The HIPAA Kit and HIPAA Forms are available online in PDF format, with links to the forms as Word documents. You can access them instantly online. You can copy the HIPAA Forms into your word-processing program, insert your letterhead and name, make any other necessary changes, adapt them to your particular practice, and you’re all set. The HIPAA Kit and Forms are not available in hard copy. You can also purchase the HIPAA Kit and Forms together with the Essential Clinical Forms below.
The Kit provides you with the most basic and practical understanding of HIPAA regulations and offers many practical ways to achieve compliance. The Kit does not provide a state-by-state preemption analysis, which you can obtain from your state board or national professional organization. The Kit uses parts of California law as an example of the preemption analysis and provides a summary of its important aspects for California. You must modify the forms included in the Kit according to your personal and professional needs and requirements.
“Ingeniously combining his extensive knowledge of practice with his keen understanding of HIPAA with all its implications, Dr. Zur has compiled a practical, readable guide that addresses the potentially most impacting and disruptive force to confront psychotherapy. No mental health practitioner can afford to be without it as your practice may depend on it.”
Nicholas A. Cummings, Ph.D., Sc.D.
Distinguished Practitioner, University of Nevada, Reno
President, Cummings Foundation for Behavioral Health
Former President, American Psychological Association
The Kit will aid psychotherapists in private practice with:
Understanding HIPAA’s basic facts and requirements.
Implementing a simple step-by-step process towards HIPAA compliance.
Acquiring checklists and ready-to-use, user-friendly forms, which you will be able to personalize and employ right away.
Avoiding the severe penalties and other risks associated with non-compliance.
Learning low-tech ways to use billing services and clearinghouses to continue receiving insurance company reimbursements.
1. What is the goal of the Kit?
2. How is the Kit organized & what terminology does it use?
3. How can I best use this Kit?
4. What this Kit is not
5. Generally, what is HIPAA?
6. What is a Covered Entity (CE) and am I one?
7. Do I need to comply even if I do not own a computer?
8. What does “scalable compliance” mean for me?
9. What is and who is the Privacy Officer in a solo, private practice?
10. How easy is it to become compliant?
11. What are the basic requirements for compliance?
12. What is Protected Health Information?
13. What happens if I did not meet any or some of the original deadlines?
14. What are the Privacy Rule and the Security Rules?
15. What is the Breach Notification Rule?
16. What can trigger the Privacy Rule or HIPAA compliance audit?
17. What will happen if I do not comply with HIPAA?
18. What does HIPAA not do?
19. What do we not yet know about HIPAA?
20. What is the HIPAA Privacy Rule?
21. What do I need to know about consents and authorizations?
22. What is TPO?
23. What about the consent for TPO?
24. Can a patient revoke his/her consent for TPO?
25. If a patient revokes his consent for TPO, can the therapist still be paid?
26. What about the federal amendment to consent for TPO?
27. What are the issues around authorizations?
28. Which basic forms must I have?
29. What is compound authorization?
30. When is neither consent nor authorization required?
31. What about HIPAA’s Notice of Privacy Practices?
32. Should I post the Notice on my website or send it electronically?
33. What about patients’ rights to request privacy?
34. If I have an Informed Consent, do I also need a HIPAA consent?
35. What is the difference between “use” and “disclosure”?
36. How do I deal with the judicial system and administrative proceedings?
37. How do I deal with law enforcement agencies?
38. What about disclosure where there is a threat or danger?
39. What rights do patients have to access their records?
40. When do patients NOT have the right to access their records?
41. What is the time frame for a patient’s request to review his/her records?
42. Must patients pay for copies they request?
43. What rights do patients have to amend their records?
44. What about minors’ records?
45. What about consultation?
46. Can a therapist disclose records created by other providers?
47. What about disclosures for research purposes?
48. What are the considerations surrounding substance abuse disclosures?
49. What are the considerations for an account of disclosures?
50. What is the “need to know” requirement?
51. What is the “minimum necessary” requirement?
52. Can therapists disclose to their professional liability insurance?
53. Does the Privacy Rule create a government database of individuals?
54. Can therapists call out the names of patients in their waiting rooms?
55. What about disclosure to collection agencies?
56. Can clearinghouses and health plans use PHI?
57. Can one have joint consents?
58. Can one have combined consents?
59. What are re-disclosures?
60. What is a Disclosure Record?
61. What does de-identifying mean?
62. What are limited data sets?
63. What does HIPAA say about marketing?
64. How is therapist-patient privacy protected?
65. What about keeping two sets of records?
66. What are Psychotherapy Notes?
67. What do the Psychotherapy Notes include?
68. What is excluded from the Psychotherapy Notes?
69. Can I see an example of the two types of notations?
70. Do individuals have a right to review their Psychotherapy Notes?
71. Do managed-care companies have the right to review Psychotherapy Notes?
72. Does Medicare have the right to review the Psychotherapy Notes?
73. What about sharing Psychotherapy Notes with other treating clinicians?
74. Can a client authorize disclosure of the Psychotherapy Notes?
75. Can Psychotherapy Notes be disclosed without the patient’s authorization?
76. What is the Supreme Court 1996 Jaffee v. Redmond decision all about?
77. What about re-disclosure of Psychotherapy Notes?
78. What about uniformity of electronic claims?
79. Which ICD, DSM or CPT codes are required under HIPAA?
80. Does HIPAA mandate therapists to use electronic claims?
81. What are my general choices in regard to billing?
82. What is the role of a clearinghouse?
83. What about the identification standards and what is NPI?
84. What is HIPAA’s Security Rule?
85. What are the differences between the Privacy and Security Rules?
86. What is the good news about the Security Rule?
87. What are the three elements of the Security Rule?
88. How about protection from disasters?
89. What is included in Risk Analysis?
90. What is included in Risk Management?
91. What needs to be included in the Security Policies and Procedures Manual?
92. What is a HIPAA Business Associate (BA)?
93. What is a Business Associate Agreement, or “BAA”?
94. Who isn’t a BA?
95. What legal protections does a BA provide for me?
96. What about the conduit exception?
97. What about financial institutions?
98. What about client consent to waive the BAA requirement?
99. What is the Final Breach Notification Rule?
100. How do I assess when a breach has happened?
101. What about the safe harbor in the Final Breach Notification Rule?
102. What does HIPAA require of office staff? Building staff?
103. How shall I physically arrange my office so I stay HIPAA compliant?
104. What about general computer security and protection?
105. What about general smart phone and tablet security and protection?
106. What do I need to consider regarding phones and phone messages?
107. What do I need to consider regarding WiFi?
108. What do I need to consider regarding fax machines?
109. What do I need to consider regarding copiers, scanners, and printers?
110. Does HIPAA allow home offices?
111. Can I use my personal devices in my practice?
112. What about protecting my computer, smart phone, or tablet that is used for both work and personal needs?
113. What about WiFi?
114. Do I have to have a locked room in my home for work devices?
115. What is a “web browser”?
116. What is a “cloud” service?
117. What is my role in the security of my “cloud” services?
118. What do I need to consider regarding security of email and texting with clients?
119. What do I need to consider regarding security of email and texting with colleagues and others besides clients?
120. What about email signatures?
121. Does HIPAA allow me to have a presence on social media?
122. What does HIPAA require for websites?
123. Can I post forms for clients on my website?
124. Can I post helpful materials for clients on my website?
125. What do I need to consider regarding communication with clients via social networking sites?
126. What is the difference between EHR and EMR?
127. Does HIPAA require me to use electronic records?
128. What does HIPAA require me to do to protect electronic records?
129. Does HIPAA have special rules for electronic records?
130. How does HIPAA address online therapy/telemental health?
131. What does HIPAA require for online video software like Skype?
132. What about the conduit exception?
133. What is the preemption analysis?
134. Under what conditions does HIPAA preempt state law?
135. What happens when state law conflicts with HIPAA?
136. What happens when state law and HIPAA are not comparable?
137. What is the relationship between HIPAA & the Codes of Ethics?
138. What are the relationships between HIPAA and California law?
139. Can you provide me with examples of HIPAA regulations that preempt California laws?
140. What are some of the instances where California laws preempt HIPAA?
141. Where can I find online resources for implementing HIPAA in California?
Form I: HIPAA Compliance Checklist
Form II: HIPAA Notice of Privacy Practices
Form III: Authorization to Release Information
Form IV: Request for Amendment of Health Information
Form V: Tracking of Releases
Form VI: Account of Disclosures
Form VII: Denial of Access to PHI
Form VIII: Denial of Request for Amendment
Form IX: Complaint Form
Form X: Acknowledgment of Receipt of Notice
Form XI: Breach Assessment
Form XII: Authorization/Consent to use unencrypted e-mail and text
Form XIV: Patient’s Right for Confidential Communications
Form XV: Patient Request for Restriction on Use and Disclosure of PHI
DISCLAIMER: The HIPAA Compliance Kit is not intended to be a substitute for legal, ethical, or clinical advice or consultation. State laws may supersede HIPAA regulations, and you must check the laws and regulations of your state and your professional association. The very latest revision of the federal regulations may not be included in this Kit. The Kit is intended to give psychotherapists a basic understanding of HIPAA regulations and is not intended to provide a complete compliance manual. It is not intended to serve as the ultimate or definitive guide to HIPAA regulations. It does not provide a state-by-state preemption analysis. It does not contain details for performing a security risk analysis or for securing any given set of computers and other electronic devices. This Kit expresses only Dr. Zur’s and Mr. Huggins’ opinions and understanding of the regulations and does not claim to give definitive or comprehensive answers, nor the “right” interpretation of many of the complex and often ambiguous questions raised by the lengthy new HIPAA regulations. Additionally, many regulations may still be changing, and this Kit does not reflect any of the changes contained in the new regulation updates. State laws also change continuously, and as a result the guidelines for your practice will have to change, too. Contact your professional association, an attorney, your malpractice insurance carrier, boards, and other state or federal agencies for the most current guidelines and information.