Forms: wouldn’t it be nice if they were much simpler?
Private practice is a funny thing, because we go into it expecting to be independent therapists but actually become independent businesspeople whose business is doing therapy. So we spend time trying to figure out how to get all the logistics of business nailed down and out of the way so we can do what we care about: therapy.
To that end, we’ve come up with a list of sources where you can get some help with those forms — at least the HIPAA-related ones. And at least the ones you need when therapy begins.
This list is the culmination of numerous answers to questions that start with, “Where can I get a…?”
We hope it helps!
Notice of Privacy Practices (“The HIPAA Form”)
Most of us already have a “HIPAA form,” more formally known as a “Notice of Privacy Practices.” What many of us don’t have, however, is an NPP form that reflects our own practice’s policies around privacy, or a form that reflects our state laws.
The NPP should reflect not only the privacy practices that HIPAA requires, but also the privacy practices that you employ. Privacy practices are things like what information you’ll disclose about clients, when, and to whom. Not everyone does this the same way and not every state has the same laws around it. That is why Person-Centered Tech has never released a sample NPP of our own making.
The Feds themselves created and released a model Notice of Privacy Practices after they released the 2013 HIPAA Omnibus Final Rule. They have multiple versions, including a layered one, in both English and Spanish. These model forms give you spaces in which to write specific information about your own practice.
You’ll need to ask your attorney, or possibly your state professional organization, about any state law items that need to be added to the form or modified in the form.
Special note: The 2013 HIPAA Omnibus Rule made it a rule that if you have a website, you need to post your NPP on the site. You can make it a whole web page on the site or make it a downloadable file — perhaps along with your other blank intake forms. Either way, it needs to be conspicuously easy to find.
Release of Information Forms
This is generally one of the first things we get when we start a practice, so there are tons of options out there.
It’s worth noting, though, that HIPAA defines a special kind of consent called “authorization.” This gets confusing easily, because many states will refer to simple consent as “authorization” in their laws. Also, some documents will refer to HIPAA authorization as “consent.” So if you get confused, don’t worry. You’re in good company.
We won’t go into the details of what “authorization” is according to HIPAA. You can read about it here→.
Many of the release forms we pass around amongst private practitioners are built to be HIPAA-style authorizations. So you might already have what you need for this one.
To be sure, however, we tracked down a good example of an authorization for release of information that is made by an authority. This one is built to address both HIPAA and Massachusetts state law. So unless you practice in Massachusetts, be sure not to use it as-is, but rather as a model for your own forms.
That link goes directly to the PDF of the form. The state of Massachusetts lists it on this page here→.
Business Associate Agreement Contracts
If you’re not sure what this is, then you probably haven’t been reading our stuff for very long. 🙂 In that case, welcome to Person-Centered Tech! We invite you to familiarize yourself with the hugely important topic of HIPAA Business Associates before moving on:
We implore you to remember that any third party with whom you need a BAA should already have one of these agreement contracts prepared. Those who act as HIPAA Business Associates for health care providers need to also comply with HIPAA, just like we do. So if they’re not prepared to do so, you probably don’t want to work with them.
There are occasional times when finding your own BAA contract is useful, however. Perhaps you have someone you want to hire as a biller. They haven’t done their professional responsibilities around due diligence, but for various reasons you want to work with them anyway. That is a common time when finding a BAA contract becomes necessary.
Enter the fabulous, lovely people of HIPAACOW. HIPAACOW is a volunteer organization in Wisconsin that produces utterly amazing, highly professional work that should by all rights cost us thousands of dollars. They give it out for free, though. So take advantage!
One of the many items they offer is a sample Business Associate Agreement contract. Be sure to download the one that is updated for the 2013 HIPAA Omnibus Rule:
Risk Analysis Tools
Risk analysis is one of our most favoritist topics to talk about around here. Many of our colleagues don’t know what it is, however, which is a huge HIPAA compliance issue for our entire field.
So if you haven’t yet read our orientation articles on the subject, please do so now. We’ll wait for you to get back:
- Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant
- Risk Analysis and Risk Management Planning: Can You Do It Yourself?
BTW, “risk analysis” is the term used in the HIPAA Security Rule language. You can also say “risk assessment.” They’re interchangeable in this case.
Risk analysis is a process. And the initial work of it is a big process (it gets easier after you’ve got it started, though). So there isn’t a form or even a set of forms for risk analysis. There are, however, tools to help guide you through it. We feature a couple of them here:
- Security Risk Assessment Tool→ from Health and Human Services.
- California’s Risk Assessment Toolkit→
Both of those are well-known tools, but they are also both very technical and broad. In other words, most clinicians don’t find them useful. You can try them out, however, to get an idea of where you’re going and to decide for yourself if they really are too vague and technical or if they’re just fine for you.
We also provide extensive support for risk analysis to our paid support service members. See Person-Centered Tech Support for details.
HIPAA Security Rule Compliance Prep
In addition to risk analysis, the HIPAA Security Rule just includes a bunch of stuff you need to address, including policies and procedures.
Your own policies and procedures need to match your own practice’s needs, but it’s very useful to have models from which you can figure out what you need. Enter again the wonderful, stupendous, fantastic people of HIPAACOW!
Forms Around Using Tech With Clients
Clients often want to use email and texting with their therapists. There are a number of risks involved, and our professional ethics are actually much more restrictive on this point than HIPAA is. There are processes (and forms!) involved in addressing those risks, though.
We never found good paperwork materials for the process of using non-secure tech with clients, so we made our own. We make them freely available to all our (also free) newsletter subscribers. Those forms include the:
- Email and Texting Risk Questionnaire
- Consent for Non-Secure Communications Forms (e.g. email and texting are both “non-secure communications”)
We also offer an Electronic Records Disclosure form, but that is not needed for HIPAA compliance. It’s needed for the ACA Code of Ethics’ requirement around electronic records disclosure→.
Please, please, please get educated before using these forms! We have at least one article that helps explain their use but it’s just the tip of the iceberg. We also offer education on the issue of communicating with clients over the Internet and with everyday gear in the Level I session of our Digital Confidentiality course series.
- Clients Have the Right to Receive Unencrypted Emails Under HIPAA→
- Digital Confidentiality Course Series→
Those forms are free for our (also free) newsletter subscribers:
As with all things private practice, the need for tools will keep evolving. We’ll update this space as the need arises!