Advocacy Alert: October 2013

By Bobbie Celeste, PhD, OPA Director of Professional Affairs

HIPAA Privacy Rules were written and became effective in 2003. The privacy rules were followed by the HIPAA Security Rules, and the HITECH Act which brought us the “breach notifications.” Now we have the HIPAA Omnibus or Final Rules, which took effect September 23, 2013. This OPA webinar gives a quick overview of the rules and latest changes.

You need to comply with both the privacy rules and the security rules. This applies to anyone who has done anything with an electronic device such as a flash drive, disc, laptop, cell phone or computer. In other words, most of us will need to follow the HIPAA procedures unless you always and only have done paper records and you plan to retire in the next year or two. If you are starting from scratch I recommend the APA products found at For a fee, it provides separate privacy and security electronic versions of notebooks that you can personalize for your practice. Alternatives are to hire an attorney or work with colleagues who will assist you.

Privacy Rule:

  1. Notification of the Privacy Rights of Patients (updated in Final Rule).
  2. Keep a notebook with all your HIPAA information, rules and procedures you follow.
  3. Train your staff in privacy and security procedures and rules.
  4. Always use two separate release-of-information forms if you keep separate “psychotherapy notes,” i.e. one for the general record and one for the more protected “psychotherapy notes.”
  5. Know who to call when you have a breach of security or privacy. (OPA, APA and your liability insurer are good places to start).

Review this good basic HIPAA Privacy Primer, updated in 2013.

Security Rule:

  1. Requires an ongoing risk assessment of your office and procedures. Keep these assessments in a separate notebook.
  2. Requires that the office and files be secure.
  3. Requires that your staff are screened and trained in security.
  4. Requires the protection of all computer screens, data and discs.
  5. Recommends back-ups for your data and the development of disaster plans.

For a good understanding of the security rule click here.


Part of your HIPAA privacy and security procedures should include evaluating what type of encryption you need for your hard drive, software, storage discs or flash drives and email.

The recommendation of the APA Practice Organization is to encrypt as much of your email as you can. The HIPAA Security Rule recommends but does not require this; even so, you could be penalized if emails go to the wrong patient or include protected health information. Notification and consent from the patient that they understand that email is not secure might help, but it is not true protection from having to give a “breach notification” if information gets out inappropriately. The security rule recommends that you double-check the address of an email recipient and that you limit the amount and type of information that the email includes.

For general information about encryption, visit this link.

Encrypting Computers: A few resources that are recommended by The Trust (but not endorsed):
  1. BestCrypt Enterprise
  2. PGP Whole Disk Encryption

This website leads you to the information from HHS about storing and destroying data. However, the information contained in the links is technical and very complicated; it is intended for the techie vendors. If a reputable vendor claims that they meet government encryption standards, you could ask for their written confirmation of that in your business associate contract with them.

This resource from the Office of Civil Rights discusses more about the Privacy Rule. Question three may be the most applicable to emails. It also states that it is okay to receive patient-initiated email, but the patient should be reminded that it may not be secure and be given the option to stop using email.

This resource provides more information about security rule compliance for the small provider.
