May 12, 2026

Episode 168:

What Therapists Need to Know to Be HIPAA Compliant with Samantha Schalk

In this episode, Samantha shares things therapists need to know to be HIPAA compliant.

Show Notes

Welcome back to The Designer Practice Podcast, and I’m your host, Kayla Das.

In today’s episode, Samantha Schalk, compliance strategist and founder of Guardian Clinical Essentials, will share things therapists need to know to be HIPAA compliant.

Hi, Samantha. Welcome to the show. I’m so glad to have you here today.

Thank you so much for having me. I’m happy to be here.

Samantha, before we dive into today’s episode, please introduce yourself, where you’re from, and tell us a little bit about what you do in your business.

Like you said, I’m Samantha Schalk. I am a licensed clinical social worker and I am a compliance strategist. So I founded Guardian Clinical Essentials not too long ago, really. Mostly because of a huge need I saw. And so I am based in Michigan and I work with therapists all over the country and beyond. And I have been a therapist for 24 years now. I have spent a lot of that time doing supervisory and administration work. Really in multiple levels in my career in different agencies. And then I went into private practice about 10 years ago and about five years ago branched into group practice as well.

I have consistently had a lot of friends and colleagues who would come to me with compliance questions. And these were great therapists. They were really highly skilled and I found that there was not a lot of education from more of an operational lens. There’s a lot of focus in grad school. And in supervision when you’re getting your full licensure, or even afterward when you’re just working and continuing to get supervision and consulting, that a lot of that is so focused on clinical and there’s not a lot of focus on HIPAA or on operational use of compliance.

Even a lot of the trainings out there for us, speaking for how things are regulated here, because I know you’re in Canada. But for us, they don’t have a requirement for licensure to have actual HIPAA training. So it’s something that, unless your agency is providing it or unless you’re seeking it out on your own, which for a lot of people, HIPAA isn’t the most exciting: “oh, I’m so excited to go take a HIPAA training.” A lot of people aren’t really hyped about doing that, and since it isn’t something that’s part of our licensure requirements, it’s something that sometimes just gets pushed to the side.

And as people were coming to me with questions, I noticed more and more gaps. I’m like, I actually am a HIPAA nerd, so if this is something that people are looking for, I will invent the wheel for mental health, because so much that was out there was really the medical model. And that became really difficult for people in a clinical mental health setting to transition that information, which was really more for a medical mentality, into a mental health setting, and have it be practical and make sense for us.

Absolutely. And you said a few things there that I’d like to highlight. First of all, as you mentioned, you are in the US and HIPAA is specifically for practitioners working in the US. If you’re a Canadian listener who’s only practicing in Canada, you would be following either PIPEDA legislation or provincial legislation in your province. Not necessarily HIPAA.

So this particular episode is definitely for those who are practicing in the US. Just wanna give that kind of disclaimer. But I also wanna give a caveat here too, that even if you are Canadian, some of the discussions that Samantha and I are gonna have today are going to be great conversations, regardless of whether you’re in Canada or the US, but the specific information that Samantha is sharing will be HIPAA focused.

Okay, Samantha. So let’s talk about what are the most common misconceptions therapists have about HIPAA compliance.

Okay, so the biggest HIPAA mistake I see is thinking compliance is about forms instead of systems. HIPAA is not a checklist, it is an ecosystem. It’s big and it’s integrated and it is so much more than confidentiality.

And a lot of therapists do know a lot about confidentiality itself, and a lot of our focus, even in school or in practice when you’re working out in agencies, is talking about an informed consent and a notice of privacy practices. And so people are really familiar with those and they’re familiar with the releases of information. They get the confidentiality piece.

And so having those forms in place is something that most people have, but they don’t have all of the other operational things that make up an ecosystem. So everything ties into all the other pieces. And a lot of that is that they’re really honed in on one part and they’re missing the rest, like not seeing the forest for the trees kind of thing.

I can absolutely appreciate that. So why does using EHRs alone not fully cover HIPAA compliance requirements?

So an EHR is basically one spoke of the wheel. It is not the whole wheel of compliance. An EHR will protect what is inside of it, but we do a lot of things that are not inside of an EHR. So now of course that is taking into consideration what is inside of the EHR, like the client record, any of the other messaging and things that go on that are usually part of the EHR system.

And EHRs a lot of times will provide templates for their policies. And one of the things that’ll happen a lot is that they’ll have a little notice on the template saying, “Hey, customize this,” or “here’s an example of what you can use.” And a lot of times therapists will see that and they’ll be like, that looks great to me. Let me put my logo on there. Looks pretty, let me customize my contact information on this template. Looks great, I’m good to go.

And what they’re a lot of times missing is so much more information. Like the templates that are usually provided are skeletons of what is needed and sometimes it might be a skeleton without legs. So there can be a lot of things missing.

And a huge part of that is that for the US, all of the states have different requirements for what you need to have in all of these policies. And that’s a piece that a lot of clinicians miss: even if they are focused on the federal level, HIPAA, they sometimes miss their state-level requirements, and all the states have all these different tiny nuances. As far as how long you need to retain paperwork or how you can provide services to minors or all of these different things, you need to have all of that spelled out in your paperwork, because if you don’t, your policies aren’t specific enough to protect you or to protect your clients. So you’re running around doing all of your therapy stuff without policies that are really representative of your practice itself. So that can be a huge issue.

EHRs also don’t train staff on HIPAA. I did notice just recently that the EHR that I use has a new onboarding process for people, but it isn’t teaching them HIPAA, it’s teaching ’em how to use the system, how to use the EHR. So that’s a huge thing.

And so then if we look at all the things that happen outside of an EHR, your EHR is gonna have no idea what your policies and procedures are for your specific practice. How do you dispose of documents that you get with a client name on them, whether it’s coming in the mail or a client brings you in a list of medications, or they even email you a list of medications and then you have to download it? When you download it, where does that go? And so that’s not HIPAA compliant if now you’ve downloaded it out of the system. It’s not in your EHR anymore. Now it’s in whatever. It might be Adobe or it might be Microsoft or whatever different kind of platform you’re using. It could be in any of those types of things.

And so you have to make sure about all of those different things, including the devices you’re using themselves. So if you’re using a laptop or a phone, devices are one of the huge pieces that have potential for non-compliance, because we’ve all become so dependent on devices: we can access our EHRs from our phones, we can access our email from our phones. So we can look at those things from our phones. And are our phones encrypted? Are our devices encrypted? And it’s not enough just to have one of those four-digit passwords on your laptop and be like, oh, it’s password protected. That’s not nearly enough.

So there’s a lot that goes on outside an EHR that has to do with compliance, a lot of moving pieces that all are those other spokes of the wheel.

I love that you highlighted all those pieces because, yeah, there’s so many pieces of technology that we’re using on any given day that we’re just like, oh, is my EHR compliant? And that’s a big piece of it. We need to make sure that’s compliant. But then all of those other pieces connect to it. Our emails, our actual device, right?

So there’s so many different pieces of technology that we need to consider beyond that. And this actually makes me think about social media platforms, when we’re using social media every day. And I’m gonna specifically talk about therapist groups on social media platforms. What do you think when it comes to therapists using social media platforms to discuss client information?

From a compliance standpoint, when people are posting, maybe it’s sharing an experience that happened with a client. Maybe it’s looking for feedback or consultation. A suggestion for a book or a resource. It could be many different things that people will post. The issue is if the person is describing the client enough that the client could identify themselves by reading it and could even make the assumption that they’re talking about them. And I don’t see anybody putting names. Nobody’s putting client names in these posts, nobody’s going that far, and people recognize that obviously that would be breaking confidentiality. But as soon as you get into more descriptors, like even saying a general age, even saying that somebody’s in their twenties or saying that they’re a college student, and then going into giving a very detailed, circumstantial situation of what is happening for the client and what the client is facing, and then trying to get direction based on that. So once you give that much information that a client could read that and identify themselves from that description, that’s where it crosses the line for HIPAA.

I appreciate that, and I also want to say for any Canadian listeners who are still listening to this episode, that would also apply to PIPEDA as well. When we think of confidentiality and privacy, while they often overlap, there’s definitely some distinct differences, or at least more information we can take from privacy legislation. And even if we’re not putting client names to a post, sharing a story and putting enough descriptors in there is likely breaching privacy legislation, even if you put an anonymous name behind it.

The other thing I wanna highlight about the anonymous name as well, and I don’t know if all listeners know this, but even when you use the anonymous filters in social media groups, you’re not actually anonymous. And the reason is because anyone who moderates that group can see your name. So even though you might think that posting anonymously means that no one would ever determine that it came from you, a moderator can, and Facebook knows who you are. So Facebook still knows who you are, and you are now releasing your name along with the descriptors that you’re sharing.

Yeah. That isn’t a cloak that hides everything. So you have to really be careful with that. Another thing that I have come across quite a bit in practice is that people will assume that, because they’re doing case consultation within a practice, and that practice setting allows them to do case consultation on their own clients, people who are all clients of that practice itself, they can freely talk about those things because they’re consulting on a case. So that’s one thing that you have to be really careful of when you’re consulting: that you’re not giving more information than is required to get the information you need to help with whatever consultation you’re seeking. So there is the minimum necessary rule for HIPAA, which means you only share as much as absolutely required. The rule of thumb that I use and that I have suggested to others is: if a client could hear you talking about them, would they be offended, or would they feel like, oh yeah, this is useful, helpful information that is gonna guide my treatment, and this gives my therapist, who I love working with, more details on where to take my treatment? Or would they be mortified because they heard what you were saying? Or would they even be embarrassed, because, why does somebody need to know that I’m dealing with that and know that it’s me? Why do they need to know that? That’s something that comes up a lot.

And another piece of that too is that when there are multiple family members going to treatment at the same place, you have to be very careful when you’re doing case consultation in those situations too, because a lot of times it’s no longer anonymous to other people in the room who you’re talking about. Because even when you’re doing case consultation at a clinic, it should be anonymous. You should not be sharing the name of the client you’re asking this information about. And when other people are providing direct care to the same family members, it is often obvious who you’re talking about. And now this other clinician will have additional information about the family that maybe there wasn’t a release of information for, that maybe they shouldn’t have known. Now maybe they know that a teenager in the home is sneaking out at night, and they’re working with the parent. So now they’re in a situation where they have information that might not be a good thing for them to have.

So you have to be super careful sharing that kind of stuff, even during consultation, and making sure that if you are going to be disclosing information because it’s needed, you might even want to go that extra step and get a release of information on file, even for the same agency. So that it protects the client and it protects the clinicians who are involved.

I love that. And if I think about both scenarios, there are ways that we can ask for both consultation in an agency setting and resources in a Facebook group that, you know, don’t really focus on the client at all. And actually what I tell people is to focus more on the therapist. “Does anybody have any resources on workplace stress?” instead of giving a long story about what’s happening and then ending with “anybody have any resources?” And if we think about changing the client-specific approach when we’re using these platforms, and focusing more on the therapist, that “I need these resources,” that way you are not giving the client information. What do you think about that?

Absolutely. You can get a lot of information and a lot of tools from asking general questions and staying away from anything that could be considered oversharing, or could even feel like gossiping about a client’s situation. Like, you don’t need to go into that much detail.

Absolutely. So what is a business associate agreement and what types of tools or services might require this type of agreement?

So a business associate agreement, or a BAA, is required any time that a different entity that you’re working with touches PHI, personal health information. If some other agency is working with you and they have access to any of your client information at all, you would want to have a BAA in place, which means that they are adhering to your confidentiality standards. What I’ve described before is that the BAA is the bestie vault of the professional world. So they will keep all of your secrets and all of your clients’ confidentiality for you and keep everything secure in whatever systems you’re using. So things like an email platform, or EHRs, any place you would have cloud storage. As we mentioned earlier, if you’re downloading things in Word or Adobe or anything like that, or even creating letters for clients in Word or whatever kind of tool that you are doing word processing with. So if you have any platforms you’re using, anybody who has involvement within your office. So if you have a VA, a virtual assistant, or tech support, because if somebody has access to your computer, how can you prove that they didn’t look at other things on your computer? How can you prove that they didn’t go in and bring up any of your files? And you would want to have those encrypted on your computer and make sure that everything is locked down. But you also want to have a BAA in place for anybody who has that kind of relationship with your professional business. In that way, you want to also make sure that your BAAs are up to date, because sometimes they expire, and you would want to annually review them and make sure that they’re still relevant for your practice.

I absolutely love that. So I think this is really important for therapists who are growing a group practice or scaling their practice beyond a private practice. How does compliance change when a therapist starts either hiring or scaling their practice?

Compliance shifts from personal responsibility, when you’re just solo, to an organizational liability, because now you have all of these other people, potentially, as you scale, all of these other people working for your business. Some might be clinicians and some might be other types of support staff, but when all of that happens, you have to make sure that HIPAA and your compliance is scaling at the same time. So you need to make sure that you have policies and procedures to support all of your additional staff, and even the additional things you might put into place to help your business grow. So there might be other platforms that you’re using to market, or different tools to even keep track of people’s hours, and things that are keeping your devices secure, ’cause now it’s not just your own personal devices or your devices that you’re using for yourself in your office, but you could have an entire army of little devices everywhere. So all of these things have to be tracked. You have to have a policy put into place basically on everything. You need to have logs when it comes to training, when it comes to even keeping track of different devices, and that includes thumb drives or different technology that you’re using to keep track of any kind of client information. So if it touches PHI, you would want that on your device log. So you need to have all of these systems, and this is where the ecosystem really comes into place as you scale as well. So you need to have all of these systems put in as you scale and as your practice grows, because otherwise you can get to the point where you’re like, oh wow, I don’t have systems set up for all of this, and then there’s the liability piece. You know what you have done for yourself and for your clients. You know what you have done to maintain their confidentiality and privacy, and you need to have basically a paper trail for policies and logs to show what your staff is doing, because now they’re all working independently of you, and a lot of times because of how big practices can grow, which I love. I love when people are expanding into group practice and offering more services to their community. This is fantastic, but when that all happens, you can’t be at the practice 24/7. So you need to make sure that you have the systems set up in a way where it can run compliantly without you there.

I love that. There’s actually a little side thing to this, and this might be outside of HIPAA, because I know HIPAA speaks specifically to health information, but here in Canada, PIPEDA also covers employment information. So when we’re thinking of hiring individuals, their information is also covered under PIPEDA. But are you aware of any legislation in the US that covers the personal information of employees or independent contractors that are being hired on?

So if you’re talking about from an HR standpoint, a lot of times, yes, it’s still called HIPAA. Our schools call it FERPA, so there’s a different one for education with schools, things like IEPs and different things that help support the student, to keep those things confidential. But yes, for workplace, HR, human resource kind of things. Yeah. It would still be covered under HIPAA, because they are trying to protect the employee’s personal health information as well.

So what are the risks therapists face when HIPAA compliance is incomplete? We talked about what could be missing or what we should include. But what will happen if these things are missing?

So if things are missing when it comes to HIPAA and compliance, it really becomes a layering issue. So the risk becomes layered and even cumulative. When it comes to things not being complete, what we’re talking about is that there can be client privacy issues where their personal information can be exposed. You can have breaches, you can have financial penalties, and those financial penalties can be pretty serious, from even a hundred to $50,000 per violation. So it can add up very fast, especially if, for instance, you had a lot of client information on a thumb drive and the thumb drive was lost, and you’d been using this thumb drive for a while, so it could have 20, it could have 50 different client letters or copies of insurance cards on it, and each one of those is its own violation. It’s not that the thumb drive is a violation. It’s each one of those client pieces of detail and files that are on there that would be a violation. So it can add up really fast. There can also be board involvement if it is a more extreme situation. And sometimes it even starts at that. If a client or somebody else reports somebody, sometimes they get reported to the board versus being reported to the Office of Civil Rights, where a HIPAA violation would go. So people don’t always know exactly where to report things. And so sometimes they do reach out to the board to report something, so they can even get involved right away in that kind of an issue.

And then there’s also concern for reputation damage, because when there is a violation and you have to report a breach somewhere, so you’ve identified that there was something that went on, you have a time limit to report a breach, and you would also want to evaluate: is this something that is a violation, a breach, reportable?

So you would want to do a breach assessment to determine if it was something that you do need to report to the Office of Civil Rights, reporting yourself, and also reporting whatever happened to the client who was involved. And when that happens, you can get posted on the Office of Civil Rights “wall of shame,” is what they call it. So any violation, including the agency, what happened, what the issue was, where the agency is even located, that goes up for public knowledge on their wall of shame. So there can be multiple layers of concern that can come up in violations, and things that can come out of compliance not being complete.

I know that there might be some listeners thinking, I do not want to be on this wall of shame. What are the risks of not reporting a breach?

Not reporting a breach can result in much larger fines, because if you didn’t report it yourself, it can then jump up a whole other tier in how severe it was. And if you didn’t report it, you also maybe aren’t doing enough to address the issue, or how do you even prove what you’ve done to address the issue? So if you are trying to keep that secret, there are additional fines for not reporting yourself and not reporting yourself within the required timeframe.

Samantha, tell us a little bit about your services and how they can help listeners. I know you also have a freebie. Can you share a little bit about that freebie and how listeners can get access to it?

Absolutely. My services are really built around developing compliance materials that are practical and realistic for people to use within their practice settings, for both solo and group practices. So I have taken all of these questions I’ve been asked over years. I’ve even taken a lot of the questions and the things that I see posted on social media, and I have developed tools around those things, and sometimes even freebies around those things that people have the most questions about or things that are often missed, like security risk analysis, which is a requirement of HIPAA. You have to be doing a security risk analysis at minimum once a year, or anytime things change. So for instance, I have those kinds of tools that are completely set up in a professional way for mental health practices. And my tools are not templates. They’re not generic, they’re not over-generalized. They’re something that is completely honed in to the state you live in. And depending, it might even be built in with a lot more details about the specific practice that you have. I have certain tools that even have you fill out a questionnaire so that I get a full spectrum of knowledge of your particular practice, the licensure that you have in the practice, who you serve, what kind of treatment you provide, and all of that. And so some of my tools are incredibly customized exactly to the specifications of your practice.

So you can get all of my information through guardianclinicalessentials.com.

You can go to guardianclinicalessentials.com/get-freebies for all of my freebies that are on there. Particularly, you would want to probably look for the “Are You Really HIPAA Compliant?” freebie, which goes along with our conversation today.

And that checklist can help the therapist and the practice owner look for any type of gaps in their compliance for their agency, so they know what to focus on and they have a way to really hone in on what they might be missing. We have to make sure that all the spokes in the HIPAA wheel are covered and that there aren’t any gaps.

Amazing. So to sign up for Samantha’s “Are You Really HIPAA Compliant?” checklist, head to guardianclinicalessentials.com/get-freebies, or you can simply scroll down to the show notes and click on the link.

Samantha, thank you so much for joining us on the podcast today to share the things therapists need to know to be HIPAA compliant.

Thank you so much for having me, Kayla. I really appreciate being here and sharing all of this because there’s so much misinformation out there. I just want people to have a safe practice for themselves and for their clients.

Absolutely. And thank you everyone for tuning into today’s episode, and I hope you join me again soon on The Designer Practice Podcast.

Until next time, bye for now.

Podcast Links

Samantha’s Free “Are You Really HIPAA Compliant?” Checklist: guardianclinicalessentials.com/get-freebies

Free Therapist Private Practice Community: facebook.com/groups/exclusiveprivatepracticecommunity

American Clinical Supervisor Therapist Directory: americanclinicalsupervisor.com

Canadian Clinical Supervision Therapist Directory: canadianclinicalsupervision.ca

Our Podcast Sponsor

Jane App: kayladas.com/jane

When you sign up for Jane App with the promotional code EVASPARE2MO you receive your first two months free.

Credits & Disclaimers

Music by Denis Pavlov Music from Pixabay

The Designer Practice Podcast and Evaspare Inc. have an affiliate and/or sponsorship relationship for advertisements in our podcast episodes. We receive commission or monetary compensation, at no extra cost to you, when you use our promotional codes and/or check out advertisement links.