1. What does it mean to electronically transmit protected health information (i.e., What is ePHI)?
The Security and Privacy Rules apply to any licensed health care provider who electronically transmits, or hires someone to electronically transmit, protected health information in one or more covered transactions. All transactions involving communications with insurance, managed care, or third-party payer entities are covered. Once an electronic transmission occurs, the Privacy Rule applies to all of the provider’s activities involving protected health information. For now, providers who have not transmitted information electronically in one or more covered transactions may not have to abide by all of these Security requirements. However, mental health professionals who receive reimbursement from third-party payers electronically are likely to fall under the Security standards in the future if and when electronic billing or electronic utilization reviews are required. For those with an entirely self-pay practice, or who exclusively engage in non-healthcare activities such as forensic services or coaching, the Privacy Rule will most likely not apply. However, as soon as a provider transmits a bill or other covered protected health information electronically, the entire Privacy Rule will apply to the entire practice. Because it is difficult to implement the Privacy Rule abruptly, we recommend that all providers understand the Privacy Rule and assume that it will apply to the entire practice.
2. I’m just a “small fish”. How can my practice manage all these HIPAA Rules?
HIPAA recognizes that private practicing health care providers are very small relative to the big health care corporations and hospitals. Government guidelines must be highly detailed and comprehensive enough to protect security and privacy in the biggest and most complicated health care systems. If we tried to comply on the level of a hospital, the paperwork, time, cost, and energy would probably drive us out of our minds. HIPAA provides flexibility for providers to adjust their safeguards to their particular practices and circumstances. The Security Rule provides a flexible, scalable, and technologically neutral framework to allow all covered entities to comply in a manner that is consistent with the unique circumstances of their size and environment. In fact, the guidelines are actually designed to promote “administrative simplification”. We must have a written policy for some of the “required” Standards of Security, which can be easily defined and established through TheraPolicy. There are also “addressable” standards, which are not mandatory. We are required to assess whether each addressable specification is a reasonable and appropriate safeguard in our practice with reference to its likely contribution to protecting ePHI. We can, however, determine for ourselves whether to implement the safeguard. If we don’t implement the entire mandate, we need to define an alternative measure that would be reasonable and appropriate given our size and resources (such as staff size, time, and expense). Sounds difficult, right? TheraPolicy is designed to manage this potentially confusing and stressful process so you can sleep at night with confidence that you have followed the law. If you develop a policy and provide a written rationale for what you’re doing, then all will be fine. TheraPolicy follows HIPAA’s “methodology”, which helps insulate you in an environment of ambiguity and uncertainty.
If you find yourself getting stressed or bogged down about particular details and practice policies, rest comfortably knowing that compliance primarily depends on following a well-defined and non-ambiguous “methodology”. You are only required to fulfill the minimum standard, not do everything a hospital should. We are here to help, so you can always consult with us directly if there are questions by contacting firstname.lastname@example.org
3. As a small practice, what is the best strategy for getting compliant quickly?
By completing the basic demographic profile for your organization and generating a generic TheraPolicy, you will be in compliance with Rule #1, even though you have not individualized your policies and procedures. The government knows the manual will always be a work in progress. HIPAA has been in existence for many years (since 1996, in fact) and yet most of us have never been called to account for possible non-compliance. Documentation of consistent effort to achieve compliance is imperative. This is the entire point of the Compliance Manager: staying compliant. We do things such as updating materials every month so our subscribers have help establishing compliance with HIPAA, the Omnibus Bill, HITECH, and other laws. Following the Compliance Program does not relieve you of the responsibility to investigate and follow all laws, but we help to provide information that you may not be aware of, and give structure to your own compliance program. Individualizing your TheraPolicy thoroughly from start to finish, which should take a few hours, helps to achieve the minimum standards for compliance. Don’t let yourself get bogged down in the process. We suggest you complete the entire manual to ensure minimal standards of compliance with this methodology, and then fine-tune your policy over time. Finally, it can be very helpful to make notes of your activities on the “Time-Stamped Activity Log”, which methodically documents this ongoing process.
4. How does Therapractic protect my information?
First of all, Therapractic uses 256-bit SSL encryption on all pages, meaning data transmitted over the Internet is always encrypted. Additionally, the use of SSL encryption preserves data integrity by preventing stored information from being tampered with or altered. Since all protected information stored or collected by Therapractic is backed up and encrypted on our secure servers, it can be recovered in case of an emergency or accidental deletion, which is required by HIPAA. Next, the Therapractic system is only accessible by authorized personnel using unique access controls, specifically usernames and passwords. Therapractic enforces unique, secure logins that ensure only authorized people can access that data. Although we preserve data so that it can be restored at a later time, such as when renewing a canceled subscription, data in the Therapractic system can be permanently disposed of and/or deleted upon request or as necessary. In such cases, media can be overwritten using processes specifically designed to destroy the data, also referred to as data shredding. Lastly, Therapractic has Business Associate Agreements with the developers and maintenance personnel who can access the Therapractic system, facilitating the privacy and security of information.
5. Can multiple providers share one subscription, and how do I determine how many users I need?
A subscription can be applied to a single provider, group, or organization according to its legal status. If legally identified as a group practice, such as by billing under a shared EIN, then the TheraPolicy can apply to the entire group. Clinicians who share office space but function as separate entities for billing, taxes, etc. would each require their own subscription because they are not legally identified as a group or organization. Sharing a TheraPolicy with someone not legally in your group may expose you to increased liabilities.
The number of identified users within a subscription depends upon your needs. If there is only one provider with a receptionist and an outside billing consultant, then the basic option of five users would be sufficient for the needs of the practice. This way each of the three individuals would have unique login credentials, allowing clear documentation for services such as Training Module completion, Time-Stamped Log entries, and the Secure Messaging System. The administrator of this practice could grant roles to the other users to limit access to certain services. For example, an administrator could restrict a receptionist from editing the TheraPolicy while still allowing him or her access to Training and Messaging. Outside entities, such as a billing company, may be included to grant them access solely to the Secure Messaging System without being bound to the TheraPolicy of the practice. For a larger practice such as a small clinic or even a hospital, the number of users would increase depending on who needs access to the system. There is a tiered system for determining monthly cost amounting to $10.00 for every five users in the following structure:

| Number of Users | Price per Month |
| --- | --- |

For large organizations that require 51+ users, please contact us for pricing options.
6. What happens if I cancel my subscription?
If your subscription is cancelled, you will no longer be able to receive updates about law changes and new revisions to TheraPolicy. E-mail reminders, the secure message system, training modules, downloadable templates and forms, and the “My Files” storage area will be discontinued 3 days after the last day of your subscription for that month. We suggest you download the most recent version of your effective TheraPolicy before cancelling your subscription. Currently, we will maintain your most recent manual should you decide to renew the subscription or need a copy of it.
7. How did Therapractic come about, and how can it benefit me?
Has a client suffered from your distractions with the business end of practice? Have you shuffled papers on weekends instead of spending time with family and friends? Do the costs and hassles of practice management wear you down? Is it tough complying with endless regulations that could bring an audit? Join the club of frustrated health care professionals! Therapractic was developed by seasoned therapists with experience in private practice to help you focus on what you like and do best. Our practice management and electronic health records were conceived, tested, and fine-tuned in a large private practice before reaching you. That’s how we can help your clinical practice be more enjoyable and rewarding. With Therapractic you can make a living and have a life.
8. What is TheraPolicy?
TheraPolicy is the name of our Policy and Procedure Manual, which helps you get and stay compliant with HIPAA, the Omnibus Bill, HITECH, and other laws. It allows you the flexibility to customize content to meet the needs of your specific practice. To use TheraPolicy, all you need to do is Register and then access it through the TheraPolicy Manager. TheraPolicy works best when paired with the Compliance Manager, which is why we package them together. The Compliance Manager not only helps you get compliant but stay that way by keeping you updated on new changes to federal laws and regulations regarding the transmission of ePHI and other topics, such as through our training modules.
9. What specific law mandates a Policy and Procedure Manual for my practice and how does this affect the development of TheraPolicy?
HIPAA §164.316 (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv).
The content of TheraPolicy is structured around mandates of the HIPAA Security Rule of 2005, the HIPAA Privacy Rule of 2003, the HITECH Bill of 2009, and the Omnibus Bill enacted in September 2013. Direct quotes from the law are embedded in the policy manual along with further explanations. They cannot be altered or modified. This helps you stay in compliance and understand exactly what is required and addressable. By going step by step through the content, you can develop the procedural aspects of your personalized manual while reinforcing your understanding of the law and its requirements.
10. What are important requirements from the recently passed Omnibus Bill?
- A modified Business Associate Agreement is required for all business associates providing ancillary services such as: accountants, billing companies, clearinghouses, and cleaning staff. These individuals and entities are now legally and civilly responsible for breaches of client confidentiality and privacy.
- There are new rules outlining the definition of a privacy breach and its possible consequences, which could involve fines or even imprisonment.
- A new Privacy Statement has been adopted to further safeguard the security and privacy of client information. This information must be readily observable and deliverable, in print upon request, to the client.
These requirements are addressed in TheraPolicy, and the Compliance Manager has templates available to implement many of these items.
11. Why and how is the policy modifiable?
There is a broad spectrum of entities covered under HIPAA, so the law allows for flexibility of implementation in order to provide policies unique to each specific practice. This means a generic policy and procedure manual is not appropriate for best-practice compliance. Instead, you should adopt measures to meet the minimum standards, specifically procedural in nature, which have unique applications to the circumstances and conditions of your practice. While governmental mandates are un-editable in TheraPolicy, there are options provided under these rules giving flexibility and shape to your manual. The beauty of TheraPolicy is that you can choose to edit our predefined options, or develop your own unique options to fit your practice. We also provide resources and suggested reminders, all of which can be edited by you. With your subscription to the Compliance Manager, you will receive revised editions of the policy that provide new content and options. Thus, your policy and procedure manual is capable of being as unique as you see fit and editable as needed to meet new standards. See the How To section for more info on customizing your TheraPolicy.
12. What government rules apply to the Policy and Procedure Manual and how does TheraPolicy address them?
According to HIPAA, a policy and procedure manual must be specific, evolve over time, and be periodically re-evaluated. TheraPolicy was developed by a psychologist and his team of behavioral health providers to be specifically applied to private health care practices. Behavioral health providers have traditionally had the training and experience to uphold the most stringent standards for confidentiality and privacy. This makes them well suited to thoroughly develop a manual that is generalizable to other health care environments. There are numerous resources that reinforce compliance, which could be especially helpful in the case of an audit. For example, HIPAA requires periodic documentation of Risk Analysis and Risk Management activities. Sample templates provided in the Compliance Manager have been developed in a large private practice to manage risk without your having to reinvent the wheel. With your subscription we will provide revised versions of TheraPolicy that can blend with your current manual. You can also choose whether to implement or ignore these revisions. In addition, you will receive regular training modules and have access to new materials, articles, templates, updates, and other resources to incorporate into your practice as you see fit. Our goal is to help you stay informed and responsive to new laws and practice standards in the field of health care.
We encourage all of our users to educate themselves on federal and state laws regarding the privacy and security of PHI, because in certain circumstances state law may have stricter requirements. One example involves reporting breaches of PHI. In some states, the length of time the provider has to report the breach under state law is less than the federal law mandates. In these instances, the provider should abide by the state law. Generally speaking, it is best to go with the statute that is more restrictive. One way we attempt to address this matter is with the predefined options of TheraPolicy. One such statement reads, "This practice applies the Preemption Constitutional test, meaning it adopts and adheres to the strictest governing laws, whether HIPAA, Federal, State, or other." In addition, it is important to note that most laws consider health care information (e.g., diagnoses, treatments, etc.) to be "highly sensitive". This means PHI in our field is an even higher priority for protective measures than typical PHI (e.g., birthdays, addresses, etc.). Remember, there is no such thing as perfect HIPAA compliance; the law states that we must use reasonable and appropriate measures, but defines no exact manner by which to follow the law.
13. How do I get an updated version of TheraPolicy to work with my existing manual?
It’s simple! The TheraPolicy Manager automatically does this for you. It saves the customized options from the most recent finalized version of your TheraPolicy, then imports them into the latest updated version of TheraPolicy we release. Please note that you are not required to update your effective policy and procedure manual when changes to TheraPolicy are published. If you choose to, you must manually activate and implement these changes. All you need to do is create a new TheraPolicy, verify or alter any changes to your personalized customization, and then activate your newly updated and refined TheraPolicy. See the How To section for further details.
14. Will my TheraPolicy have the Therapractic name on it?
When you enroll, your information will be automatically transferred to the manual with your name or organization prominently displayed. Our name will be listed inconspicuously at the bottom of the page.
15. How can I stay on top of all the ongoing requirements to remain compliant?
We know you have a lot to think about. You can choose to use our e-mail reminder system, which can automatically send you notifications for items such as HIPAA requirements or meetings. In addition, we have a vast library of templates and resources in the Compliance Manager for you to use at your discretion. You can choose to use our storage system called "My Files", which could be extremely helpful if you ever have the daunting task of gathering documents for an audit. Our entire system is maintained safely in the cloud so that it's easily retrievable at any time and under any circumstances (including emergencies). You can rest assured that your data is safe and accessible.
16. What all is included in Compliance Manager?
- Templates & Forms designed by Therapractic to keep your practice compliant and up-to-date
- Secure Cloud-based Storage & Retrieval of your own customized templates & forms from anywhere you have internet access
- A Time-Stamped Activity Log to permanently document noteworthy events
- Training Modules to help you keep up to speed with ever-changing rules
- Email Reminder Notifications about upcoming compliance-based events for timely adherence
- Links to information and other resource materials that are helpful and relevant to compliance
There is more information available containing a full set of features and detailed instructions on how to use the Compliance Manager.
17. How should I start analyzing risk?
We have designed our system to help guide you through the process of risk analysis and management. The intent is that by thoroughly completing your TheraPolicy the first time, you have in essence completed the initial phase of your risk analysis. You do this by identifying areas that need further clarification, also known as “gaps”. Additionally, we have an in-depth Gap Analysis (available in the Therapractic Files) that is more specifically designed for larger practices. Based on the initial development of your manual, you will become aware of these gaps that need further attention.
By developing policies and procedures first, you are pinpointing the areas that need further assessment. This will help diminish the amount of risk analysis necessary for your practice to perform. We recommend that you identify the gaps and prioritize the highest risk areas, then sequentially perform the risk analysis and management steps. When you do not fully understand or have questions about how to draft procedures for a standard or implementation specification, we recommend you perform a formal Risk Analysis on this area. Nearly all areas of TheraPolicy have specific Risk Analysis & Management Templates as resources for download. These are also available in the Therapractic Files named according to the HIPAA section reference number. Additionally, there are blank Risk Analysis forms for you to use that are differentiated by what you are assessing – a process versus an asset. The major delineation is that a process is more about how to implement reasonable and appropriate measures about a security or privacy area, such as the need for a Business Associate Agreement. On the other hand, an asset would be more applicable to a tangible item or thing, such as assessing the risk or threat to a laptop computer, fax machine, or file cabinet.
After completing a formal Risk Analysis for your gap areas, you can better prepare policies and procedures to address these standards and implementation specifications. This process cannot happen overnight, and you can always revisit these areas at a later time to further analyze or address the issue. As part of the monthly Training Modules, we will routinely offer sample Risk Analysis and Management forms, which are from our behavioral health practice of about 20 clinicians. These will help give you a better grasp of this assessment process and could be modified to suit your individual practice.
18. Can I store protected health information (ePHI) in the system?
Yes. The main areas where you are most likely to store and/or transmit ePHI are "My Files", the "Time-Stamped Activity Log", and "Messaging". We have secured the entire system using 256-bit SSL encryption. Therefore we believe our security measures to be reasonable and appropriate for storing ePHI in our system. In order to reduce your surface area of vulnerability, we recommend that you limit the amount and type of ePHI stored. For instance, you may choose to use case numbers rather than client names. You can also use any additional security measures you see fit, such as VPN connections or local encryption for files stored on your devices. As stated in the Terms and Conditions under the section entitled Limitation of Liability, "...the ultimate responsibility for correct implementation of this information lies with provider of services." This means you must do what you deem necessary to protect the security and integrity of the PHI you handle.
19. Patient-Centered Medical Home
The patient-centered medical home (PCMH) is an increasingly common model of health care delivery that is patient-centered, comprehensive, team-based, coordinated, accessible, and quality and safety oriented. In keeping with the broad changes in the health care system, PCMH prioritizes the integration of behavioral and physical health care, providing many exciting opportunities and excellent prospects for workforce growth among mental health providers. Up to 30% of primary care patients meet the diagnostic criteria for behavioral health problems, including anxiety, mood, somatoform, and substance use disorders.

In addition to the traditional focus of mental health intervention, health promotion and prevention are compelling reasons to integrate mental health services with the PCMH. Tobacco use, poor diet, and alcohol use contribute to half of all premature deaths. Limited availability of education and coaching to affect diabetes, hypertension, and pain management also contributes to increased morbidity and mortality.

Finally, the NCQA medical home standards require that primary care and specialty practices support patients’ behavioral health. Totalpsychcare.com is an experimental model designed to facilitate integrated health care, within the halls of a medical facility or spanning across the state via telehealth. Our mission is to help mental health professionals lend special meaning to the word “home” in the PCMH model.

From: Psychologists in Patient-Centered Medical Homes: Roles, Evidence, Opportunities and Challenges. American Psychologist, 2017, Vol. 72