
HIPAA Compliance for Touch of Wholeness Psychological Services

This HIPAA Business Associate Agreement (the "Agreement") is entered into between Touch of Wholeness Psychological Services ("Business Associate") and the Covered Entity ("Client"), and is effective as of the date the Covered Entity provides Protected Health Information (PHI) to Touch of Wholeness Psychological Services in connection with the clinical and administrative services rendered.

This Agreement supplements the existing services agreement between the parties to comply with the federal standards for privacy and security of health information under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

HIPAA Regulations Relevant to Psychological Services

  1. Privacy Rule
    1. Patient Privacy Rights: The Privacy Rule sets national standards for how Protected Health Information (PHI) may be used and disclosed. For Touch of Wholeness Psychological Services, this means that any patient data, whether collected in person, over the phone, or via telehealth sessions, must be handled and stored securely and used only for permitted purposes.
    2. Sharing of Information: PHI may be used or disclosed only as the Privacy Rule permits. Disclosures for treatment, payment, and health care operations are allowed without a signed form; most other disclosures, such as sharing records with an outside institution for a purpose other than treatment, require the patient's written HIPAA authorization. Psychotherapy notes are more tightly restricted (see Patient Rights, item 3 below).
    3. De-Identifying Information: Before patient information is shared for research or data analysis, it must be de-identified using one of the two methods the Privacy Rule recognizes (45 CFR 164.514): Safe Harbor, which removes eighteen categories of identifiers (names, dates other than the year, ZIP codes beyond the first three digits, phone numbers, e-mail addresses, record numbers, and so on), or Expert Determination by a qualified statistician. Properly de-identified data is no longer PHI and falls outside HIPAA.
  2. Security Rule
    1. Electronic Health Records (EHR): The EHR system (Theranest) used by Touch of Wholeness must store patient records encrypted at rest and protect them from unauthorized access both on-site and remotely. This matters particularly because the practice offers telehealth services, so patient data is transmitted electronically and accessed from outside the office.
    2. Data Security Measures: Strong password policies, encryption, and multi-factor authentication for every account that can reach the EHR are required, along with unique logins per staff member so access can be audited. Sensitive data should be sent only over encrypted channels, such as a secure e-mail service or the patient portal, rather than ordinary e-mail or text messaging.
    3. Telehealth Security: As 70% of appointments are telehealth-based, the telehealth platform used by Touch of Wholeness must encrypt session audio, video, and chat in transit, and the platform vendor must sign a Business Associate Agreement. A vendor's description of its product as "HIPAA-compliant" is not a substitute for that signed BAA.
  3. Breach Notification Rule
    1. Timely Reporting: In case of a breach of unsecured PHI, the Breach Notification Rule requires notifying affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach counts as discovered on the first day it is known, or reasonably should have been known, to the practice. Touch of Wholeness must have a clear process for identifying, investigating (including the four-factor risk assessment used to decide whether an incident is a reportable breach), and reporting breaches.
    2. Incident Response Plan: A written response plan for security incidents is vital. Breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 days after discovery, and to prominent media outlets when 500 or more residents of one state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity within the same 60-day window.
  4. Business Associate Agreements (BAAs)
    1. Third-Party Providers: If Touch of Wholeness works with third-party vendors (e.g., billing companies, EHR service providers, or cloud storage providers), HIPAA requires that a Business Associate Agreement (BAA) be in place to ensure that these parties will also comply with HIPAA regulations. This agreement outlines the responsibilities of each party regarding the handling and protection of PHI.
      Example: The practice must have a signed BAA with its EHR provider, Theranest, before PHI is stored in the system, so that the vendor is bound to the safeguards HIPAA requires.
  5. Patient Rights Under HIPAA
    1. Access to Records: Under HIPAA, patients have the right to inspect and obtain copies of their records, and the practice must respond within 30 days (one 30-day extension is permitted). Touch of Wholeness must provide a process through which patients can request copies of assessment results, treatment plans, and progress notes. Psychotherapy notes, as HIPAA defines them, are excluded from this right of access, although state law may grant broader access.
    2. Amending Records: Patients have the right to request corrections to their health records if they believe there are inaccuracies. The practice must have a clear and transparent process for handling such requests, must respond within 60 days, and must give a written explanation if it denies a request.
    3. Confidentiality of Psychotherapy Notes: Notes a therapist records during a session and keeps separate from the rest of the medical record receive extra protection under HIPAA. Nearly every use or disclosure, including sharing with other providers for treatment and release to health plans, requires the patient's specific written authorization; the main exceptions are use by the therapist who wrote them, disclosures required by law, and certain oversight and safety situations. Keeping these notes separate from the general record is what preserves this protection.
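Item 3 of the Privacy Rule section above calls for de-identifying PHI before it is shared for research or analysis. The following Python script, added here as an illustration and not code from Touch of Wholeness or Theranest, applies the Safe Harbor method to a single record: it drops direct identifiers, keeps only the year of dates, collapses ages over 89 into "90+", truncates ZIP codes to three digits (or "000" for sparsely populated prefixes), and scrubs phone numbers, e-mail addresses, SSNs, dates, and URLs from free-text notes. The field names, the sample record, and the notes text are constructed for the example; the restricted ZIP-prefix list is the one published in HHS's Safe Harbor guidance (2000 Census figures) and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of one patient record (45 CFR 164.514(b)(2)).

Added illustration; not code from Touch of Wholeness or Theranest. Field
names and the sample record are constructed for this example.
"""
import re
from datetime import date

# Identifiers Safe Harbor requires removing outright (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Date fields directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer, which must be
# reported as "000" (HHS Safe Harbor guidance, 2000 Census figures; verify
# against the current guidance before relying on this list).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifier patterns that commonly leak into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"(?:https?://|www\.)\S+"), "[URL]"),
]


def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted prefix."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(value):
    """Keep only the year from a date object or an ISO-format string."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_free_text(text):
    """Replace identifier patterns in free text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def safe_harbor_deidentify(record):
    """Return a new dict with the Safe Harbor generalizations applied."""
    out = {}
    for key, value in record.items():
        if value is None or key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    # A birth year for someone over 89 is itself indicative of that age,
    # so Safe Harbor requires dropping it as well.
    if isinstance(record.get("age"), int) and record["age"] > 89:
        out.pop("dob_year", None)
    return out


# Constructed sample record; no real patient.
SAMPLE_RECORD = {
    "mrn": "TW-48213",
    "name": "Jane Q. Sample",
    "dob": date(1931, 7, 4),
    "age": 93,
    "zip": "03601",
    "phone": "603-555-0148",
    "email": "jane.sample@example.com",
    "admission_date": "2024-03-12",
    "diagnosis_code": "F41.1",
    "notes": ("Pt reports improvement since 03/12/2024 intake; callback at "
              "603-555-0148, spouse reachable at sam@example.org."),
}


def demo():
    """De-identify the constructed sample record."""
    return safe_harbor_deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Regex scrubbing of free text is a backstop, not a guarantee: a patient's employer, a relative's name, or an unusual circumstance described in a note is an identifier too, and Safe Harbor additionally requires that the practice have no actual knowledge that the remaining data could identify the patient. Treat the script's output as a candidate for review before release, not as de-identified by default.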

Practical Steps for HIPAA Compliance at Touch of Wholeness

Telehealth and HIPAA: Specific Considerations

Since the practice offers a large volume of telehealth services, ensuring that these services comply with HIPAA is crucial:

Amendments and Modifications

Touch of Wholeness Psychological Services reserves the right to amend or modify this HIPAA Business Associate Agreement to comply with any changes in HIPAA regulations, the HITECH Act, or other relevant laws. Such amendments are necessary to ensure continued compliance with privacy and security standards for Protected Health Information (PHI).

If changes are made, Touch of Wholeness will notify the Covered Entity within 30 calendar days. The Covered Entity will have 30 days to review and either accept the amendments or request termination of services if they do not agree with the new terms. Continuing the services will constitute acceptance of the updated Agreement.

The amendments may address:

Touch of Wholeness will work to ensure that any changes align with legal requirements, and the Covered Entity is encouraged to review these modifications promptly.
