In this section, we will present a basic three-point HIPAA compliance checklist so that you can assess your compliance with HIPAA regulations and avoid crossing any ethical boundaries. These three points of a HIPAA compliance checklist include: Notice of Privacy Practices; Business Associates Agreement; and Correspondence Confidentiality Statements.
As you are aware, HIPAA is continually undergoing scrutiny and revisions. Some states have added conditions beyond the federal standard. This course is based on federal requirements that were accurate at the time of publication of this course. If some information appears to conflict with your State or more current requirements, of course those would take precedence.
3 Points of a HIPAA Compliance Checklist
♦ Point #1 - Notice of Privacy Practices
The first point on a HIPAA compliance checklist is a Notice of Privacy Practices (NPP). Also known as NPPs, these forms inform clients of their rights as HIPAA-protected clients. For this form, you can download a copy from the internet. According to HIPAA regulations, these forms must be written in "plain language."
However, this is not always the case, and many clients do not completely comprehend their rights. We will discuss this issue of readability in a later section. The other problem with most samples is that they include a great deal of information that is not applicable to the typical small psychiatric practice. This information can include such statements as informing clients that their documentation might be used for marketing, fundraising, research, client directories, etc.
After providing a client with your NPP, it is necessary that they in turn provide you with an Acknowledgement that states the client received your privacy notice. This can be a simple one-page statement, stating, "I acknowledge that I have received and read Dr. X’s Privacy Notice." Does your Privacy Notice need to be reevaluated?
♦ Point #2 - Business Associates Agreement
The second point on a HIPAA compliance checklist is a Business Associates Agreement. If you contract with an outside company or individual to help you with your practice in such a way that they must see some client information (for example, someone who does your billing), you both have to sign an official Business Associates Agreement. This states that your billing company, or transcriptionist, agrees to keep client information confidential.
Staff employees, like your secretary or other office staff, do not have to sign this form, but you should document that you have given formal training in privacy practices. That way, your clients feel more comfortable sharing private information with your employees and this in turn will save you a great deal of time.
♦ Point #3 - Correspondence Confidentiality Statements
In addition to Notice of Privacy Practices and a Business Associates Agreement, the third point on a HIPAA compliance checklist is Correspondence Confidentiality Statements. This is a statement you place on every piece of correspondence, including faxes, emails, and letters, that states that the information in the document is confidential. Generally, I try to make the word "confidential" as big as possible, writing in all capital letters and sometimes bolding it.
In this section, we discussed a basic three-point HIPAA compliance checklist so that you may be in full compliance with HIPAA regulations and avoid crossing any ethical boundaries. These three points of a HIPAA compliance checklist included: Notice of Privacy Practices; Business Associates Agreement; and Correspondence Confidentiality Statements.
In the next section, we will review the ways in which HIPAA guidelines affect note-taking during client sessions. Ethical boundaries created by HIPAA regarding note-taking include the following three areas: categorization of notes; instances of exemption; and exclusions.
Ethics CEU QUESTION 1
What are three points on a HIPAA compliance checklist to consider to make sure that you are in full compliance?