HIPAA Compliance for Therapists: What You Need to Know

Use and Disclosure of PHI

A significant component of HIPAA regulates the proper uses and disclosures of protected health information (PHI). Generally, the use and disclosure of PHI is allowed for treatment, payment, and healthcare operations. This means that PHI can only be shared for these purposes unless the patient provides written authorization for another use or disclosure.

To be HIPAA compliant, therapists must provide patients with a Notice of Privacy Practices upon intake that outlines how the practice will use and disclose their PHI.

HIPAA also allows therapists to discuss information relevant to a person’s care with other members of their healthcare team. HIPAA permits the sharing of factual information, such as names of medications, symptoms, appointment start and end times, and diagnosis. 

Under HIPAA, therapists may share pertinent information (information directly related to treatment) with people involved in a person’s care if the person in treatment:

• Has agreed
• Has been given an opportunity to object and has not objected
• Has indicated they want the other person’s involvement, by, for example, bringing the other person to treatment, or having the other person help schedule sessions and pick up prescriptions
• Is incapable of making decisions as a result of being unconscious, delirious, or otherwise unable to object or agree

HIPAA Release Forms

If your practice requires a disclosure of PHI not covered by payment, treatment, or healthcare operations, then you must ensure that you obtain a HIPAA release form BEFORE any PHI can be disclosed. This is essential to both maintaining the privacy of your patients and protecting your practice from potential HIPAA violations and fines.

Some instances when a HIPAA waiver form is required include for:

• Disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations
• PHI used in marketing or fundraising efforts
• PHI shared for research purposes
• Disclosure of any psychotherapy notes
• PHI disclosed or shared for monetary compensation

Psychotherapy Notes Under HIPAA 

Psychotherapy notes under HIPAA are subject to slightly different rules. Psychotherapy notes contain particularly sensitive information. These notes constitute the therapist’s personal notes – notes that usually are not required or useful for treatment, payment, or healthcare operations purposes (other than by the mental health professional who created the notes).

HIPAA Psychotherapy Notes Release Form

HIPAA psychotherapy notes release forms are generally required to be signed by patients for any reason, including disclosure for treatment purposes to a healthcare provider other than the originator of the notes. 

However, a therapist does not need authorization to use or disclose psychotherapy notes:

• For its own training 
• To defend itself in legal proceedings brought by the individual
• For HHS to investigate or determine the covered entity’s compliance with the Privacy Rule
• To avert a serious and imminent threat to public health or safety
• To a health oversight agency for lawful oversight of the originator of the psychotherapy notes
• For the legal activities of a coroner or medical examiner

HIPAA Right of Access

The HIPAA Right of Access requires therapists to provide patients with copies of their medical records upon request. To comply with the right of access standard, requested records must be provided within 30 days of request, in the format the patient requests them in. Therapists are also limited to charging a reasonable cost-based fee to supply the records (i.e., you may charge a patient for the cost of a CD but not for the time it took your staff to gather the records). 

Psychotherapy notes are expressly excluded from the right of access.

HIPAA Compliance for Therapists: Implementing an Effective Compliance Program

HIPAA compliance for therapists also requires you to implement an effective HIPAA compliance program that follows HIPAA Privacy, Security, and Breach Notification Rule standards.

Elements of an effective HIPAA compliance program can be found below.

Security Risk Assessments, Gap Identification, and Remediation

HIPAA requires therapists to conduct security risk assessments to uncover weaknesses and vulnerabilities in security practices. After you complete your assessments, HIPAA requires you to create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

Compliancy Group provides clients with all required risk assessments, with support from Compliance Coaches to instruct you on completing them. Once the assessments are completed and added to our software, gaps in compliance are automatically identified. To close these gaps, the software creates remediation plans specific to your practice, which, once implemented, allow you to meet HIPAA safeguard requirements.

HIPAA Policies and Procedures

To meet HIPAA Privacy, Security, and Breach Notification requirements, your practice must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how it operates. Any changes in your business practices must be included in your policies and procedures where appropriate.

Compliancy Group provides clients with policies and procedures specific to your practice. Each policy also includes a summary section to simplify procedures into language that all employees can easily understand.

HIPAA Training

Any employee that has the potential to access PHI must receive annual HIPAA training. Employees must legally attest that they understand and agree to adhere to the training material. 

Compliancy Group’s HIPAA training consists of a series of short educational videos to keep your employees engaged. Administrators can quickly check individual employee training progress and attestations through the software platform.

Business Associate Agreements

You likely work with business associates to run your practice. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

Business associate agreements must be signed with each of your business associate vendors. 

Compliancy Group allows practices to send each of their business associates BAAs easily. It also assigns them a vendor questionnaire, similar to your self-audits, to assess their compliance. Once vendors have completed both, their responses are recorded, and agreements are stored in the software platform.

Incident Management and Audit Support

The HIPAA Breach Notification Rule requires practices to have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and know what to do if they suspect a breach has occurred. Healthcare organizations that suffer a breach and cannot prove their HIPAA compliance are often audited and fined. 

Compliancy Group’s software makes it easy for employees to report suspected incidents anonymously. Clients that suffer a breach are provided with breach support from our on staff regulatory attorneys. We also offer audit support to clients, providing all of the documentation required by the Office for Civil Rights (OCR) to prove their “good faith effort” towards HIPAA compliance. No client that has completed our process has ever failed an audit!

HIPAA Compliant Resources for Therapists

To aid in your efforts to comply with HIPAA, we have provided a list of free HIPAA compliant resources for therapists.

HIPAA Compliance Checklist

HIPAA Webinar

HIPAA Compliant Sign-in Sheet

HIPAA Compliant Screensaver

Free HIPAA Training