State Leadership Conference

Are your electronic patient records secured in case of a fire or office theft? How will you ensure that your electronic patient information is completely deleted if you dispose of an old computer system? Do you communicate with clients on your cell phone or BlackBerry? If so, what steps have you taken to ensure that information is secure?

These were just a few of the questions posed by presenters at the State Leadership Conference continuing-education session, "HIPAA security rule: The next step in compliance." Session presenters sought to help state leaders ready their members for the April 20 deadline of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The rule is designed to protect personal health information contained in electronic media--such as patient notes, e-mail with or about patients, and financial records with identifying patient information--from damage, theft or unauthorized access.

To do so, the Security Rule requires a psychologist to conduct a documented "risk analysis"--that is, an evaluation of security threats and vulnerabilities of his or her administrative activities, office space and technology, noted presenters. For example, practitioners need to ensure staff are trained to guard protected health information--such as patient records--that is transmitted or maintained in electronic media, that their billing service employs security measures and that computer screens with patient information aren't viewed by casual observers. The rule also requires a psychologist or practice to recurrently document and re-evaluate their safeguards and security policies.

"Though taking the concrete steps to implement security measures is important, also critical is the risk analysis process itself," said Billie Hinnefeld, JD, PhD, senior director of legal and regulatory affairs for the APA Practice Organization.

To help psychologists ready their practices, the APA Practice Organization has developed a HIPAA Security Rule Online Compliance Workbook that includes a step-by-step analysis of security threats and vulnerabilities, compliance options and an automated process that captures a psychologist's chosen compliance options and generates needed policies and procedures, noted APA's David Nickelson, PsyD, JD, at the session.

The workbook--made available through the Practice Organization Web site at in early April--also offers a resource guide providing links to potential compliance tools, technical reports and "how-to" guides, and will carry continuing-education credits, said Nickelson, assistant executive director of technology policy and projects for the Practice Organization. The Practice Organization has also developed a free primer on the security rule, available on the same Web site.

Complying with the security rule is "just good business," in an age of identity theft and society's reliance on technology, noted presenter Sally Cameron, longtime executive director of the North Carolina Psychological Association (NCPP). Cameron--who along with NCPP member Charles Cooper, PhD, has been helping North Carolina psychologists comply with HIPAA--pointed to some actions psychologists need to take to comply with the rule:

  • Designate a security officer to assess security risks and other vulnerabilities. "In many cases, that person will be you," said Cameron.

  • Create a training program to bring administrative staff up to speed on security rule requirements and security policies.

  • Document everything, including the risk analysis, security policy and procedures, rationale for security choices, security updates and staff training.

  • Frequently re-evaluate security policies and procedures to ensure continued compliance.

  • Consult a technology expert, who can help put technical safeguards, such as encryption software, in place.

Presenters emphasized that while meeting the HIPAA Security Rule requirements may seem daunting, the requirements lay out safe computing and other electronic practices and are measures that any business should take to secure its data.

"Finance, banking and other industries are required by law to secure confidential information," added Nickelson. "The security rule extends this trend to health care and provides an opportunity for professional psychology to apply good security practices as well."

Further Reading

For more information and to access the HIPAA Security Rule Online Compliance Workbook, visit