Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share what we know about the proposed HIPAA Security Rule and steps to take to safeguard your practice in the meantime until we know more.

We discuss:

• The current status of the proposed HIPAA Security Rule
• How regulatory uncertainty does not equal security uncertainty
• Takeaways from OCR Director Paula Stannard's comments at the National HIPAA Summit that give insight into the rationale behind the proposed rule
• Risk analysis, encryption, reasonable and appropriate safeguards, and meaningful protection of client information
• Our recommendation for building your compliance strategy
• Four steps practice owners should take right now to safeguard your practice
• PCT resources that can help you take those steps

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• Article: Feds Are Still Assessing Proposed HIPAA Security Rule Update

• PCT's Free Mini-Risk Assessment Tool
  • Wondering whether your practice's safeguards are reasonable and appropriate for today's threat landscape? Our free Mini Risk Analysis Tool provides a quick, practical way to evaluate your security circle, identify potential gaps, and determine where to focus your attention next. While not a substitute for a full HIPAA Security Risk Analysis, it's an excellent place to begin.
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we have an important update for practice owners who bill insurance.

We discuss:

• Why the change from CAQH to DataSpring is not just an administrative rebrand, as DataSpring is trying to position it
• Why this change is a big deal for practice owners who bill insurance
• The action steps recommended by The Group Practice Exchange
• Additional PCT-recommended action steps
• Who owns the infrastructure that healthcare depends on?
• Looking at this change from a risk management perspective

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• PR Newswire article: Leading Health Plans Become CAQH Owners to Shape the Future of Healthcare Data
• The Group Practice Exchange's informational post & action items
• More context & takeaways from the Group Practice Exchange
• Mental Health Insurance Reform Task Force's post

• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
    • HIPAA Security & Privacy Ethics training
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we have exciting updates for cross-jursidictional and multi-jurisdictional practice.

We discuss:

• The Counseling Compact, and the states in which it is live
• The ETA for the Social Work Licensure Compact going live
• Access MFT's licensure portability effort
• Portability-friendly laws and how they differ from rights for temporary practice
• PSYPACT updates
• Physical location restrictions and requirements for providers under compacts
• Details of our upcoming CE training: Legal-Ethical Cross-Jurisdictional Telemental Health in 2026: Interstate, International, and Complex Practice Considerations

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• New on-demand CE training: Legal-Ethical Cross-Jurisdictional Telemental Health in 2026: Interstate, International, and Complex Practice Considerations Presented by Eric Ström, JD, PhD, LMHC and Liath DaltonA 3-hour legal-ethical CE training for clinicians navigating the realities of modern telemental health practice, where clients travel, relocate, attend college out of state, split time between households, or receive care while physically located somewhere other than the clinician's primary licensing jurisdiction.

  This updated training moves beyond a basic "am I allowed to practice there?" analysis into advanced practical application. Participants examine practice-authority pathways, temporary practice allowances, PSYPACT, the Counseling Compact, the Social Work Licensure Compact, MFT portability developments, clinician-location versus client-location issues, international practice considerations, payer and malpractice concerns, emergency planning, confidentiality and mandatory reporting conflicts, minor consent and parent/guardian access issues, and documentation of due diligence.

  Participants also receive practical worksheets to support jurisdictional verification, international due diligence, and mapping applicable laws, risks, and practice implications — helping clinicians move from identifying a possible permission pathway to evaluating the conditions, conflicts, capacity, documentation, and risk-management steps needed to make a grounded practice decision.

  Recommended for any clinician providing teletherapy, as well as practice owners, supervisors, clinical directors, compliance leads, and other practice leadership responsible for supporting cross-jurisdictional care decisions. This training can also be assigned to team members through PCT's free team training management system (Group Practice Care basic.)

  As one participant shared: "Thank you for an absolutely excellent presentation! The presentation is a home run, and I will recommend it to my colleagues… I have a somewhat unique perspective on teletherapy and licensure mobility from working on these issues at the state, national, and international regulatory levels. The information that you provided is clear, direct, easy to follow, and accurate."

• PCT's free (!) Teletherapy Practice Rules by State Tool Whenever teletherapy sessions occur when the client -- or therapist -- are physically located outside the state of the clinician's licensure at the time of session, cross-jurisdictional practice is occurring. It is necessary to answer the question of whether it is permissible for you to work with that client in that state, regardless of whether the presence in another jurisdiction is temporary or not.In addition to the fundamental question of whether practice is permitted, and the particulars of how it is permitted, it is important to identify rules of practice, and training requirements, in order to be equipped with the information you need to follow for navigating legal-ethical cross-jurisdictional practice.This tool is a supportive resource to help you identify that information, link you to the authoritative source, and document your performance of due diligence when conducting cross-jurisdictional practice within the United States.
• PCT's Clinical Staff Teletherapy Training
• PCT's Teletherapy Director and Supervisor Training for Group Practices
• PCT's Teletherapy Manuals and Forms for Group Practices
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
• If you're navigating filing a breach report and you haven't completed a documented "thorough and accurate" HIPAA Security Risk Analysis that meets the foundational Security Rule requirements, this is something you want/need to do so it can be reflected in your breach report to the OCR (HIPAA regulators)
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training

• PSYPACT
• Counseling Compact
• Social Work Licensure Compact
• Access MFTs

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share a cautionary tale about a Talkspace client whose healthcare information was weaponized against them.

We discuss:

• Venture capital firms buying therapy practices, monetizing, and weaponizing client data to make more money
• A recent case where a Talkspace client's data was read aloud in court
• Platforms using client communication to train LLMs and AI platforms
• How these platforms are profoundly detrimental to clients, therapists, and the profession
• Why when something seems too easy and convenient, you are often the product (and your clients are the product)
• How these companies operate outside of HIPAA Security Rule standards
• The importance of vetting platforms and having BAAs for safeguarding client information

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• Story referenced in episode re: employee termination and litigation using all their session data/content from Talkspace chatbot
• Story regarding AI models failing ethics standards and standards of care

• Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
  • Live Webinar Presentation on May 8th, 2026
  • Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can't join live.
• PCT's recommended/curated collection of role-based foundational and topical needs-based staff trainings, including HIPAA and Privacy Ethics for clinical staff, admins; leadership trainings; clinical staff teletherapy training; director/supervisor training; and topical trainings on documentation, rights of access, suicidality, accessibility, countertransference, and much more.
  • Nationally respected, role-based HIPAA and privacy ethics and teletherapy training built for mental health staff
  • On-demand trainings are accessible in perpetuity and do not expire.
  • APA, NBCC, and multiple state licensing board CE provider approvals mean that CE courses count towards licensure renewal requirements for your clinical team.
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we talk about the importance of proficiency and competency with any tool or modality used in your practice.

We discuss:

• Why training is necessary with any tool or modality used in your practice, not just AI
• What the professional ethics codes say about competence and proficiency for tools and modalities used
• How PCT evolved to help clinicians manage the advent of new technology
• Our upcoming CE training on how to evaluate AI and incorporate it into your practice and workflow ethically and effectively
• How training can set you apart and strengthen the therapeutic alliance

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
  • Live Webinar Presentation on May 8th, 2026
  • Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can't join live.
• PCT's recommended/curated collection of role-based foundational and topical needs-based staff trainings, including HIPAA and Privacy Ethics for clinical staff, admins; leadership trainings; clinical staff teletherapy training; director/supervisor training; and topical trainings on documentation, rights of access, suicidality, accessibility, countertransference, and much more.
  • Nationally respected, role-based HIPAA and privacy ethics and teletherapy training built for mental health staff
  • On-demand trainings are accessible in perpetuity and do not expire.
  • APA, NBCC, and multiple state licensing board CE provider approvals mean that CE courses count towards licensure renewal requirements for your clinical team.
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share concrete steps to take if you've discovered staff members using non-approved AI platforms in your practice.

We discuss:

• The misconceptions around what constitutes PHI (and why information used to write a progress note absolutely is PHI)
• Why this is a reportable HIPAA breach
• Why reporting a HIPAA breach is nowhere near as scary or impactful as you may fear
• The difference between a large breach and a small breach, and reporting deadlines for each
• Client notification deadlines for breaches
• How state law can impact or add to reporting deadlines
• Steps to take after discovering non-compliant AI use in your practice
• What to investigate, how to document, how to mitigate, how to notify clients, and when to consult an attorney

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• PCT CE Course (on-demand): If you're navigating exactly what we're talking about in this episode, our on-demand CE training, HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting, provides a clear, structured walkthrough of what to do when something goes wrong. It covers how to determine whether an incident is a breach, how to investigate and document appropriately, and how to handle client notification and reporting requirements—along with strategies to reduce risk going forward. This is a practical, real-world roadmap designed specifically for mental health practices, so you're not left guessing about next steps when a breach situation arises.
• Breach Report Questions: If you want to understand what breach reporting actually looks like in practice, this resource walks you through the exact information required when submitting a report to the Office for Civil Rights (OCR). It outlines the specific details you'll need to gather — such as the type and scope of the breach, the number of individuals affected, what kind of PHI was involved, and what actions you've taken in response — so you can approach reporting with clarity and confidence rather than guesswork. Reviewing these questions ahead of time can also help guide your investigation and documentation process, ensuring you're collecting the right information from the start.
• Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
  • Live Webinar Presentation on May 8th, 2026
  • Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can't join live.
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
• If you're navigating filing a breach report and you haven't completed a documented "thorough and accurate" HIPAA Security Risk Analysis that meets the foundational Security Rule requirements, this is something you want/need to do so it can be reflected in your breach report to the OCR (HIPAA regulators)
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training
• Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
  • In this article, Person Centered Tech breaks down one of the most misunderstood concepts in HIPAA compliance: de-identification. It clarifies the difference between simply "removing identifiers" and meeting HIPAA's strict legal standards for de-identification (Safe Harbor or Expert Determination). The piece explains why narrative clinical information is often inherently identifying, why a session transcript cannot realistically be considered de-identified, and how AI systems introduce heightened risks of re-identification. It reinforces a critical takeaway for practice leaders: HIPAA sets the floor — not the ceiling — for protecting client information, and governance must keep pace with emerging technologies.
• PCT CE Course: Law & Ethics of the Clinical Use of Artificial Intelligence: Implications in Clinical Practice
  • If you're wanting a deeper, structured framework for evaluating AI in clinical practice, this 3-credit legal-ethical on-demand training with Eric Ström, JD, PhD, LMHC, walks through the evolving legal standards, HIPAA considerations, and ethics code guidance that apply to AI use in behavioral health. You'll gain practical strategies for assessing new technologies, understanding emerging standards of care, and implementing AI tools in a way that is legally defensible and ethically sound.
• Podcast: Episode 608: AI Isn't the Problem, Lack of Governance Is – A PSA for Group Practice Leadership
• Podcast: Episode 611: The Real Risks of Using Non-Vetted AI Platforms with Client Information
• Group Practice Care Premium
• weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
• Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
• Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

• Mintz-Matrix: The Mintz Matrix is a comprehensive, regularly updated overview of U.S. state data breach notification laws, providing a state-by-state breakdown of requirements such as definitions of personal information, what constitutes a breach, and timelines for notification. This is especially relevant in the context of this episode because HIPAA is only part of the picture—state laws often impose additional requirements, including shorter notification timeframes and broader definitions of protected information. Reviewing the Mintz Matrix can help you understand your specific state obligations and ensure that your response to a breach is not only HIPAA-compliant, but also aligned with applicable state laws.
• The HHS Office for Civil Rights (OCR) Breach Portal provides essential guidance on what constitutes a reportable breach and what happens after a report is submitted. It explains that a breach involves the unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy, and outlines how OCR reviews, investigates, and resolves reported incidents. This is particularly relevant to this episode because it helps demystify what occurs after you file a breach report—reinforcing that reporting does not automatically trigger penalties, but instead initiates a review process that may include technical assistance, investigation, or closure without further action. Understanding this process can reduce fear and support more confident, compliant decision-making when responding to a breach.

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we explain why free email providers are inherently not HIPAA compliance compatible.

We discuss:

• Why it's necessary to have a Business Associate Agreement with your email service provider
• Why clients can't opt out of HIPAA
• What requests for alternative or non-secure communication actually mean under the HIPAA Privacy Rule
• What counts as Protected Health Information (PHI)
• Why a free email address might be a red flag for prospective clients
• How to get a BAA protected email, with a domain name or without

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• PCT Article: 3 Kinds of Email Security: How to Make an Informed and HIPAA-Aware Choice
• PCT CE Training: Smooth and Secure Use of Phone, Text, Email, and Video to Meet Modern Clients Where They Are: Legal-Ethical and Real-World Considerations
  • Learn about the legal-ethical considerations of modern communication channels in the context of real world practice and client needs. 3 Legal-Ethical CE credit hours. On-demand.
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we continue our series on AI use within therapy practices by sharing how to explain to your team members why using non-vetted AI platforms is not permissible.

We discuss:

• What counts as Protected Health Information and a breakdown of the often misunderstood 18th identifier under HIPAA
• How therapy progress notes and clinical notes are inherently identifying
• AI re-identification risk and why this is possible
• Why AI use involving client information must be vetted and HIPAA compliance-compatible
• What happens when you input data into personal AI platforms
• What we mean by AI governance, and why personal AI platforms can't be governed
• Why lack of AI governance is a significant liability
• Impermissible disclosures under HIPAA
• Why proving low probability of compromise is difficult after the fact, and what this means for your ability to mitigate risk
• Managing the emotional pieces of identifying risk and risk mitigation in your practice

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

PCT Resources:

• Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
  • Live Webinar Presentation on May 8th, 2026
  • Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can't join live.
• Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
  • In this article, Person Centered Tech breaks down one of the most misunderstood concepts in HIPAA compliance: de-identification. It clarifies the difference between simply "removing identifiers" and meeting HIPAA's strict legal standards for de-identification (Safe Harbor or Expert Determination). The piece explains why narrative clinical information is often inherently identifying, why a session transcript cannot realistically be considered de-identified, and how AI systems introduce heightened risks of re-identification. It reinforces a critical takeaway for practice leaders: HIPAA sets the floor—not the ceiling—for protecting client information, and governance must keep pace with emerging technologies.
• PCT CE Course: Law & Ethics of the Clinical Use of Artificial Intelligence: Implications in Clinical Practice
  • If you're wanting a deeper, structured framework for evaluating AI in clinical practice, this 3-credit legal-ethical on-demand training with Eric Ström, JD, PhD, LMHC, walks through the evolving legal standards, HIPAA considerations, and ethics code guidance that apply to AI use in behavioral health. You'll gain practical strategies for assessing new technologies, understanding emerging standards of care, and implementing AI tools in a way that is legally defensible and ethically sound.
• Podcast: Episode 608: AI Isn't the Problem, Lack of Governance Is – A PSA for Group Practice Leadership
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share information about the recent Darksword iPhone exploit, and what that means for therapy practice owners regarding device security.

We discuss:

• What you need to know about this exploit
• Device hardening within your security circle
• Device security gaps we see in everyday practice
• Pairing technical security measures with behavioral security measures
• PCT's resources around risk management and device security

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
• PCT's Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
    • HIPAA Security & Privacy Ethics training
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

• Wired Article: Apple Will Push Out Rare 'Backported' Patches to Protect iOS 18 Users From DarkSword Hacking Tool
• PC Mag Article: 'DarkSword' Attack Is Now Targeting Vulnerable iPhones Via Phishing Emails
• Malwarebytes Labs Article: [updated] A DarkSword hangs over unpatched iPhones

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we discuss HHS's new model Notice of Privacy Practice for Part 2 programs, what has changed, and what that means for your practice.

We cover:

• The Part 2 Final Rule from 2024
• Why the Feb. 16th enforcement deadline has been so confusing
• The model Part 2 NPP and Patient Notice from HHS, and the function of each document
• Who is considered a lawful holder and what that means
• Whether you need to switch to the HHS templates
• What to do if you already used our decision guide and resources ahead of the deadline

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

• Updated HHS Model Notice of Privacy Practices
• Model Part 2 Patient Notice
• HHS Part 2 Final Rule Fact Sheet
• PCT decision guide and sample language resource

• Episode 605: 42 CFR Part 2, HIPAA NPPs, and the February 16 Deadline: What Actually Needs to Change
• Group Practice Care Premium
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more