A common sense checklist for digital security

The SimplePractice iPhone app is now available! All this month we’re exploring the ways health and wellness professionals use mobile devices to save time and maintain HIPAA compliance.


Digital security can be confusing even for the most tech-savvy therapists among us. Even if you buy the strongest lock for your house, it’s no use if you leave the window open. That’s why at SimplePractice we personally abide by this easy-to-follow checklist, which we learned from Jason Fried of 37signals in his book Remote. It’s not an all-encompassing HIPAA security plan for your practice, but it’s the simplest process we’ve found for closing the most common gaps. You probably spend a lot of time, money and anxiety on HIPAA security. At SimplePractice it’s one of the most critical features of our software. In addition to the potential for fines under HIPAA, we all feel a personal responsibility to protect the privacy of our clients, their Protected Health Information (PHI), and other sensitive information.

1. Hard drive encryption

Sounds complicated, but it’s not. If you have a Mac, turn on the FileVault setting for your hard drive. It takes just a couple of minutes to turn on, and you can read the step-by-step instructions here. For Windows users there are also several options you can find with a simple Google search.

But don’t stop at your computer: the SimplePractice iPhone app encrypts PHI stored on your mobile device.
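A quick way to confirm that step 1 is actually done on a Mac, as an added example that is not part of the original post: macOS ships a command-line tool, `fdesetup`, whose `status` subcommand reports whether FileVault is on. The script below runs it and reduces the answer to `on`, `off` or `unknown` (the `unknown` case covers non-Mac machines, where the tool does not exist). The function and variable names are our own.

```python
import subprocess


def parse_fdesetup_status(output: str) -> str:
    """Map the text printed by `fdesetup status` to 'on', 'off' or 'unknown'.

    On macOS the first line reads "FileVault is On." or "FileVault is Off.";
    anything else (an error, empty output) is reported as 'unknown' so the
    caller never silently assumes the disk is encrypted.
    """
    first_line = output.strip().splitlines()[0] if output.strip() else ""
    if first_line.startswith("FileVault is On"):
        return "on"
    if first_line.startswith("FileVault is Off"):
        return "off"
    return "unknown"


def filevault_state() -> str:
    """Run `fdesetup status` and return 'on', 'off' or 'unknown'."""
    try:
        completed = subprocess.run(
            ["fdesetup", "status"],
            capture_output=True,
            text=True,
            check=False,
        )
    except FileNotFoundError:
        # Not a Mac (or the tool is missing): we cannot tell, so say so.
        return "unknown"
    return parse_fdesetup_status(completed.stdout)


if __name__ == "__main__":
    state = filevault_state()
    if state == "on":
        print("FileVault is on: the hard drive is encrypted.")
    elif state == "off":
        print("FileVault is OFF: turn it on in System Preferences > Security & Privacy.")
    else:
        print("Could not determine FileVault state on this machine.")
```

Treat `unknown` as "not verified": the point of the check is to fail closed rather than assume encryption is in place.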

2. Computer and smartphone login passwords

This one’s obvious, and many of you probably already have a password that protects your computer and your smartphone. However, also make sure the device locks itself (so the password is required again) when it wakes from sleep and after 5-10 minutes of inactivity. You can adjust these settings in the system preferences area of your computer.

This is one of the most important steps you can take to protect your data, so that’s why we make a password mandatory to access PHI in the SimplePractice app.

3. Smartphone data erase

Use an app that can remotely wipe your smartphone if it’s stolen. For iPhone users there’s the Find My iPhone application. For Android, there’s Android Device Manager.

For users of the SimplePractice iPhone app, we recommend installing our security profile, which sets your iPhone to automatically erase all its data after the 10th failed login attempt. This is extra security in case your phone is stolen.

4. Unique password

Don’t use the same password for every site. If one service gets hacked, every account sharing that password is exposed. Many people reuse one password across all their accounts, so if yours is stolen, expect the thieves to try it on other sites containing sensitive information. We understand that it’s hard to keep track of so many unique passwords. But at the very least, take special care to ensure all passwords protecting PHI are unique. For everything else, you can try using a secure password manager like 1Password.

5. Two-factor authentication for email

This one is required by HIPAA for accessing PHI remotely, but it’s still a hole in many therapists’ compliance strategy. This measure requires you to have access to both your computer and your smartphone in order to log in and check email. Every time you log in to your email, a verification code is sent to your phone. You have to type that code into your computer to prove it’s you before you can access your email data. This way a thief must steal both your password and your phone to get into your email.

This one is particularly important because once a thief has access to your email, they have access to all your accounts through the password-reset feature that’s so common on websites today. Gmail offers the best two-factor authentication for web-based email.

That’s the simple checklist we use for all of our personal data at SimplePractice. To review:

  1. Enable hard drive encryption.
  2. Use a computer login password that’s required each time you access your computer.
  3. Use an app that can remotely wipe your smartphone if it’s stolen.
  4. Don’t use the same password for every site.
  5. Enable two-factor authentication for email.

Put this security checklist into practice for all your computers, smartphones, and tablets and you can rest easier knowing you’ve got the basics covered.

At SimplePractice we want you to have strong digital security without the anxiety of a complicated process. We think that strong security measures made simple are the most effective. When the security process is simple, it’s easier to understand so you can confidently take control of digital security and leave behind the guesswork involved with keeping your PHI private and secure.

The SimplePractice iPhone app is available now.
