HIPAA Compliance for Touch of Wholeness Psychological Services

This HIPAA Business Associate Agreement (the "Agreement") is entered into between Touch of Wholeness Psychological Services ("Business Associate") and the Covered Entity ("Client"), and is effective as of the date the Covered Entity provides Protected Health Information (PHI) to Touch of Wholeness Psychological Services in connection with the clinical and administrative services rendered.

This Agreement supplements the existing services agreement between the parties to comply with the federal standards for privacy and security of health information under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

HIPAA Regulations Relevant to Psychological Services

1. Privacy Rule
   1. Patient Privacy Rights: The Privacy Rule under HIPAA guarantees that personal health information (PHI) is protected. For Touch of Wholeness Psychological Services, this means that any patient data, whether it's collected in person, over the phone, or via telehealth sessions, must be securely handled and stored.
   2. Sharing of Information: Patient information cannot be shared without the explicit consent of the patient. For example, when collaborating with other professionals or institutions, written consent must be obtained for sharing PHI.
   3. De-Identifying Information: Practices should ensure that any non-essential patient information is de-identified before sharing it with others for research or data analysis purposes.
2. Security Rule
   1. Electronic Health Records (EHR): The EHR system (Theranest) used by Touch of Wholeness must ensure that patient records are stored in a secure, encrypted format. It must be protected from unauthorized access both on-site and remotely, particularly since the practice offers telehealth services where patient data is transmitted electronically.
   2. Data Security Measures: Implementing robust password protection, data encryption, and multi-factor authentication for accessing EHRs is a must. In addition, secure email communications and patient portals should be used for transmitting sensitive data.
   3. Telehealth Security: As 70% of appointments are telehealth-based, it's essential that the telehealth platforms used by Touch of Wholeness are HIPAA-compliant, ensuring end-to-end encryption of patient communications during virtual appointments.
3. Breach Notification Rule
   1. Timely Reporting: In case of a breach of patient information, HIPAA mandates that healthcare providers notify patients within 60 days of discovering the breach. Touch of Wholeness must have a clear process for identifying, investigating, and reporting breaches.
   2. Incident Response Plan: Developing a response plan for security incidents is vital. This includes immediate reporting to patients and the Department of Health and Human Services (HHS) if the breach involves more than 500 individuals.
4. Business Associate Agreements (BAAs)
   1. Third-Party Providers: If Touch of Wholeness works with third-party vendors (e.g., billing companies, EHR service providers, or cloud storage providers), HIPAA requires that a Business Associate Agreement (BAA) be in place to ensure that these parties will also comply with HIPAA regulations. This agreement outlines the responsibilities of each party regarding the handling and protection of PHI.
      Example: The practice must have a signed BAA with its EHR provider, Theranest, ensuring that they will meet the standards required by HIPAA.
5. Patient Rights Under HIPAA
   1. Access to Records: Under HIPAA, patients have the right to access their health records. Touch of Wholeness must provide a process through which patients can request copies of their therapy notes, assessment results, or treatment plans.
   2. Amending Records: Patients have the right to request corrections to their health records if they believe there are inaccuracies. The practice must have a clear and transparent process in place for handling such requests.
   3. Confidentiality of Therapy Notes: Psychological services often involve sensitive and detailed therapy notes. These notes are considered highly confidential under HIPAA and can only be shared under certain conditions, such as with patient consent or as required by law.

Practical Steps for HIPAA Compliance at Touch of Wholeness

• Staff Training and Awareness
  • Regular training sessions should be conducted for all employees on HIPAA compliance, focusing on the protection of patient information and the legal obligations related to the handling of PHI.
  • Confidentiality Policies: Staff should understand and adhere to strict confidentiality guidelines, including the prohibition of discussing patient details in public or unsecured areas.
• Secure Communication Channels
  • Use HIPAA-compliant communication methods for patient interactions, especially for telehealth. Ensure that video conferencing platforms, email communications, and text messages are encrypted.
  • When communicating with patients, avoid sending sensitive information via non-secure platforms like standard email or SMS.
• Physical Safeguards
  • Offices should be equipped with locks, restricted access areas, and secure filing systems to protect physical records containing patient information.
  • Ensure that electronic devices used by the practice (e.g., laptops, tablets, and desktops) are password-protected and encrypted, particularly when used to access or store PHI.
• Regular Audits and Risk Assessments
  • Conduct regular HIPAA audits to assess compliance with all relevant regulations. This will help identify potential vulnerabilities in your practice’s security infrastructure.
  • Perform risk assessments annually to evaluate possible threats to patient data security and implement corrective actions as needed.
• Updating Privacy and Security Policies
  • Review and update the practice’s privacy policies to ensure they reflect current HIPAA regulations and the specific practices.
  • Update consent forms and other documents that patients sign to ensure that they acknowledge their rights under HIPAA, including their rights to access, amend, and share their health records.
• Disposal of Patient Records
  • Properly dispose of outdated or unnecessary patient records by using secure methods, such as shredding physical documents or permanently deleting electronic files.
  • This applies to both active and inactive patients' records to ensure that sensitive data is not exposed.

Telehealth and HIPAA: Specific Considerations

Since the practice offers a large volume of telehealth services, ensuring that these services comply with HIPAA is crucial:

• Secure Platforms: Use telehealth software that is HIPAA-compliant, ensuring that patient sessions are encrypted, and there are no risks of unauthorized access.
• Confidential Environments: Both the practitioner and the patient should be in private, secure environments during virtual consultations. This reduces the risk of accidental exposure of sensitive information.

Amendments and Modifications

Touch of Wholeness Psychological Services reserves the right to amend or modify this HIPAA Business Associate Agreement to comply with any changes in HIPAA regulations, the HITECH Act, or other relevant laws. Such amendments are necessary to ensure continued compliance with privacy and security standards for Protected Health Information (PHI).

If changes are made, Touch of Wholeness will notify the Covered Entity within 30 calendar days. The Covered Entity will have 30 days to review and either accept the amendments or request termination of services if they do not agree with the new terms. Continuing the services will constitute acceptance of the updated Agreement.

The amendments may address:

• Changes in federal or state regulations
• Technological updates for better data security
• Adjustments to risk management protocols

Touch of Wholeness will work to ensure that any changes align with legal requirements, and the Covered Entity is encouraged to review these modifications promptly.