Must I comply? It doesn't have to be perfect

By Susan C. Litton, Ph.D.

     Yes, you have to comply.

     Not long ago, it was theoretically possible for some mental health practitioners to make a case for not being Covered Entities (CEs), thus not needing to comply with HIPAA. However, that was before COVID. COVID pushed the entire profession toward digital apps. 


To remain protected, we signed BAAs (Business Associate Agreements). BAAs commonly begin with language like:

“This is an agreement between X, a software company and Y, a Covered Entity.”

    As soon as you sign, you’re attesting to the fact that yes, you ARE a Covered Entity. If you’ve signed even one of these legally binding documents, you’re required to comply with HIPAA. 


It doesn’t have to be perfect

    The good news is that HIPAA is fairly forgiving. Although the goal is to work toward 100% compliance, each CE is expected to implement solutions appropriate to their own practice. What auditors look for is evidence that we understand HIPAA laws and that we’re putting forth a good faith attempt to apply them. Some authors refer to this as having a “Good Story.” Keep in mind that “not knowing” is also a HIPAA infraction. So, if you’re audited and asked why you haven’t implemented X, a response of “I didn’t know I needed it” could get you fined. But a response of, “I haven’t implemented that yet because of A and B, but I have plans to implement it by (date)” would probably be considered acceptable.


Tips for avoiding sanctions

Email and texting

An analysis of data from the OCR Breach Database in 2020 found that healthcare professionals were the worst offenders in the Hacking/IT email breach category, accounting for a whopping 82% of posted breaches. Providers were fined for using insecure or partially secure email products such as Gmail, Outlook, Yahoo, AOL, or even Google Workspace.

    HIPAA rules for email and texting are extremely difficult to understand. They never actually say that we must use encrypted platforms. However, if you DO use insecure email or texting and are unlucky enough to be involved in a breach, HIPAA DOES impose sanctions. This seemingly unfair situation is based on the Security Rule, which requires us to maintain our patients’ medical records securely. Both email and texts are considered part of the medical record. Therefore, if some action you took (or did not take) is responsible for a breach, HIPAA will likely fine you. A good rule to follow is:

IF you choose to text and/or email with your patients, you MUST use encrypted platforms. Your default programs for email or texting should be 100% end-to-end encrypted. (This eliminates Google Workspace unless you add Paubox.) However, if a particular patient reports having difficulty with your encrypted program and requests to use an unencrypted method, you MUST then use their chosen program if possible. This is considered a reasonable accommodation and is part of the Privacy Policy. Such exceptions should be documented by asking the patient to sign a waiver stating that they requested this change, they understand it’s not secure, and will hold you harmless should a breach occur.



A casual perusal of some of the OCR database entries reveals a surprising number of breaches involving documentation. Documentation is intended to prevent, detect, contain, and correct security violations. In one case, an employee's thumb drive, which POSSIBLY contained PHI, was stolen from his car. The fine was levied because the organization did not have adequate policies and procedures that might have prevented or corrected the situation. Documentation is an essential part of having a “Good Story.”


Create a compliance repository

    Many clinicians in private practice think they need to hire experts to get their documentation up to speed. You do not. Remember that HIPAA is scalable. A HIPAA attorney showed me this relatively easy do-it-yourself approach:

Create this set of folders:

1. Policies, Processes and Process Results

2. Workforce Members

3. Business Associates

4. Complaints

5. Security Incidents

6. Breaches

7. Internal Audits and Reviews


Make sure the place you’re storing your Compliance Repository is HIPAA compliant (with a BAA) and that you maintain at least one backup in a totally different location. Keep ALL your HIPAA documentation in this repository. For example, your Privacy and Security Policies, Informed Consents, Telehealth Policies, Waivers, etc. go in the first folder, documentation on staff members (including yourself) goes in folder #2, your BAAs go in #3 and so forth. Don’t be scared about 4, 5, and 6. Documented incidents (including the action you took plus remediation plans you put in place afterward) will look a lot better than things you try to gloss over. And 7? Extremely important. Do this - and document it - regularly.

How do integrated tools make HIPAA easier?

    Integrated tools like Electronic Health Records (EHRs) are typically less expensive, safer, and easier than maintaining separate tools. When you are using separate tools for each task, it’s up to you to figure out how to securely transfer things like payment info, notes, emails, texts, files, etc. from separate software programs to the individual medical records you maintain on each patient. That’s a daunting task even for security experts. In contrast, when an integrated program is done correctly, you are relieved of that responsibility. That work is done for you. 

    Creating and maintaining your Security Policy is also easier with integrated products. A Security Policy must be based on a risk assessment. Part of this is to maintain records on each piece of equipment and/or software we use. If we’re using ten different software programs, we must maintain an entry for each. However, with online EHRs, the software part of your risk assessment can be limited to a single entry, something like this:

HP Pavilion All-in-One 27-xa0125qe desktop computer.

Security policy: I use my XYZ EHR for all practice management tasks. Since XYZ EHR and all data it produces are online, there is never any PHI on any of my devices. XYZ EHR is HIPAA compliant, and I have a BAA with them that is kept in the Business Associates file of my Compliance Repository.



    Complying with HIPAA is something you can do yourself with maybe only a weekend of solid work to get set up, and then occasional tweaking. It DOES need to be something you stay on top of. It’s not something you set up and forget. Remember the “Internal Audits and Reviews” folder? Plan one of those at LEAST once a year, maybe twice. Each time you add new software or hardware, add it to the risk assessment document in your Security Policy. Train your staff (even if only yourself) as needed or at least once or twice a year and document those trainings in the Workforce Members folder. Learn as you go. You can do this!


Susan C. Litton, Ph.D., is a psychologist in private practice in Decatur, GA. She also has an IT degree and created the PSYBooks EHR/Portal for mental health professionals. She is an Advisor to Hale Healthcare IT Labs, a tech company devoted to building healthcare products. Her email address is

Iowa Psychological Association opposes PSYPACT

By Paul Ascheman, Ph.D.

     In 2018, the Association of State and Provincial Psychology Boards (ASPPB) held a PsyPact pitch meeting in Washington, DC, to recruit additional states needed to enact the interstate compact. Iowa invitees included a state senator and house representative, the chair of the Iowa Board of Psychology, and me, serving at that time as the Iowa Psychological Association’s (IPA) State Advocacy Coordinator. 

We all entered the meeting enthusiastic to broaden access to telepsychology, but some left concerned that aspects of the design needed to be improved. While there is the obvious purported benefit of increasing patient access via telehealth and temporary in-state practice, the Iowa Psychological Association has decided to oppose the passage of PsyPact in the multiple years it has been introduced.

Interstate compacts for healthcare providers are not new. There are compacts for many professions, including physicians, nurses, social workers, counselors, audiologists, physical therapists, and even emergency medical providers. They come in different styles and qualities. Compacts allow for interstate practice without having to be licensed in multiple participating states. They are a substitute for national licensure or reciprocity agreements. By design, PsyPact requires the participating states to give up some control over the regulation of licensees.

Licensing requirements vary between states, and under PsyPact, someone who wouldn’t qualify for in-person practice in a receiving state could practice telehealth full-time in that state. If a state has specific continuing education requirements (e.g., cultural competence, ethics, or state regulations), a PsyPact psychologist does not have to meet those standards when practicing telehealth in another state. Further, while the current system is limited to doctoral-level psychologists, it has not been guaranteed that rules (governed by the PsyPact Commission) would not be expanded in the future to allow master’s level psychology practitioners to practice across state lines.

     To best understand the nuance of Iowa’s opposition to PsyPact, it is important to be aware of the definitions and rules in the compact’s model legislation (which cannot be amended or modified by individual states). First, it is important to differentiate the “home” state (where the psychologist resides) from the “receiving” state (where the patient is located). PsyPact rules state, “For the purposes of this Compact, the provision of psychological services is deemed to take place at the physical location of the psychologist.” This diverges from other compacts that state the service occurs in the patient’s location (i.e., receiving state). This is where things get muddy. Under PsyPact, although the service is deemed to occur in the home state, the psychologist must abide by the “scope of practice” and “health and safety” rules of the receiving state. If a disciplinary issue arises, the home state is responsible for investigating, asking that board to interpret another state’s rules. If, instead, the provision of service was in the receiving state, it would be more transparent for patients to understand which rules apply and better assure local accountability, driving home the imperative that providers follow the rules of the road wherever they (virtually) travel. This would also better mirror the in-person practice allowed under the Temporary Authorization to Practice (TAP) PsyPact credential and other occupational compacts.

The health and safety of patients should be paramount in constructing a compact; it was an afterthought for PsyPact. Interstate practitioners should be demonstrably knowledgeable of receiving state laws, including required reporting of abuse, duty to warn/protect statutes, and rules regarding involuntary commitments. Under PsyPact, psychologists only have to say they are knowledgeable; however, there is neither a method of ensuring competence of these laws nor a mechanism to track which providers are practicing in different states. In my experience as IPA’s state legislative advocate and a liaison to the Board of Psychology, even some resident psychologists lack adequate awareness of their home state regulations. It seems hard to believe that a provider working for a nationwide telehealth company could accurately identify these variations across the states where PsyPact is currently in effect. It’s also unlikely that these providers would be aware of the local referrals, social and emergency services, or other resources in the receiving states. For these reasons, regional reciprocity agreements or multi-state licenses may be safer methods of promoting inter-jurisdictional telehealth.

     There are also concerns from the perspective of boards of psychology. While other states may be different, Iowa’s Board of Psychology is solely funded by licensure fees and receives no additional state funding for investigations (like many states, Iowa’s board is underfunded). Though the home state is primarily responsible for investigating the psychologist’s behaviors under PsyPact, the receiving state still has the mandate to protect the public and would likely have expenses with no offsetting license fee to fund such obligations. Even one investigation could stretch resources thin for small state boards. Even without an investigation, there is a cost to the board to participate in PsyPact (a fee paid to ASPPB to use proprietary software).

Finally, there is the question of whether adopting PsyPact would improve patients’ access to psychologists or just increase psychologists’ access to patients. The greatest beneficiaries of PsyPact may be corporate telehealth platforms that can avoid multiple license fees and access the most affluent patients. Some independent psychologists currently operating brick-and-mortar offices may pivot to virtual-only practices or move out of state. Adopting PsyPact may lead other local psychologists to reduce the number of hours dedicated to patients within the state. Providers may also use PsyPact to seek out high-value private pay markets in other states rather than serve Medicare and Medicaid patients. As a result, if Iowa were to pass PsyPact, it may decrease access and undermine workforce development.

From Iowa’s perspective, the benefits of PsyPact are outweighed by the risks to patients and workforce retention, and by the lack of tracking and competency verification. PsyPact ultimately undermines a state’s ability to regulate the practice of psychology within its borders, something the Iowa Psychological Association has advocated zealously to enhance in the public interest. PsyPact could better prioritize patients, reset the location of service, and verify competence of the receiving state rules.


Paul Ascheman, Ph.D., is a licensed psychologist in Iowa. He is the former Iowa Psychological Association State Advocacy Coordinator, a member of Div. 31 – State Provincial and Territorial Affairs, and currently represents Iowa on the APA Council of Representatives. His email address is
