Your Podcast Hosts
Kathleen Mills, LPC-S,
Phillip Crum, JP
This Week's Guest Mentor
Person Centered Tech
Digital Ethics In The Mental Health Field
Intro: Welcome to Your Practice Mentors, a weekly, on-demand radio show designed to mentor the next generation of mental health care providers, and help them jump start their careers. Listen to Kathleen Mills as she interviews leading experts and tackles the important topics. You’ll learn how to be proactive at protecting what you’ve worked for. She’ll equip you with the right tools and framework to grow your business, and teach you how to defend yourself in today’s mental health care environment. Now, let’s join Kathleen.
The following recording was originally made for Kathleen’s on-demand radio show It’s Just Coffee, and it’s being made available to you and her Practice Matrix audience.
Phillip Crum: Did you put the coffee pot on, Kathleen?
Kathleen Mills: I did.
PC: Alright. Well, let’s get cooking then because–
KM: It’s Just Coffee!
PC: This is episode number 47 you know.
KM: I know.
PC: That’s almost a milestone.
KM: Gosh, we’re going to be 50 pretty soon.
PC: Mmm hmm. That’s a good thing, too, so. This is the weekly episode of It’s Just Coffee, and that is Kathleen Mills that you hear and an occasional outburst of Roy Huggins, today’s guest.
Roy Huggins: Hello!
KM: Roy Huggins, how are you, sir?
RH: I’m doing good, thanks.
KM: It’s a couple of hours earlier while we’re recording this, so I hope your coffee is in your hand.
RH: It is. It is in my hand right now in my paper cup.
KM: Excellent. Well, what I’d like to do today is just first, before we get started, is I would like to have you tell our audience about the things– who you are, a little bit about yourself, that kind of stuff.
RH: Okay. My name is Roy Huggins and I do a lot of things. I wear a lot of hats. But the main hat I’m here for is my sort of digital ethics and HIPAA and security in mental health practice, advising, consulting, that kind of thing. I do a lot of continuing ed training and I do consulting and all that. I’m also in private practice in Portland, Oregon. I’m an LPC – licensed professional counselor. That of course is my day job, as you can imagine. Other than that, I’m on the board for the Oregon Counseling Association where I’m the technology chair. I do some teaching at Portland State University’s Counseling program. Yeah, I do a lot of different things.
KM: You are very busy, sir.
RH: I am, yeah. It’s a little unfortunate.
KM: How did you get into the digital ethics part, or were you a digital technology guy first and then you became an LPC, or how did that transition for you?
RH: Yeah, you called that right. Yeah. What happened was– so out of college I went into web development. This was 1999/2000, so you know kind of the scene if you were around then. And that was a big bubble and it burst exactly as I got into the industry, the bubble burst. But that’s okay because honestly, the services were still needed. So I did that for about seven years, but the thing is – I did it because I’m good at it, not because it was really my calling. So my real calling was more human services and when I had my main career crises, I finally figured out that that’s what I wanted to do and I went into the counseling program and many years later my colleagues basically said, “You have no choice, Roy, you have to do tech again because we need it.” And to encapsulate the whole process, right? And from there, so of course I did a lot of research and study on what the law says, you know, the actual regulations around security in mental health – that’s HIPAA. And of course, now it’s more than just HIPAA, which is becoming interesting. In some ways, I think that’s wonderful. In other ways, I worry about the direction of it. But in general I think it’s good. I really want all of us to own security, like I want it to be something we do for professional reasons, not just for legal compliance reasons. So I’m glad that professional orgs are starting to try to get into that. But yeah, that’s a little bit of a tangent, but yeah I started doing that and of course over time it became clearer and clearer how much people do not know these things that should probably be seen as basic. And so I thought, “Okay, I need to get into training and consulting,” and so that’s how I got there.
KM: How long have you been training and consulting, Roy?
RH: I started– you would probably say I started in 2010, so about four years. Actually yeah, is this October so it’s about four years. The first one was– because I was on the board of the Oregon Mental Health Counselors Association and one of those fateful events where we were having our annual meeting and we hired somebody to come do an hour CE presentation and it fell through at the last minute and they suddenly needed somebody and the president said, “Roy, why don’t you talk about email?” and I said, “Okay.” Suddenly I learned that the need was there.
PC: So you’re that guy that in a practice or for the industry, for the mental health industry, you’re the guy that knows all about those security requirements and the HIPAA requirements and the gadgets that go with it?
RH: Yes. Yeah, that’s a good way to put it. That’s true.
KM: I want to go back for just a little bit, Roy, and walk me through because I think that there’s a couple of layers here with the HIPAA. A couple years ago, it was just the HIPAA thing and then we’ve got some other layers which you’re talking about on your LinkedIn. Can you walk everybody through what those layers are now?
RH: Yeah. That’s really well put. Yeah. It’s interesting you ask that, because that’s like– I had a presentation about that for a little while and so the interesting thing about HIPAA– HIPAA is weird. It’s a weird beast. I’m sure I’m not saying anything new. Everyone’s like, “HIPAA’s weird? No way.” Like any regulation, it changed and evolved and it’s kind of gotten away from its original purpose. HIPAA’s original purpose was actually to kind of standardize and streamline insurance payments by making it electronic. It was like 1996 when they envisioned it and they were realizing that the insurance companies wanted to go electronic because it’s a lot more efficient. If you ever have any experience in software, you’ll learn really quickly that a very important thing in software is standardization – where everyone speaks the same language, uses the same code, talks the same way about things. So the HIPAA law actually created a standard way that an insurance company does this electronic communication so that when you use like Office Ally or something like that to bill insurance, Office Ally is speaking the same language that any other program is using and it’s also speaking the same language that the insurance company is using. So the HIPAA law was actually meant to just create that language, just standardize that language. That was the original intention.
PC: So what happened to the whole Obamacare website, then?
RH: Well, that a– (chuckles)
PC: That’s another show?
RH: That’s definitely another show, which is probably completely uninteresting to this audience. For me, it’s fascinating. I’m like, “Oh my god, let me tell you about contracts and highest bidder and lowest bidder okay.”
KM: Punch some buttons here.
RH: “The process of web development. Oh my god, it’s fascinating.” But like, yeah. That’s the federal government hiring boondoggles. There’s a lot of things at the federal level that go like that, they’re just not for public. So yeah, the thing is like when you create something like HIPAA where you’re setting up that kind of system, it’s actually really typical that the law also includes provisions about what you’re supposed to do to protect the information. It’s very normal to have security and privacy rules built into a law like that. Because like, in addition to saying, “Okay, here’s how to do the transition,” they also say, “Okay, here’s how to make sure that you’re doing these electronic things in a way that protects privacy and security.” There’s lots of other laws like HIPAA in other industries that do the same things. They set up some kind of thing for some purpose, and then they say, “Okay, so because this thing we’re trying to do potentially has some privacy dangers to it, we’re going to include in the law some rules about keeping privacy and security.” And so initially for us, that wasn’t a big deal because honestly, HIPAA’s provisions about privacy were actually less interesting than our own ethics.
RH: Our own ethics are like way more tight and way more interested in privacy than the original HIPAA privacy rules. And the security rule, which relates to the actual electronic information, like that rule wasn’t really that relevant because, back in 2003, Kathleen, were you storing records on your computer?
KM: No, we were not.
RH: Were you text messaging with clients? No, you weren’t doing any of those things, right? So if you went to a HIPAA training and they talked to you about the security rule, you were probably like, “I don’t care about that. The closest thing that has any of that is my landline, and my landline is actually exempted from the security rule. So I don’t care. I’m going to let it go.” And so, over time we started using these things more and more after– as an industry, we kind of ditched the HIPAA security rule around 2005/2006 because we realized we don’t care. And then we started using all those things and our clients started using all those things, and then suddenly the security rule mattered. And then, speaking of Obamacare: then in 2009 the HITECH Act comes along and we can see that, well before Obama started working on Obamacare, the federal government is already interested in creating a unified health system. And in 2009 in the HITECH Act, they’re very clear they want medical practitioners – not you and me, not the mental health – but they want medical practitioners using these electronic records systems that talk to each other and that streamline the process of electronic record keeping. And along with that, they realized they really need to put teeth into the privacy and security rules because if we’re going to have every hospital in the country transmitting entire health records across the internet like all day long, we need to have really tight security regulations on that. And so they tightened up the security regulation. And of course, because they’re doing it in the same space as HIPAA, all that affects you and me even though you and I aren’t necessarily doing those big– you know, I’m not sending across the internet my entire set of progress notes about a client. I’m not doing that. But I still have to comply with the new rule they made to kind of tighten up that security.
KM: Right. So with this new wave now that’s, you know, the mental health professional is now having to do, what are you recommending that mental health providers begin to do?
RH: Well, first you should read all of my stuff and then take all of my courses.
KM: And where can they find you, Roy? Absolutely!
RH: They should go to https://personcenteredtech.com. I hear it’s a fantastic website in which you learn– you can get an immense amount of fantastic information for free, or so I hear from my colleagues who are raving about it all day. https://personcenteredtech.com - I hear the guy who runs it is also very handsome.
KM: Would I be talking to him right now?
RH: Maybe, I guess. I don’t know. I haven’t heard.
KM: But I think– here’s what I’m seeing, Roy, and I don’t know if this is what you’re seeing as well. But personally what I’m seeing here is most mental health professionals are continuing to ignore, especially this new wave of all technology needs to be batten down the hatches, and you have to list and have the risk analysis and risk management plan. You know, I’ve done some discussion boards on your stuff.
RH: Yeah, you just did that didn’t you?
KM: Yeah. Mmm hmm. So I’m in the middle of doing that right now.
RH: Yeah, you’re kind of doing it the hard way, too.
KM: Pretty much! So. But what would you recommend to the mental health community, that they start to be aware of and give them a list of things for them to be having an inventory of should I worry about it, should I not?
RH: Okay. So I’m going to talk about this from a little bit of a 10,000 ft. theoretical perspective, and then drill down to the to-do list, the checklist. So I want you to know that because I’m going to get to a checklist but I’m an ethics teacher, I don’t just give you checklists. So I know you, Kathleen, you especially speak to new therapists. I know you’re doing a big program on that, and I love that because when I speak to new therapists versus highly veteran therapists, their experience with this is completely different. Right? So with new therapists I’ve discovered, like what y’all need to know is y’all need to do this thing a lot of you are doing which is great, which is you need to plan ahead and think about big picture about how your practice looks. Now I’m assuming these are people who want private practice, but honestly if you’re going into an agency you should do this, too. If you’re going into an agency, do not trust that the agency is going to guide you as closely as you hope. When it comes to technology right now, educators and supervisors are usually just as cool as the new therapists. And that’s not a denigration of them, it’s just where we are. It’s all very new. They’re not ready to give you close guidance on that. You need to be ready to do that for yourself, hopefully in collaboration with your supervisors and stuff like that. But like, you need to take a close look at what it is you want to do. How do you want technology to fit in? You want to text with your clients. Is this something you think would be appropriate for you? Keeping in mind, of course, your clients are going to be teaching you what they think. Whatever you decide about texting. Is email going to be a part of this? How much are you going to communicate between sessions at all? Do you have an interest in being able to offer to your client remote sessions? Whether that’s just being able to have a phone session, which is very classic, or if you actually want to do online video. 
Is that something you’re considering doing? Do you want to keep your records in a filing cabinet, classic style, or do you want to go electronic? Is there a reason for you to go electronic? Is there a practical reason for you to do that, or are you just doing it because it’s what you’re used to? These are all things to consider, and then I want you to think about it holistically. How do all these things fit in to each other? How can I streamline them? And streamlining is actually important because the more you do things piecemeal, and the more complex your practice is, the harder the security piece becomes because there’s more for you to manage. Alright? So like– so once you’ve figured that out, you need to then also apply the other factors that affect it, which is going to be 1) your professional ethics. And if you’re a counselor and the American Counseling Association Code of Ethics applies to you, your code of ethics actually has quite a bit to say about the technology used in your practice and you need to be aware of those things. If you’re a social worker or a psychologist, they have a little bit to say. You need to be aware of those things. And then up from there, another thing we all need to think about is HIPAA. And then with HIPAA the first question you need to ask is, “How does HIPAA apply to me?” I don’t mean, “Does it apply to me?” I mean, “How does it apply to me?” If you’re like Kathleen and you’re in Texas, it still applies to you absolutely. Because I’m sure some of your listeners are in Texas, Kathleen.
RH: You know that there in Texas you have a special state law that makes you all covered entities under the federal law. It’s a unique one. I’m about to say something I’m sure you’ve never heard, is that, “Texas is unique this way.” (Laughs) No one ever says that about Texas, right?
KM: Right. There you go. We’re special.
RH: Texas is unique in this way. You’re special. You’re always special and I find this way in which you’re special is interesting because your state legislature decided that HIPAA wasn’t doing enough. You guys had too many weird privacy breaches in the health care sector, so your legislature decided, “Know what we need to do? We need to make sure that everybody that does health care in this state all obeys HIPAA.” And the thing is, you’re not actually legally required to comply with HIPAA unless you do one of those things I was talking about earlier, those insurance transactions. If you don’t do those, if you’ve never done those in your practice in your life, if you’ve never done them and you’ve never done them electronically – because that’s what HIPAA is concerned about – then you’re not actually legally mandated to comply with HIPAA. You’re not a covered entity, which is a weird like sort of artifact of the original intention of HIPAA.
RH: But in Texas, the legislature said, “Nope. None of that. You’re all covered entities. All of you are mandated to comply with the federal law.” Which is unique because there’s a lot of other states where what they’ve done is they just made their own state law that looks a lot like HIPAA. So you end up having to comply with a lot of things about HIPAA, not because HIPAA applies to you, but because your state law does the same thing. They’re actually using state law. In Texas, you’re actually obeying the federal law, which is weird because Texas usually likes to have their own law, right? I don’t know. You guys are funny down there.
KM: We’re just a little bit different there. But yeah. Well, my– I want you to expand into the technology portion, the EMR and the PHI and the HITECH.
RH: Right. So the reason you need to figure out how it applies to you is for those things, right? Because even if– okay, if you’re not legally mandated to comply with HIPAA– like I’m not. I’m not a covered entity. I actually don’t have to comply with the federal HIPAA law and the state of Oregon doesn’t do anything to make me do that. However, my professional ethics state that I have to consider confidentiality and privacy in the digital realm. So what’s the standard of care for doing that? That’s HIPAA, right? So I end up having to comply with HIPAA as a standard of care, not as a legal mandate. That actually matters. The reason that it matters is, okay so let’s say you’re this new therapist and you want to keep records electronically, right? So no matter what you do, you need to do what’s step one of HIPAA compliance. Here’s my checklist: one two three checklist. Step one is to perform what’s called a risk analysis and a risk analysis – that’s what you were talking about, Kathleen. You’ve been doing that with Security Metrics, right? Security Metrics is a company that does a lot of the risk analysis for people. And a risk analysis is where you take a holistic look at your practice. You basically gather together a list of all the things you have in your practice that have some kind of contact with confidential information called Protected Health Information (PHI). That’s what they call it. And like, if it has some contact with that, you put it on the list. And then you go through everything that’s on the list and you examine to try to think about what kind of vulnerabilities they have: ways in which the information could get accessed by the wrong people or the information could get damaged or the information could be lost or you could lose access to the information. These are all the things you consider in your risk analysis.
KM: And this includes all smart phones?
RH: Oh yeah. Yeah. Everything, especially electronic, right?
KM: Right. Anything electronic.
RH: It includes smart phones if your smart phone has contacts listed with confidential information.
RH: Which many of us do. So one thing people may forget is their clients want to text them. So like, if the smart phone has– if the smart phone is what you’re using for your business, then clients will text you and now your smart phone has Protected Health Information on it, so you need to consider it in your risk analysis. You need to consider the ways in which the confidentiality, those text messages could be breached. You also need to consider the ways in which the integrity or availability could be breached, meaning you need to consider how might those text messages get lost. How am I going to lose access to those text messages? For example, if you lose your phone then you lose those text messages, which is actually a problem, right? You need to have availability of them. Also consider, some people when I do a risk analysis with them, they’re not thinking about all the things that are confidential information like I’ll ask, “How do you keep your calendar?” for example. And they’ll say, “Oh, it’s on my phone.” And I’ll say, “Well, there you are. So your phone contains Protected Health Information.” It contains phone numbers or names of clients, or maybe it just contains client initials, in which case you still need to consider it. It’s still in the scope of your risk analysis.
KM: What’s step two, Roy?
RH: Step two is after you consider your risk analysis and you’ve found all your risks, you do a risk management plan. And what that means is you go through each risk and you find a way that you can make the risk lower. So in the risk analysis, you may have seen, okay this here I see a higher risk. There’s a higher risk that people will, that a bad guy could read emails from my clients if they steal my iPhone, for example. I may have found that in my risk analysis. So my risk management plan, that’s a high risk so I need to reduce that high risk to a low risk. I need to do something that makes it a low risk of happening. And with a smart phone, that would typically be a number of different measures. And it’s very important that people consider not just consider things like passwords, although obviously you need those. You need a password on your phone. You need your phone to have security capabilities for things like if your phone gets lost, you can go to a computer and track where your phone is.
RH: And if you find it, you can click a button that wipes it.
KM: We’ve got about three more minutes. What’s the third one, Roy?
RH: The third one is a policies and procedures manual. So that’s the– after you’ve done the risk management plan, part of your risk management thing is figuring out what policies and procedures you need to do in order to reduce those risks. So with my iPhone for example, one of my policies is that anybody who I don’t know, who’s not trusted, like officially trusted, can’t handle my iPhone. Like I don’t lend out my iPhone. Which actually around Portland matters because people around here on your street will ask to borrow your phone sometimes. So I have to say to them, “I can’t. It’s not allowed in my job,” is what I say.
KM: Nice. Okay. I know we’ve got probably about two minutes now, but what if the mental health professional just thinks this is a bunch of garbage, what is the potential impact should they not want to do this?
RH: The potential impact is– well I actually want everyone to consider the impact as what’s going to happen to their clients. Like, as much as what’s going to happen to them personally. Because for mental health, the likelihood– you’re very unlikely to be randomly audited. That’s not likely to happen. What is likely to happen is if you have a security problem like if you lose some information or like confidential information gets breached, you have to tell the feds and the feds will then potentially audit you at that point. It’s more likely you’ll get audited if someone complains which also could happen.
KM: Well, the complaint process is a separate– another bailiwick you and I need to talk about. But that goes, for us, through the Department of Civil Rights here in Dallas which anybody can make a complaint which is anonymous and when they call you up, they don’t have to give you the information as to what warranted the complaint. You just have to answer their questions.
KM: So that’s another podcast for us to have so. But anyways–
RH: So for that, that’s why you need your documentation.
KM: There you go. Give us your personal website one more time so people can look you up and all that kind of stuff. Roy, this has been fascinating.
RH: https://personcenteredtech.com and I have lots of the details and free articles. You don’t necessarily need to buy anything to get a lot of good data there.
KM: And if somebody wants to call you, give us your number.
PC: Roy, this has been fascinating stuff.
KM: Very, very helpful.
RH: Oh good. I’m glad.
PC: I’ve got a feeling you’re coming back.
KM: You’re coming back.
PC: Or we’re coming up there to Weatherford.
KM: We’re going to get you down here!
RH: I’d be glad to.
PC: Where can people find you, Kathleen Mills?
PC: And I’m still Phillip Crum, the Content Marketing Coach at www.contentmarketingcoach.us. And give me a holler – my phone number’s on the website if you think something like this could help you grow your business. So Roy, thank you very much. We’ll do it again.
KM: Absolutely, Roy. What a pleasure.
RH: Awesome. Sounds great.
PC: Have a good weekend, and thanks for listening, everybody. We’ll see you next week, and on we go.
Outro: Thanks for listening. If you found something of value in this show, please tell your colleagues about us. If you have a topic you’d like us to address, or know a subject matter authority that we might like to talk with, simply drop us a note to [email protected] and we’ll take it from there. Thanks again for sitting in with us, and we’ll see you next week.