Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we share concrete steps to take if you’ve discovered staff members using non-approved AI platforms in your practice.

We discuss:

• The misconceptions around what constitutes PHI (and why information used to write a progress note absolutely is PHI)
• Why this is a reportable HIPAA breach
• Why reporting a HIPAA breach is nowhere near as scary or impactful as you may fear 
• The difference between a large breach and a small breach, and reporting deadlines for each
• Client notification deadlines for breaches
• How state law can impact or add to reporting deadlines
• Steps to take after discovering non-compliant AI use in your practice
• What to investigate, how to document, how to mitigate, how to notify clients, and when to consult an attorney

Listen here: https://personcenteredtech.com/group/podcast/

For more, visit our website.

PCT Resources:

• PCT CE Course (on-demand): If you’re navigating exactly what we’re talking about in this episode, our on-demand CE training, HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting, provides a clear, structured walkthrough of what to do when something goes wrong. It covers how to determine whether an incident is a breach, how to investigate and document appropriately, and how to handle client notification and reporting requirements—along with strategies to reduce risk going forward. This is a practical, real-world roadmap designed specifically for mental health practices, so you’re not left guessing about next steps when a breach situation arises.
• Breach Report Questions: If you want to understand what breach reporting actually looks like in practice, this resource walks you through the exact information required when submitting a report to the Office for Civil Rights (OCR). It outlines the specific details you’ll need to gather — such as the type and scope of the breach, the number of individuals affected, what kind of PHI was involved, and what actions you’ve taken in response — so you can approach reporting with clarity and confidence rather than guesswork. Reviewing these questions ahead of time can also help guide your investigation and documentation process, ensuring you’re collecting the right information from the start.
• Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
  • Live Webinar Presentation on May 8th, 2026
  • Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can’t join live.
• HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
• If you're navigating filing a breach report and you haven't completed a documented "thorough and accurate" HIPAA Security Risk Analysis that meets the foundational Security Rule requirements, this is something you want/need to do so it can be reflected in your breach report to the OCR (HIPAA regulators)
• PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • For Group Practices
  • For Solo Practitioners
    • Comprehensive HIPAA Security Policies & Procedures
    • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
    • Device & Workspace Security Suites
    • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
    • Includes the Risk Analysis & Risk Mitigation Planning service + tool
  • HIPAA Security & Privacy Ethics training
• Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
  • In this article, Person Centered Tech breaks down one of the most misunderstood concepts in HIPAA compliance: de-identification. It clarifies the difference between simply “removing identifiers” and meeting HIPAA’s strict legal standards for de-identification (Safe Harbor or Expert Determination). The piece explains why narrative clinical information is often inherently identifying, why a session transcript cannot realistically be considered de-identified, and how AI systems introduce heightened risks of re-identification. It reinforces a critical takeaway for practice leaders: HIPAA sets the floor — not the ceiling — for protecting client information, and governance must keep pace with emerging technologies.
• PCT CE Course: Law & Ethics of the Clinical Use of Artificial Intelligence: Implications in Clinical Practice
  • If you’re wanting a deeper, structured framework for evaluating AI in clinical practice, this 3-credit legal-ethical on-demand training with Eric Ström, JD, PhD, LMHC, walks through the evolving legal standards, HIPAA considerations, and ethics code guidance that apply to AI use in behavioral health. You’ll gain practical strategies for assessing new technologies, understanding emerging standards of care, and implementing AI tools in a way that is legally defensible and ethically sound.
• Podcast: Episode 608: AI Isn’t the Problem, Lack of Governance Is – A PSA for Group Practice Leadership
• Podcast: Episode 611: The Real Risks of Using Non-Vetted AI Platforms with Client Information
• Group Practice Care Premium
• weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
• Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
• Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Additional Resources:

• Mintz-Matrix: The Mintz Matrix is a comprehensive, regularly updated overview of U.S. state data breach notification laws, providing a state-by-state breakdown of requirements such as definitions of personal information, what constitutes a breach, and timelines for notification. This is especially relevant in the context of this episode because HIPAA is only part of the picture—state laws often impose additional requirements, including shorter notification timeframes and broader definitions of protected information. Reviewing the Mintz Matrix can help you understand your specific state obligations and ensure that your response to a breach is not only HIPAA-compliant, but also aligned with applicable state laws.
• The HHS Office for Civil Rights (OCR) Breach Portal provides essential guidance on what constitutes a reportable breach and what happens after a report is submitted. It explains that a breach involves the unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy, and outlines how OCR reviews, investigates, and resolves reported incidents. This is particularly relevant to this episode because it helps demystify what occurs after you file a breach report—reinforcing that reporting does not automatically trigger penalties, but instead initiates a review process that may include technical assistance, investigation, or closure without further action. Understanding this process can reduce fear and support more confident, compliant decision-making when responding to a breach.