Privacy and Policies

Use and Disclosure of PHI: Policy

Protected Health Information (“PHI”) may not be used or disclosed in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the “Privacy Rule”) or in violation of California state law.


I am permitted, but not mandated, under the Privacy Rule to use and disclose PHI without patient consent or authorization in limited circumstances.  However, California state law or federal law may supersede, limit, or prohibit these uses and disclosures.


Under the Privacy Rule, these permitted uses and disclosures include those made:

  • To the patient

  • For treatment, payment, or health care operations purposes, or

  • As authorized by the patient.


Additional permitted uses and disclosures include those related to or made pursuant to:

  • Reporting on victims of domestic violence or abuse, as required by law

  • Court orders

  • Workers’ compensation laws

  • Serious threats to health or safety

  • Government oversight (including disclosures to a public health authority, coroner or medical examiner, military or veterans’ affairs agencies, an agency for national security purposes, law enforcement)

  • Health research

  • Marketing or fundraising.


I do not use or disclose PHI in ways that would be in violation of the Privacy Rule or California state law.  I use and disclose PHI as permitted by the Privacy Rule and in accordance with Illinois state or other law.  In using or disclosing PHI, I meet the Privacy Rule’s “minimum necessary requirement,” as appropriate.

Use and Disclosure of PHI: Procedure

The procedures needed to protect PHI are included, consistent with this policy, in the next section, Minimum Necessary Disclosure.


Use and Disclosure of PHI—Minimum Necessary Requirement: Policy


When using, disclosing or requesting PHI, I make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.  I recognize that the requirement also applies to covered entities that request my patients’ records and require that such entities meet the standard, as required by law.


The minimum necessary requirement does not apply to disclosures for treatment purposes or when I share information with a patient.  The requirement does not apply for uses and disclosures when patient authorization is given.  It does not apply for uses and disclosures as required by law or to uses and disclosures that are required for compliance with the Privacy Rule.


Use and Disclosure of PHI—Minimum Necessary Requirement:  Procedure 


The only people who have access to PHI and the patient’s clinical chart in order to carry out their duties are (name of practitioner) and (billing company, if applicable).  Lawyers utilized in the future may also have access to PHI and the patient’s clinical chart.  Additionally, the Business Associates (Billing Service and Accountant) may have access to PHI in order to carry out their duties, but they do not need access to the patient’s clinical chart.  Similarly, any Collection Agencies used in the future would have access to PHI, but not the patient’s clinical chart.


The steps that I take to ensure compliance with the Minimum Necessary Requirement are as follows: A patient is asked to complete a form called the (name of consent form; e.g., Authorization for Release of Protected Information From Your Clinical Record). On this form, the patient is asked to identify the specific person or agency to whom they want to release the PHI.  The patient is then asked to identify the specific information (and only that information) to be released. The information released is only that which is “reasonably necessary” to accomplish the purpose for which the request is made.  (Non-routine disclosure requests require review on an individual basis.) This authorization form is dated and applicable only for the time period identified on it.


As a psychologist, I limit my request for PHI to the minimum necessary.


  • I may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by another covered entity, by a public official (who represents that the information requested is the minimum necessary), or by a researcher (with appropriate documentation).


  • I may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose, if the PHI is requested by a member of my staff or business associate.


  • I will not use, disclose, or request an entire medical record, except when the entire medical record is justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.


A patient has the right to choose not to sign the authorization form; I will then explain to the patient any implications that not releasing information might have on the treatment.


A patient has the right to rescind an authorization for release of PHI. When this is documented on the original authorization form, no further communication will occur.  However, requesting to rescind an authorization will have no effect on PHI which was previously sent while the authorization was valid.


I document and retain all authorizations.


In order for an authorization that I receive to be valid, it:


  • Must be completely filled out with no false information.


  • May not be combined with another patient authorization.


  • Must be written in plain language.


  • Must contain a statement adequate to put the patient on notice of his or her right to revoke the authorization in writing and either exceptions to such right and a description of how to revoke, or a reference to revocation in the notice provided to the patient.


  • Must contain a statement adequate to put the patient on notice of the inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.


  • Must contain a statement adequate to put the patient on notice of the potential for information to be redisclosed and no longer protected by the rule.


Further, a valid authorization must contain the following information—


  • A description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion.


  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use and disclosure.


  • The name or other specific identification of the person(s), or class of persons, to whom the requested use and disclosure will be made.


  • A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.


  • An expiration date that relates to the individual or the purpose of the use or disclosure.


  • A signature (or if signed by a personal representative, a description of authority to sign) and date.


When requested, patients are always provided a copy of the authorization which they have signed.



Use and Disclosure of PHI—Psychotherapy Notes Authorization


While a patient may authorize the release of any of his/her PHI, the Privacy Rule specifically requires patient authorization for the release of Psychotherapy Notes.  Psychotherapy Notes authorization is different from patient consent or authorization of other PHI, because a health plan or other covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining such authorization.


As defined by the Privacy Rule, “Psychotherapy Notes” means “notes recorded (in any medium) by a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the individual’s medical record.”  The term “excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”


**Psychotherapy Notes are not utilized for neuropsychological assessment.


Use and Disclosure of PHI—Psychotherapy Notes Authorization: Policy


I abide by the authorization for release of records requirement of the Privacy Rule, unless otherwise required by law.  In addition, authorization is not required in the following circumstances--

  • For my use for treatment

  • For use or disclosure in supervised training programs where trainees learn to practice neuropsychological assessment.

  • To defend myself in a legal action brought by the patient, who is the subject of the PHI

  • For purposes of HHS in determining my compliance with the Privacy Rule

  • By a health oversight agency for a lawful purpose related to oversight of my practice

  • To a coroner or medical examiner

  • In instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.


I recognize that a patient may revoke an authorization at any time in writing, except to the extent that I have, or another entity has, taken action in reliance on the authorization.


Use and Disclosure of PHI—Psychotherapy Notes Authorization: Procedure Guidance


A patient is asked to complete a form called the (Authorization for Release of Information). On this form, the patient is asked to identify the specific person or agency to whom they want to release the PHI.  The patient is then asked to identify the specific information (and only that information) to be released. The information released is only that which is “reasonably necessary” to accomplish the purpose for which the request is made.  (Non-routine disclosure requests require review on an individual basis.) This authorization form is dated and applicable only for the time period identified on it.


Similarly, in order for an authorization that I receive for release of records to be valid, it:


  • Must be completely filled out with no false information.


  • May not be combined with another patient authorization.


  • Must be written in plain language.


  • Must contain a statement adequate to put the patient on notice of his or her right to revoke the authorization in writing and either exceptions to such right and a description of how to revoke, or a reference to revocation in the notice provided to the patient.


  • Must contain a statement adequate to put the patient on notice of the inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.


  • Must contain a statement adequate to put the patient on notice of the potential for information to be redisclosed and no longer protected by the rule.


Further, a valid authorization must contain the following information—


  • A description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion.


  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use and disclosure.


  • The name or other specific identification of the person(s), or class of persons, to whom the requested use and disclosure will be made.


  • A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.


  • An expiration date that relates to the individual or the purpose of the use or disclosure.


  • A signature (or if signed by a personal representative, a description of authority to sign) and date.


When requested, patients are always provided a copy of the authorization.



Patient Rights—Notice


Patient Rights: Policy


As required under the Privacy Rule, and in accordance with state law, I provide notice to patients of the uses and disclosures that may be made regarding their PHI and my duties and patient rights with respect to notice.  I make a good faith effort to obtain written acknowledgment that my patient receives this notice.


Patient Rights: Procedure


The privacy officer in my practice is (insert name).

As privacy officer, I provide notice to my patient on the first date of treatment.  In an emergency situation, I provide notice “as soon as reasonably practicable.”


  • Except in emergency situations, I make a good faith effort to obtain from a patient written acknowledgement of receipt of the notice.  If the patient refuses or is unable to acknowledge receipt of notice, I document why acknowledgement was not obtained.


  • I promptly revise and distribute notice whenever there is a material change to uses and disclosures, patient’s rights, my legal duties, or other privacy practices stated in the notice.


  • Each patient is given a paper copy of the Notice and asked to sign a statement of receipt.  I also post the Notice in a clear and prominent location in the office waiting room. 


Patient Rights—Restrictions and Confidential Communications


Patient Rights: Policy


The Privacy Rule permits patients to request restrictions on the use and disclosure of PHI for treatment, payment, and health care operations, or to family members.  While I am not required to agree to such restrictions, I will attempt to accommodate a reasonable request.  Once I have agreed to a restriction, I may not violate the restriction; however, restricted PHI may be provided to another health care provider in an emergency treatment situation.


A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures.  A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.


The Privacy Rule also permits patients to request receiving communications from me through alternative means or at alternative locations.  As required by the Privacy Rule, I will accommodate all reasonable requests.


Patient Rights: Procedure


  • When a patient makes a verbal request for restriction of the use and disclosure of information, he or she is asked to put such a request in writing.

  • I am not required to accommodate requests to restrict the use and disclosure of information, but once agreed upon, I may not violate the agreement.

  • Restricted PHI may be provided to another health care provider in an emergency treatment situation.

  • A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures. 

  • A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.


  • I permit patients to request receiving communications through alternative means or at alternative locations and I accommodate reasonable requests.  I may not require an explanation for a confidential communication request, and reasonable accommodation may be conditioned on information on how payment will be handled and specification of an alternative address or method of contact.


  • When a patient wants to terminate a restriction, that termination can be accepted orally or in written form and I document such termination.

Patient Rights—Access to and Amendment of Records: Policy


In accordance with Illinois law, the Privacy Rule, and other federal law, my patients have access to and may obtain a copy of the medical and billing records that I maintain.  Patients are also permitted to amend their records in accordance with such law.


Patient Rights—Access to and Amendment of Records: Procedure


At any time, patients may ask for a copy of their medical and/or billing records.  These will be given to the patient (if lengthy, at a cost commensurate with California law).

I may choose to offer an explanation of what is written or recorded so that the patient can fully understand the clinical or financial material.


If clinically contraindicated or seen as dangerous to the client (e.g., if reading or receiving a copy of the medical and/or billing record would likely put the client at imminent suicidal or homicidal risk), then I may choose to refrain from sharing the information with the patient at that particular time (documenting the reason why).  The information will be shared as soon as I have prepared the patient to be able to handle the material, or as soon as his or her clinical condition has improved enough to be able to read or receive a copy of the medical/billing record without undue risk or danger.


Patient Rights—Accounting of Disclosures: Policy


I provide my patients with an accounting of disclosures upon request, for disclosures made up to seven years prior to the date of the request.  While I may do so, I am not required to provide an accounting for disclosures made for treatment, payment, or health care operations purposes, or pursuant to patient authorization.  I also am not required to provide an accounting for disclosures made for national security purposes, or to correctional institutions or law enforcement officers.


Patient Rights—Accounting of Disclosures: Procedure


Patients may request an accounting of disclosures by submitting a request in writing. The request must state the time period for which the accounting is to be supplied, which may not be longer than seven years. The request must state whether the patient wishes to be sent the accounting via postal or electronic mail.


In order to keep track of, and process, requests for an accounting of disclosures, the following steps are taken:


For each disclosure in the accounting, the following is provided: the date; the name and address (if known) of the entity that received the PHI; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure that “reasonably informs” the patient of the basis of the disclosure.  In lieu of the statement of purpose, a copy of a written request for disclosure (for any of the permitted disclosures in the Privacy Rule, or by HHS for compliance purposes) may be provided.


I keep a copy of the accounting and include my name as the person responsible for receiving and processing accounting requests.


In addition:


  • If multiple disclosures have been made for a single purpose for various permitted disclosures under the Privacy Rule or to HHS for compliance purposes, the accounting also includes the frequency, periodicity, or number of disclosures made and the date of the last disclosure.


  • I provide an accounting within 60 days of a request, and I may extend this limit for up to 30 more days by providing the patient with a written statement of the reasons for the delay and the date that the accounting will be provided.


  • The first accounting is provided without charge. For each subsequent request I may charge a reasonable, cost-based fee. I will inform the patient of this fee and provide the patient the option to withdraw or modify his or her request.


  • I recognize that I must temporarily suspend providing an accounting of disclosures at the request of a health oversight agency or law enforcement official for a time specified by such agency or official.  The agency or official should provide a written statement that such an accounting would be “reasonably likely to impede” activities and the amount of time needed for suspension.  However, the agency or official statement may be made orally, in which case I will document the statement, temporarily suspend the accounting, and limit the temporary suspension to no longer than 30 days, unless a written statement is submitted.


Business Associates: Policy


I rely on certain persons or other entities, who or which are not my employees, to provide services on my behalf.  These persons or entities may include accountants, lawyers, billing services, and collection agencies.  Where these persons or entities perform services that require the disclosure of individually identifiable health information, they are considered under the Privacy Rule to be my business associates.


I enter into a written agreement with each of my business associates to obtain satisfactory assurance that the business associate will safeguard the privacy of the PHI of my patients.  I rely on my business associate to abide by the contract but will take reasonable steps to remedy any breaches of the agreement that I become aware of.


Business Associates: Procedure


  • I enter into and maintain a business associate contract with people or entities that provide services on my behalf that require the disclosure of individually identifiable health information.


The agreement that I use establishes the uses and disclosures of PHI to my business associates and prohibits use and further disclosure, except to the extent that information is needed for the proper management and administration of the business associate or to carry out its legal responsibilities.  The contract also provides that the business associate will—

  • Use appropriate safeguards to prevent inappropriate use and disclosure, other than provided for in the contract,

  • Report any use or disclosure not provided for by its contract of which it becomes aware,

  • Ensure that subcontractors agree to the contract’s conditions and restrictions,

  • Make records available to patients for inspection and amendment and incorporate amendments as required under the patient access and amendment of records requirements of the rule,

  • Make information available for an accounting of disclosures,

  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to HHS for compliance reviews, and

  • At contract termination, if feasible, return or destroy all PHI.


  • If I know of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the agreement, I will take reasonable steps to cure the breach.  If such steps are unsuccessful, I will terminate the contract, or if termination is not feasible, I will report the problem to HHS.


Administrative Requirement—Training: Policy


As required by the Privacy Rule, I train all members of my staff, as necessary and appropriate to carry out their functions, on the policies and procedures to protect PHI.

I have the discretion to determine the nature and method of training necessary to ensure that staff appropriately protects the privacy of my patients’ records.



Administrative Requirement—Training: Procedure


  • I train all members of my staff, as necessary and appropriate to carry out their functions, on the policies and procedures to protect PHI.  


  • I train new members of my staff within a reasonable time after joining my staff. 

I also provide training to staff whose function is impacted by a material change in the Privacy Rule within a “reasonable time” from the effective date of the material change.


Administrative Requirement—Safeguards: Policy


To protect the privacy of the PHI of my patients, I have in place appropriate administrative, technical, and physical safeguards, in accordance with the Privacy Rule.


Administrative Requirement—Safeguards:  Procedure


  • I have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.


  • I reasonably safeguard PHI from any intentional or unintentional use or disclosure that would violate the Privacy Rule.


  • I reasonably safeguard PHI to limit incidental uses or disclosures.


This includes not using any patient sign-in sheets, not using patient names in the waiting room or hallways, not leaving PHI on answering machines unless specifically advised to do so by the patient, and keeping all patient charts and other patient PHI in locked rooms or locked file cabinets, out of physical view when patients are inside the therapy office.


Administrative Requirement—Complaints: Policy


The privacy of my patients’ PHI is critically important for my relationship with my patients and for my practice.  I provide a process for my patients to make complaints concerning my adherence to the requirements of the Privacy Rule.


Administrative Requirement—Complaints: Procedure


The following is my procedure for a complaint process:


Procedure for a Complaint Process


  1. Patients may file privacy complaints by submitting them in one of the following ways:

     a.   In person, using the Privacy Complaint form.

     b.   By mail, either on the Privacy Complaint form or in a letter containing the necessary information.  All complaints should be mailed to:

     c.   By telephone at

     d.   By fax at


  2. All privacy complaints should be directed to


  3. The complaint should include the following information:

     a.   The type of infraction the complaint involves

     b.   A detailed description of the privacy issue

     c.   The date the incident or problem occurred, if applicable

     d.   The mailing or e-mail address where a formal response to the complaint may be sent.


  4. When a privacy complaint is filed by a patient, the following process is followed:

     a.   I validate the complaint with the individual.

     b.   If appropriate, I attempt to correct any apparent misunderstanding of the policies and procedures on the patient’s part; if, after clarification, the patient does not want to pursue the complaint any further, I indicate that “no further action is required.”  I record the date and time and file the complaint under dismissed complaints.

     c.   If not dismissed, I log the complaint by placing a copy of the complaint form in both the complaint file and in the patient’s record.

     d.   I investigate the complaint by reviewing the circumstances with relevant staff (if applicable).

     e.   If it is determined that the complaint is invalid, I send a letter stating the reasons the complaint was found invalid.  I file a copy of the letter and form in an investigated complaints file.

     f.   If the investigative findings are unclear, I get a second opinion either from my lawyer, the APA Insurance Trust, or the APA Practice Organization.

     g.   If it is determined that the complaint is valid and linked to a required process or an individual’s rights, I follow the office sanction policy to the extent that an individual is responsible.  If the complaint involves compliance with standards that do not involve a single individual, I then begin the process to revise current policies and procedures.

     h.   Once an appropriate sanction or action has been taken with respect to a complaint with merit, or if the response will take more than 30 days, I send a letter explaining the findings and the associated response or intended response.  I document the disposition of the complaint and file the letter and form in an investigated complaints file.

     i.   I place a copy of the complaint form in the patient’s record.

     j.   I review both invalid and investigated complaint files periodically, to determine if there are any emerging patterns.




Administrative Requirement—Sanctions: Policy


I have and apply appropriate sanctions against a member of my staff who fails to comply with the requirements of the Privacy Rule or my policies and procedures.  I will not apply sanctions against an individual who is testifying, assisting, or participating in an investigation, compliance review, or other proceeding.


Administrative Requirement—Sanctions: Procedure


Any member of my staff (such as an administrative assistant) who knowingly or unknowingly is not in compliance with protecting patient PHI will be sanctioned relative to the level of noncompliance (could range from a warning to being terminated from his or her position).


Administrative Requirement—Mitigation: Policy


I mitigate, to the extent possible, any harmful effect of which I become aware that results from my use or disclosure, or my business associate’s use or disclosure, of PHI in violation of these policies and procedures or the requirements of the Privacy Rule.


Administrative Requirement—Mitigation: Procedure


I use my discretion in what I do to mitigate any harmful effect from a violation of these policies and procedures. For example, if my billing assistant inadvertently sent the wrong patient records to an insurer for reimbursement, I might request the records back and inform the patient of the error.


Administrative Requirement—Retaliatory Action and Waiver of Rights: Policy


I believe that patients should have the right to exercise their rights under the Privacy Rule.  I do not take retaliatory action against a patient for exercising his or her rights or for bringing a complaint.  However, I will take legal action to protect myself, if I believe that a patient undertakes an activity in bad faith.


I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient for exercising a right, filing a complaint or participating in any other allowable process under the Privacy Rule.


I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for filing an HHS compliance complaint, testifying, assisting, or participating in a compliance review, proceeding, or hearing, under the Administrative Simplification provisions of HIPAA.


I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for opposing any act or practice made unlawful under the Privacy Rule, provided that the patient or other person has a “good faith belief” that the practice is unlawful and the manner of opposition is reasonable and does not involve disclosure of PHI.


I will not require a patient to waive his or her rights provided by the Privacy Rule or his or her right to file an HHS compliance complaint as a condition of receiving treatment.


Administrative Requirement—Retaliatory Action and Waiver of Rights:  Procedure


There are no specific procedures associated with this section.


Administrative Requirement: Policy


I have implemented policies and procedures to ensure that I am in compliance with the Privacy Rule.


Administrative Requirement: Procedure


  • My policies and procedures are a demonstration of my compliance with the Privacy Rule.

  • I will promptly change my policies and procedures to accord with changes to the Privacy Rule.  The notice provided to my patients will also be promptly changed to reflect the change in policy and procedure, unless the change does not materially affect the notice.  The timing of the change in notice, and reliance on the change, may depend on the terms for such changes in the notice.


Administrative Requirement--Documentation: Policy


I meet applicable California and Tennessee state laws and the Privacy Rule’s requirements regarding documentation.


Administrative Requirement--Documentation: Procedure


  • I maintain policies and procedures in written form.


  • All written communication required by the Privacy Rule is maintained as documentation.


  • If an action, activity, or designation is required by the Privacy Rule to be documented, a written copy is maintained as documentation.


  • Documentation is maintained for a period of six years from the date of creation or the date when it last was in effect, whichever is later.