be for naught, they will be unable to see anything you do. And the beauty here is that HIPAA's Breach Notification Rule, which is the rule that governs, like, if you have a security breach, what do you do? Right? That's the rule for that.
Right, actually has a safe harbor that says, if you do that thing I just described, which is called full disk encryption or full device encryption, the safe harbor states that when you do that, you can assume that a breach did not occur. Yes. Right. So like, that's the advantage, it's very cheap, very easy to give yourself this massive protection with that computer you use.
Right? So I know that it's done differently on different devices. But where could they work? Could someone get the information about how to do that?
Well, they can go to personcenteredtech.com. And go up to free articles and down to the HIPAA article series. We have five series of articles that give the educational introduction to these five topics. And it's for free, you can just read all of them. And if you want to sign up for our newsletter, we can actually email the articles to you in these sort of two-week increments so that you can read them slowly over time, which some people prefer to do. But yeah, one of the articles in there is about that safe harbor in the HIPAA rule and how you encrypt your devices, right? You know that it's really easy. The software you need for the Mac is built into it. For Windows it's built in if you get the Pro version. Android phones, you just flip a switch. iPhones, you just set a strong passcode. It's all really actually very easy and inexpensive.
Yeah, yeah. So, tell us more about passcodes and passwords. And yeah, I know. Like, with my iPhone, it's got a, it recognizes my thumbprint. And, and I remember, I can't remember exactly how you put it one time, but it was something like something you know, something you have. Oh, yes. Yeah.
even pay attention to everything I do. Oh, yeah. Yeah. Listen,
listen intently.
Well, okay, yeah. So that three part phrase is kind of the industry statement about different ways to do what we call authenticating, rather than ticketing. You know, when we give a password, we're authenticating, we're saying, I'm proving I'm Roy Huggins, because I'm giving you Roy Huggins's password. And hopefully you can already see the problems with that scheme. Right. But the Yeah, the password is in the classic jargon, it's something you know. And the other two things you could potentially use is something you have, or something you are. And something you have was usually an object like your smartphone is a great something that we all almost all have. And so that becomes a useful item for authenticating, which is where we get the thing we call two-factor authentication, where after you enter your password, the site you're getting into then also sends you like a text message, write the code in it, and you got to enter that code. Right? And that works. Because only you have your phone, right? There's something you are is that thumbprint. Or are they an Apple just announced that the iPhone X? Yes. Oh nine, we're just gonna write the iPhone X. Facial recognition. So you just look at your phone screen, and it unlocks. I'd rather still have the thumbprint myself. But that's just me. It just be that I'm old. I don't know. But the great thing about this something you are, the biometric is the term you know, there's something you are stuff on the iPhone or the Android phones is that it means you can set a ridiculously strong password on your phone. Because you don't have to type it all the time. You only have to type it every couple of days. time you use your thumbprint or coming soon your face. And but a bad guy would have to guess the 20-character alphanumeric character code that I have on my iPhone, if they want to get into it. Right. And because I learn encrypted, the only way they can get to my data is to guess the passcode.
Yeah, yeah, yeah. Wow. So if someone were to be worried about, for example, there there being a security breach or whatever, what steps should they take?
If they're worried that they've had one? Yes. Uh huh. Yeah. Well, let's start with what's called a security incident. That's where we started. And that's a good way to think about it. Because you want to remember that when you notice something has gone awry. What you're doing first is trying to determine, did we actually have a breach or did just something go awry, or look like I want to write? Right. And so we call it an incident, and you take some time to investigate the incident. Now, the thing is, if it starts to look like you're pretty sure some clients were impacted by this incident, or even if you're not entirely sure, but it's pretty likely, you might want to go ahead and inform them about it soon. Right. And in fact, we just saw with Equifax how they lost the right extremely deep information of like half of the adult population of the United States. They didn't do that. And that has turned out to be really bad. Yes. Yeah. Like they took a couple of months to tell us anything. Wow. And they're getting lambasted for that by the security community, because that was not the right move. Right. So for you do the right move. If you think someone may have been impacted, go ahead and tell them that you think they may have been impacted? And you're gonna let them know when you know more? Yeah, give them details. Until you know details, though.
Yeah. It's kind of the way I think about it. It's kind of like the duty to inform that we're all and you know, familiar with. And so I think that's the same thing goes for tech stuff. Well, Roy, I know one of the tools that you're a fan of, at least what I gather from hearing you and reading your stuff, is G Suite and Google. Yeah. So why is it you like that?
Well, I like and I should point out that MS 365, Microsoft, is a competitor that is equally good. I just happen to use G Suite. And the reason I talk about G Suite all the time is because so many of us use free Gmail and use the free Google tools all the time, right? And so we're already used to them. And so that's actually why I specifically talked about G Suite is because our people are already very accustomed to it. But in fact, if you wanted to use Microsoft 365, it's just as valuable. So from there, I'll say, Why are those things valuable? The G Suite is a powerful set of tools that will do business associate agreements. And it's by a company that has a very strong security track record, and also integrity track record. As much as we can be afraid of Google, and we probably should be. Because they know everything. They've you know, they're all the motto of don't be evil. From a relative perspective, it's all relative. From a relative perspective, they've actually done that pretty well. They've been a pretty good corporate citizen of the world, which is good, because as soon as they stopped doing that, we're all in big trouble, right? And that's, you know, I don't think SSA they're where they're going. But so the company is very trusted. When it comes to security. The business associate agreement is in place. And the tool is powerful. I mean, it gives you the ability to put your file somewhere to have a team share information, to have an email service, where it's legal for you to receive emails, and to keep client contacts, all this kind of stuff. It's a very, very useful thing to have. It doesn't do what we call like secure messaging or secure email services, the way something like Hushmail does, right. But in a situation where a client wishes to exchange unsecured emails with you, G Suite is one of the options that you can legally use for that. Right.
Right. Yeah, that I think that's something I think is important to remember with folks. And I just, you know, and I have it in my disclosure agreements with, with clients, just giving me permission to email with them, but also specify in that disclosure agreement that I'm not going to talk about their case, in the email, we talk about when we're changing our appointment time to or, you know, just, you know, that sort of thing. But not to go into any detail there. And so, I know there's a, there's another, you had mentioned early on the, the client that you had that wanted to text, what are some recommendations for texting that you tell people about?
Yeah, so texting the so up until kind of the last year or so, I would have talked about regarding texting the same way I do email. But you know, except for the fact that phone companies like the classic model oriented phone companies, so AT&T, Verizon, Sprint, T-Mobile, those guys, there's this strange atmosphere around HIPAA where you just don't really do business associate agreements with those guys. Right? Right, you just get your services. And that's always confusing. When I asked experts about it, it's just sort of, maybe we will be, we just don't, kind of thing. And it's partly because when you do a voice phone call, like just a normal, you pick up the phone and make a call that actually is not covered by HIPAA security rule that explicitly is not the law, for dumb reasons, but also practical ones. So we're gonna go with it. But the rest of it is really, really stretching that, but that's just where we stand. And so that's where we get into one of the kind of harder to keep up with aspects of all this, which is that one thing about what is HIPAA compliant one factor is not is actually just what kind of technology is available to us. Right? Like if you're going to use the phone company texting that comes with your service. Right, right. Is there a better alternative? Right? Now back when I had this client, there was not. Right, that's what we had. And also the client had a flip phone, she didn't have a smartphone. So even if we did have the cool apps like we have now, she would not have been able to use them. So in her case, I would be like, Okay, these are the risks involved. And she's like, trust me, I know the risks involved. I'm sure she did, because she knows that someone really well. And then I just, you know, have her sign that we've talked about it, and that she still wants us to text. Let me go ahead and do it.
And also, I'm with you, I only text about appointments, but with that client, I might actually even stretch that because she needs it. Right and right. Available tech is only what works with our flip phone. And we actually have a loss of clinical benefit if we don't allow that. Right. And that's a more kind of edge case. Although there may be some people listening to this for whom not an edge case at all. It's the basic case. But for most of us, it's an edge case. That kind of shows you the way you stretch this all comes down to what the client wants and what the client can understand and what risks they can accept and the ones thing there is that with as being a phone company thing, we don't do the business associate agreements for which we're taking a liability risk. It's just at this point a small liability risk. Okay. Yeah. Right. But for the rest of us, what I do is I use Signal. Okay. Yeah, that's it. Yeah.
And I believe it's a free app. And
Yeah, it's an open source free. Yeah. Yeah. It's highly secure and super private. And in my analysis, qualifies as what HIPAA calls a conduit, which is why you don't need a business associate agreement. For that one. Can you please put in the show notes a link to my review of Signal? Yeah, sure. Well, because I need people to read that before they use it. You got to understand the things you got to do in order to make sure you don't lose important documentation. Okay. Because Signal is pretty prone to losing your messages. Okay. Not by design, but by just part of how it protects your stuff means that there's a number of circumstances in which you could just lose all your messages.
Right, right. Boy, Roy, we could go on for hours. I know. And you don't have hours, and I don't have hours. But I'm hoping that we can get back together and talk more about all this stuff. I'm just, I'm a bit of a tech geek myself. I always say though, I know just enough to be dangerous. So yeah, yeah. Yeah. So again, folks, go over to Person-Centered Tech, and look at Roy's stuff. It's a great, by the way, it's a great place to get some good continuing education stuff. That's very useful. Thank you, sir. Okay, thanks.
Being transparent… Some of the resources below use affiliate links which simply means we receive a commission if you purchase using the links, at no extra cost to you. Thanks for using the links!
Roy’s Resources
Person-Centered Tech
Remembering Roy
Easy Safe Harbor From HIPAA Breach Notification
Signal and HIPAA Compliance
Free Articles on Technology in Mental Health
HIPAA Staff Training for Group Practices
Group Practice Tech Podcast
Meet Gordon Brewer, MEd, LMFT
Gordon is the person behind The Practice of Therapy Podcast & Blog. He is also President and Founder of Kingsport Counseling Associates, PLLC. He is a therapist, consultant, business mentor, trainer, and writer.