It’s that time of year: the time to make sure your practice is in order, that the needs you identified earlier but de-prioritized in the course of practice management and client care get met (or at least that you have an actionable, manageable plan for meeting them), so that your practice starts the new year on a solid foundation, with a roadmap for what you’ll be managing and implementing (and how!) as you continue to optimize and fortify your practice. In support of this end-of-year review and wrap-up, here are five practical tips for areas to review in your practice.
Ultimately, these review areas are about giving you the peace of mind, as a practice owner, that comes from knowing these vital aspects of your practice are being tended to, because safeguarding client info *is* an essential part of client care. This peace of mind frees up bandwidth for actual client care and (for group practice owners) for working *on* your business and leading your team.
Following these tips and performing any to-dos they generate will contribute to and support the efficiency, security, and compliance of your practice.
1. Services and Systems Evaluation:
- Review Your Tech Stack: assess the services and systems your practice relies on for client care delivery and internal operations for functionality, effectiveness, and efficiency
- Review the services in your tech stack thoroughly to ensure they meet your practice’s functionality needs
- Confirm that HIPAA Business Associate Agreements (BAAs) are in place for the services that require them: any third-party service that creates, receives, maintains, or transmits client info/Protected Health Information (PHI) on your practice’s behalf is a HIPAA Business Associate, and a BAA must be in place before it handles PHI
- Document the services your practice utilizes, the cost of each service, and the presence (and date) of a BAA wherever the service qualifies as a HIPAA Business Associate
- Identify redundancies, system bloat, and assess if the appropriate tier is subscribed to for each paid service
- Evaluate potential cost savings: eliminate unused or unneeded services; downgrade to lower tiers (if the lower tier meets your functionality and compliance needs); check whether savings are available by switching from monthly to annual payment plans, and/or whether loyalty or lifetime rate locks are offered to longstanding customers
- Group Practices: Survey Your Team
- conduct a survey among your team to identify any unused systems and assess whether current systems meet functionality needs efficiently (and through practice-provided services; remember, workforce use of personal, non-practice services to handle client info is not permissible)
This is an opportunity to streamline, optimize, and reduce costs, which supports your practice holistically, not *just* in terms of compliance.
Resources to Support Your Practice’s Services and Systems Evaluation:
- PCT’s Service Selection Workbook & Worksheets (free!! Step 1 of the PCT Way) — support for reviewing (and selecting) HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs
- PCT’s optional accompanying CE trainings and practical application workshops (on-demand)
- Direct support and consultation with the PCT team, provided through Practice Care Premium
2. Training (and Workforce Management/Development):
- Ensure workforce (that’s you if you’re a solo practitioner) has foundational, role-based training on mental health privacy ethics, HIPAA, and teletherapy (if applicable)
- Confirm workforce are trained on practice-specific HIPAA security and teletherapy policies and procedures
- if you’re a solo practitioner, that means doing a review of your policies and procedures to ensure you’re adhering to and implementing them in practice
- if you’re a group practice owner/leader, and your team has received conceptual framework and more ‘generic’ HIPAA training — but not training on your practice’s P&Ps — then devise and implement a plan for training your workforce on your practice’s P&Ps
- Identify and provide/obtain needs-based training for maintaining and furthering professional competencies
- Devise a plan for identifying and meeting 2024 training needs
Training and continuing education that supports professional competencies and legal-ethical practice are requirements for a reason, and support your practice and your clients.
Resources to Support Your Practice’s Training Needs Being Met:
- PCT’s HIPAA, mental health privacy ethics, and teletherapy trainings + topical needs-based continuing education trainings
- Group Practices: assignable (and trackable) role-based foundational trainings for mental health group practice clinicians, admins, HIPAA officers, and leadership/owners
- Solo Practitioners: on-demand, engaging, practically-applicable trainings designed specifically for your practice-context and needs
- Not familiar with PCT’s high-quality trainings?
- Solo Practitioners: check out our free CE (1 legal-ethical CE credit hour) training, HIPAA Security Compliance in Mental Health
- Group Practice Leaders: check out our free trainings for you — including a 1 legal-ethical CE credit hour training for group practice leaders, Introduction to HIPAA Security for Group Practice Leaders
3. Device Management
- Assess the security status of all practice-owned devices
- Ensure they are hardened (have the necessary technical security measures configured/implemented) and properly documented as such
- Retire outdated equipment, following appropriate retirement/disposal and documentation procedures
- For Bring Your Own Device (BYOD) scenarios
- Confirm that all personal devices used for practice work (i.e. that touch, handle, or access any systems/services containing client info) are hardened, registered, and subject to the necessary retirement/disposal requirements
- Identify if you need any new devices
- This time of year is often a good time to purchase new devices due to sales
- Depending on your tax scenario, there can be a tax benefit to making the purchase of new devices/equipment in the current calendar/tax year
- Harden and document new devices when obtained
Device security for any and all devices that touch client info is an essential and required component of safeguarding client info. It is often the largest ‘surface area of risk exposure’ for the modern mental health practice. Tackle this low-hanging fruit and necessary component of in-practice compliance and risk reduction.
Resources to Support Your Device Management:
- PCT’s Device Security (Step 3 of the PCT Way) resources and support, through Practice Care Premium
- Group Practice Care Premium Device Security resources include:
- Assignable staff HIPAA Security Awareness: Bring Your Own Device (BYOD) training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting personal & practice-provided devices (for *all* team members at no per-person cost)
- + Assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost)
- Device Security and Bring Your Own Device Group Practice Leaders Orientation (plus template for announcing BYOD process to team)
- Leadership access to PCT team for direct support and consultation through Group Practice Office Hours
- Solo Practice Care Premium Device Security resources include:
- Access to the Solo Practitioner Device Security Center, with step-by-step device-specific tutorials & registration forms for securing and documenting both personal & practice-owned devices
- + Access to the Solo Practitioner Home & Mobile Workspace Center, with step-by-step tutorials to ensure your workspaces are secured, set up for effective care provision, and documented as such
- access to PCT team for direct support and consultation through Practice Office Hours
- PCT’s Computer and Smartphone HIPAA Security Checklist for Therapists
4. Risk Analysis & Risk Mitigation
- Has your practice completed a formal ‘thorough and accurate’ (as required by the HIPAA Security Rule) documented risk analysis?
- If so, is it up to date?
- If not, do one now or schedule when you will
- Have you completed the implementation of the required mitigation measures identified in your risk mitigation plan?
- If not, are you actively working through those implementations? If not, re-engage with the implementation work in order of priority and on the basis of what is reasonable, appropriate, and feasible
- If your practice’s comprehensive HIPAA Security Risk Analysis is up to date, evaluate whether there have since been any changes (e.g. new services, devices, or workforce members) that necessitate a mini risk analysis
- If so, do one
- If not, check this off your list! (document your good work of having done this evaluation of need, and the rationale for the results)
Conducting and documenting a ‘thorough and accurate’ risk analysis and then generating and implementing a risk mitigation plan are foundational requirements for *all* HIPAA covered entities. Think of the risk analysis as a needs assessment, and the risk mitigation plan as the treatment plan.
Resources to Support Your Practice’s Risk Analysis & Risk Mitigation
- PCT’s HIPAA Risk Analysis & Risk Mitigation Planning (Step 4 of the PCT Way) service for mental health practices
- Care for your practice using our supportive, shame-free risk analysis and mitigation planning service
- Have your Risk Analysis done within 2 hours, performed by a PCT consultant using a tool built specifically for mental health practice, and receive a prioritized risk mitigation plan checklist to help you reduce your risks.
- Will identify both your ‘in-practice’ risks and your ‘formal compliance’ (what required written P&Ps are implemented) needs, while also documenting all the good things your practice is already doing!
- Receive ownership of PCT’s proprietary risk analysis tool for mental health professionals to utilize to self-perform future risk analyses as needed
- PCT’s Mini Risk Analysis/Needs Identification ‘Circle’ Tool (free!)
- PCT Article: Why Risk Analysis is a Fundamental Requirement: Highlights Through the Person Centered Tech Lens from the OCR’s Recent Presentation on the HIPAA Security Rule Risk Analysis Requirement
5. Policies & Procedures/HIPAA Manual:
- If your practice has formal HIPAA Security Rule compliance components such as Policies & Procedures and a HIPAA Manual, ensure they are current and implemented in-practice (being followed)
- Review and make any changes/revisions/updates as necessary
- If these components are not yet in place, establish a plan for their development and implementation
- In a group practice, ensure your team knows the contents and are adhering to the requirements of the P&Ps they’re governed by
- If adherence to certain P&Ps is lacking in practice, do a review of those specific P&Ps with your team
Written HIPAA Security Manuals and Policies & Procedures are the basis for codifying and operationalizing how client info is safeguarded and how the required standards for doing so are adhered to.
Resources for Your Practice’s HIPAA Manual/Policies & Procedures:
- PCT’s HIPAA Security Policies & Procedures/HIPAA Manuals for Solo Practitioners & Group Practices
- PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials: comprehensive, customizable HIPAA Security Policies & Procedures and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting and implementing them efficiently and effectively
- Policies & Procedures include: Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
- Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
- + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
- + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer)
- PCT’s Solo Practitioner PCT Way HIPAA Manual — customizable HIPAA Security P&P Manual designed specifically for solo practitioner mental health professionals, complete with a set of mini-courses that walk you through customizing and implementing each Policy & Procedure, in the order of priority and need.
- Policies & Procedures include:
- Business Associates
- Contingency Planning
- Devices and Electronic Equipment
- Passwords and Authentication
- Electronic Communications
- Workforce Management
- Risk Management
- Using Electronic Systems
- Security Training and Awareness
- Workspaces
- Security Incident Response
- Forms include:
- Mini Risk Analysis
- PHI Access Management
- Bring Your Own Device Security Form
- Device Security Form
- Workforce Member Security Agreement
- Security Breach Notification Letter Template
- Security Incident Response Form
- Workspace Security Form
- Logs include:
- Security Activity Log
- Device Security Catalog
Bonus Tidying Up Step:
- Digitize paper documents that need to be retained
- Properly dispose of hardcopies of client info that have been digitized or that no longer need to be retained, particularly if they contain sensitive information
- If your practice is a cloud-based/digital practice, digitizing paper documents (e.g. those EOBs!) and destroying the hard copies reduces risk exposure and frees up the practice’s physical space.