HIPAA Security & Mental Health Professionals

By Ofer Zur, Ph.D.

Did you know that HIPAA security requirements work out differently for a hospital than for mental health professionals in independent practice? Modern technology brings new challenges to mental health practice. Clinicians and experts often become conservative around these challenges — even at the risk of alienating clients or reducing quality of care.

The HIPAA security rule is meant to “scale”; it adjusts for the differing capabilities of a small solo practice vs. a hospital. The difficulty lies in navigating technology and HIPAA.

For example, does HIPAA forbid texting? No, it does not. It does, however, require us to consider the risks and costs closely and to provide security where needed. Would your client be harmed if you didn’t text with him or her? That’s a big cost, and when that comes up it’s time to consider new ways to handle the security risks. This may include collaborating with the client to simply accept those risks and proceed with texting. This can be done by informing the client of the risks and obtaining authorization to use texting.


See our course offered for 11 CE Credit Hours

HIPAA and Technology in Mental Health Practices
Developed by Roy Huggins, LPC, NCC

Explore the ways that security, privacy and technology fit into the heartful work we do on a day-to-day basis. Learn how to stay in compliance with the HIPAA security rule and the 2013 updated regulations.

The course includes video interviews and a Resources page with details on how to make the technology in your practice HIPAA-compliant.

View the FREE Resources page

This course is part of a HIPAA Savings Package, Save $$.


Did You Know?
  • You’ve been practicing “security” for your whole career. For instance, you only reveal client info on a “need to know” basis. Your records are “top secret.” You protect your sessions from “surveillance”: e.g. you close doors and shades as needed; maybe you use a white noise generator or play music in the waiting room. And so on.
  • You can secure your computer to “Safe Harbor” levels without spending a dime.
  • The term “risk management” is often erroneously interpreted to mean “eliminating risks.” In fact, “risk management” refers to balancing risks with costs, prioritizing risks, and taking steps to reduce risks to “reasonable and appropriate” levels.
  • Using electronic communications with clients or keeping records electronically does not, by itself, make you a HIPAA “covered entity.”
  • Modern mobile products — i.e. smartphones and tablet computers — come with excellent security features or you can add such features cheaply and easily.
  • The 2006 HIPAA regulations do not mention email, texting, Skype, or any other digital communication tools. The 2013 HIPAA final rule mentions email mostly as an example of one tool that clinicians could use to send certain information to patients (with authorization), or that patients could use to send certain information to clinicians.
  • Products and services cannot be “HIPAA compliant.” There is no HIPAA certification process for products. Of course, products and services can be more or less helpful to our HIPAA compliance.
  • Expensive security reviews are generally not necessary for solo and small group practices to attain HIPAA compliance. HIPAA security requirements adjust according to our capabilities and the actual levels of security risks we face.


