Hear from a Peer: Simplifying HIPAA Compliance in a Counseling Practice

This discussion is part of Virtru's Hear from a Peer series, where we speak with organizational leaders about the important work they do in the technology and data protection space. I'm Brett McCrae, Senior Director of Customer Success for Virtru. And joining me today is Lance Clark, Founder, Director and counselor at Clark Christian Counseling in Cary, North Carolina. Lance, thank you so much for joining me today.

How are you? I'm very well, Thank you, and yourself? Doing Great. Doing great. Thanks again and great to be with you.

Lance, I wanted to start our conversation by just talking to you and have you sort of illustrate for our audience what your organization does? Can you provide just an overview of your organization and what led you and your group to Virtru? Sure so we are a group practice of licensed clinical mental health counselors, licensed by the state of North Carolina. There are two of us that are licensed and there are two that are presently Master's level interns, and there'll be a third joining us in a month or two.

And at that point, I think we'll be full for a while since I'll be providing all the supervision. We deal with every mental health diagnosis that appears in the psychiatric DSM, the Diagnostic and Statistical Manual put out by the American Psychiatric Association. And since we are Christian counselors, there are also those who come to us because they want to explore issues of faith. And in that particular cross section of people, it might be considered a form of pastoral counseling or spiritual direction, or spiritual formation.

And obviously, there's an intersection from our world view vantage point of mental health issues and matters of the soul and spirit, and people often seek integration and understanding of that intersection. We came to Virtru because I'm pretty much the Grand Poobah who does most everything. I do all my own graphic design and marketing and everything for the company, and I was an engineer in a former occupation, a former career. And I was looking for something that was going to be easy to use for the consumer, easy to use for me as the chief administrator of the practice and would meet all HIPAA compliance concerns without me needing to become a masterfully expert and versed and hypervigilant constantly in meeting all those criterion.

Awesome, and that's great, and it seems like, as you said, you do do it all, that's really impressive. You know, Lance, you talked about, you know, some of the things that made Virtru the right choice to you, or for you and for your organization. But could you talk about some of the use cases, you know, like what, What exactly you're using Virtru for on a day to day basis? Yeah, absolutely.

This may be something that comes up a little later in the interview. I'm not sure, but the thing that I have tried to use as much open source free software as is possible that maintains HIPAA compliance with encryption standards and again, ease of use. So when I went looking for an email option, Virtru really stood out. It's the only thing that I've found that offers a plug-in for Microsoft Outlook, which is how I've become accustomed to running not only my professional life, but my personal life as well.

So I didn't want a learning curve. I didn't want new softwares. I wanted to just go as a one-man show for a lot of years. I needed something that wouldn't get in my way, but would fit in the flow of how my brain already thinks, the way I already work.

And having a plug-in for Microsoft Outlook was absolutely a blessing to me. With the ease right there in Outlook without needing to go outside of the application or to some proprietary portal that I've got to constantly log into and access indirectly or directly. My staff liked it because there's a Virtru app that they can use on their phone. We use, I like to email most everything in my practice, both with clients and with my staff.

There's thus a record of correspondence for any number of legal or clinical reasons, as well as just good oversight of a practice where people are having to administer different moving pieces at different times. And texting, as it stands, as most people understand texting, is not HIPAA compliant and I don't have access to my phone when I'm in session, but I keep live notes. So when I'm in session with somebody, I've got my laptop up. I'm entering things directly into the record.

And if there's an emergent or an urgent need that a client has, which happens more often that you might think, I get an email that I can then push out to my staff to help cover the need while I'm still engaged with the person in front of me or as a clinical supervisor. I've got counselors who are in with other clients who are needing assistance either emergently or urgently, and I'm able to handle the clinical need in the background via an email correspondence. And so I think I've answered your question as to the robustness of Virtru and why it's so appealing to us, because really, of all the different forms of communication, email is absolutely the backbone of how we get things done in my practice.

You know, Lance, that makes a ton of sense. And I think one thing that you just highlighted that really stood out to me and is, you know, the emergent or urgent needs that you highlighted that sometimes things happen and some of your patients need access to you right away. And you know, how do they get in touch with you? And that made me think, too, and I would I'd be curious to get your thoughts on this, that you mentioned how easy Virtru is for you and for your practice to use.

Could you talk a little bit about what your experience has been with those patients? I mean, I imagine if something is complicated at a time when they have a lot going on, they, you know, they want something simple and easy, right? They need to just get the information or get access to you or one of your, you know, one of your other counselors on your team. Yeah, absolutely.

The consumer feedback, the user feedback of our clients has been remarkable. I think I think one of the things that surprises them and impresses them is the fact that we even have anything. So the fact that, you know, when I get contacted to consider somebody as a new client, I tell them, before we're even off the first conversation, we use encrypted email. If you don't see something in your inbox from me, you might want to check for where encrypted emails might go in your own mail recovery system and will often ping out an email to establish a connection with them.

And then I convert leads via email. I mean, there's a warm touch on the phone, but I've got so much going on that after that first warm touch, They are impressed with, you know, getting a secure, professional styled email from me. And we do all the back and forth through the Virtru protocol. The ease of use for them is again, it's a 2-step verification process, if they like that, which normally goes off without a hitch.

And then there's a one-click feature that you guys have implemented that for, and I don't mean to be unkind, but for the elderly demographic that we serve, I've found that the one click feature is very beneficial for them. They can use that feature because a lot of times the 2-step thing could get confusing for them. And I think that's got more to do with the technology learning curve than a Virtru learning curve. But I think that it leaves an impression.

I think it builds confidence immediately, and in a way, it sends a sort of an indirect message that I take very seriously, the quality of communication that I expect in return, because their mental health and their well-being and their spiritual growth is something that I take dead seriously, and they're investing time and money into it. And I'm communicating that out of the gates with a professional, easy to use product like Virtru. You know, Lance, that's great feedback, as you know, as someone who's responsible for our customers. You know, the way I look at it is it doesn't do our customers any good if their customers can't interact with you.

And so you know that feedback is great for me to hear. So thank you. You know, Lance, it's very clear to me that, you know, the amount, the level of professionalism and security. And just around, you know, some of the most sensitive data you could have about a person, you know, is something you take very seriously.

And I know, from some of our conversation before, you know, one sort of compliance regime, if you will, that you, you are constantly thinking about is HIPAA and one that, you know, is relevant to many of our customers. I think a lot of times that some of the quote, small or even single person practices that are in the health care field that we're working with. Sometimes that can feel like a really heavy burden and really confusing for folks. You know, could you talk about just how you know, when you think of HIPAA in your practice, how you're, you know, maintaining compliance with Virtru and some of the core requirements that you're thinking of when you know, when HIPAA comes to mind.

Wow sure. First of all, I very much understand that feeling of being overwhelmed, you know, coming into the health care industry as a second career and being green and then going directly into private practice for the most part, it was a steep learning curve on HIPAA. As I referenced earlier, I was looking for anything that was succinct and trustworthy that I didn't have to be hyper vigilant about. And there wasn't a steep learning curve on knowing that Virtru has done their homework behind the scenes so that I can basically plug and play, and all I have to maintain is my conscientiousness as a user.

I don't have to be worried about the integrity of the product that I'm using. That might put me in the crosshairs of future liabilities was a huge again, blessing for me. The one HIPAA-compliant feature that I have been most grateful for is the ease of being able to revoke the emails that I've talked about that I send en masse, because user error: I get tired like anybody else. I click wrong or too early, just like anybody else.

Sometimes things get mislabeled and I put the wrong attachment in the wrong email just like anybody would. And the moment that I become aware of that, I'm able to go into the plug-in, in Outlook and simply hit the revoke button. And it's that simple. Like they lose access to being able to read it even if they've read it once, which, of course, we would hope wouldn't happen.

And there are policies in place for what you do if you do breach HIPAA, but that's been the single greatest feature for me is the ability to revoke readability rights on an email because it gives me another measure of grace and another layer of protection if I make an error as a user. That's that's great to hear as well, I mean, know, I think that, you know, our revoke feature is at times underused, so it's great to hear that that's something that, you know, you get a lot of value out of and also something that, you know, important for the line of work that you're in and the type of information that you're sending to your, you know, to your patients.

You know, and Lance, I want to bring us back a little bit. It kind of all weaves this together. But you know, you mentioned trust in your last answer. And you know, I think that that's something that we recognize at Virtru, but not always something that's thought about, you know, when you're in necessarily, you know, the IT or the security space.

But it's a really important concept. And I imagine that this is really important for you, you know, as you're building a relationship with your clients and your patients. This this idea of trust, do you find that Virtru or have you experienced that Virtru sort of ups that trust initially or throughout your, you know, your relationship with your patients? Yeah, I really do.

You know, as I said, I think it leaves an immediate impression up front because a lot of times there have been so used to interacting with other health care providers, maybe not mental health providers, but health providers who don't do HIPAA-compliant things. You know, you can go anywhere online and read that one of the greatest areas of HIPAA non-compliance and data breaches is at the reception desk of any provider, whether it's a massage therapist, your dentist or your doctor's office, I mean, just the sign-in sheet in and of itself is actually a HIPAA violation. So, yeah, I think I think it impresses people and establishes trust at a far greater rate of immediacy than otherwise.

I mean, in the mental health field, one of the things that we work with so often is this dynamic of shame, where a person feels like somehow they're just not worth enough or anything. And so for me to take them and their information seriously communicates that I expect them to take themselves seriously. And I'm sort of modeling how to begin to esteem them just through using something like Virtru. Saying, "Your data is, not as important, but similarly important to you, the person, and I'm going to treat both with respect."

That's that's great to hear and great, you know, really interesting concept of how something that you're using in your tech stack can help you build that trust. And you know, in a way, it sounds like an I don't, you know, tell me if this is off, but almost helps that person build their own value, which at times I imagine is really important in the Counseling and that you're doing. Yes, sir. You know, Lance, we've talked about some of the ways that Virtru has been helpful.

You know, but I know there's also still challenges out there, right with, And you, as you mentioned at the beginning being do it all guy you know it graphic design, marketing, you name it. That's you. Could you talk a little bit about some of the biggest, you know, data protection issues that you're still seeing or that you know, the issues— Or, I'm sorry, organizations similar to yours are facing today. It sure, I think well, I think the first is still this idea of the acceptability of texting.

The second, I think, would be that, One of the concerns that I have is our cloud-based systems, there are any number of different brands of counseling portals that sort of advertise, "We do it all." But my concern with that is that there's data stored somewhere that That somebody else has access to. And, you know, unfortunately, we need only look at the headlines at least once a year and there are significant data breaches in every sector. My clients are not at risk with that because of what I put in place, which is private and I'm not going to share, except for how I use Virtru.

Sure so that end-to-end encryption, that Virtru offers, the verification processes, the ability to revoke, you know, readability. There's not stuff floating around out there unless it's on my system, which my staff doesn't even access to because we don't have an internal server or it's in your email box. And at that point, you have control over that. You and whomever else you let get into your phone or read your email or whatever privacy settings you've got set up with Google or Hotmail or Yahoo or whoever your email provider is.

But Virtru has done their job on that end, and I've done my job on my end, and it's then up for the client to take seriously their protection and do their part. And I feel like I go a long way to helping my uneducated client do their part by using a product like Virtru. When I was getting versed on HIPAA, the thing that stood out again and again and again was the culpability. The onus is on the provider because they're supposed to be the ones that are trained and compliant.

If I have a client that says I'll just send me an unencrypted emails, I say "No," because the burden is on me to be compliant. You can't just give consent for me to break HIPAA, it doesn't work that way. So I've done my part by, again, using products like Virtru to make it easy on them and easy on me and keep everybody happy and protected. Yeah and Lance, I think you hit on something that we're seeing a ton of and that's what do you do with the cloud, right?

Like what? What's going, you know? And it's a, you know, for folks that aren't in the IT world or — it's an interesting concept, right? It's new to them, and, you know, one thing that we've been really focused on, and I think you did a great job of highlighting it is, you can...

There's all these different ways to implement and Zero Trust is a very growing and popular and very thoughtful approach to data security. And there's a lot of ways to do that. But what we are doing at our core at Virtru and I think you just highlighted this, is putting that concept on the data itself, which, as you said, is ultimately the thing that you want to really protect. It is the core of that, you know, of HIPAA, right?

Is is the data, the PII, the PHI. So really cool to hear how you're implementing that and how you're thinking about that. You know, I want to go back on a similar vein into this, into this area that, you know, you've been able to do a lot of this yourself. It's hard and it requires a lot of, you know, a lot of time.

And I'm just wondering, you know, as you think about the person who's just starting their own practice or the single practitioner, you know what, as they're thinking about compliance and data security and, you know, software partners, what advice do you have for them? What should they be thinking about? Yeah I don't know what I can tell you, that's a lot to think about. You know, I don't want to bring back some memories.

I don't want to pretend that everybody is wired the way I am. But I think we all share something in common and that would be time, energy and money. And so I don't like to reinvent the wheel. I like to find people that make really good wheels and make it worth my dollar and then let them work for me.

So for a person that's just starting out, I would say that a lot of the, as we said, the out-of-the-box, the software-does-it-all. models are overkill. I've test-driven a few of them. And as my practice has grown, as I said, we're going to be up to five in a month or two here.

I still am opting to not use one of those. I think that there are things that are more cost effective, not as cluttered, and something like Virtru fills only very inexpensively, in my opinion, and very versatilely and with robust credentials for HIPAA compliance. So again, you know, buy a good wheel and implement it and don't brain yourself otherwise. So I think for the person who's just starting out or a small practice, you're going to want to look at conserving your energy, your money, and your time.

And I think you get the conservation of all three of those with Virtru's product. That's why I mean, I'm going to be honest with you. I shop about every year for everything. I look at everything because I don't want to get behind the curve in the marketplace.

I don't want to have antiquated tools. And I mean, I've been with you guys for years. I keep coming back, like, you guys are our leading and doing it well. Well, thank you, Lance.

It's very, very kind of to say, and that's what we're, you know, that's our goal. That's what we're trying to do is sort of stay at the head of the pack and just also while providing the best possible product, the best possible security combined with the ease of use. You know, if it's if, no matter how secure it is, if you can't use it, it doesn't do anyone any good, right? So, you know, I really appreciate you saying that, you know, I — Lance, we've talked about a lot today.

Is there anything that we haven't covered that just, you know, that comes to mind or that you'd like to share on this series? Wow, Yeah, Actually. Your customer support team is amazing. Oh, great!

I love hearing that. Yeah I mean, this is not going to send the wrong message. But you know, when you journey with somebody through growth, you're going to end up pinging out to their support people. The number of different times, either because you're an idiot or your computer has gotten old now it's having trouble.

And so I always get a response, in my estimation, what feels like immediately, comparatively. I don't feel like I've ever been left hanging in a real need, I can let somebody know it's urgent and somebody on it. The follow-up is amazing. I'm constantly getting emails saying, you know, is somebody on this, is somebody looking at this, was the answer satisfactory?

And we recently had an issue which seems to be idiosyncratic to our particular systems. Whatever I have hobbled together to do things the way I do it. I created an anomaly and but, you know, Virtru didn't say, you're just a little guy, you're inconsequential. We're not seeing this anywhere else, so we're going to ignore it.

They took it to heart. They promoted it up the chain of command. They investigated it. They did their due diligence and they came back and said, it's just an idiosyncrasy with whatever you have cobbled together on your system.

We're so sorry. Is there anything you'd like to do, and actually offered me some customer satisfaction measures that I didn't feel were necessary. I was impressed that things were taken seriously. And since it's me in the way that I'm approaching the way that I do my workflow, I'm willing to accept that.

And I felt blessed by the customer satisfaction offer. But I chose to stay with you guys because, like I said, in my opinion, you're the only game in town. I mean, coming back to that conservation of time, money and energy, there's nothing else that even comes close. Well, Lance, thank you for saying that.

Yeah, kudos to your customer service peeps. They're incredibly diligent and hardworking, and I'll pass that feedback to them. They love hearing things like that. So thank you.

You know, Lance, this has been great. Thank you so much for joining me today to share your story and your experience with Virtru. It's been awesome to hear about the great work that you're doing with your organization and really how data protection is really, you know, I won't say at the core, but adjacent to the core of what you're doing in the service you're providing and just how important it is as part of that trust building and confidence building piece with your clients. To our audience, Thank you so much for watching.

For more videos, you can check out our website, Virtru.com, select Resources or visit our YouTube channel. Thank you so much for joining us today.