Reaching Out to Our Community

First things first, let’s talk about reaching out to our community. Whether it’s through local schools, community centers, or even social media, there are tons of ways we can spread the word about what we do. Hosting workshops, giving talks, or even just setting up a booth at a local event can go a long way in raising awareness. Letting people know we’re here to help is invaluable. So many people don’t know about the wonderful things you do every day. This is your time to shine!

Providing a Variety of Resources

As speech-pathologists, we have a host of resources at our fingertips, and it’s up to us to share them with our community. From brochures and handouts to online guides and toolkits, there’s no shortage of ways we can support individuals and families affected by communication disorders. Even a list of links is infinitely helpful for those looking for more information! Let’s not forget about collaborating with other professionals and organizations, because this provides even more comprehensive care.

Educating Others on Disorders

Educating others about communication disorders is a big part of what we do. It’s super important in breaking down barriers and fostering understanding. Whether we’re giving a presentation at a local school or hosting a webinar for parents, every opportunity to spread knowledge and awareness is a step in the right direction. Plus, by empowering others with information, we’re helping them make informed decisions. Access to the support they need is crucial. The general public simply isn’t aware of all the options available!

Making a Difference in Media Representation

Last but not least, let’s talk about making a difference in media representation. From movies to TV shows, how communication disorders are portrayed in the media can have a big impact on how people perceive them. There’s nothing more frustrating to me than seeing communication impairments misrepresented!  By working with writers, filmmakers, and other media professionals, we can help ensure that these portrayals are accurate, respectful, and free from harmful stereotypes. It’s all about advocating for better representation. This helps give a voice to those who need it most.

In a nutshell, being a speech-pathologist isn’t just about helping individuals—it’s about being an active and engaged member of our community. By reaching out, providing resources, educating others, and advocating for better representation, we can make a real difference in the lives of those affected by communication disorders. So, let’s keep up the amazing work and continue being the superheroes our communities need!

If you’d like a jumpstart on educating your community on communication impairments, check out my BSHM packet on TPT!  It is 41 pages of SLP information in an easy to edit Google Slides format!

Keep rockin’ the world!

Links for more information: 

• American Speech-Language Hearing Association
• Centers for Disease Control and Prevention – Communication with People
• National Institute on Deafness and Other Communication Disorders
• Mayo Clinic
• NIDCD Statistics

Social Media Icons: designed by rawpixel.com – Freepik.com

The post Speech-Pathologists at the Heart of Outreach appeared first on Mrs. Speech Online.

This guide will break down the process into a stress-free experience, making CCC renewal a breeze. Keep reading for a link to a treasure trove of free and low-cost CEU opportunities!

Staying Sharp: Your 3-Year CCC Renewal Checklist

Every 3 years, you’ll need to complete specific requirements to maintain your CCC. Here’s a handy checklist to keep you on track:

Earn 30 Hours of Continuing Education:

This is where ASHA CEUs and PDHs come in.

• 2 hours must focus on cultural competency, diversity, equity, or inclusion to ensure you’re providing inclusive care for all clients.
• 1 hour Ethics training is also required.

Keep track

You must keep track of your PDHs since you can’t submitted them to the registry. I would suggest to keep track of all courses, even CEUs, in case they aren’t submitted properly.

•  ASHA offers a free PDH tracking spreadsheet to help you track your PDHs. 
• You will need a certificate of completion for each course or a college transcript if they are not submitted to the registry, in the case of an audit.
  • If a certificate of completion is not offered, then you can fill out a Verification of Attendance form.

Submit a Compliance Form

When you renew, you simple check that you completed your Continuing Education. This is just you verifying that you completed all hours.

•  ASHA doesn’t require courses to be listed, or supporting documentation, unless you are Audited. Here is the official compliance audit form.

Pay Annual Dues or Fee

• Maintain your ASHA membership, increased to $250 for 2025.
• Uphold the ASHA Code of Ethics: Stay professional and ethical in your practice.

Understanding ASHA CEUs

• The Standard Unit
  • 1 CEU = 10 hours of participation, excluding breaks.
• How to Get Them: Attend an ASHA-approved course and request CEUs. The provider will submit your information to the ASHA CE Registry, which awards the credits and updates your transcript. 
• Important: CEUs can only be earned through the ASHA CE Registry, which is an additional fee on top of the renewal fee.

PDHs: Beyond ASHA CEUs

PDHs track your participation in various learning activities beyond ASHA-approved CEUs. These activities can still enhance your knowledge and skills as an SLP and count toward the continuing education requirement.

• 1 PDH = 60 minutes of active learning or participation.
  • Non-ASHA CEU Activities
  • PDHs for activities that aren’t ASHA courses but approved but contribute to your development (e.g., conferences, workshops, teacher professional development, self-study). Find the full list here: https://www.asha.org/certification/pdhs-for-asha-certification/
• Academic Coursework: PDHs can also be earned through coursework (check conversion rates for semesters and quarters).

Benefits of ASHA CEU registry:

• Convenience: Track your progress easily and securely through the ASHA CE Registry.
• State Licensure: Most state boards accept the ASHA CE transcript for license renewal
  • Important! The requirements may be different (check your state’s specifics).
• CCC Maintenance: ASHA CEUs fulfill the 30-hour requirement for maintaining your CCC without any further documentation.
• ACE Award (see more below): requires CE Registry

Have multiple licensure dates and requirements to worry about? No problem with this Multi-State & Organization CE Tracker | Visual Google Sheet. Designed for SLPs and other professionals, this intuitive tool simplifies compliance with one-time data entry, at-a-glance progress gauges, and smart expiration alerts. Transform your CE tracking from a chore into a simple, stress-free process, saving you invaluable time and boosting compliance.

Free and Low-Cost CEU Resources to the Rescue!

Conquer your CCC renewal without breaking the bank! We’ve compiled a comprehensive list of free and low-cost CEU resources. Check out my Free CEUs page for a mix of valuable options to fit your learning preferences and budget.

The ASHA Award for Continuing Education (ACE): Going the Extra Mile

The ASHA Award for Continuing Education (ACE) recognizes SLPs who go above and beyond by completing 70 hours (7.0 CEUs) of ASHA-approved continuing education courses within 3 years. This prestigious award demonstrates your dedication to lifelong learning and excellence in the field.  However, this only includes courses on the CE Registry.

Note that ASHA says to allow at least 90 days from the date you completed your last course before receiving your notification of the ACE award.   In my experience, courses show up on my CE transcript months before they show up on my ACE transcript.  

Benefits of the ACE Award include recognition on the ASHA website, award documentation, name submission to the state association, and 10% discount on ASHA’s professional liability insurance.

You Got Your ASHA CEUs Handled!

By staying up-to-date with these guidelines and taking advantage of the available resources, you can ensure your CCC remains active and your skills remain sharp! This allows you to continue providing top-notch care to your clients.

Feeling overwhelmed? Share this post with your fellow SLPs, and don’t hesitate to ask any questions in the comments below!

Social Media Icons: designed by rawpixel.com – Freepik.com

The post Conquer your Continuing Education (CEUs): A Stress-Free Guide for SLPs appeared first on Mrs. Speech Online.

Welcome back! Are you ready to dig deep in to AI and client privacy? In our recent ‘HIPAA Compliance At Home‘ article, safeguarding protected health information (PHI) is key. It’s not just a professional guideline; it’s a fundamental ethical responsibility and a legal imperative under laws like HIPAA. Now we narrow our focus on HIPAA and the use of AI tools.

The Critical Importance of Client Data Privacy (HIPAA)

Now, we’ll examine one of the most critical concerns for us as clinicians when dealing with AI: HIPPA and PHI. Specifically, our clients’ sensitive health information must be kept private and secure when interacting with AI tools. As Speech-Language Pathologists, safeguarding protected health information (PHI) is a fundamental ethical and legal responsibility under laws like HIPAA.

The rapid rise of AI brings with it questions about how these models learn from vast datasets. What are the implications for the confidentiality and security of the clinical data we manage daily? Is any interaction with any AI tool a HIPAA violation? How can we ensure our client’s trust isn’t compromised? 

In this post, we’ll unpack these crucial issues of AI and HIPPA for SLPs. We’ll examine how AI actually learns from massive amounts of text and data. Then we’ll tackle how to keep PHI data private and secure with AI use.  

Don’t forget to take our poll at the end!  Results will be shared in Part 8.

The Human Brain and Clinical Data Processing: A Parallel Perspective

As Speech-Language Pathologists, we constantly process and learn from clinical information. From graduate school to continuing education, supervision, and countless client interactions, our brains process vast clinical data. We are immersed in a sea of de-identified case studies, research articles, diagnostic reports, and therapy session data. We absorb this input, identify patterns, recognize clinical presentations, and synthesize effective intervention strategies.

This exposure allows us to develop our clinical judgment, personalize therapy plans, and communicate professionally about our clients’ needs. We don’t memorize every detail of every case. Instead, we internalize the underlying principles and relationships, allowing us to generate our own unique, ethical, and individualized clinical insights. This human learning process involves drawing inferences from numerous, often sensitive, pieces of information.

How AI Learns: Pattern Recognition on a Massive Scale

While humans and AI language models learn differently, they both rely on an immense quantity of input. AI language models are trained on enormous datasets of text and code – encompassing millions of books, articles, websites, and more.

AI Training: Leveraging Vast Datasets

Healthcare AI datasets include anonymized data. This covers research, journals, guidelines, and de-identified clinical records. It’s like they’ve “read” the entire internet and a specialized library of medical and clinical literature.

Beyond Memorization: The Art of Pattern Synthesis

However, during this training process, the AI doesn’t typically “download” and store individual client records or copyrighted works. Instead, AI analyzes data for patterns. It identifies word probabilities, grammar, and style.

It’s not directly copying and regurgitating. Instead, it is learning the underlying rules of language and the common ways information is conveyed, though without real meaning. When text is generated (e.g., a SOAP note), it’s not pulling verbatim from a specific client’s file. Instead, it’s using patterns to construct new sequences of words that are statistically probable and relevant to your prompt. It’s synthesizing information into something novel.

We will dive more into how AI works in Part 3 of the series. However, the key takeaway for SLPs is that the data you input for a specific task may violate privacy and security.

The Imperative of Data Privacy and Security for SLPs (HIPAA and Beyond)

For SLPs, the core legal and ethical imperative is HIPAA (Health Insurance Portability and Accountability Act). This legislation dictates how protected health information (PHI) must be handled, stored, and transmitted. The myth from our next post – that all AI use inherently violates HIPAA – stems from a valid concern about PHI.

This is why it’s crucial to differentiate the tools you use for PHI and non-PHI purposes. Even seemingly “de-identified” notes can still be problematic with AI and HIPAA for SLPs.

Public/General-Purpose AI Tools (e.g., standard ChatGPT, Google Gemini)

These tools are NOT HIPAA compliant by default. They are designed for general use, not for processing sensitive health information. This AI use directly impacts client data security. You must have a BAA to use them to protect PHI.

The “De-identification” Trap

You might believe you’ve removed all identifying information when using AI, by leaving out a name, specific dates, or location. However, HIPAA’s definition of de-identification (the “Safe Harbor” method) is incredibly stringent. It requires removing 18 specific identifiers, and crucially, “any other unique identifying number, characteristic, or code.”

Your session notes, even without a name, contain highly specific clinical details and narrative elements.

For example:

• “Data on /s/ blend in the initial position was 82% accurate.”
• “Discussed pictures from her trip to Chicago.”
• “/k/ sounds 50% accurate at word level.”
• “Cued /k/ by saying ‘in your throat’.”
• “Continues to answer ‘I don’t know’ and look to her parent”).

These specific clinical observations, unique behaviors, and personal anecdotes (like the Chicago trip) ARE PHI. They can, taken together, make a client potentially re-identifiable. Look at it through the lens of someone familiar with your caseload, or who has other publicly available information.

Even if your account is anonymous, or you remove all “obvious” identifiers, you may still violate HIPPA.

Transmitting such detailed, potentially re-identifiable information to a non-HIPAA compliant service constitutes an impermissible disclosure. An anonymous user account doesn’t change the fact that the AI service itself is not operating under HIPAA’s legal framework.

No Business Associate Agreement (BAA)

This is the ultimate barrier. Under HIPAA, covered entities sharing PHI with service providers need a BAA. This includes re-identifiable data. Public (free) AI models like ChatGPT and Gemini do not offer or sign BAAs. Without this legal contract, you are essentially exposing PHI to the AI, an unsecured third party, which is a clear HIPAA violation.

Learn more about BAAs in Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide.

Transparency and Due Diligence: Your Role

As AI evolves, so do the guidelines and expectations for its use in healthcare. There are ongoing debates and legal discussions about the broader implications of AI training data. Legislators and leading technology experts are investigating issues of intellectual property and potential re-identification even from de-identified datasets. For SLPs, the immediate action points are:

• NEVER input any PHI into non-HIPAA compliant AI tools like public (free) ChatGPT or Google Gemini.  This is because even your best efforts at de-identification are unlikely to meet HIPAA’s stringent standards for PHI. Therefore, the lack of a BAA creates an immediate compliance risk.
• Exercise extreme due diligence when considering specialized AI tools for your practice. Ask critical questions about security protocols, data handling, BAAs, and data storage and use policies. To help you, in upcoming parts of this series (see below), we’ll delve deeper into finding compliant tools. We will explore what secure AI solutions might look like for SLP practice.
• Stay informed about professional guidelines and emerging legal interpretations regarding AI & HIPPA for SLPs from your governing professional bodies.

We use predictive technology daily, with autofill, grammar checkers, and search engines. While they are are not typically thought of as AI, these tools still demonstrate pattern recognition. Full-fledged generative AI is even more advanced version of these. We must remain vigilant with data privacy and security, especially in a clinical context.

Ready to Navigate AI with Confidence?

The potential of AI is exciting, but vetting tools for HIPAA compliance can feel like deciphering a secret code. To make it easier, I’ve created a free, in-depth checklist! It can help guide you through finding and evaluating AI solutions that truly safeguard your clients’ Protected Health Information (PHI).

Sign up to Download Your Free HIPAA-Compliant AI Tool Vetting Checklist for SLPs!

Conclusion: Responsible Innovation in Clinical Practice

The conversation around AI and clinical data is less about AI “stealing” in a direct sense. Instead, it is more about responsible data governance, robust privacy protocols, and unwavering security measures. AI models learn from patterns, not by directly appropriating individual client files, but the data is still there. Therefore, the ethical and legal burden falls squarely on the SLP to ensure their tools adhere to stringent privacy regulations.

We have to understand how AI learns and, more importantly, prioritize HIPAA compliance and PHI security when using AI. Only then can we harness the potential of this technology while upholding our professional obligations and preserving our clients’ trust.

I want to know!

What are your primary strategies for ensuring client data privacy when using AI in your current practice? Do you have questions about vetting AI tools for HIPAA compliance? What is your take on AI & client privacy for SLPs?

Share your thoughts in the comments below, and then share your perspective in our quick poll! Results will be shared at the end of the series!

AI & Client Privacy Part 1 Poll

To keep the poll fair and ensure unique responses, a Google account sign-in is required. Be assured, however, your email address is neither collected nor visible to me.

The AI & SLPs Series: Your Comprehensive Guide

Welcome to the AI & SLPs Series! Over the next eight weeks, we’ll delve deep into how Artificial Intelligence is shaping the world of speech-language pathology. Here’s what you can expect:

• Part 1: AI & Clinical Data Privacy
  • This foundational post explores AI training data, client privacy, and HIPAA compliance for SLPs, including the non-negotiable role of BAAs.
• Part 2: Separating AI Truth vs Myth 
  • We debunk common AI myths in SLP practice. Get a realistic understanding of AI’s true role and capabilities.
• Part 3: How AI Tools Work 
  • Get a clear, jargon-free explanation of how large language models function. Understand their capabilities and limitations.
• Part 4: AI for Clinical Spark & Efficiency
  • Discover ethical ways to use AI. Brainstorm, overcome planning hurdles, and refine non-clinical communications.
• Part 5: Mastering AI Prompts 
  • Learn prompt engineering. Communicate effectively with AI models to get tailored, useful results for SLP needs.
• Part 6: Compliant AI Platforms & Tools
  • This post guides you through AI tools. Learn key factors for ethically and compliantly selecting platforms for your SLP practice.
• Part 7: Ethical & Responsible AI Use
  • This crucial post delves into broader ethical responsibilities for SLPs using AI. It covers principles beyond data privacy.
• Part 8: The Future of AI
  • This concluding post explores emerging AI trends and future possibilities in Speech-Language Pathology. Prepare to adapt, innovate, and lead responsible AI integration.

Stick around as we keep figuring out this whole AI thing together. By the end of the series, I hope to give SLPs the knowledge they need to help us all find a balance. There is a lot of gray area and strong opinions on this topic. I hope I can provide some facts to help you make informed choices that correspond with your own values.

Keep on clickin’!

Social Media Icons: designed by rawpixel.com – Freepik.com

The post AI & SLPs Series, Part 1: Clinical Data Privacy appeared first on Mrs. Speech Online.

Hey SLP fam!

Let’s talk about HIPAA compliance at home. I know it’s something that might make your brain do a little loop-de-loop! Whether you’re rocking the teletherapy life from your home office, hustling in a school building, or bringing a stack of papers (or digital files!) home to tackle after hours, you’re dealing with sensitive information.

I remember grad school, taking out the black Sharpie to strike through names and addresses on stacks of papers. It’s what we did, back in the day, to share ideas about goals and treatment plans without breaking client confidentiality. Even with extensive redactions like those seen here, simply blacking out information may not be enough to meet HIPAA’s stringent de-identification requirements. And in the digital age… well, let me share with you.

My HIPAA Compliance wake-up call:

I recently had a bit of an “aha!” moment (or maybe more of an “uh-oh!” moment) for HIPAA compliance at home. I don’t even remember how I found out, but I realized my free Google account wasn’t exactly HIPAA-compliant for handling student info. And that got me thinking… if I was a bit fuzzy on this, how many of us are? Especially when we step outside the secure walls of our schools or clinics?

It turns out, even when you’re comfy in your PJs or working from your kitchen table after school, you’re still 100% responsible for protecting your clients’ Protected Health Information (PHI), even from your family members (who could probably care less). HIPAA doesn’t care if you’re in a fancy clinic, a bustling school, or your spare bedroom – the rules are the same for how you handle that information.

To help you navigate this essential topic, I’ve even created a free worksheet to guide you in developing your own HIPAA policies and procedures for your home-based work environment!  Let’s break down some key areas, with a special spotlight on those cloud services many of us use daily.

HIPAA Compliance In The Cloud: Google, Microsoft 365, and the BAA

This is where it gets real. Many of us use Google Workspace (Gmail, Docs, Drive) or Microsoft 365 (Outlook, Word, OneDrive) for our personal lives, and our schools or districts often use them too. They’re super convenient, right?

But here’s the kicker: your personal Google or Microsoft account is NOT HIPAA compliant for handling PHI. Full stop.

Why? HIPAA compliance when dealing with PHI requires a Business Associate Agreement (BAA) with third parties (like Google). A BAA is a legally binding contract that outlines how a third-party service provider will protect PHI on your behalf. Without one, you’re on shaky ground.

Districts Using Cloud Services: A Critical Distinction

So, what about districts using Google Workspace or Microsoft 365? 

This is a critical point. While most paid educational plans (often covered by FERPA – the Family Educational Rights and Privacy Act, which governs educational records) offer robust privacy, FERPA compliance doesn’t automatically mean HIPAA compliance for you. 

PHI in a school setting often includes health diagnoses, medical history, or therapy notes related to health conditions. While these are typically considered education records under FERPA, as an SLP, if you bill Medicaid or other health plans, you are a HIPAA Covered Entity. This means the specific health information you handle is subject to HIPAA regulations, even within a FERPA-governed school environment.

For a district’s Google Workspace or Microsoft 365 environment to be HIPAA compliant for PHI, they need to have specifically configured their accounts for HIPAA. Crucially, they need a signed BAA with Google or Microsoft for that specific enterprise-level service.

Your HIPAA Compliance at Home Takeaway:

Don’t assume. If you’re using a district’s cloud services for anything that involves PHI (even if it’s just student names and health-related goals within an IEP), it’s your responsibility to confirm that the district has a BAA in place with their cloud provider for that specific service. 

And critically, confirm that the specific features and services you use are explicitly covered by that BAA. If they are not, or if no BAA is in place, you need to adjust your practices.  This might mean only using district-approved, HIPAA-compliant EHRs,  purchasing your own subscription, or secure local storage, such as the free LibreOffice Suite (See Technical Safeguards below).

Fortunately, I’d been super cautious and hadn’t used my personal accounts frequently for student information, but it was a good wake-up call!

Beyond the Cloud: Other Key Considerations for HIPAA Happiness

While cloud services are a big piece of the puzzle, let’s not forget the other vital aspects of keeping PHI safe, whether you’re working at school or from home.

Core Pillars for HIPAA Compliance at Home

Risk Analysis (aka “Playing Detective with Your Practice”)

Before you even start working remotely or bringing files home, take a good look at your home setup. Where are the potential weak spots? Is your home Wi-Fi secure? Are your personal devices encrypted? Could your nosy family member or roommate accidentally see your screen? Identify these risks and make a plan to fix them. Document everything!

Workforce Training (Yes, You’re the Workforce!)

Even if it’s just you, train yourself! Stay up-to-date on HIPAA and your own policies. And guess what? Document that training too!

Policies and Procedures (Your Personal HIPAA Rulebook)

You’re the boss of your home workspace, so write down your rules! How do you handle PHI on your personal devices? Where do you store it? What’s your plan if something goes wrong (a “breach”)? Having these written policies keeps you consistent and gives you a roadmap in a pinch. You should also be intimately familiar with your employer’s HIPAA policies, if applicable.

Business Associate Agreements (BAAs)

We talked about this with cloud services, but it applies to almost any third-party service you independently contract that touches PHI. Your teletherapy platform (if you use one), your EHR, your billing service, even encrypted email services – they all need a BAA. Beware of “free” or even personal versions of platforms; they usually do NOT offer BAAs.

Incident Response Plan (Your “Oh Crap” Protocol)

What if your personal laptop gets stolen? What if you accidentally email PHI to the wrong person? Have a clear plan for what to do: contain the issue, investigate, notify affected individuals (and potentially HHS), and prevent it from happening again. Your district should also have a plan; know it!

Physical & Technical Considerations for HIPAA Compliance At Home

Physical Safeguards (Lock it Up!)

• Ensure your home workspace is private.
• Close the door and position your screen away from prying eyes.
• Lock up any physical paper records containing PHI.
• Shred unneeded documents securely when done.
• Never leave PHI visible or accessible to others in your home.

Technical Safeguards (Your Digital Fort Knox)

• Encrypt EVERYTHING: All devices (laptops, desktops, external drives, mobile devices) storing or accessing PHI must be encrypted. This is crucial if a device is lost or stolen.
• Strong Passwords & MFA: Use complex, unique passwords. Enable multi-factor authentication (MFA) everywhere possible for accounts with PHI.
• Antivirus/Firewall: Keep your software updated and firewalls active.
• Secure Network: Use a strong, secure home Wi-Fi connection. NEVER handle PHI on public Wi-Fi. If connecting to your school’s network from home, always use their provided VPN if available.
• HIPAA-Compliant Platforms: For teletherapy, use platforms specifically designed for HIPAA compliance, with end-to-end encryption and a BAA.
• Secure Communication: Stick to secure messaging within your EHR/school system or encrypted email for PHI. Avoid regular email, WhatsApp, or FaceTime for anything confidential.

A Crucial Note on “De-identification” and AI Tools

Here’s a big one that’s becoming more relevant with the rise of AI…

**Simply removing a client’s or student’s name or a few obvious identifiers does NOT make the information safe to use.**

General-purpose, free AI tools like Gemini or ChatGPT, or even education tools like MagicSchool.ai, are NOT HIPPA compliant. Even if you pay for Gemini Pro, there is no BAA unless it comes with a Workspace plan.

HIPAA De-identification is Stringent

HIPAA has very specific and stringent rules for what constitutes truly “de-identified” information. It’s far more complex than just deleting a name. If you use PHI, even seemingly “de-identified,” with a service that doesn’t have a BAA and isn’t designed for PHI, you’re risking a breach. This means:

Do NOT copy/paste session notes, IEP sections, or any other PHI, even with names removed, into general AI tools like Gemini, ChatGPT, or other free online summarizers to help you write notes, develop goals, or for any other purpose. These services do not typically offer BAAs and are not designed to protect PHI.

The data you input into these tools can become part of their training data, meaning your client’s potentially re-identifiable information could be exposed or used in ways you can’t control.

When in doubt, don’t put it in a service without a BAA! This applies whether you’re trying to draft a progress note at home or summarize a student’s history.

Ready to HIPAA-Happy Your Home Office?

Developing comprehensive HIPAA policies and procedures for home can feel daunting, but it’s a crucial step in safeguarding your clients’/students’ PHI. To make it easier, I’ve created a free, actionable worksheet to guide you through identifying your unique risks and writing down your specific policies for working from home.

Sign up to Download Your Free HIPAA Compliance Home Office Policies & Procedures Worksheet!

The Bottom Line

HIPAA compliance in the cloud or at home can feel overwhelming, but it’s crucial for protecting our clients/students and our professional integrity. Take it step-by-step. Conduct that risk analysis, get those BAAs in place for any services you control, and secure your devices and workspace. Always defer to and understand your district’s policies first and foremost.

It’s a journey, not a destination, so stay informed and don’t be afraid to consult legal counsel or your district’s HIPAA compliance officer if you have specific questions about your practice.

Want to know more?  Check out Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide.

What are your biggest HIPAA challenges as an SLP, whether in a school or teletherapy setting? Is there anything you’d like to know more about?  Share your thoughts in the comments below!

Coming up next – an 8-part series on AI & SLPs!

Remember, you are awesome because you do the best with what you know – and taking steps toward HIPAA compliance at home is truly doing your best for your clients.

Keep up the amazing work!

Social Media Icons: designed by rawpixel.com – Freepik.com

The post HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security appeared first on Mrs. Speech Online.

In my last post, HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security, we got real about HIPAA compliance for home offices and personal devices. We covered that many of us are HIPAA Covered Entities and how crucial it is to safeguard Protected Health Information (PHI) wherever we practice, even at home. Navigating Business Associate Agreements as SLPs is an important piece of that compliance.

Today, we’re zooming in on one of the most critical, yet often overlooked, pieces of that HIPAA puzzle: the Business Associate Agreement (BAA). Think of it as your golden ticket to legally sharing PHI with necessary service providers, while ensuring that data stays locked down.

I’ll be the first to tell you, this is a new topic for me. I was unaware of most of this information just a few weeks ago! My eyes have really been opened and I’m changing the way I work based on this new information. Especially as a teletherapy contractor, I’ve been working to upgrade my services to business grade. (You can read all about it here: My Personal HIPAA Compliance Journey: Steps to Secure Data)

Disclaimer:

The information provided in this blog post is for informational and educational purposes only and is not intended to constitute legal or professional advice. HIPAA compliance is complex and constantly evolving. While efforts have been made to ensure the accuracy of the information presented, it may not reflect the most current legal developments, nor is it guaranteed to be complete or applicable to your specific situation.As a healthcare professional, it is your responsibility to understand and comply with all applicable federal, state, and local laws and regulations, including HIPAA. This content should not be used as a substitute for seeking qualified legal counsel from an attorney specializing in healthcare law, particularly concerning your individual practice, specific vendor relationships, or unique circumstances. Reliance on any information provided in this post is solely at your own risk.

What Exactly IS a Business Associate Agreement (BAA)?

At its core, a Business Associate Agreement (BAA) is a formal, legally binding contract between you (the Covered Entity) and any person or entity (the Business Associate) that performs services for you that involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI).

Why do I need a BAA as an SLP? 

The BAA is HIPAA’s way of extending the privacy and security obligations beyond just your practice. It legally obligates your Business Associates to:

• Safeguard PHI: They must implement their own administrative, physical, and technical safeguards to protect PHI, just like you do.
• Limit Use/Disclosure: They can only use or disclose PHI as permitted by the BAA and HIPAA regulations.
• Report Breaches: They must notify you if they discover a breach of unsecured PHI.
• Cooperate with Audits/Investigations: They may be subject to direct enforcement actions by the Department of Health and Human Services (HHS).
• Flow-Down Rule: If they use subcontractors who access PHI, they must have a BAA with their subcontractors too!

In short: No BAA, No PHI Exchange. You cannot share PHI with a service provider unless you have a signed BAA in place, or that provider falls under a very narrow exception. Failing to get a required BAA can lead to significant fines and penalties for your practice if a breach occurs.

What Does a BAA Actually Look Like? Key Sections to Expect

While the exact wording of a BAA can vary between vendors, they generally follow a standard structure and include specific clauses mandated by HIPAA regulations, as outlined by the U.S. Department of Health & Human Services (HHS). When you receive one, here’s what you can expect to see:

I. Core Agreement Details

These sections lay out the basic framework and definitions of the Business Associate Agreement.

• Introduction & Parties:
  • Purpose: States the agreement’s goal (to comply with HIPAA by protecting PHI).
  • Effective Date: When the BAA officially begins.
  • Parties Involved: Clearly identifies you (the Covered Entity) and the vendor (the Business Associate) by their full legal names and addresses.
• Definitions:
  • This section will define key HIPAA terms as they apply to the agreement, such as “Protected Health Information (PHI),” “Electronic PHI (ePHI),” “Covered Entity,” “Business Associate,” “Breach,” “Security Incident,” and the “HIPAA Rules” (Privacy, Security, and Breach Notification Rules). This ensures both parties are on the same page legally.

II. PHI Usage & Protection Obligations

This crucial category outlines how the Business Associate is permitted to use PHI and the safeguards they must have in place.

• Permitted and Required Uses and Disclosures of PHI by the Business Associate:
  • This is a core section. It specifies exactly how the Business Associate is allowed to use and disclose PHI to perform the services for which you hired them. For example, an EHR vendor’s BAA would permit them to store, process, and transmit PHI for your charting and billing.
  • It will also outline any disclosures required by law (e.g., to the Secretary of HHS for compliance investigations).
  • Crucially, it will state that the BA cannot use or disclose PHI in any way that would violate HIPAA if done by you, the Covered Entity.
• Obligations of the Business Associate (Safeguards):
  • This section details the security measures the Business Associate must implement to protect PHI. It often references the HIPAA Security Rule and its requirements for administrative, physical, and technical safeguards.
  • Key phrases you’ll see include commitments to:
    • “Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.”
    • “Comply with the HIPAA Security Rule with respect to electronic PHI.”
    • “Ensure the confidentiality, integrity, and availability of ePHI.”

III. Breach Reporting & Compliance Provisions

This category covers what happens in case of a security incident or breach. It also describes how the Business Associate handles relationships with their own subcontractors.

• Reporting Obligations (Breaches and Security Incidents):
  • A critical component. The BAA will clearly define the Business Associate’s responsibility to report any “Security Incidents” (e.g., failed login attempts, malware attacks that might affect PHI) and, more importantly, any confirmed “Breaches of Unsecured PHI.”
  • It will specify the timeframe for reporting (e.g., “without unreasonable delay,” often 10-15 business days from discovery) and what information they must provide in the breach notification.
• Subcontractors:
  • This clause is essential. It requires the Business Associate to ensure that any of their subcontractors who create, receive, maintain, or transmit PHI on behalf of the Business Associate also agree in writing to the same HIPAA restrictions and conditions that apply to the Business Associate. This is often called the “flow-down” provision.

IV. Client Rights & Agreement Management

These sections ensure client rights regarding their PHI are upheld and define the terms for the BAA’s lifespan.

• Access, Amendment, and Accounting of Disclosures:
  • The BAA will ensure that the Business Associate cooperates with your obligations to individuals regarding their PHI, such as allowing individuals to access, amend, or receive an accounting of disclosures of their PHI.
• Termination:
  • Outlines the conditions under which the agreement can be terminated (e.g., for material breach of contract).
  • Crucially, it details the Business Associate’s responsibilities upon termination, which typically include returning or securely destroying all PHI received from or created on behalf of the Covered Entity, if feasible. If not feasible, they must continue to protect the PHI.
• Miscellaneous Provisions:
  • Standard legal clauses like governing law (which state’s laws apply), notices, and how amendments to the BAA will be made.

Important Note: You won’t usually negotiate a BAA provided by a large vendor like Google or an EHR. Their BAAs are standardized. Your role in a BAA as an SLP is to read it carefully to ensure it meets HIPAA’s requirements and your understanding of the service. If you have any concerns or complex situations, consulting an attorney specializing in healthcare law is always advisable.

• Google has a publicly available HIPAA Compliance help page with a link to their BAA.

Who Do You Need a BAA With? The “Access to PHI” Rule

This is the million-dollar question! The key is whether a service provider, in the course of performing services for you, has “access to” PHI. This “access” is much broader than just storing or directly viewing the data. It includes any service that processes, handles, or routinely interacts with PHI.

Here are common service categories where you absolutely need a Business Associate Agreement as an SLP:

Services Directly Managing Client Data & Communication

Electronic Health Record (EHR) / Practice Management Systems:

• Why: These are the central hubs for all your client data, including diagnoses, treatment plans, notes, and billing information. The vendor maintains and processes all this PHI.
• Examples: SimplePractice, TherapyNotes, TheraPlatform, ClinicSource, or any specialized EHR/PM system you use.

Telehealth / Video Conferencing Platforms:

• Why: When you conduct teletherapy sessions, PHI (audio, video, screen shares, chat messages) is transmitted through and processed by the platform’s servers. Even if they don’t store the video, the transmission involves access.
• Examples: Zoom for Healthcare, Doxy.me, SimplePractice Telehealth, or any specific HIPAA-compliant telehealth solution.
• Crucial Note: Free, consumer versions of platforms like standard Zoom, Google Meet, or FaceTime are NOT HIPAA compliant and will not sign a BAA. Never use these for PHI.

Cloud Storage & Productivity Suites:

• Why: If you save any client notes, reports, scanned documents, or other files containing PHI to a cloud drive, or use cloud-based email/document services where PHI might reside or pass through.
• Examples: Google Workspace (formerly G Suite), Microsoft 365 (formerly Office 365), Dropbox Business.
• Crucial Note: You must have the business or enterprise versions of these services, and you must specifically request and sign their BAA. Standard consumer accounts (e.g., free Gmail, personal Dropbox) do NOT offer BAAs and are not HIPAA compliant for PHI.

Email Marketing & Communication Platforms (if used for client communications):

• Why: If you use an email service to send appointment reminders, share resources, or communicate anything with clients that could be considered PHI (even indirectly), your email provider needs a BAA. Your personal Gmail or Outlook.com accounts are out!
• Examples: Certain secure email providers often bundled with EHRs or business productivity suites.
• Crucial Note: Again, consumer email services are generally not HIPAA compliant for handling PHI, as they typically do not provide the necessary Business Associate Agreements. Ensure your email provider offers a BAA.

Billing & Claims Processing Services:

• Why: These services handle all the financial PHI related to your clients, including diagnoses, procedure codes, and personal identifying information.
• Examples: Any third-party billing company or clearinghouse you use to submit claims.

Infrastructure & Support Services with PHI Access

These services may not directly process your core client notes. However, they have access to the underlying systems, devices, or physical records that contain PHI. This makes a BAA essential for SLPs that use them.

Antivirus and Endpoint Security Solutions:

• Why: This one often surprises people! Antivirus software constantly scans and interacts with all files on your hard drive, including those that may temporarily contain PHI. It monitors network traffic where PHI is transmitted. Many also send telemetry data back to their servers, potentially including fragments of PHI. Because of this direct and persistent access to data on devices that handle PHI, the antivirus vendor becomes a Business Associate.
• Examples: Business-grade versions of solutions like Trend Micro Apex One, Bitdefender GravityZone, ESET Endpoint Security, CrowdStrike, or Symantec Endpoint Protection.
• Crucial Note: Most free or consumer-grade antivirus products (like the version of Avast we discussed) are not suitable for devices handling PHI because they typically do not offer BAAs. (I’m having trouble finding one that offers a BAA for a sole entity.)

IT Support / Managed Service Providers (MSPs):

• Why: If an IT professional accesses your computer systems, servers, or network to perform maintenance, updates, or troubleshooting, and those systems contain or access PHI, they are a Business Associate. They have access to the underlying infrastructure that houses your PHI.
• Examples: Any company or individual you hire to manage your practice’s technology infrastructure.

Physical Document Shredding/Disposal Services:

• Why: If you use a third-party service to shred or dispose of paper records containing PHI, they are handling and destroying that PHI on your behalf.
• Examples: Shred-it or local shredding services.

Who Doesn’t Need a BAA? The “Conduit Exception”

Not every single service you deal with as an SLP needs a BAA (Whew!). The most common exception is for entities that merely act as a “conduit.”  This is a principle often referred to as the “Conduit Exception Rule,” as further detailed by the HIPAA Journal..

• Internet Service Providers (ISPs): Your home internet provider (e.g., Comcast, AT&T, Spectrum) typically does NOT need a BAA with you. Their role is limited to transmitting information, like a digital postal service. Any access they might have to the content of your data is transient and incidental, simply for the purpose of moving the data. They aren’t storing or processing the PHI itself.
  • Important Caveat: While the ISP itself doesn’t need a BAA, you are still responsible for securing your own home network (strong Wi-Fi passwords, updated router firmware, firewalls). The data you send should be encrypted by the services you’re using (EHR, telehealth, etc.) before it travels across the internet.
• The U.S. Postal Service (USPS) or other mail couriers (e.g., FedEx, UPS): If you mail physical documents containing PHI (securely, of course!), these services are considered conduits.

The School SLP, BAAs & Educational Platforms (Google Workspace, Microsoft 365, etc.) Deep Dive:

If you’re an SLP working with a school district that uses Google Workspace for Education or Microsoft 365 Education (or similar educational platforms), here’s your specific action plan for BAAs and handling PHI:

• The School’s BAA with the Platform Provider: Your absolute first step is to confirm with the school district’s IT department or administration if they have a BAA in place. Both Google and Microsoft do offer BAAs for their education editions (from what I could find). However, the school administrator must specifically enable HIPAA compliance settings and accept the BAA for it to be active. Without this, the platform is NOT HIPAA compliant for PHI.
• Your Use within Their System: IYou might be covered under your school’s HIPAA umbrella, provided these conditions are met:
  • The school has a Business Associate Agreement (BAA) with the platform provider.
  • Your use of their provided account (e.g., your school district Google or Microsoft account) falls under their defined, HIPAA-compliant policies. It’s crucial that you adhere strictly to the school’s internal policies and procedures for handling student health information within these platforms.
• No BAA from School? Big Problem! If the school district does not have a BAA in place with Google, Microsoft, or any other cloud service they’re making you use for PHI, you cannot legally use those services for PHI. You would need to advocate strongly for them to become compliant or use alternative, secure methods for your PHI handling that are sanctioned by the school and meet HIPAA standards. Using non-compliant platforms for PHI, even if mandated by a school, could put your personal license and practice at risk if you are a Covered Entity.

Working At Home: SLP Security Beyond a BAA

Taking Work Home/Using Personal Devices

This is a common scenario and a significant HIPAA risk. If you take work home that involves PHI (e.g., student health records, IEPs with medical details, notes with diagnoses) and use personal devices or home networks:

• No PHI on Personal Devices (Unless Controlled): Ideally, avoid storing or processing any PHI on your personal computer, tablet, or phone unless these devices are explicitly managed by the school’s IT department with appropriate security configurations (encryption, remote wipe capabilities, etc.) and covered under their HIPAA compliance program.
• Secure Remote Access: If you must access school-based PHI from home, you should only do so via secure, encrypted channels provided by the school (e.g., a Virtual Private Network (VPN) connection to the school’s server, or accessing cloud-based platforms directly through a web browser on a school-managed or properly secured device).
• Physical Security: If you bring physical documents containing PHI home, they must be stored securely (e.g., in a locked filing cabinet) and never left visible or accessible to others in your household. Any physical PHI you need to dispose of at home must be shredded securely, not just thrown in the trash.
• Home Network Security: Ensure your home Wi-Fi network is password-protected with a strong, unique password and that your router firmware is up to date.

Your Personal Private Practice/Billing (if applicable)

If you, as an individual SLP, have a private practice, even a few hours a month, and bill Medicaid or other health plans electronically, you are unequivocally a HIPAA Covered Entity. If you use any Google Workspace or Microsoft 365 features (even if provided by the school) for your private practice PHI that isn’t part of the school’s “education record” (e.g., your own private therapy notes for direct billing, your own client contact lists), you need to be very clear about how that PHI is handled. It’s often safest and most advisable to maintain entirely separate, fully BAA-covered systems for your SLP work to avoid commingling data and potential compliance issues.

The Risks of Skipping a BAA for SLPs: Why It Matters to YOU

You might be thinking, “This is a lot of paperwork! It’s just little ole me!” But the consequences of not having a required BAA can be severe:

• Hefty Fines & Penalties: The HHS Office for Civil Rights (OCR) can impose significant civil monetary penalties for HIPAA violations. Failing to have a BAA is a direct violation. Fines range from hundreds to hundreds of thousands of dollars per violation, potentially reaching millions annually.
  • Real-World Example: Reports from sources like Paubox highlight documented cases of covered entities facing substantial fines (e.g., hundreds of thousands to millions of dollars) for failing to execute BAAs with vendors who then experienced a breach. For instance, in one case, a medical center paid $240,000 for HIPAA Security Rule failures, including issues with a Business Associate Agreement. Another entity paid $500,000 for PHI exposure due to the absence of a BAA with a medical billing contractor.
• Legal Liability: If a Business Associate mishandles PHI and you don’t have a BAA in place, you (the Covered Entity) can be held directly liable for their actions. This could lead to lawsuits from affected clients.
• Increased Data Breach Vulnerability: Without a BAA, you have no contractual assurance that your vendor is implementing the necessary security safeguards. This leaves your clients’ sensitive information vulnerable.
• Reputational Damage: A data breach or HIPAA violation severely erodes client trust and can lead to significant reputational harm, impacting your ability to attract and retain clients.
• Audit Red Flag: During an OCR audit or investigation, one of the first things they’ll check for is signed BAAs. Missing BAAs are an immediate red flag that can trigger deeper scrutiny and more severe penalties, as discussed by Secureframe and other compliance resources.

Best Practices for Managing Your BAAs

Once you start collecting BAAs, effective management is key:

• Create a Vendor Inventory: Maintain a clear, organized list of all your service providers. For each, note:
  • Vendor Name
  • Service Provided
  • PHI Accessed (e.g., clinical notes, billing data, demographics)
  • BAA Status (Yes/No)
  • Date BAA Signed
  • Date for Next Review (e.g., annually, or upon contract renewal)
  • Location of Signed BAA (digital file path or physical folder)
• Due Diligence is Key: Don’t just get a signed BAA; conduct basic due diligence. While you don’t need to perform a full security audit, ask questions about their security practices (e.g., do they encrypt data? do they have strong access controls? do they perform their own risk assessments?). A good BAA means they’ve agreed to protect PHI, but you should still have a reasonable assurance that they can and do.
• Regular Review and Update: Your practice and the services you use will evolve. Review your vendor inventory and all BAAs annually, or whenever:
  • You change a service provider.
  • A vendor changes the services they provide.
  • HIPAA regulations are updated.
  • There’s a significant change in your practice operations.
• Document Everything: Keep all signed BAAs, vendor communications about security, and your internal review notes meticulously organized. In the event of an audit, documentation is your best friend.

Your Action Steps for BAA Compliance as an SLP:

1. Inventory Your Vendors: Make a list of every service provider (including software and online platforms) that interacts with PHI in your practice.
2. Assess “Access to PHI”: For each vendor, ask: “Does this service create, receive, maintain, or transmit PHI on my behalf, or does it have persistent access to PHI?”
3. Request a BAA: If the answer to #2 is “yes,” contact the vendor and request their BAA. Most legitimate business-grade services for healthcare will have one ready.
4. Read and Understand: Don’t just sign! Read the BAA carefully to understand your and their responsibilities.
5. Document: Keep all signed BAAs on file as part of your HIPAA compliance documentation.
6. Regular Review: Revisit your vendor list and BAAs annually, or whenever you add a new service or there’s a significant change in your practice or technology.

You can do it!

Navigating Business Associate Agreements as an SLP can feel overwhelming, but it’s a critical aspect of being a responsible and compliant healthcare provider. By taking these proactive steps, you’re building a strong foundation of trust and security for your clients and your practice.

Want to know more? Check out these posts!

• My Personal HIPAA Compliance Journey: Steps to Secure Data
• HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security

What other HIPAA questions are on your mind? Share in the comments!

Don’t forget to download your free HIPAA Home Office Policies & Procedures Worksheet to help you get started on your internal documentation! Sign up below for Exclusive access to my Subscriber Freebies page, newsletter, blog updates, and special announcements!

Disclaimer:

The information provided in this blog post is for informational and educational purposes only and is not intended to constitute legal or professional advice. HIPAA compliance is complex and constantly evolving. While efforts have been made to ensure the accuracy of the information presented, it may not reflect the most current legal developments, nor is it guaranteed to be complete or applicable to your specific situation. As a healthcare professional, it is your responsibility to understand and comply with all applicable federal, state, and local laws and regulations, including HIPAA. This content should not be used as a substitute for seeking qualified legal counsel from an attorney specializing in healthcare law, particularly concerning your individual practice, specific vendor relationships, or unique circumstances. Reliance on any information provided in this post is solely at your own risk.

References:

• U.S. Department of Health & Human Services (HHS).Business Associate Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
• U.S. Department of Health & Human Services (HHS).Business Associates. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
• HIPAA Journal. HIPAA Conduit Exception Rule and Transmission of PHI: 2025 Update. (Updated January 2, 2025). Retrieved from https://www.hipaajournal.com/hipaa-conduit-exception-rule/
• Paubox. HIPAA lessons learned: A review of HHS resolution agreements. (Updated January 23, 2025). Retrieved from https://www.paubox.com/blog/hipaa-lessons-learned-a-review-of-hhs-resolution-agreements
• Secureframe. HIPAA Violations: Examples, Fines + 5 Cases to Learn From. Retrieved from https://secureframe.com/hub/hipaa/violations

Social Media Icons: designed by rawpixel.com – Freepik.com

The post Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide appeared first on Mrs. Speech Online.

Hey fellow SLPs and healthcare pros! Today, I want to share some insights from my personal journey towards HIPAA compliance.

In my last two posts, we delved into the crucial topic of HIPAA compliance for telepractice. They covered the “what” and the “why.”

• HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security
• Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide

Today, I want to share the “how” – my personal journey of putting these principles into practice! I’ve been diving deep into my tech setup to make sure it’s not just functional, but also rock-solid HIPAA compliant. For example, as a teletherapist, some of my schools don’t invite me into their workspace. This leaves it up to me to securely manage all my client notes and materials. This kind of gap is precisely what drove me to build a truly robust system.

It might sound daunting, but trust me, it’s all about peace of mind for both you and your clients. I wanted to share a rundown of what I’ve done. More importantly, I want to share why I’ve done it, in case it helps you level up your practice too!

The “Why” Behind My Personal HIPAA Compliance Journey

My biggest drive was simple. I needed to know, without any doubt, that I was protecting my clients’ sensitive information to the highest standard. HIPAA isn’t just a checkbox; it’s about building trust. First, conducted a thorough risk analysis of my setup to identify any potential vulnerabilities.

I’ve now meticulously created and am maintaining a detailed “Security Policies and Procedures” document that guides all my practices. Plus, having everything clearly documented helps me sleep better at night!

Honestly, it wasn’t that long ago, a few weeks, that I wasn’t even aware of all of this. I didn’t know about Business Associate Agreements (BAAs), or their critical role. My previous security stance of “just don’t share client info” felt sufficient. Since then, I’ve realized how nebulous and insufficient that really was for both cloud-based and desktop information. 

How It All Started

So, if I wasn’t born with this wealth of knowledge, and it wasn’t covered in grad school, what happened? Well, I discovered that simply removing what I thought was identifying information was not sufficient for HIPAA de-identification. That realization truly sent me down this “rabbit hole” of learning and implementing everything you’re about to read!

Honestly, as a single user, all this might seem like overkill at times. That is, until I really think about the potential cost and repercussions of a HIPAA violation. That quickly puts things into perspective!

Here’s information and tips I’ve learned on this individual HIPAA compliance trek. (No, I’m not affiliated with, or sponsored by, Google in any way, it was just easier to work with.)

The Secure Foundation: My Google Workspace Enterprise Standard

Before even setting up my specific security rules, choosing the right Google Workspace edition was crucial. There are several tiers, and it’s not just about how many emails you can send! For me, picking Enterprise Standard was absolutely essential because of the level of HIPAA security I was comfortable with.

• Pro-Tip on Choosing a Platform: I actually considered Microsoft 365 Business plans, as they also offer BAAs. However, I was already using and familiar with Google’s interface. More importantly, I found it much easier to get clear information about Google’s BAA and HIPAA-included functionality upfront. Microsoft seems to hide their BAA documentation behind a subscriber wall, making it difficult to fully vet before committing. This ease of information access, combined with my familiarity, ultimately swayed my decision towards Google.  Basically, it looks like any paid workspace can have a BAA:   https://support.google.com/a/answer/2888485?sjid=14092164238884574583-NC

Here’s why I landed on it during my own HIPAA compliance trip, and what foundational elements it provides:

The Non-Negotiable BAA

This was the top priority. Enterprise Standard definitely comes with a Business Associate Agreement (BAA). This gives me that crucial legal agreement with Google to handle Protected Health Information. This is absolutely non-negotiable for anyone handling PHI with Google Workspace. (You can find Google’s BAA here: https://workspace.google.com/terms/2015/1/hipaa_baa/).

• Pro-Tip on Choosing a Tier – I actually started with the cheapest business tier (Business Starter $7/mo), which I can confirm offers a BAA. However, after really digging into the features, I chose to upgrade to Enterprise Standard. It offered much better control over information and more robust policy enforcement options. These ultimately felt essential for protecting client PHI effectively.  Google Tiers & Pricing 
• Don’t Forget Your Domain Name! A domain name is an additional, but necessary, cost for any Google Workspace Business account. While Google offers to sell you one directly, I opted to buy my domain through Cloudflare for just $10.44/year. This was a cost-effective choice since I already used Cloudflare for other services.

Serious Pooled Storage

Enterprise Standard offers a massive 5 TB of pooled storage per user. (Just a heads-up: This pooled storage gets released in stages after payments, so my Drive initially showed less!). This is more than enough space for all my therapy materials and client files.

Google Vault for Ironclad Data Retention

This was a game-changer! Enterprise Standard includes Google Vault, which allows me to set an indefinite retention policy for all my Google data. This ensures I meet and exceed HIPAA’s minimum six-year data retention requirement. It’s like a super-secure, always-on backup for everything.

Advanced Data Loss Prevention (DLP)

This tier gives me access to advanced DLP rules for Gmail and Drive, which are central to my security strategy. These are the powerful rules that can warn me if I try to share sensitive files externally.

Comprehensive Security Controls

Enterprise Standard unlocks a lot of the granular administrative controls I needed. This allowed me to configure things like forcing 2FA, setting strong password policies, and disabling third-party apps.

Basically, for handling PHI and needing robust, auditable security features, Enterprise Standard provided the comprehensive toolkit I needed to feel confident and stay compliant. It’s an investment at $27/mo, but one that’s absolutely worth it for peace of mind and professional responsibility.

The Core Pillars of My Personal HIPAA Compliance Policy:

Here’s a look at the specific configurations I implemented (See Google’s HIPAA Implementation Guide:  https://services.google.com/fh/files/misc/gsuite_cloud_identity_hipaa_implementation_guide.pdf):

1. Bulletproof Access Control (Who Gets In? Only Me!)

• 2-Step Verification (2FA) is Mandatory: No exceptions! I enforced 2FA for all account access. This is your absolute best defense against unauthorized logins.
• Strong Passwords, Always: My system enforces strong password policies, requiring a minimum length of 16 characters and prompting for a refresh every 180 days. No weak links here!

• Third-Party Apps? Deny by Default! My policy is strict: all third-party app access is blocked by default. If I ever need an app, it goes through a security review and is force-installed by me, the admin. This prevents unvetted apps from touching my client data.
• Strictly BAA-Covered Services Only: As part of my setup, I went into my Google Admin Console and literally turned OFF any Google services that aren’t explicitly covered by the BAA (like Google Photos, YouTube, etc.). Why? To make sure no PHI accidentally ends up in a non-compliant service. (You can find a list of Google’s HIPAA Included Functionality and BAA-covered services here: https://workspace.google.com/terms/2015/1/hipaa_functionality/).

2. Smart Data Protection (No Accidental Leaks!)

• Gmail Content Compliance: I set up an automated rule in Gmail that quarantines any outbound email containing PHI-related keywords if it’s addressed to a domain not on my pre-approved “Trusted School Districts” list. It’s a huge safety net!
• Drive DLP (Data Loss Prevention) Rule: For Google Drive, I have a rule that gives me a real-time warning if I ever try to externally share a file containing PHI keywords. It’s an extra “Are you sure?” before a potential mishap.
• Always Use Secure Communication Channels: Beyond these automated rules, I always ensure that any direct client communication involving PHI occurs only through secure, HIPAA-compliant platforms (like my employer’s therapy portal). I now avoid using regular email, text messages, or consumer video calls for sensitive information.

3. Endpoint & Browser Security (My Laptop & Chrome)

• My Laptop is Encrypted & Protected: My main computer has full-disk encryption (BitLocker/FileVault) and a robust antivirus solution. I’m currently using Norton Small Business ($59/1st year with $119/year renewal) for this, primarily for its strong endpoint protection. While I’m actively looking into BAA-covered antivirus and endpoint detection & response (EDR) solutions, it’s been a real challenge to find providers willing to work with a single user. For now, Norton Business helps secure my device itself. I had to specifically disable its cloud backup features to prevent any PHI from being stored on non-BAA servers.  I’ve also upgraded my mouse to use Logi Bolt technology for a more secure wireless connection.
• Physical Security for My Home Office: Beyond digital protection, I also ensure any limited physical PHI (like printed notes) is kept in a locked file box when unattended, and my work area is secured to prevent unauthorized access. I’ve even rearranged my office so that my computer screen is not visible from the doorway, even though I always make sure to close the door when I’m with clients.
• Dedicated Chrome Profiles: This is a big one! I have separate Chrome browser profiles. One just for my professional Workspace (where I handle PHI), and others for personal stuff or employer-provided Outlook/therapy portals. This completely isolates data and workflows.
  • Updated to add – I’ve now gone a step farther and added another Windows user to my computer. This way all therapy stuff stays in the therapy user.
• Chrome Policies Enforced: My professional Google Workspace Chrome profile has Enhanced Safe Browse, “Always use secure connections” (HTTPS), and strict extension blocking enforced by policy. This means my browser is secured from the top down.
• Windows Settings Tuned: Beyond the basics, I dove into Windows settings to ensure my device is locked down. Strong PIN/Windows Hello, Dynamic Lock (locks when I walk away), automatic screen lock, firewall active, and app permissions reviewed app-by-app.

4. Tackling Existing Data & Migration

This was a big project, especially for older files, and probably the hardest part in my HIPAA compliance trek!

• Consolidating All My Data (PHI & Non-PHI): I meticulously went through all my files, both on my computer’s desktop and in my Drive. I identified any possible PHI or general therapy materials. That data was then securely moved to my professional Drive, ensuring it was consolidated into my compliant environment.
• No More OneDrive Sync: I’ve also disabled Microsoft OneDrive’s automatic PC folder backup. I’m in the process of moving those files from the OneDrive synced location back to my local user’s root folders. This ensures no client data is inadvertently stored or synced to a non-BAA cloud service.

Google Drive Settings and Workarounds

• Google Drive for Desktop (Strategically!): I used Google Drive for Desktop for efficiency with many files, but with a key rule. I keep it on “stream files” mode. This means files are only downloaded when I open them, minimizing PHI stored locally on my hard drive. I also keep its “offline access” feature for PHI files disabled in the Admin Console to prevent local copies, unless absolutely necessary and then with extreme care.
• Native Google Docs/Sheets/Slides: This was tricky! I learned you can’t just drag-and-drop native Google files between different accounts using Drive for Desktop. For these, especially if they contained PHI, I had to download them in Microsoft Office format from my personal Drive. Then I re-uploaded them to my professional Google Workspace Drive. This ensured ownership transferred correctly and, crucially, kept the PHI handling within my secured processes.
• Unzipping Files: Since Google Drive doesn’t have a built-in unzipper, I securely downloaded ZIP files to my local, encrypted computer. I unzipped them using Windows’ built-in function, and then re-uploaded the extracted files to my professional Google Workspace Drive.
• Disconnecting My Personal Drive: Once the transfer was done, I disconnected my personal Google Drive account from Google Drive for Desktop. Why? Fewer accounts connected equals less potential risk.
• Cleaning Up My Personal Drive (Carefully!): After moving all PHI, I used a cloud cleaner like Norton Cloud Cleaner on my personal Google Drive to remove duplicates and old non-PHI files. NEVER use such a tool on any PHI files or folders due to compliance risks, if it’s not covered by a BAA.

Involving Others in My Personal HIPPA Journey

• Dealing with Shared PHI from Others: I found some old PHI-containing files in my personal Gmail’s “Shared with me” section, shared by a school district. I immediately downloaded these to my professional Google Workspace Drive, securely deleted them from my personal Drive and my local computer. Then I reached out to the owner (politely!) asking them to remove my personal Gmail from the access list. This is an active and ongoing effort where I’m proactively contacting owners to ensure my access is removed. I’m documenting all my attempts as part of my due diligence, especially if I encounter non-responsive contacts or technical difficulties.
• Updating My Employer: I proactively contacted my employer to update my email address for all Google Drive file sharing. I specifically requested that anything with sensitive client info go to my new, secure professional email address (e.g., your.professional.email@yourdomain.com). This helps them send things to the right place from the start.

My Ongoing Commitment:

This isn’t a one-and-one project! I’ve also built in:

• Annual Policy Review: I’ll review my entire security policy document at least once a year.
• Self-Education: Staying informed about HIPAA and cybersecurity is an ongoing task. I’ve even been learning about specific processes like the HIPAA de-identification process.
• Basic Incident Response: I have a plan for what to do if something ever goes wrong, including who to notify.
• Learning Curve: I won’t lie, all these tech skills required some serious reading up and a lot of help (shout out to Gemini! ?). It’s a journey, not a sprint, but totally doable!

Setting all this up has been a journey, but it’s given me immense confidence in my practice’s security. If you’re an SLP (or any healthcare professional) using tech in your practice, I highly encourage you to take a look at your own setup. It’s worth every bit of effort for your peace of mind and, most importantly, for your clients’ privacy!

Here’s to HIPAA Happiness!

Social Media Icons: designed by rawpixel.com – Freepik.com

The post My Personal HIPAA Compliance Journey: Steps to Secure Data appeared first on Mrs. Speech Online.