- \n
- HIPAA Compliance At Home: Cloud, Schools, Teletherapy & PHI Security<\/a><\/li>\n\n\n\n
- Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide<\/a><\/li>\n<\/ul>\n\n\n\n
Today, I want to share the “how” \u2013 my personal journey of putting these principles into practice! I\u2019ve been diving deep into my tech setup to make sure it’s not just functional, but also rock-solid HIPAA compliant. <\/strong><\/em>For example, as a teletherapist, some of my schools don’t invite me into their workspace. This leaves it up to me to securely manage all my client notes and materials. This kind of gap is precisely what drove me to build a truly robust system.<\/p>\n\n\n\n
It might sound daunting, but trust me, it’s all about peace of mind for both you and your clients. I wanted to share a rundown of what I’ve done. More importantly, I want to share why I’ve done it, in case it helps you level up your practice too!<\/p>\n\n\n\n
The “Why” Behind My Personal HIPAA Compliance Journey<\/h3>\n\n\n\n
My biggest drive was simple. I needed to know, without any doubt, that I was protecting my clients’ sensitive information to the highest standard. HIPAA isn’t just a checkbox; it’s about building trust. First, conducted a thorough risk analysis<\/strong> of my setup to identify any potential vulnerabilities.<\/p>\n\n\n\n
I’ve now meticulously created and am maintaining a detailed “Security Policies and Procedures” document<\/strong> that guides all my practices. Plus, having everything clearly documented helps me sleep better at night!<\/p>\n\n\n\n
Honestly, it wasn’t that long ago, a few weeks, that I wasn’t even aware of all of this. I didn’t know about Business Associate Agreements (BAAs), or their critical role. My previous security stance of “just don’t share client info” felt sufficient. Since then, I’ve realized how nebulous and insufficient<\/strong> that really was for both cloud-based and desktop information. <\/p>\n\n\n\n
How It All Started<\/h3>\n\n\n\n
So, if I wasn’t born with this wealth of knowledge, and it wasn’t covered in grad school, what happened? Well, I discovered that simply removing what I thought was identifying information was not sufficient for HIPAA de-identification<\/strong>. That realization truly sent me down this “rabbit hole” of learning and implementing everything you’re about to read!<\/p>\n\n\n\n
Honestly, as a single user, all this might seem like overkill<\/strong> at times. That is, until I really think about the potential cost and repercussions of a HIPAA violation<\/strong>. That quickly puts things into perspective!<\/p>\n\n\n\n
Here’s information and tips I’ve learned on this individual HIPAA compliance trek. (No, I’m not affiliated with, or sponsored by, Google in any way, it was just easier to work with.)<\/strong><\/em><\/p>\n\n\n\n
The Secure Foundation: My Google Workspace Enterprise Standard<\/h3>\n\n\n
\n![\"Three](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/06\/network-3866435_1280.webp\" "\\"Securing")
Establishing a secure digital foundation for Protected Health Information in the cloud.<\/figcaption><\/figure>\n<\/div>\n\n\n Before even setting up my specific security rules, choosing the right Google Workspace edition was crucial. There are several tiers, and it’s not just about how many emails you can send! For me, picking Enterprise Standard<\/strong> was absolutely essential because of the level of HIPAA security I was comfortable with.<\/p>\n\n\n\n
- \n
- Pro-Tip on Choosing a Platform:<\/strong> I actually considered Microsoft 365 Business plans, as they also offer BAAs. However, I was already using and familiar with Google’s interface. More importantly, I found it much easier to get clear information about Google’s BAA and HIPAA-included functionality upfront.<\/strong> Microsoft seems to hide their BAA documentation behind a subscriber wall, making it difficult to fully vet before committing. This ease of information access, combined with my familiarity, ultimately swayed my decision towards Google. Basically, it looks like any paid workspace can have a BAA: https:\/\/support.google.com\/a\/answer\/2888485?sjid=14092164238884574583-NC<\/a><\/li>\n<\/ul>\n\n\n\n
Here\u2019s why I landed on it during my own HIPAA compliance trip, and what foundational elements it provides:<\/p>\n\n\n\n
The Non-Negotiable BAA<\/strong><\/h4>\n\n\n\n
This was the top priority. Enterprise Standard definitely comes with a Business Associate Agreement (BAA)<\/strong>. This gives me that crucial legal agreement with Google to handle Protected Health Information. This is absolutely non-negotiable for anyone handling PHI with Google Workspace. (You can find Google’s BAA here: https:\/\/workspace.google.com\/terms\/2015\/1\/hipaa_baa\/<\/a><\/em>).<\/p>\n\n\n\n
- \n
- Pro-Tip on Choosing a Tier<\/strong> – I actually started with the cheapest business tier (Business Starter $7\/mo), which I can confirm offers a BAA. However, after really digging into the features, I chose to upgrade to Enterprise Standard. It offered much better control over information and more robust policy enforcement options<\/strong>. These ultimately felt essential for protecting client PHI effectively. Google Tiers & Pricing<\/a> <\/li>\n\n\n\n
- Don’t Forget Your Domain Name! <\/strong>A domain name is an additional, but necessary, cost for any Google Workspace Business account. While Google offers to sell you one directly, I opted to buy my domain through Cloudflare for just $10.44\/year. This was a cost-effective choice since I already used Cloudflare for other services.<\/li>\n<\/ul>\n\n\n\n
Serious Pooled Storage<\/h4>\n\n\n\n
Enterprise Standard offers a massive 5 TB of pooled storage per user<\/strong>. (Just a heads-up: This pooled storage gets released in stages after payments, so my Drive initially showed less!). This is more than enough space for all my therapy materials and client files.<\/p>\n\n\n\n
\nGoogle Vault for Ironclad Data Retention<\/h4>\n\n\n\n
This was a game-changer! Enterprise Standard includes Google Vault<\/strong>, which allows me to set an indefinite retention policy<\/strong> for all my Google data. This ensures I meet and exceed HIPAA’s minimum six-year data retention requirement. It\u2019s like a super-secure, always-on backup for everything.<\/p>\n<\/div>
![\"A](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/06\/strongbox-154022_1280-1-866x1024.webp\")
<\/figure><\/div>\n\n\n\nAdvanced Data Loss Prevention (DLP)<\/h4>\n\n\n\n
This tier gives me access to advanced DLP rules for Gmail and Drive, which are central to my security strategy. These are the powerful rules that can warn me if I try to share sensitive files externally.<\/p>\n\n\n\n
Comprehensive Security Controls<\/h4>\n\n\n\n
Enterprise Standard unlocks a lot of the granular administrative controls I needed. This allowed me to configure things like forcing 2FA, setting strong password policies, and disabling third-party apps.<\/p>\n\n\n\n
Basically, for handling PHI and needing robust, auditable security features, Enterprise Standard provided the comprehensive toolkit I needed to feel confident and stay compliant. It’s an investment at $27\/mo, but one that\u2019s absolutely worth it for peace of mind and professional responsibility.<\/p>\n\n\n\n
The Core Pillars of My Personal HIPAA Compliance Policy:<\/h3>\n\n\n\n
Here’s a look at the specific configurations I implemented (See Google’s HIPAA Implementation Guide: https:\/\/services.google.com\/fh\/files\/misc\/gsuite_cloud_identity_hipaa_implementation_guide.pdf<\/a>):<\/p>\n\n\n\n
1. Bulletproof Access Control (Who Gets In? Only Me!)<\/h4>\n\n\n\n
![\"A](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/secure-access-2fa.png\")
<\/figure>\n- \n
- 2-Step Verification (2FA) is Mandatory:<\/strong> No exceptions! I enforced 2FA for all account access. This is your absolute best defense against unauthorized logins.<\/li>\n\n\n\n
- Strong Passwords, Always:<\/strong> My system enforces strong password policies, requiring a minimum length of 16 characters<\/strong> and prompting for a refresh every 180 days<\/strong>. No weak links here!<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
- \n
- Third-Party Apps? Deny by Default!<\/strong> My policy is strict: all third-party app access is blocked by default. If I ever need an app, it goes through a security review and is force-installed by me, the admin. This prevents unvetted apps from touching my client data.<\/li>\n\n\n\n
- Strictly BAA-Covered Services Only:<\/strong> As part of my setup, I went into my Google Admin Console and literally turned OFF<\/strong> any Google services that aren’t explicitly covered by the BAA (like Google Photos, YouTube, etc.). Why? To make sure no PHI accidentally ends up in a non-compliant service. (You can find a list of Google’s HIPAA Included Functionality and BAA-covered services here: https:\/\/workspace.google.com\/terms\/2015\/1\/hipaa_functionality\/<\/a><\/em>).<\/li>\n<\/ul>\n\n\n\n
2. Smart Data Protection (No Accidental Leaks!)<\/h4>\n\n\n
\n![\"A](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/06\/data-2998180_1280.webp\")
Locking down your digital files to prevent accidental data leaks.<\/figcaption><\/figure>\n<\/div>\n\n\n - \n
- Gmail Content Compliance:<\/strong> I set up an automated rule in Gmail that quarantines any outbound email containing PHI-related keywords if it’s addressed to a domain not on my pre-approved “Trusted School Districts” list. It’s a huge safety net!<\/li>\n\n\n\n
- Drive DLP (Data Loss Prevention) Rule:<\/strong> For Google Drive, I have a rule that gives me a real-time warning if I ever try to externally share a file containing PHI keywords. It’s an extra “Are you sure?” before a potential mishap.<\/li>\n\n\n\n
- Always Use Secure Communication Channels:<\/strong> Beyond these automated rules, I always ensure that any direct client communication involving PHI occurs only through secure, HIPAA-compliant platforms (like my employer’s therapy portal). I now avoid using regular email, text messages, or consumer video calls for sensitive information<\/strong>.<\/li>\n<\/ul>\n\n\n\n
3. Endpoint & Browser Security (My Laptop & Chrome)<\/h4>\n\n\n\n
- \n
- My Laptop is Encrypted & Protected:<\/strong> My main computer has full-disk encryption (BitLocker\/FileVault) and a robust antivirus solution. I’m currently using Norton Small Business ($59\/1st year with $119\/year renewal)<\/strong> for this, primarily for its strong endpoint protection. While I’m actively looking into BAA-covered antivirus and endpoint detection & response (EDR) solutions, it’s been a real challenge to find providers willing to work with a single user. For now, Norton Business helps secure my device itself. I had to specifically disable its cloud backup features<\/strong> to prevent any PHI from being stored on non-BAA servers. I’ve also upgraded my mouse to use Logi Bolt technology<\/strong> for a more secure wireless connection.<\/li>\n\n\n\n
- Physical Security for My Home Office:<\/strong> Beyond digital protection, I also ensure any limited physical PHI (like printed notes) is kept in a locked file box when unattended<\/strong>, and my work area is secured to prevent unauthorized access. I’ve even rearranged my office so that my computer screen is not visible from the doorway<\/strong>, even though I always make sure to close the door when I’m with clients.<\/li>\n\n\n\n
- Dedicated Chrome Profiles:<\/strong> This is a big one! I have separate Chrome browser profiles. One just for my professional W<\/strong>orkspace (where I handle PHI), and others for personal stuff or employer-provided Outlook\/therapy portals. This completely isolates data and workflows.\n
- \n
- Updated to add – I’ve now gone a step farther and added another Windows user to my computer. This way all therapy stuff stays in the therapy user.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Chrome Policies Enforced:<\/strong> My professional Google Workspace Chrome profile has Enhanced Safe Browse, “Always use secure connections” (HTTPS), and strict extension blocking enforced by policy. This means my browser is secured from the top down.<\/li>\n\n\n\n
- Windows Settings Tuned:<\/strong> Beyond the basics, I dove into Windows settings to ensure my device is locked down. Strong PIN\/Windows Hello, Dynamic Lock (locks when I walk away), automatic screen lock, firewall active, and app permissions reviewed app-by-app.<\/li>\n<\/ul>\n\n\n\n
4. Tackling Existing Data & Migration<\/h4>\n\n\n\n
This was a big project, especially for older files, and probably the hardest part in my HIPAA compliance trek!<\/p>\n\n\n\n
![\"An](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/data-migration-cloud-consolidation.png\")
<\/figure>\n- \n
- Consolidating All My Data (PHI & Non-PHI):<\/strong> I meticulously went through all my files, both on my computer’s desktop and in my Drive<\/strong>. I identified any possible PHI or general therapy materials. That data was then securely moved to my professional Drive<\/strong>, ensuring it was consolidated into my compliant environment.<\/li>\n\n\n\n
- No More OneDrive Sync:<\/strong> I’ve also disabled Microsoft OneDrive’s automatic PC folder backup<\/strong>. I’m in the process of moving those files from the OneDrive synced location back to my local user’s root folders. This ensures no client data is inadvertently stored or synced to a non-BAA cloud service.<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
Google Drive Settings and Workarounds<\/h5>\n\n\n\n
- \n
- Google Drive for Desktop (Strategically!):<\/strong> I used Google Drive for Desktop for efficiency with many files, but with a key rule. I keep it on “stream files” mode<\/strong>. This means files are only downloaded when I open them, minimizing PHI stored locally on my hard drive. I also keep its “offline access” feature for PHI files disabled in the Admin Console to prevent local copies, unless absolutely necessary and then with extreme care.<\/li>\n\n\n\n
- Native Google Docs\/Sheets\/Slides:<\/strong> This was tricky! I learned you can’t just drag-and-drop native Google files between different accounts using Drive for Desktop. For these, especially if they contained PHI, I had to download them in Microsoft Office format<\/strong> from my personal Drive. Then I re-uploaded them<\/strong> to my professional Google Workspace Drive<\/strong>. This ensured ownership transferred correctly and, crucially, kept the PHI handling within my secured processes.<\/li>\n\n\n\n
- Unzipping Files:<\/strong> Since Google Drive doesn’t have a built-in unzipper, I securely downloaded ZIP files to my local, encrypted computer. I unzipped them using Windows’ built-in function, and then re-uploaded the extracted files to my professional Google Workspace Drive<\/strong>.<\/li>\n\n\n\n
- Disconnecting My Personal Drive:<\/strong> Once the transfer was done, I disconnected my personal Google Drive account from Google Drive for Desktop. Why? Fewer accounts connected equals less potential risk.<\/li>\n\n\n\n
- Cleaning Up My Personal Drive (Carefully!):<\/strong> After moving all PHI, I used a cloud cleaner like Norton Cloud Cleaner on my personal<\/em> Google Drive to remove duplicates and old non-PHI files. NEVER<\/strong> use such a tool on any PHI files or folders due to compliance risks, if it’s not covered by a BAA.<\/li>\n<\/ul>\n\n\n\n
Involving Others in My Personal HIPPA Journey<\/h5>\n\n\n\n
- \n
- Dealing with Shared PHI from Others:<\/strong> I found some old PHI-containing files in my personal Gmail’s “Shared with me” section, shared by a school district. I immediately downloaded these to my professional Google Workspace Drive<\/strong>, securely deleted them from my personal Drive and my local computer<\/strong>. Then I reached out to the owner (politely!) asking them to remove my personal Gmail from the access list. This is an active and ongoing effort<\/strong> where I’m proactively contacting owners to ensure my access is removed. I’m documenting all my attempts<\/strong> as part of my due diligence, especially if I encounter non-responsive contacts or technical difficulties.<\/li>\n\n\n\n
- Updating My Employer:<\/strong> I proactively contacted my employer to update my email address for all Google Drive file sharing. I specifically requested that anything with sensitive client info go to my new, secure professional email address (e.g., your.professional.email@yourdomain.com)<\/strong>. This helps them send things to the right place from the start.<\/li>\n<\/ul>\n\n\n\n
My Ongoing Commitment:<\/h3>\n\n\n\n
This isn’t a one-and-one project! I’ve also built in:<\/p>\n\n\n\n
- \n
- Annual Policy Review:<\/strong> I’ll review my entire security policy document at least once a year.<\/li>\n\n\n\n
- Self-Education:<\/strong> Staying informed about HIPAA and cybersecurity is an ongoing task. I’ve even been learning about specific processes like the HIPAA de-identification process<\/strong>.<\/li>\n\n\n\n
- Basic Incident Response:<\/strong> I have a plan for what to do if something ever goes wrong, including who to notify.<\/li>\n\n\n\n
- Learning Curve:<\/strong> I won’t lie, all these tech skills required some serious reading up and a lot of help (shout out to Gemini! \ud83d\ude09). It’s a journey, not a sprint, but totally doable!<\/li>\n<\/ul>\n\n\n\n
Setting all this up has been a journey, but it’s given me immense confidence in my practice’s security. If you’re an SLP (or any healthcare professional) using tech in your practice, I highly encourage you to take a look at your own setup. It’s worth every bit of effort for your peace of mind and, most importantly, for your clients’ privacy!<\/p>\n\n\n\n
Here’s to HIPAA Happiness!<\/p>\n\n\n\n
\n![\"Mrs.](\"https:\/\/i0.wp.com\/vmx.erb.mybluehost.me\/wp-content\/uploads\/2025\/07\/Mrs.-Speech-signature-transparent.webp?fit=810%2C169&ssl=1\")
<\/figure>\n<\/div>\n\n\n\n![\"facebook](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/1-e1751811762918.webp\")
<\/a><\/figure>\n\n\n\n![\"Instagram](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/4-e1751812074939.webp\")
<\/a><\/figure>\n\n\n\n![\"pinterest](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/2-e1751811897435.webp\")
<\/a><\/figure>\n\n\n\n![\"LinkedIn](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/5-e1751812160224.webp\")
<\/a><\/figure>\n\n\n\n![\"YouTube](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/3-e1751811991232.webp\")
<\/a><\/figure>\n\n\n\n![\"TeachersPayTeachers](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/6-e1751812225756.webp\")
<\/a><\/figure>\n\n\n\n![\"Mrs.](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/social-icons-1-e1751812692319.webp\")
<\/figure>\n\n\n\n![\"MailTo](\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/7-e1751813665307.webp\")
<\/figure>\n<\/div>\n<\/div><\/div>\n\n\n\n\n Social Media Icons: designed by rawpixel.com – Freepik.com<\/a>\n<\/p>\n\n\n\n
<\/div>\n\n\nBusiness Associate Agreement<\/a>, <\/span>Google<\/a>, <\/span>Google Workspace<\/a>, <\/span>HIPAA Security<\/a>, <\/span>Home Office<\/a>, <\/span>Insights<\/a>, <\/span>Microsoft<\/a>, <\/span>Personal Journey<\/a>, <\/span>Technology<\/a>, <\/span>Teletherapy<\/a>, <\/span>Tips<\/a><\/div>","protected":false},"excerpt":{"rendered":"How I’m Making My Solo Practice HIPAA-Happy! Hey fellow SLPs and healthcare pros! Today, I want to share some insights from my personal journey towards HIPAA compliance. In my last two posts, we delved into the crucial topic of HIPAA compliance for telepractice. They covered the “what” and the “why.” Today, I want to share the […]<\/p>\n","protected":false},"author":1,"featured_media":2383,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","footnotes":""},"categories":[914,916],"tags":[958,1022,1023,932,1031,954,1025,1015,1042,946,949],"class_list":["post-8","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-clinical-practice-management","category-compliance-ethics","tag-business-associate-agreement","tag-google","tag-google-workspace","tag-hipaa-security","tag-home-office","tag-insights","tag-microsoft","tag-personal-journey","tag-technology","tag-teletherapy","tag-tips"],"yoast_head":"\n
Personal HIPAA Compliance Journey: My Insights - Mrs. Speech Online<\/title>\n<meta name=\"description\" content=\"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"My Personal HIPAA Compliance Journey: Steps to Secure Data\" \/>\n<meta property=\"og:description\" content=\"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/\" \/>\n<meta property=\"og:site_name\" content=\"Mrs. Speech Online\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/profile.php?id=61556892726241\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/profile.php?id=61556892726241\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-12T17:22:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1350\" \/>\n\t<meta property=\"og:image:height\" content=\"1350\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jennifer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jennifer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/\"},\"author\":{\"name\":\"Jennifer\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#\\\/schema\\\/person\\\/05d8350c5dc28f8b1a02cfd86462c22b\"},\"headline\":\"My Personal HIPAA Compliance Journey: Steps to Secure Data\",\"datePublished\":\"2025-08-12T17:22:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/\"},\"wordCount\":2614,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#\\\/schema\\\/person\\\/05d8350c5dc28f8b1a02cfd86462c22b\"},\"image\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/HIPAA-Me-Shield.png\",\"keywords\":[\"Business Associate Agreement\",\"Google\",\"Google Workspace\",\"HIPAA Security\",\"Home Office\",\"Insights\",\"Microsoft\",\"Personal Journey\",\"Technology\",\"Teletherapy\",\"Tips\"],\"articleSection\":[\"Clinical\",\"Compliance & Ethics\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/\",\"url\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/\",\"name\":\"Personal HIPAA Compliance Journey: My Insights - Mrs. Speech Online\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/HIPAA-Me-Shield.png\",\"datePublished\":\"2025-08-12T17:22:16+00:00\",\"description\":\"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#primaryimage\",\"url\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/HIPAA-Me-Shield.png\",\"contentUrl\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/HIPAA-Me-Shield.png\",\"width\":1350,\"height\":1350,\"caption\":\"Securing patient data: My personal journey to HIPAA compliance at home. \u00a9 2025 Jennifer Tillock, Mrs. Speech LLC\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/personal-hipaa-compliance-journey\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Clinical\",\"item\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/category\\\/clinical-practice-management\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Compliance & Ethics\",\"item\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/category\\\/clinical-practice-management\\\/compliance-ethics\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"My Personal HIPAA Compliance Journey: Steps to Secure Data\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#website\",\"url\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/\",\"name\":\"Mrs. Speech Online\",\"description\":\"Tips & Resources for SLPs and Educators (Excuse our dust, our gnomes are renovating!)\",\"publisher\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#\\\/schema\\\/person\\\/05d8350c5dc28f8b1a02cfd86462c22b\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/#\\\/schema\\\/person\\\/05d8350c5dc28f8b1a02cfd86462c22b\",\"name\":\"Jennifer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/mrs-speech-online-website-banner.webp\",\"url\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/mrs-speech-online-website-banner.webp\",\"contentUrl\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/mrs-speech-online-website-banner.webp\",\"width\":1920,\"height\":553,\"caption\":\"Jennifer\"},\"logo\":{\"@id\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/mrs-speech-online-website-banner.webp\"},\"sameAs\":[\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/staging\\\/2315\",\"https:\\\/\\\/www.facebook.com\\\/profile.php?id=61556892726241\",\"https:\\\/\\\/www.instagram.com\\\/mrs.speechonline\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/jennifer-tillock-821999287\\\/\",\"https:\\\/\\\/www.pinterest.com\\\/mrsspeechonline\\\/\",\"http:\\\/\\\/www.youtube.com\\\/@Mrs.Speech-wk4mr\"],\"url\":\"https:\\\/\\\/mrsspeechonline.com\\\/staging\\\/2315\\\/author\\\/jennifer\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Personal HIPAA Compliance Journey: My Insights - Mrs. Speech Online","description":"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/","og_locale":"en_US","og_type":"article","og_title":"My Personal HIPAA Compliance Journey: Steps to Secure Data","og_description":"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.","og_url":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/","og_site_name":"Mrs. Speech Online","article_publisher":"https:\/\/www.facebook.com\/profile.php?id=61556892726241","article_author":"https:\/\/www.facebook.com\/profile.php?id=61556892726241","article_published_time":"2025-08-12T17:22:16+00:00","og_image":[{"width":1350,"height":1350,"url":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png","type":"image\/png"}],"author":"Jennifer","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jennifer","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#article","isPartOf":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/"},"author":{"name":"Jennifer","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#\/schema\/person\/05d8350c5dc28f8b1a02cfd86462c22b"},"headline":"My Personal HIPAA Compliance Journey: Steps to Secure Data","datePublished":"2025-08-12T17:22:16+00:00","mainEntityOfPage":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/"},"wordCount":2614,"commentCount":0,"publisher":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#\/schema\/person\/05d8350c5dc28f8b1a02cfd86462c22b"},"image":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#primaryimage"},"thumbnailUrl":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png","keywords":["Business Associate Agreement","Google","Google Workspace","HIPAA Security","Home Office","Insights","Microsoft","Personal Journey","Technology","Teletherapy","Tips"],"articleSection":["Clinical","Compliance & Ethics"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/","url":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/","name":"Personal HIPAA Compliance Journey: My Insights - Mrs. Speech Online","isPartOf":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#website"},"primaryImageOfPage":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#primaryimage"},"image":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#primaryimage"},"thumbnailUrl":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png","datePublished":"2025-08-12T17:22:16+00:00","description":"Discover the key lessons from my personal HIPAA compliance journey and enhance your telepractice with practical insights.","breadcrumb":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#primaryimage","url":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png","contentUrl":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/HIPAA-Me-Shield.png","width":1350,"height":1350,"caption":"Securing patient data: My personal journey to HIPAA compliance at home. \u00a9 2025 Jennifer Tillock, Mrs. Speech LLC"},{"@type":"BreadcrumbList","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/personal-hipaa-compliance-journey\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/mrsspeechonline.com\/staging\/2315\/"},{"@type":"ListItem","position":2,"name":"Clinical","item":"https:\/\/mrsspeechonline.com\/staging\/2315\/category\/clinical-practice-management\/"},{"@type":"ListItem","position":3,"name":"Compliance & Ethics","item":"https:\/\/mrsspeechonline.com\/staging\/2315\/category\/clinical-practice-management\/compliance-ethics\/"},{"@type":"ListItem","position":4,"name":"My Personal HIPAA Compliance Journey: Steps to Secure Data"}]},{"@type":"WebSite","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#website","url":"https:\/\/mrsspeechonline.com\/staging\/2315\/","name":"Mrs. Speech Online","description":"Tips & Resources for SLPs and Educators (Excuse our dust, our gnomes are renovating!)","publisher":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#\/schema\/person\/05d8350c5dc28f8b1a02cfd86462c22b"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mrsspeechonline.com\/staging\/2315\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/#\/schema\/person\/05d8350c5dc28f8b1a02cfd86462c22b","name":"Jennifer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/mrs-speech-online-website-banner.webp","url":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/mrs-speech-online-website-banner.webp","contentUrl":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/mrs-speech-online-website-banner.webp","width":1920,"height":553,"caption":"Jennifer"},"logo":{"@id":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-content\/uploads\/2025\/07\/mrs-speech-online-website-banner.webp"},"sameAs":["https:\/\/mrsspeechonline.com\/staging\/2315\/staging\/2315","https:\/\/www.facebook.com\/profile.php?id=61556892726241","https:\/\/www.instagram.com\/mrs.speechonline\/","https:\/\/www.linkedin.com\/in\/jennifer-tillock-821999287\/","https:\/\/www.pinterest.com\/mrsspeechonline\/","http:\/\/www.youtube.com\/@Mrs.Speech-wk4mr"],"url":"https:\/\/mrsspeechonline.com\/staging\/2315\/author\/jennifer\/"}]}},"_links":{"self":[{"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/comments?post=8"}],"version-history":[{"count":16,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/posts\/8\/revisions"}],"predecessor-version":[{"id":2387,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/posts\/8\/revisions\/2387"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/media\/2383"}],"wp:attachment":[{"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/media?parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/categories?post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrsspeechonline.com\/staging\/2315\/wp-json\/wp\/v2\/tags?post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} - Self-Education:<\/strong> Staying informed about HIPAA and cybersecurity is an ongoing task. I’ve even been learning about specific processes like the HIPAA de-identification process<\/strong>.<\/li>\n\n\n\n
- Updating My Employer:<\/strong> I proactively contacted my employer to update my email address for all Google Drive file sharing. I specifically requested that anything with sensitive client info go to my new, secure professional email address (e.g., your.professional.email@yourdomain.com)<\/strong>. This helps them send things to the right place from the start.<\/li>\n<\/ul>\n\n\n\n
- Native Google Docs\/Sheets\/Slides:<\/strong> This was tricky! I learned you can’t just drag-and-drop native Google files between different accounts using Drive for Desktop. For these, especially if they contained PHI, I had to download them in Microsoft Office format<\/strong> from my personal Drive. Then I re-uploaded them<\/strong> to my professional Google Workspace Drive<\/strong>. This ensured ownership transferred correctly and, crucially, kept the PHI handling within my secured processes.<\/li>\n\n\n\n
- No More OneDrive Sync:<\/strong> I’ve also disabled Microsoft OneDrive’s automatic PC folder backup<\/strong>. I’m in the process of moving those files from the OneDrive synced location back to my local user’s root folders. This ensures no client data is inadvertently stored or synced to a non-BAA cloud service.<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
- Windows Settings Tuned:<\/strong> Beyond the basics, I dove into Windows settings to ensure my device is locked down. Strong PIN\/Windows Hello, Dynamic Lock (locks when I walk away), automatic screen lock, firewall active, and app permissions reviewed app-by-app.<\/li>\n<\/ul>\n\n\n\n
- Physical Security for My Home Office:<\/strong> Beyond digital protection, I also ensure any limited physical PHI (like printed notes) is kept in a locked file box when unattended<\/strong>, and my work area is secured to prevent unauthorized access. I’ve even rearranged my office so that my computer screen is not visible from the doorway<\/strong>, even though I always make sure to close the door when I’m with clients.<\/li>\n\n\n\n
- Drive DLP (Data Loss Prevention) Rule:<\/strong> For Google Drive, I have a rule that gives me a real-time warning if I ever try to externally share a file containing PHI keywords. It’s an extra “Are you sure?” before a potential mishap.<\/li>\n\n\n\n
- Strictly BAA-Covered Services Only:<\/strong> As part of my setup, I went into my Google Admin Console and literally turned OFF<\/strong> any Google services that aren’t explicitly covered by the BAA (like Google Photos, YouTube, etc.). Why? To make sure no PHI accidentally ends up in a non-compliant service. (You can find a list of Google’s HIPAA Included Functionality and BAA-covered services here: https:\/\/workspace.google.com\/terms\/2015\/1\/hipaa_functionality\/<\/a><\/em>).<\/li>\n<\/ul>\n\n\n\n
- Strong Passwords, Always:<\/strong> My system enforces strong password policies, requiring a minimum length of 16 characters<\/strong> and prompting for a refresh every 180 days<\/strong>. No weak links here!<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
- Don’t Forget Your Domain Name! <\/strong>A domain name is an additional, but necessary, cost for any Google Workspace Business account. While Google offers to sell you one directly, I opted to buy my domain through Cloudflare for just $10.44\/year. This was a cost-effective choice since I already used Cloudflare for other services.<\/li>\n<\/ul>\n\n\n\n
- Pro-Tip on Choosing a Tier<\/strong> – I actually started with the cheapest business tier (Business Starter $7\/mo), which I can confirm offers a BAA. However, after really digging into the features, I chose to upgrade to Enterprise Standard. It offered much better control over information and more robust policy enforcement options<\/strong>. These ultimately felt essential for protecting client PHI effectively. Google Tiers & Pricing<\/a> <\/li>\n\n\n\n
- Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide<\/a><\/li>\n<\/ul>\n\n\n\n