HIPAA “Beefing-Up” Enforcement

Is your practice at risk?

Are your HIPAA forms and procedures in compliance?

Most physical therapy practices are falling short and don’t even know it. HIPAA regulations are serious and no longer a matter of mere technical compliance. Patient privacy and the protection of health information is a hot topic today, and the U.S. Department of Health and Human Services has said it will strengthen patient privacy protections, give patients greater control over their health records, and beef up the government’s ability to enforce the regulations.

I. What You Must Know – VERY IMPORTANT

Your HIPAA forms need to be updated ASAP. And your procedures need to be compliant. You have until September 23, 2014 to bring all your forms, notices and procedures into conformance with the new rules*.

Changes That Must Be Made (Short Version)

In your Notice of Privacy Practices…

  • Include a description of the types of uses and disclosures of PHI that require a separate authorization, specifically a statement of your disclosure policy on psychotherapy notes (if your practice records or maintains such notes).
  • Include a statement informing the patient that authorization will be obtained before using or disclosing PHI for marketing purposes or for the sale of PHI.
  • Add a statement that informs the patient that other uses and disclosures not described in your NPP will be made only with authorization.
  • If your practice engages in fundraising activities, explain that the patient may be contacted to raise funds, but has the right to opt-out of such communication.
  • Add a statement regarding the patient’s right to request a restriction on certain disclosures to their health plan if the disclosure is purely for carrying out payment or health care operations and the requested restriction is for services paid out-of-pocket.
  • Provide a statement that the practice is required to notify affected individuals of breaches of their unsecured PHI.

A Deeper Explanation

1. Breach Notifications

Obligations to notify patients of a breach of their protected health information (PHI) have been expanded and clarified under the new rule. Under the previous rule, a breach was not presumed reportable; reportability was determined by whether there was a likelihood of “harm to the individual.” Under the new rule, a breach is presumed reportable unless the covered entity can demonstrate, based on a four-factor risk analysis, a low probability that the privacy or security of the patient’s PHI was compromised. The new rule does not change the actual reporting and timeframe requirements.

2. Notice of Privacy Practices (NPPs)

Practices must amend their NPPs to reflect the changes to privacy and security rules, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI. In addition, if a practice participates in fundraising, an amendment will also need to be made to the NPP to inform patients of their right to opt-out of those communications.

3. The new rules eliminate some old requirements

You no longer need to include communications concerning appointment reminders, treatment alternatives, or health-related benefits or services in NPPs. However, the rules do not require that this information be removed either.

4. Amended Notice of Privacy Practices (NPPs) need to be posted on your website

  • Amended NPPs also need to be posted in the office.
  • Copies should be provided to all new patients and do not need to be redistributed to existing patients.
  • Copies should be made available to anyone on request.

5. Business Associate Agreements

The new rules expand the list of individuals and companies who are considered business associates to include:

    • Patient Safety Organizations and others involved in patient safety activities
    • Health information organizations, including health information exchanges and e-prescribing gateways, personal health record vendors, and any other individual or company involved in the transmittal and maintenance of PHI

*On March 26, 2013, the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of the privacy and security provisions of HIPAA.

6. Designate a “Compliance Officer”

It can be anyone, but assign the role to someone who will be with the company for a while, since their name will appear on the NPP and other documents. If the person changes, you will have to update all your forms. This person will be the point of contact for any patient who has questions, complaints, etc., so they should understand the ins and outs of HIPAA law and compliance. Training is available at the IndeFree Private Practice Secrets course and in the members-only section of their website.

7. HIPAA Compliance Manual

You are required to have a HIPAA compliance manual that indicates your policies, procedures, safeguards, and when you conduct HIPAA trainings, meetings, and more. If you need the manual and training, contact support@indefree.com for pricing.

**Members who have purchased the “CD of Tools” before have two options for obtaining the updated HIPAA manual and forms: they can get the NEW CD of Tools for FREE by attending any future course -or- they can purchase the CD at IndeFree.com at a 50% discount. If you choose to retake any course, it’s only $49 per day (this rate will increase in 2015).

II. “Where do I get these new forms?”

You may purchase the “HIPAA Made Easy Tool Kit,” which is customized for PTs/OTs (it includes the Compliance Manual, all required forms, and a step-by-step training guide). Beware: don’t spend $2,000 on consultants to develop one for you. Our tool kit is a fraction of the cost and much more comprehensive.

Purchase here.
  1. What should I do when a patient refuses to sign the acknowledgement of receiving our Notice of Privacy Practices (NPP)?
  2. Can I send patients marketing or promotional materials informing them of other products or services via mail, email, or text?
  3. What do I do if I lose a chart or patient information?
  4. If my computer gets hacked (and I have patient information on the computer) do I have to notify all the patients?
  5. Can I use a Sign-In sheet?
  6. Can I call their name in the lobby when other patients are around?
  7. Can I leave a message on their answering machine or phone reminding them of an upcoming appointment?
  8. What are the different ways in which I have to make my NPP available?
  9. Must I have my billing company, software company, registry or contract therapist complete the Business Associates Contract? How about consultants or computer repair persons?
  10. Do I really need a compliance officer?
  11. What other procedures are required?
  12. What’s an easy way to get patients to acknowledge they were presented with our Privacy Notice?
  13. Do I have to get a patient’s consent to send their Protected Health Information (PHI) to their insurance company or referring physician?
  14. Is there a special way I have to handle their information if they have or had psychotherapy or AIDS/HIV?

All these questions will be answered at the next “Private Practice Secrets” course at a city near you! Learn more at www.indefree.com.

Have a question that is not listed under our FAQ? Ask me in the comments section below.

James Ko

I believe... "It's not the strongest practices that survive and grow, nor the most intelligent, but the ones most adaptable to change." I'm a physical therapist, private practice owner, and founder of IndeFree Association. I like reading James Patterson and Nicholas Sparks, and I enjoy golfing and playing guitar. I love playing with Mac and Cozy! For over 15 years, I've helped thousands of practices grow and succeed. This is my dedication.
