How I’m Making My Solo Practice HIPAA-Happy!
Hey fellow SLPs and healthcare pros! Today, I want to share some insights from my personal journey towards HIPAA compliance.
In my last two posts, we delved into the crucial topic of HIPAA compliance for telepractice. They covered the “what” and the “why.”
- HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security
- Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide
Today, I want to share the “how” – my personal journey of putting these principles into practice! I’ve been diving deep into my tech setup to make sure it’s not just functional, but also rock-solid HIPAA compliant. For example, as a teletherapist, some of my schools don’t invite me into their workspace. This leaves it up to me to securely manage all my client notes and materials. This kind of gap is precisely what drove me to build a truly robust system.
It might sound daunting, but trust me, it’s all about peace of mind for both you and your clients. I wanted to share a rundown of what I’ve done. More importantly, I want to share why I’ve done it, in case it helps you level up your practice too!
The “Why” Behind My Personal HIPAA Compliance Journey
My biggest drive was simple. I needed to know, without any doubt, that I was protecting my clients’ sensitive information to the highest standard. HIPAA isn’t just a checkbox; it’s about building trust. First, I conducted a thorough risk analysis of my setup to identify any potential vulnerabilities (the Security Rule requires this analysis, and it is the document an auditor asks for first).
I’ve now meticulously created and am maintaining a detailed “Security Policies and Procedures” document that guides all my practices. Plus, having everything clearly documented helps me sleep better at night!
Honestly, it wasn’t that long ago, a few weeks, that I wasn’t even aware of all of this. I didn’t know about Business Associate Agreements (BAAs), or their critical role. My previous security stance of “just don’t share client info” felt sufficient. Since then, I’ve realized how nebulous and insufficient that really was for both cloud-based and desktop information.
How It All Started
So, if I wasn’t born with this wealth of knowledge, and it wasn’t covered in grad school, what happened? Well, I discovered that simply removing what I thought was identifying information was not sufficient for HIPAA de-identification. That realization truly sent me down this “rabbit hole” of learning and implementing everything you’re about to read!
Honestly, as a single user, all this might seem like overkill at times. That is, until I really think about the potential cost and repercussions of a HIPAA violation. That quickly puts things into perspective!
Here are the information and tips I’ve learned on this individual HIPAA compliance trek. (No, I’m not affiliated with, or sponsored by, Google in any way; it was just easier to work with.)
The Secure Foundation: My Google Workspace Enterprise Standard

Before even setting up my specific security rules, choosing the right Google Workspace edition was crucial. There are several tiers, and it’s not just about how many emails you can send! For me, picking Enterprise Standard was absolutely essential because of the level of HIPAA security I was comfortable with.
- Pro-Tip on Choosing a Platform: I actually considered Microsoft 365 Business plans, as they also offer BAAs. However, I was already using and familiar with Google’s interface. More importantly, I found it much easier to get clear information about Google’s BAA and HIPAA-included functionality upfront. Microsoft seems to hide their BAA documentation behind a subscriber wall, making it difficult to fully vet before committing. This ease of information access, combined with my familiarity, ultimately swayed my decision towards Google. Basically, it looks like any paid workspace can have a BAA: https://support.google.com/a/answer/2888485?sjid=14092164238884574583-NC
Here’s why I landed on it during my own HIPAA compliance trip, and what foundational elements it provides:
The Non-Negotiable BAA
This was the top priority. Enterprise Standard definitely comes with a Business Associate Agreement (BAA). This gives me that crucial legal agreement with Google to handle Protected Health Information. This is absolutely non-negotiable for anyone handling PHI with Google Workspace. (You can find Google’s BAA here: https://workspace.google.com/terms/2015/1/hipaa_baa/).
- Pro-Tip on Choosing a Tier – I actually started with the cheapest business tier (Business Starter $7/mo), which I can confirm offers a BAA. However, after really digging into the features, I chose to upgrade to Enterprise Standard. It offered much better control over information and more robust policy enforcement options. These ultimately felt essential for protecting client PHI effectively. Google Tiers & Pricing
- Don’t Forget Your Domain Name! A domain name is an additional, but necessary, cost for any Google Workspace Business account. While Google offers to sell you one directly, I opted to buy my domain through Cloudflare for just $10.44/year. This was a cost-effective choice since I already used Cloudflare for other services.
Serious Pooled Storage
Enterprise Standard offers a massive 5 TB of pooled storage per user. (Just a heads-up: This pooled storage gets released in stages after payments, so my Drive initially showed less!). This is more than enough space for all my therapy materials and client files.
Google Vault for Ironclad Data Retention
This was a game-changer! Enterprise Standard includes Google Vault, which allows me to set an indefinite retention policy for all my Google data. This ensures I meet and exceed HIPAA’s six-year retention requirement for compliance documentation (how long clinical records themselves must be kept is set by state law and your licensing board, and is often longer). One caveat: Vault is a retention and eDiscovery tool, not a backup. It keeps a searchable, exportable copy of data even after a user deletes it, but it won’t restore a wiped Drive for you, so treat it as an always-on retention safety net rather than a restore point.

Advanced Data Loss Prevention (DLP)
This tier gives me access to advanced DLP rules for Gmail and Drive, which are central to my security strategy. These are the powerful rules that can warn me if I try to share sensitive files externally.
Comprehensive Security Controls
Enterprise Standard unlocks a lot of the granular administrative controls I needed. This allowed me to configure things like enforcing 2-Step Verification, setting strong password policies, and disabling third-party apps.
Basically, for handling PHI and needing robust, auditable security features, Enterprise Standard provided the comprehensive toolkit I needed to feel confident and stay compliant. It’s an investment at $27/mo, but one that’s absolutely worth it for peace of mind and professional responsibility.
The Core Pillars of My Personal HIPAA Compliance Policy:
Here’s a look at the specific configurations I implemented (See Google’s HIPAA Implementation Guide: https://services.google.com/fh/files/misc/gsuite_cloud_identity_hipaa_implementation_guide.pdf):
1. Bulletproof Access Control (Who Gets In? Only Me!)

- 2-Step Verification (2FA) is Mandatory: No exceptions! I enforced 2FA for all account access. This is your absolute best defense against unauthorized logins. The Admin Console also lets you restrict which second factors are allowed; a hardware security key or passkey resists phishing in a way that SMS codes do not, so if you can, disallow text-message codes.
- Strong Passwords, Always: My system enforces strong password policies, requiring a minimum length of 16 characters and prompting for a refresh every 180 days. No weak links here!
- Third-Party Apps? Deny by Default! My policy is strict: all third-party app access is blocked by default. If I ever need an app, it goes through a security review and is force-installed by me, the admin. This prevents unvetted apps from touching my client data.
- Strictly BAA-Covered Services Only: As part of my setup, I went into my Google Admin Console and literally turned OFF any Google services that aren’t explicitly covered by the BAA (like Google Photos, YouTube, etc.). Why? To make sure no PHI accidentally ends up in a non-compliant service. (You can find a list of Google’s HIPAA Included Functionality and BAA-covered services here: https://workspace.google.com/terms/2015/1/hipaa_functionality/).
2. Smart Data Protection (No Accidental Leaks!)

- Gmail Content Compliance: I set up an automated rule in Gmail that quarantines any outbound email containing PHI-related keywords if it’s addressed to a domain not on my pre-approved “Trusted School Districts” list. It’s a huge safety net!
- Drive DLP (Data Loss Prevention) Rule: For Google Drive, I have a rule that gives me a real-time warning if I ever try to externally share a file containing PHI keywords. It’s an extra “Are you sure?” before a potential mishap.
- Always Use Secure Communication Channels: Beyond these automated rules, I always ensure that any direct client communication involving PHI occurs only through secure, HIPAA-compliant platforms (like my employer’s therapy portal). I now avoid using regular email, text messages, or consumer video calls for sensitive information.
3. Endpoint & Browser Security (My Laptop & Chrome)
- My Laptop is Encrypted & Protected: My main computer has full-disk encryption (BitLocker/FileVault) and a robust antivirus solution. I’m currently using Norton Small Business ($59/1st year with $119/year renewal) for this, primarily for its strong endpoint protection. While I’m actively looking into BAA-covered antivirus and endpoint detection & response (EDR) solutions, it’s been a real challenge to find providers willing to work with a single user. For now, Norton Business helps secure my device itself. I had to specifically disable its cloud backup features to prevent any PHI from being stored on non-BAA servers. I’ve also upgraded my mouse to use Logi Bolt technology for a more secure wireless connection.
- Physical Security for My Home Office: Beyond digital protection, I also ensure any limited physical PHI (like printed notes) is kept in a locked file box when unattended, and my work area is secured to prevent unauthorized access. I’ve even rearranged my office so that my computer screen is not visible from the doorway, even though I always make sure to close the door when I’m with clients.
- Dedicated Chrome Profiles: This is a big one! I have separate Chrome browser profiles. One just for my professional Workspace (where I handle PHI), and others for personal stuff or employer-provided Outlook/therapy portals. This completely isolates data and workflows.
- Updated to add – I’ve now gone a step farther and added another Windows user to my computer. This way all therapy stuff stays in the therapy user.
- Chrome Policies Enforced: My professional Google Workspace Chrome profile has Enhanced Safe Browsing, “Always use secure connections” (HTTPS-only mode), and strict extension blocking enforced by policy. This means my browser is secured from the top down.
- Windows Settings Tuned: Beyond the basics, I dove into Windows settings to ensure my device is locked down. Strong PIN/Windows Hello, Dynamic Lock (locks when I walk away), automatic screen lock, firewall active, and app permissions reviewed app-by-app.
4. Tackling Existing Data & Migration
This was a big project, especially for older files, and probably the hardest part in my HIPAA compliance trek!

- Consolidating All My Data (PHI & Non-PHI): I meticulously went through all my files, both on my computer’s desktop and in my Drive. I identified any possible PHI or general therapy materials. That data was then securely moved to my professional Drive, ensuring it was consolidated into my compliant environment.
- No More OneDrive Sync: I’ve also disabled Microsoft OneDrive’s automatic PC folder backup. I’m in the process of moving those files from the OneDrive synced location back to my local user’s root folders. This ensures no client data is inadvertently stored or synced to a non-BAA cloud service.
Google Drive Settings and Workarounds
- Google Drive for Desktop (Strategically!): I used Google Drive for Desktop for efficiency with many files, but with a key rule. I keep it on “stream files” mode. This means files are only downloaded when I open them, minimizing PHI stored locally on my hard drive. I also keep its “offline access” feature for PHI files disabled in the Admin Console to prevent local copies, unless absolutely necessary and then with extreme care.
- Native Google Docs/Sheets/Slides: This was tricky! I learned you can’t just drag-and-drop native Google files between different accounts using Drive for Desktop. For these, especially if they contained PHI, I had to download them in Microsoft Office format from my personal Drive. Then I re-uploaded them to my professional Google Workspace Drive. This ensured ownership transferred correctly and, crucially, kept the PHI handling within my secured processes.
- Unzipping Files: Since Google Drive doesn’t have a built-in unzipper, I securely downloaded ZIP files to my local, encrypted computer. I unzipped them using Windows’ built-in function, and then re-uploaded the extracted files to my professional Google Workspace Drive.
- Disconnecting My Personal Drive: Once the transfer was done, I disconnected my personal Google Drive account from Google Drive for Desktop. Why? Fewer accounts connected equals less potential risk.
- Cleaning Up My Personal Drive (Carefully!): After moving all PHI, I used a cloud cleaner like Norton Cloud Cleaner on my personal Google Drive to remove duplicates and old non-PHI files. NEVER use such a tool on any PHI files or folders due to compliance risks, if it’s not covered by a BAA.
Involving Others in My Personal HIPAA Journey
- Dealing with Shared PHI from Others: I found some old PHI-containing files in my personal Gmail’s “Shared with me” section, shared by a school district. I immediately downloaded these to my professional Google Workspace Drive, then securely deleted them from my personal Drive and my local computer. Then I reached out to the owner (politely!) asking them to remove my personal Gmail from the access list. This is an active and ongoing effort where I’m proactively contacting owners to ensure my access is removed. I’m documenting all my attempts as part of my due diligence, especially if I encounter non-responsive contacts or technical difficulties.
- Updating My Employer: I proactively contacted my employer to update my email address for all Google Drive file sharing. I specifically requested that anything with sensitive client info go to my new, secure professional email address (e.g., [email protected]). This helps them send things to the right place from the start.
My Ongoing Commitment:
This isn’t a one-and-done project! I’ve also built in:
- Annual Policy Review: I’ll review my entire security policy document at least once a year.
- Self-Education: Staying informed about HIPAA and cybersecurity is an ongoing task. I’ve even been learning about specific processes like the HIPAA de-identification process.
- Basic Incident Response: I have a plan for what to do if something ever goes wrong, including who to notify.
- Learning Curve: I won’t lie, all these tech skills required some serious reading up and a lot of help (shout out to Gemini!). It’s a journey, not a sprint, but totally doable!
Setting all this up has been a journey, but it’s given me immense confidence in my practice’s security. If you’re an SLP (or any healthcare professional) using tech in your practice, I highly encourage you to take a look at your own setup. It’s worth every bit of effort for your peace of mind and, most importantly, for your clients’ privacy!
Here’s to HIPAA Happiness!
Social Media Icons: designed by rawpixel.com – Freepik.com