The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to maintain written policies and procedures, commonly called a “privacy manual.” The privacy manual governs how your practice safeguards protected health information, or in HIPAA-speak, “PHI.” Regulators have increasingly targeted smaller practices for HIPAA audits, knowing that they struggle the most with compliance and are less likely to maintain a privacy manual. In fact, the first thing regulators will do if you’re audited is ask to review your privacy manual. An inability to produce those required policies is itself a HIPAA violation, which may subject your practice to fines and penalties.
Here are 5 of the most important items your privacy manual should contain.
1. Your most recent risk assessment
HIPAA requires covered providers to perform periodic risk assessments. A risk assessment helps you evaluate your compliance with HIPAA’s three main rules: privacy, security, and breach notification. For most providers, the risk assessment questions in your HIPAA policy manual will correlate directly with the requirements as they’re outlined in the law.
Your risk assessment informs the contents of your privacy manual and the policies and procedures by which you safeguard patient privacy. It allows you to assess the actual risks to your patients’ privacy, and the procedures you implement at your practice will depend on your answers to its questions. Your most recent risk assessment should be stored in your HIPAA manual, and you’re required to retain your old ones, too: HIPAA requires that this documentation be kept for at least six years.
2. Your practice’s records release form
It’s crucial that you maintain a uniform process for reviewing and processing patients’ requests for their records. Your policy manual should contain a copy of your records release form, but you should also include policies that address:
- How quickly you’ll respond to a request for a patient’s records
- How you’ll handle requests for a minor patient’s record
- How you’ll treat patient information that’s subject to heightened privacy requirements
The latter includes psychotherapy notes, substance use disorder treatment records, and HIV diagnoses, even if you don’t typically encounter these types of records in day-to-day operations.
3. Your password requirements
HIPAA requires that providers maintain written procedures for creating, changing, and safeguarding passwords. Be sure that your HIPAA policies specifically identify your practice’s password requirements, when and how often passwords must be changed, and a prohibition against writing them down or sharing them. HIPAA does not prescribe a particular password length or rotation interval; whatever you choose should be justified by your risk assessment and applied consistently across the practice.
4. Your patient data breach notification plan
HIPAA has three major components: privacy, security, and breach notification.
While many providers adequately address the privacy and security of their practice’s PHI, they are often confused about how to create a breach notification plan. Even the most compliant practice may experience an inadvertent breach of records. Breaches can occur in many ways: a provider’s laptop is stolen from a briefcase, an attacker gains access to an employee’s email account, or a power outage disables the practice’s security controls. While your privacy and security policies will guide your response to these situations (and hopefully help you avoid them), you must also maintain a detailed written policy that governs how you manage a breach. A breach notification plan can be complicated, so consult with a healthcare attorney to prepare one.
5. Your Notice of Privacy Practices
The purpose of your Notice of Privacy Practices is to summarize and inform your patients about your practice’s privacy policies and procedures. This is often the first document you present to new patients at your practice. Be sure that it reflects the written policies that you’ve actually implemented to protect patient information.
For example, it’s not uncommon for small or solo practices to rework a Notice of Privacy Practices they found online, believing it will satisfy their privacy obligations. However, if it isn’t backed by written policies, it may cause even bigger problems with regulators, since it represents that you follow policies you don’t actually maintain. You should provide it to each patient and make a good-faith effort to obtain their written acknowledgement of receipt. If a patient declines to sign the acknowledgement or to accept a copy, document the refusal as well.
HIPAA compliance is mandatory for the vast majority of healthcare providers, and noncompliance can burden practices with hefty fines, intensive government audits, and increased regulatory scrutiny. To avoid these outcomes, all healthcare providers—especially mental health providers, given the sensitive nature of your work—should collaborate with a healthcare attorney to create a privacy manual that serves the needs of your practice and the requirements of the law.