All Things Private Practice Podcast for Therapists

Episode 92: Optimize & Fortify Your Private Practice Using HIPAA [featuring Liath Dalton]

Show Notes

Many mental health practitioners struggle to fully grasp the ins and outs of HIPAA requirements, so they just copy and paste forms from other clinicians, use software that can be easily breached, and think that "as long as the client doesn't mind using Venmo, Gmail, etc., it's fine, right?"

But that's not how HIPAA works or why it exists. And though many therapists find it to be annoying, when implemented properly, it can be a tool to build trust with clients, as well as optimize and fortify your business and systems.

If you are not already running a HIPAA-compliant private practice or maybe just want to know more about how to seamlessly and painlessly implement it into your business, this episode is for you.

In this episode, I talk with Liath Dalton, director of Person Centered Tech, about how to "do HIPAA" the right way.

Top 3 reasons to listen to the entire episode:

  1. Understanding the nuances of HIPAA compliance and how to make sure that you are following it correctly.
  2. See how HIPAA compliance doesn't have to be a headache or complicated and how you can embrace it with ease.
  3. Learn which tools for private practice are reliable and HIPAA-compliant so that you can choose the right ones for your business that are budget-friendly and secure.

It's important to make your private practice HIPAA compliant to protect yourself and your clients, as well as ensure that you have a business that operates smoothly and is trustworthy.

More about Liath:

Liath is the director of Person Centered Tech, home of the PCT Way — a system for optimizing your practice and covering your HIPAA bases in just 5 steps. Liath cares deeply about PCT's purpose of "helping the helpers" through providing direct support, CE training, and resources to mental health practitioners in service of establishing robust and effective practices that meet the needs of your clients and you. Liath is especially passionate about supporting and equipping practice owners in navigating the security compliance process and identifying the specific solutions and processes that meet the particular needs of their practices.

Check out this special offer from Liath:

Discount on the PCT Way system packages (HIPAA Security Risk Analysis & Risk Mitigation Planning, HIPAA Manual, Device Security, Training, Service Selection, and direct support & consultation) for solo practitioners and group practices: Solo Practitioner PCT Way HIPAA Compliance Bundle and Group Practice PCT Way HIPAA Compliance Bundle

Save $100 off a HIPAA risk analysis, exclusive for ATPP listeners at


๐ŸŽ™๏ธListen to more episodes of the All Things Private Practice Podcast here


๐Ÿ—จ๏ธ Join the free All Things Private Practice FB Community 

A Thanks to Our Sponsor: The Receptionist for iPad!


I would also like to thank The Receptionist for iPad for sponsoring this episode.

As you prepare for the new year as a private practice owner, one area of your business where you might be able to level up your client experience is from the moment that they enter your office and check in with you. For many private practices, the client check-in process can be a bit awkward and confusing.

Clients often enter into an empty waiting room. And chances are you're wrapping up a session with someone else, so there's no way of knowing when they arrive. With a visitor management system like The Receptionist for iPad, you can provide clients with a discreet and secure way to check in for their appointment while instantly being notified of their arrival.

What's more, The Receptionist offers an iPad-less check-in option where clients can scan a QR code to check in, which negates the need for you to buy an iPad and stand. Go to and sign up for a free 14-day trial. When you do, you'll get your first month free. And don't forget to ask about our iPad-less check-in option.



PATRICK CASALE: Hey there, everyone, you are listening to another episode of the All Things Private Practice Podcast. I'm your host, Patrick Casale, joined today by Liath Dalton, the director of Person Centered Tech. And we're going to talk about all things HIPAA compliance, and the pitfalls, and mistakes, the things that often get overlooked, and how to really secure and protect not only your practice but your clientele as well. And I really appreciate you coming on and taking the time today.

LIATH DALTON: It's my pleasure. Thank you so much for having me. I know, you know, HIPAA is not everyone's favorite topic. But hopefully, through our conversation today, we can, kind of, empower folks to recognize the ways it can be used as a tool that supports their practice holistically. That's kind of the PCT approaches. Yes, these are requirements, but it gives us a framework that's actually really useful to optimize and fortify a practice in a more comprehensive sense than just the security components.

PATRICK CASALE: Optimize and fortify, I assume you say that a lot.


PATRICK CASALE: It's so time-bound, for sure, and probably when my VA is going through she's like, "That's going to be the sort of title." It kind of checked. 

So, I like that you frame it that way, though, because I think you're right. Like, HIPAA compliance is certainly not a sexy topic to talk about. But ultimately, it is so, so important. And I know just because I moderate a Facebook group of like 10,000 therapists in practice, like HIPAA compliance questions come up all the time. And I think that Person Centered Tech, personally, in my opinion, has always been like the standout in terms of how you all show up and talk about compliance, how you support practitioners, how you're very mission-focused and driven to protect client information. And I think it's got to be both sides and the best of both worlds. 

But really, in reality, like, a lot of practitioners just don't really fully understand it even to this day when you may have signed some paperwork, you may have a HIPAA compliant doc in your repertoire, you may send it out. But at the end of the day, you're like, I don't know if my email is HIPAA compliant? I don't know if that has to be? I don't know what this is? And like, the questions go on and on. So, feel free to take it away with whatever feels most important.

LIATH DALTON: Yeah. So, I think one concept that we have found is really useful in kind of being like the cornerstone or touchstone for folks in making the rest of the puzzle pieces fall into place is the concept of your security circle, in your practice, right? 

So, your security circle is comprised of the systems, like the services that are in your tech stack that provide for meeting functionality needs, like operationally, internally, but also, for client care delivery, most importantly, including communication, the devices that you use to access those systems, the workforce in your practice, and then, also the business associates who are outside your practice but are providing services to your practice. So, it's the combination of those.

Systems should be comprising your security circle, which is what are the appropriate places for handling client information, protected health information. And if we have a clear concept of what it means to be within our circle, then we can construct a solid circle and want to keep its perimeter intact, don't want it to get porous, right? 

And so, if we are always going back to this idea of when trying to select a new service or onboarding a new team member, if it is based on is this going to fit within my security circle? Is this going to support its integrity? Is it going to meet my needs and client needs? And kind of what the ability to construct a solid security circle for your practice or a walled garden kind of is predicated on is having a thorough and accurate understanding of what constitutes protected health information, right? Because that's what we have to keep within the circle, that's what we're entrusted with protecting.

And we're entrusted with protecting that not just because of the HIPAA requirements, but also, and very importantly because of all of the ethics codes and standards that therapists are subject to. 

And, you know, the different codes vary in terms of how explicit they are, but all of them address protecting client information and electronic client information, and can even get more specific in terms of, you know, encryption and how to protect that information. 

But it's important for all providers, whether you are in fact a HIPAA-covered entity or not. And I actually find that HIPAA requirements, and the kind of conceptual framework it provides ends up being a really useful tool to meet those ethical requirements as well. So, it can work synergistically. 

So, now that I've said that kind of all roads lead back to having an accurate understanding of what constitutes PHI, I should probably talk about what that definition or recipe is.

So, essentially, protected health information is personally identifying info, plus health info, where health info is about any health care services or payment for health care services, past, present, or future. And that future is really the kicker here too because one of the misconceptions that folks have is that PHI only becomes PHI once the clinician/client or provider/patient relationship is established. 

So, that means if that's how you're approaching your security circle or defining when info needs to be within your security circle, you're missing the mark, right? It means you're not thinking about things like having your contact form on your website secured, or how you're managing, you know, the initial contact problem. 

So, understanding that anytime you as a health care provider hold any identifying information of clients or prospective clients, that is protected health information, and it doesn't have to, and HHS and the OCR Office of Civil Rights, who are the HIPAA administrators have actually recently, kind of further clarified [INDISCERNIBLE 00:07:23] that the threshold is for when just holding an identifier, just a phone number, or an IP address. If you as a health care provider, as a HIPAA-covered entity are holding that it is PHI. 

So, when someone submits a, you know, initial contact inquiry through your contact form, even if they're not writing, you know, I have depression, and this is what I'm seeking care for, and here's kind of the context that's bringing me to reach out, even if it's just their name, and email address, that's PHI, so it needs to be pulled within the circle, yeah.

PATRICK CASALE: Yeah, and I think one, I love all the imagery, and I love the way that you're talking about this because it makes it more tangible and digestible. I think, you know, in a topic that often even is misspelled, in terms of acronyms, the words H-I-P-P-A. Therapists please don't spell H-I-P-P-A. That makes me cringe more. But nevertheless-

LIATH DALTON: I lost your audio.

PATRICK CASALE: And what ends up happening with these little details, people seem to overlook them as if they're not important, or that there cannot be a breach, or that there cannot be fallout. 

So, you keep mentioning and alluding to the contact form. And I know a lot of clinicians who have just built in a basic contact form into their website, that it comes to their email. And maybe it's not even a HIPAA compliant protected email with encryption. So, we're really creating layers of a problematic area right here where information could be lost or there could be a breach. And because people seem to think like, "Yeah, but it's not a big deal. Like, they're consenting by putting information into this contact form."

Can you talk a little bit about what a potential breach for something like that looks like and what that could create in your practice?

LIATH DALTON: Absolutely. Well, I mean, part of it is that if you are handing over client information to service providers, so you know the service that's providing the contact form functionality, your email service provider, you suddenly have taken client's protected health information, and put it into systems where there aren't safeguards and assurances that all of the safeguards that are required to be in place to protect that are in fact in place. 

And furthermore, if you don't have a business, a HIPAA Business Associate Agreement with the service provider, you're violating the HIPAA Business Associate rule, you aren't upholding the ethical standards as well because you need to be vetting who you are sharing client info with. So, that is technically a violation of the HIPAA standards, and also, really the ethics standards. 

And that's one of the most common violations that occurs, is not having Business Associate Agreements in place when a business associate relationship is present with a service provider, and it is one of the most frequently kind of penalized violations as well. 

And so, there is real risk exposure. And of course, it can range from, you know, small, normally, when we're talking with solo practitioners, there is no such thing as the HIPAA police, right? And that's also a misconception that I think ends up creating a lot of fear, that's not adaptive. We want folks to see the value and benefit in the compliance process, and what it provides to them in terms of, you know, security, as well for your practice and ability to continue to operate. We'd like to say [PH 00:12:38] CYA is self-care, right? And that peace of mind then frees you up to focus on client care, which is why you became a therapist not to jump through regulatory hoops or be lying awake at night thinking, "Oh, no, I don't know, if I'm doing this right, if I've got risk exposure." It's just better to know that you have your bases covered. And then, that frees up a lot of capacity. 

So, we don't want to be trying to mobilize folks to engage the compliance process out of fear of fines or penalties. The reality is that what we typically see for solo practitioners and even group practices, but a little less so with group practices, is that in the instance of being found to have had a HIPAA violation, or have a breach that you need to report, typically, the response is going to be requiring that you get in compliance and full documented compliance, you know? Do you have a thorough and accurate HIPAA security risk analysis? Do you have a risk mitigation plan that you are implementing? Do you have written policies, security policies, and procedures that specify how your practice is meeting each of the applicable standards?

So, it's typically remedial unless it's, you know, willingly, intentionally negligent, and malicious. But it does have consequences. And the consequences that are, I think, even more impactful than having to go through the process of, you know, discovering there was a breach, filing a breach report, and all the angst that that generates, is having to notify clients that their information has not been secured according to the obligations that you have told them you are subject to and that you're upholding. And that breaks trust, right? And that's a crucial element in having an effective therapeutic lens.

So, I think it's a lot more mobilizing to engage the compliance process if we're thinking about it in terms of, I don't want to break trust with clients, I don't want to have to tell them that actions I took or lack of actions have resulted in their information being compromised and falling into, you know, the hands of the scum and villainy that exists on the internet, and that I don't know fully what the implications of that information getting out could be. So, that's kind of how we frame it and approach it, typically. 

But I should say, going back to the original question about what kind of violation results from not having Business Associate Agreements with service providers have resulted in and I know there have been some very large penalties, typically, for the larger organizations that have had those massive penalties, but that is, you know, in the realm of possibility.

PATRICK CASALE: So, there's a lot to pick apart there. 


PATRICK CASALE: And one thing I want to say is like, so what I'm hearing you say, right? Very therapeutic term to use, that it's just being proactive so that you don't have to get this email, like, you have to create this plan, you have to do this thing, you have to notify your clients, right?

LIATH DALTON: Mm-hmm (affirmative).

PATRICK CASALE: And ultimately, what you're also doing, when you mentioned trust, like a break of… or a breach of trust, when you have to tell your client like, "Hey, this is what happened, because of…" Whatever the reason may be, it's almost like when you get that email from, "Hey, your credit card information was breached on X amount of sites." Or, "Hey, your personal data was breached on X amount of sites." And you're like, "Fuck, like, okay, like, now, what do I do?"

And it creates panic and anxiety unnecessarily that could have been prevented, and it can create therapeutic rupture. Do you think that a lot of the times it's more of a mentality of like, this just isn't going to happen to me?

LIATH DALTON: I think it's… oftentimes, I'd say there are a couple of factors. One is not understanding what the requirements are. Like, there is confusion and there are misconceptions or misinformation that really get propagated throughout the professional community as well. So, that contributes to it. 

I think that lack of understanding and feeling like, you know, this is more applicable to like a large agency or a hospital organization, it doesn't fit, it's not applicable to my scale, my risk exposures are so small compared to these other entities, right? That it feels, yeah, like it's not really going to occur, or that if it is, it's going to be so minimal, that it's not really going to have any kind of meaningful impact to the practice or to client relationships.

PATRICK CASALE: Yeah, absolutely. I think that's so true. So, you mentioned common misconceptions that happened in the industry, what are some common misconceptions that kind of pop up to you or immediately come to mind?

LIATH DALTON: Well, one of them I already alluded to, which was the fact that PHI only becomes PHI when a clinician/client or a provider/patient relationship is established. And that leads to a whole kind of domino effect of challenges, then. 

Another is that clients can waive HIPAA. And we've been seeing this more and more recently, because of the end of the Federal Public Health Emergency under which there was a temporary notice of non-enforcement when it came to video platforms, specifically. And so the OCR, the HIPAA administrators said we are not going to enforce, we won't penalize folks for using video platforms where you cannot obtain a Business Associate Agreement with the service provider right? 

So now, folks who haven't transitioned yet to a HIPAA-appropriate video platform are saying, "Okay, well, why don't I just get my client to sign a waiver. They like the platform we're using, FaceTime is super convenient. If they just say I understand the risks and accept them, I'm good to go." Right?

That is not something that clients can do. And I know where this misconception comes in, right? Because clients have the ability to request non-secure communications or it's referred to as alternative communications in the HIPAA Privacy Rule. And that means that basically that the transmission security standard, which relates to encryption of data in motion doesn't have to be met. And that requires request and that they be informed of the risks but it's their info, they have the right to waive that if they are properly informed of the risks. 

And I should also note, for folks who are going through the process of obtaining a request for non-secure communications from clients, it's really only an informed and an autonomous choice if you do have a secure communication method available to them. If your only options are non-secure communications, we've kind of got a problem there right now. 

So, while clients can request that they can never ever waive the Business Associate rule, which applies to all HIPAA-covered entities, and the Business Associate rule, in a nutshell, is that if you have a business associate relationship, you must have a HIPAA compliant Business Associate Agreement relationship or agreement in place. 

So, what then creates a Business Associate relationship? Anytime a third party, whether it's a service provider, another organization, or an individual creates, receives, maintains, or transmits protected health information on your behalf. So, business associates are those who are outside your organization, you don't have factors of control over them, they can't be subject to and governed by your PMPs, right? 

So, how do we ensure that the safeguards are in place? That's where the Business Associate Agreement comes in. They're saying, we will uphold these safeguards, we will take not only responsibility but also liability for any failures to do so. 

So, Business Associate Agreements are actually a wonderful thing. I've seen a lot of providers do kind of mental gymnastics or trying to contort themselves a bit to try to justify using services where they don't have Business Associate Agreements because, you know, that seems to maybe open up more options or whatever. And they're like, "Well, I'll keep identifiers out of it, or I'll limit the identifiers." That just creates a lot of cognitive overhead. It's not supporting you in being able to have an efficient and effective practice workflow either, right? And it's prone to error. 

So, we like to say, just identify the tools that are going to provide the right functionality that you need, and there are HIPAA-appropriate options where you can get that BAA in place. You want that BAA because that is them taking liability for it. And be like, why would you want to use a third-party service that won't give you a HIPAA Business Associate Agreement? So, that's one of the big kind of misconceptions and pitfalls that can lead to mistakes that end up just kind of then compounding and creating more distress and more work, usually, for folks in their practice, too. 

So, yeah, clients can't waive HIPAA, know what PHI is, you want Business Associate Agreements in place. And I'll give an example of that. Like when it comes to your contact form, for most folks, if they're not using a secure contact form, they really will limit what questions they're asking on it, right? They aren't going to ask what's your insurance provider? What's your insurance ID? On a contact form if they know it's not secure, right? 

But wouldn't it be great to be able to get that information right at the outset? Isn't that going to speed up your intake process and knowing if they're a fit or not, and checking benefits, and all of that? So, that's one of the ways where if we have the right tool in place, it's benefiting your practice overall, it's giving you the information you need, or the ability to get the information, you need to have a more optimized workflow, and get those clients in, and start providing client care, right?

PATRICK CASALE: It's such a good way to put it. That's such a great reframe because, again, it's one of those topics where people I think, their eyes glaze over sometimes where they're like, "HIPAA, yeah, that's fine." But I think that's so important to recognize the streamlining process to get your clients care or to refer your clients out appropriately if need be. And to make sure you're protecting both parties. 

And so, examples of BAA situations that often get overlooked, right? Like, this is what I see a lot in my circles, and Facebook group, and everything is your virtual assistant, your scheduler, your biller who is not working within your entity, your email provider, especially, those of you out there who I still see with like Hotmail, Yahoo, AOL, whatever. You know, I know the Gmail thing is dicey too, but I know you can get a BAA through Google workspace. So, make sure you're getting those. 

If you're using Zoom, but you don't have the version where you can get the BAA that's problematic too. You know, these encrypted email services that exist like Hushmail, Paubox, etc., why not go the extra mile and just obtain the service even if it's $9 a month for Hushmail instead of saying, like, I'm going to go through, like you said, all these mental gymnastics to create a situation where I think I'm skirting the issue and I think I'm protecting the client information? Like, why not just have the peace of mind and pay the $9 instead of risking potential breach? That's something that I have never been able to come to terms with, and it's a simple fix.

LIATH DALTON: Right, it really is a simple fix. And you hit the nail on the head there in terms of kind of the most typical areas where we see folks utilizing services that aren't appropriate, definitely the contact form on your website, email. Another one is phone service. 

PATRICK CASALE: Yep, absolutely. 

LIATH DALTON: And so, free Google Voice numbers don't cut it. You can't get a Business Associate Agreement. And interestingly enough, the kind of age-old understanding that there was this gentleman's agreement, essentially, where the HIPAA Security Rule didn't apply to classic phone service or plain old telephone service, is really not applicable anymore because even when it comes to a landline because even if you have a landline, the service provider is still doing things all analog, right? Which is very rare. Now, they're all using internet and Voice over Internet Protocol to basically still provide landline phone service.

But even in the analog situation, the phone service provider is keeping an electronic call log, which means that that is protected health info because phone numbers are identifiers. 

So, phone service is an area where we absolutely need to have the HIPAA Business Associate Agreements in place with the providers. And my recommendation there is, generally, to use a HIPAA-appropriate Voice over Internet Protocol phone service provider.

You can get Business Associate Agreements with AT&T, and Verizon, and T-Mobile, and so on. But they're a lot more expensive than, you know, just having to add it on a line to your family plan and using that for your practice. And they have a lot less functionality, a lot less. So, you know, phone services like iPlum, and RingRX, and Spruce Health provide tons of functionality that's really supportive of, again, that optimizing and fortifying your practice workflow.

PATRICK CASALE: Yeah, absolutely. So, please, if you're listening, take that into consideration. If you have a free Google Voice number, and you think that that's protecting your information or that you don't have to, that's not the case, it's very easy to get the BAAs, and it's very easy to sign up with one of the systems that Liath just mentioned. I'm a big Spruce Health fan. I have used them for years. I'm constantly doing webinars with them, but I know they're a little pricier than the other options. So, weigh out your options, but have an option. And I think that's really important. 

The other things that come to mind for me that I see a lot of questions and confusion around are twofold, payment processors and collections/services. So like, what I see a lot of questioning is like, "Hey, my therapist uses Venmo, or PayPal, or Zelle and…" I just saw your face [INDISCERNIBLE 00:29:53].

LIATH DALTON: Yes. Well, and so, to kind of unpack this a little bit, there is an exception to the Business Associate Rule, the 1179 exception when it comes to pure payment processing with financial institutions, right? But that pure payment processing exception is super limited. It's just the what does it take to move money from one point to another? It doesn't include invoicing or sending a payment request, right? And that's where the services like Zelle, when PayPal suddenly get outside the scope of where it's limited enough usage that the Business Associate rule isn't applicable, right?

And I mean, Venmo was designed as a social media app first and foremost. And I should note that if you are using Venmo because you don't want to be paying the processing fees, you're violating those terms of service because the terms of service are that it's not for business use, it's not, you know, for commercial purposes. I mean, you can make your own decision on risk tolerance there. But it means you are in violation of their terms and conditions and you're using something that's not appropriate for handling client money and payments. And there are tons of options that will provide a Business Associate Agreement, so you don't have to use them in a limited way. 

So, if you're using a standalone payment processing system, our go-to recommendation is going to be Square because they provide a Business Associate Agreement, so you can send invoices through it, you can, you know, leverage all of the functionality that it includes and their processing rates are competitive with the other ones that are intended for business use.

PATRICK CASALE: Yeah, absolutely. So, really long short is what I'm hearing is like, there are always options for you to protect and fortify your practice and your client information. And if you're opting not to go the extra little step then you are putting yourself and your practice at risk.

LIATH DALTON: Exactly. It is creating risk. And I, generally, see that the sense or realization of that risk, even if it's something that's more at a subconscious level, instead of top of mind that that takes a toll that drains people. And in a world where we've got enough cognitive overhead, right? I want to limit that. 

And earlier, you were touching on something that is very much in line with the PCT approach, which is it is so much better to be proactive rather than reactive, right? And so, working to put things in place, it's not a set it and forget it sort of thing. We always like to say compliance is a process, not a product, right? 

But in that process, once you have the foundation in place, you have this rubric that makes it easy to make all the other decisions that come before you as a practice owner, right? And that's why I started talking about the circle as a concept that's really useful because if everything goes back to that of is this something that can be part of my circle? Does it keep the perimeter intact? Or did I just like take a sledgehammer and bash my circle to smithereens, right? That's useful, and that's accessible. 

You know, we want to be framing things in terms that folks can understand that are translating like the legalese, the policies, the tech speak, into what is accessible, what can you kind of conceptualize, and visualize, and then apply in practice because this is all something that really needs to be done in practice, and not just in a performative way. And by performative, I don't say that folks set out with an intention to perform compliance, but not really do it in practice, but that our usual ways of approaching it have been kind of, you know, get a policy and procedure manual template from a colleague or another practice, maybe get a couple and you copy paste and create a new one, and do find and replace with your practice name, and then, you file it away, right? And you're like, "Okay, I did the HIPAA manual thing."

But it's not a living document that's guiding things and it's not really specific to what your practice context is, how you're working with clients, what systems you're using. So, it's not useful, and it does feel kind of arbitrary. 

And so, if instead we're looking at how to make this that foundational piece that is just providing guidance and support, and really holding folks through all of the other decisions and things they need to be making as a practice owner, it's a whole different landscape.

PATRICK CASALE: Yeah, absolutely, was such wonderful information and seriously helpful, tangible action-oriented steps that we can start implementing immediately, especially, if you're listening and you're like, "Oh, shit, I don't have this stuff in place." Well, let's be proactive and get it in place. And make sure that you're protecting yourself, your clients, your information, and your practices, and all the hard work that you've put in to create them. I think that is really just wonderful, wonderful advice. And I hope that all of you can digest that and share that as well. 

Liath, thank you so much for coming on. And just sharing so much helpful information. I definitely learned some stuff today. And really, really excited to share this episode because I think this is one of those things that it's just a constant conversation starter, and it's being asked all the time. So, to be able to just make it really clear and less murky, and just like, hey, this is what it is, then, I think that is helpful in so many different ways. So, thank you so much for that. 

And please share where people can find what Person Centered Tech is doing because I think, again, as I said before, one of my favorite resources in the industry, by far.

LIATH DALTON: Oh, well, thank you so, so much. And we honestly feel really privileged to be able to provide the resources and support that we do. You know, helping the helpers is something we're passionate about, and our team is comprised of helpers themselves. So, that is part of why we approach things the way that we do. 

So, Person Centered Tech, and all of our resources and support can be found at We have a set of resources for solo practitioners, and for group practices because those practice contexts mean that, you know, kind of the scale and scope of things looks a little bit different. So, we have something that's specific for each practice context. 

We have continuing education trainings, we perform HIPAA security risk analyses, and risk mitigation planning. We have customizable policy and procedure templates that we work with you to customize for your practice. And then, a resource that's extremely helpful for a lot of folks, especially, in our current practice context are our device security and remote workspace security resources. And I'll spare the whole overview of what those entail.

But should kind of add that one of the mistakes that I forgot to mention earlier relates to device security. And that is that folks can easily think because they're not, you know, storing notes locally on their actual computer, they're keeping it in a cloud-based system, that device security isn't really a consideration or something they need to be managing if everything is cloud-based, right? That isn't true. We need to be making sure that any device that ever accesses a system that contains client info is secured. And that's easy to do. So, that's one of the resources that we have as well. 

So check out And if you click on the Start Here tab in the top navigation, it'll take you either on the Solo Practitioner path or the Group Practice Leader path and get you to the resources that you want.

PATRICK CASALE: Absolutely fantastic. And all of that stuff will be in the show notes for everyone to easily access as well. Liath, thank you so much for coming on and making the time. This is a really great conversation today and I'm really happy that we got to have it.

LIATH DALTON: Thank you. It's my pleasure. And thank you so much for the invitation.

PATRICK CASALE: To everyone listening to the All Things Private Practice Podcast, new episodes are out every single Sunday on all major podcast platforms. Like, download, subscribe, and share. Doubt yourself, do it anyway. We'll see you next week. Thanks, everyone.

