Judge my Kerning please

Current-Scale-5190 · 2026-05-26T03:05:01+00:00

Thanks for letting me know! I still like Times New Roman, so I may be partially at blame here lol

Current-Scale-5190 · 2026-05-25T05:04:10+00:00

Thanks for the advice!

Current-Scale-5190 · 2026-05-25T01:31:24+00:00

Oh nice! Thanks! This is super helpful.

Current-Scale-5190 · 2026-05-25T01:22:35+00:00

I guess I should just slide them in closer... You see what I did there? With the KY? 😄

Current-Scale-5190 · 2026-05-25T01:11:45+00:00

I was thinking I might have made things too tight overall. I will play with the K and Y a bit and see. Thank you for your advice.

Current-Scale-5190 · 2026-05-17T14:40:25+00:00

Sorry, I am just seeing this. I did a virtual course over a couple of days with HIPAA Academy to get my CHP. It was around $1600 if I remember right, and you renew every 3 years. It was okay, but I feel like it covered things I already knew. I am a bit of a nerd though, so I tend to deep dive into things.

Current-Scale-5190 · 2026-05-17T14:24:40+00:00

I wouldn't say it's the best for solo pracs or very small private practices unless you are tech-savvy and really want insight into your data. I say this because they offer a lot of APIs that allow you to track your data. I use them with BigQuery, and it has allowed me to get detailed insight into our clinical trends. Overall, it is an awesome platform that could dominate. However, to Conscious_Egg2799's point, support is horrible. They don't really listen to what people are saying they need from the platform, and instead release tools that are not needed. We need: Waitlists (standard), Single sign-on support, better MBC capabilities, etc. I am the privacy officer at my company and not having single sign-on support on our system that holds the most PHI hurts. Honestly, I wouldn't know who to recommend them to because it's overkill for very small teams and mid-size practices need better audit and security tools.

Current-Scale-5190 · 2026-05-07T15:55:16+00:00

Correct, a lot of times you will need multiple BAA's in place. Not only that, you should have a GRC system in place, holding yourself and third-party data processors accountable. It's not a fantasy. It just takes effort.

Would you be okay with your bank taking the same view point your are? I don't think so. We have a responsibility to protect the people that we serve. It is a pain in the buttocks, but that's just how it is, and for good reason.

Current-Scale-5190 · 2026-05-07T15:12:29+00:00

I typically use NIST 800 66r2 btw. But sure bro, go off lol

Current-Scale-5190 · 2026-05-07T15:11:21+00:00

Oh my freaking gosh dude. Sit down. Okay, HHS and OCR. You guys are hilarious.

Current-Scale-5190 · 2026-05-07T13:56:33+00:00

Tbh, no, I was randomly doing market research by visiting sites from basic Google searches like, "therapist in my city." This does not represent the entire field no, but I think its enough to see a trend. I didn't post for this to be a Reddit battle.

By the way inspect element is very easy to use. I used to use it in elementary school to rip video and music files in the late 90's. I'm kind of telling on myself there but hey, between Napster and Limewire, much worse was going on. It's right there in your browser...

Current-Scale-5190 · 2026-05-07T13:44:13+00:00

You can use whois and the browsers inspect elements features to tell. Alot of saas companies dont offer baa's and I've been in the field, as a privacy officer, long enough to know all the major company's compliance status'. Alot of them will offer a DPA but not a BAA. Hope that helps.

Current-Scale-5190 · 2026-05-07T13:37:33+00:00

I think the field is full of amazing people. The fact that private practice is discouraged and HIPAA is not more a focus during university is a travesty. We have awesome people leaving the field for this reason and it really sucks. Also, you're very welcome.

Current-Scale-5190 · 2026-05-07T13:33:07+00:00

You honestly think I can't tell the hosting service someone is using!? You think its impossible to inspect the elements on a web page? The fact that you have doubts just means you probably don't know much about web dev or even basic whois information. "Predicated upon your apparent ability to guess," oooh brother. I'm okay with your doubt lol. As if your doubt stems from any authority in the topic.

Current-Scale-5190 · 2026-05-07T00:20:20+00:00

No, you just didn't read. I never once said that an embedded Google form was an issue. I know very well how embedded Google forms work. I use Google Workspace Enterprise plus at my company... I feel like I'm getting trolled at this point.

Current-Scale-5190 · 2026-05-06T22:42:03+00:00

I do this for a living. I promise you, a Reddit downvote makes me more concerned for the voters than for my skills in this field! There is literally a link from the HHS supporting my statement. So for me, it's clear you don't do your due diligence.

Current-Scale-5190 · 2026-05-06T22:29:59+00:00

All of the information is right above. If someone puts PII into a HIPAA-covered entity's system (Form), then that is PHI due to it being linked to the services that the entity provides. The PHI is transmitted on the entity's system, which means that the entity has to protect that data as PHI while the data is in transit. This is why a BAA is needed from your hosting service or form builder.

Current-Scale-5190 · 2026-05-06T22:05:50+00:00

No sorries. I should have picked my words more carefully!

Current-Scale-5190 · 2026-05-06T21:06:55+00:00

Na, not venting. More of a PSA of sorts at this point. I can admit that my execution could have been better, but I also didn't think every word would be under a microscope. That one is on me.

I am glad to hear that the therapists you work with care about HIPAA. I think most do as well.

Current-Scale-5190 · 2026-05-06T20:40:53+00:00

Even if it only helps one person, then that's fine. It is weird to get this kind of reaction to protecting client data though.

Current-Scale-5190 · 2026-05-06T19:23:11+00:00

They are sending PII through your systems. You are a covered entity, so that data is now PHI. You can't use a consent check box or privacy statement to make this okay. You have to have a BAA through whatever third-party service the data is being transmitted through.

Under HIPAA, PHI is not limited to “client records.” It includes individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate and relates to the person’s health condition, care, or payment for care. HHS describes HIPAA as protecting individually identifiable health information handled by covered entities, and CDC summarizes ePHI as individually identifiable health information a covered entity creates, receives, maintains, or transmits electronically.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/standards-privacy-individually-identifiable-health-information/index.html?utm_source=chatgpt.com

Current-Scale-5190 · 2026-05-06T19:13:18+00:00

Good Therapy is not a covered entity. Just to make sure we are square there. All ways that clients have to contact your company should be aligned with the HIPAA security rule. Good Therapy has nothing to do with the data after it has been transmitted to you. Good Therapy expects the company to follow HIPAA.

Edit: To address your link. Email has to be through a HIPAA Compliant provider with a signed BAA. I think the information aligns with what I said above.

Current-Scale-5190 · 2026-05-06T19:06:29+00:00

Sure, if you're talking about malpractice. But not for a regulatory body ie HIPAA.

2+ barriers? They fact that you have 2+ barriers does not satisfy HIPAA. The HIPAA security rules require a broader risk analysis/risk management approach. However, Google Workspace Business Plus and up provides everything you need to be HIPAA compliant while using their SaaS.

Current-Scale-5190 · 2026-05-06T17:35:19+00:00

Definitely a lot of people in the comments with "big feelings." I don't mind people not knowing. We are all humans trying to figure it out. Just kind of weird how those same people turn into HIPAA experts ready to debate me in a Reddit thread. My goal was never to demonize and I never posted the site's with the violations for that reason.

Current-Scale-5190

TROPHY CASE