A Compliance Toolkit for Therapists for Maintaining Record's Privacy and Security, Managing Risk, and Operating Ethically Under HIPAA
by Edward Zuckerman, PhD
Table of Contents
100 Preparing for HIPAA Page
110 What is HIPAA? 11
120 Do I have to comply with HIPAA? A decision tree 13
130 Why you should become HIPAA-compliant (even if you don't have to) 17
140 Why you shouldn't worry too much about HIPAA 18
150 HIPAA is an opportunity to upgrade your practice 19
160 What will change under HIPAA? 20
170 Privacy issues and views 22
180 How to use this book 26
200 Core ideas
210 Terminology and components of HIPAA 27
220 Implementing HIPAA in your practice 31
221 A To Do list 32
222 List of forms for a HIPAA-compliant practice 34
223 Schedule for implementing HIPAA 35
230 The privacy officer 37
231 Duties of the privacy officer 38
240 Preemption of state laws by HIPAA 39
241 Preemption decision worksheet 43
250 Understanding the way your office handles PHI - Doing a Gap Analysis 46
260 Training employees in privacy practices 50
261 Content and documentation of training 52
262 Confidentiality agreements 54
263 Confidentiality agreement for employees 55
270 What about business associates? 58
300 Records and Billing
301 Records making and keeping 65
310 The two kinds of clinical notes 67
311 Deciding to keep or not keep psychotherapy notes and options 72
312 Format for a routine progress note 74
313 Format for a psychotherapy note 75
320 Billing under HIPAA 77
330 The computerized office 80
331 Your National Provider Identifier - NPI 82
400 Notices, Consents, Authorizations
410 Introduction to the Notice of Privacy Practices (NPP) 83
411 The complete Notice of Privacy Practices 89
412 The briefer Notice of Privacy Practices 96
420 Informed consent, Consents, and Authorizations 99
430 Consent form 103
431 Consent to use and disclose your health information 105
440 About Authorizations 106
441 Comparison of the contents of Authorization forms 112
450 The Standard Authorization 113
451 The Standard Authorization Form 116
460 The External Authorization 118
470 Authorizations for a research participant 119
480 Authorization to disclose psychotherapy notes 121
490 A Form for revoking an Authorization 122
500 Disclosing PHI 123
510 Agreements to disclosure 123
520 Routine and non-routine disclosures 125
530 Releasing only the minimum necessary information 128
540 Incidental disclosures 132
550 Redisclosure - Releasing information created by others 134
560 HIPAA and Workers' Compensation, Social Security Disability, etc 135
570 Consulting under HIPAA 137
580 Oral communications 139
590 Verifying the identity of those seeking PHI 140
600 Clients' rights to control their PHI 143
610 The opportunity to object to the use or disclosure of one's PHI 143
611 Form to request limitations on disclosure of one's PHI 146
620 Client's requests for alternative communication channels 147
621 Form to request alternative communication channels 148
630 Clients' access to their records 149
631 Form to request access to one's health information 154
640 The right to amend one's PHI 156
641 Form to request correction/amendment of one's PHI 161
650 Medical record disclosures log 163
651 Form for a medical record disclosure log 164
652 An Accounting of disclosures 165
653 Form to request an accounting of disclosures 169
654 Form for an accounting of disclosures 170
660 Complaints and reports of privacy violations 172
661 Complaint form 174
700 HIPAA's Security Rule 175
710 Background and contents of the rule 176
720 The office's communication methods 181
730 Controlling the accessibility of PHI 184
740 Coping with disasters 189
750 Disposal and destruction of PHI 190
760 A security and To Do checklist 192
800 A HIPAA Policies and Procedures Manual (HP&PM) 197
801 Developing a policy and procedures compliance manual for HIPAA 197
802 Our HIPAA Policy and Procedures Manual 200
803 Table of contents 201
810 The privacy officer 202
820 Obtaining Consents and Authorizations 203
821 Obtaining consent 203
822 When an Authorization is needed or not needed 203
830 Uses and disclosures of PHI 205
831 Non-routine uses and disclosures of PHI 206
832 Routine disclosures of PHI 206
833 Procedures for requesting records 208
840 Clients' rights to control their PHI 209
841 Clients' access to their records 209
842 Clients' right to request amendment of their PHI 210
843 Requests for an accounting of disclosures 212
844 Requests for restrictions on disclosures 213
845 Requests for confidential communications 214
846 Requests to revoke an Authorization 215
850 Complaints about privacy violations or privacy policy 216
851 Handling complaints 216
852 Anonymous reporting mechanism 216
853 Investigating complaints 217
854 Non-retaliation for the exercise of privacy rights (including "Whistleblowers") 217
860 Corrective actions in response to a complaint 218
861 Sanctions 218
862 Mitigation 218
870 Safeguards 219
871 Staff training in privacy rights 219
872 Monitoring of compliance with HIPAA regulations 220
873 Passwords 220
874 Faxes 221
875 Messages and answering machine 221
876 Encryption and digital signatures 221
877 Disaster recovery plan 222
878 The disposal and destruction of PHI 222
880 Other Policies 224
890 Forms 224
900 Minor (at least for therapists) topics 225
910 Personal representatives and minors under HIPAA 225
920 Using client information for fundraising 229
930 HIPAA's rules about marketing 230
940 Portability and pre-existing conditions 235
950 De-identifying information in the record 236
1000 Resources and References 238
1010 Citations 239
1020 List of HIPAA documents available online 240
1030 Online HIPAA resource providers 241
1040 Glossary, definitions, acronymary 242
1050 What do you think? - Feedback form 248
1060 Comparison of the books HIPAA Help and The Paper Office 249
1070 Index 251
Page revised Dec. 26, 2007