Simple, Sane and Real Strategies for
HIPAA Security

By Ofer Zur, Ph.D.


In the early days, HIPAA was that annoying little cousin that wouldn’t leave you alone — always butting in, always finding some new reason to bother you. However, HIPAA has grown a lot since we last really turned toward it and paid attention.

Culturally speaking, HIPAA has always come from a techie’s viewpoint. When it makes efforts to attune with clinicians and our culture, it fails awkwardly. It’s confusing and gets overbearing in the way it relates to us.

This is not, however, because HIPAA doesn’t share our goals: safeguarding clients, creating environments where they can thrive, and working to further their interests. On the contrary, HIPAA is fanatical in its support of clients’ autonomy and their rights to pursue health care on their own terms. In the national efforts to digitize and network together every American’s health records, HIPAA is the stubborn holdout that demands we closely consider the security and privacy of those records.

The confusing nature of HIPAA has lead to a lot of misinformation about how HIPAA compliance works. This is especially true around the HIPAA Security Rule, which is the portion of HIPAA that closely governs the security of the electronic gizmos and services that we use to handle clients’ confidential info.

Perhaps the most damaging myth is the pervasive idea that those gizmos and services must be “HIPAA compliant.” I bring up this myth not simply because it is “incorrect,” but because it has caused a great deal of confusion and misunderstanding. We give up our autonomy and ability to control our practices and our relationships to HIPAA by seeking out the “right” tool or the “right” service that will make HIPAA go away and bother someone else. Those “right” tools may be expensive, may reduce our ability to connect with clients, and may even prevent us from actually complying with HIPAA.

Below I offer some facts about HIPAA that can help us to “stop the insanity” and get on the right track to working with HIPAA in simpler, saner, and more productive ways.


Some Facts About HIPAA Security

  • HIPAA Security asks us to examine our particular needs around security and work to meet those needs. It is not intended to prescribe specific practice management approaches or restrict our ability to practice in the ways that work for us and our clients.
  • Similarly, the products and services we buy cannot be “HIPAA compliant” (or non-compliant.) Compliance is a process that we do, and products and services may help us with that process or hinder it. There are differences in how HIPAA Security applies to mental health and how it applies to medical contexts. Not all HIPAA compliance is the same.
  • “Cloud” services, such as online record-keeping services, can help make HIPAA Security easier. But keeping paper files in a locked file cabinet is legitimate, and can also make it easier. It all depends on one’s practice.
  • HIPAA Security requires us to use Risk Management as our legal-ethical decision-making model when considering dangers to client confidentiality.
  • Risk management is a nuanced model that takes into account not only the bad things that can happen in life, but also the harm we can do to ourselves and our clients if we overreact to those possibilities.
  • Compliance with the HIPAA Security Rule can be divided into 3 steps, with an ongoing process that follows them:
    1. Performing a Risk Analysis
    2. Making an appropriate Risk Management plan
    3. Devising a Policies and Procedures “manual” based on the first two steps.
  • The ongoing process that follows is mostly about sticking to those Policies and Procedures.
  • HIPAA requires that we address certain things in our Policies and Procedures, but doesn’t prescribe how we should address them.


Currently Available HIPAA Security Online CE Courses from the Zur Institute

Sign up for topical updates and invitations to participate with Dr. Zur