HIPAA Notice of Privacy Practices

 
 

Purpose of the Notice

This Notice of Privacy Practices (NPP) explains your rights and RWCC’s obligations under the Health Insurance Portability and Accountability Act (HIPAA), and will give you a clear understanding of the act.  Your privacy is important and the information about how it works is contained in this separate section. The River Wards Wellness Center (RWWC) NPP includes an extensive discussion of HIPAA as those protections relate to your counseling and therapy. 

This notice describes how medical information about you (protected health information) may be used, protected, and disclosed, and how you can get access to this information. Please review it carefully.  Please note that not all information listed below will cover your specific information but is meant as an overview of HIPAA protections in general.

“I”, “We”, and “You”

For this Notice of Privacy Practices and other documents on this website related to counseling services, “We” refers to RWWC and to the collective body of licensed therapy providers, any contractors operating within the services of the RWWC, and any staff or covered entities providing ancillary or administrative services for the RWWC. “You” refers to any potential, current, or past clients of the counseling services provided by RWWC. 

Every therapy practice is required by law to post a notice of privacy practices (NPP). This notice was last updated in February, 2024.

The link below will direct you to video posted by Health and Human Services Office of Civil Rights.  The videos demonstrate why it’s important that you read the notice of privacy practices. Please note that YouTube and the videos found on this link are not HIPAA-compliant applications, which means that when you view a YouTube video, that video appears in your user history if you are signed in to your Google account.

HSS OCR - Youtube Informational Videos

Your Rights: An Overview

You have the right to:

  • Obtain a copy of your paper or electronic medical record

  • Correct your paper or electronic medical record

  • Request confidential communication

  • Request us to limit the information we share

  • Obtain a list of those with whom we’ve shared your information

  • Obtain a copy of this privacy notice

  • Choose/Select someone to act for you

  • File a complaint if you believe your privacy rights have been violated

Your Choices: An Overview

You have choices in the way that we use and share information if we:

  • Tell family and friends about your condition (at your request)

  • Provide mental health care

Our Uses and Disclosures: An Overview

We may use and share your information as we:

  • Treat you

  • Run our organization

  • Bill for your services

  • Help with public health and safety issues

  • Do research

  • Comply with the law

  • Respond to organ and tissue donation requests

  • Work with a medical examiner or funeral director

  • Address workers’ compensation, law enforcement, and other Government requests

  • Respond to lawsuits and legal actions

Your Security: An Overview

You have a right to understand and ask questions about:

  • The meaning of any acronyms you see here

  • The meaning of unfamiliar or unclear terminology

  • What kind of technology we use for your services

  • How you can use the technology as safely as possible

  • What safeguards we have in place to protect you

  • How we protect your payment methods

  • How we communication with you safely and securely

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires covered entities such as counselors and other health care practitioners to protect the privacy and security of your personal health information (PHI) while still allowing us to communicate with you and anyone you give us permission to communicate with regarding your care. The HIPAA privacy rule applies to PHI in any medium—paper, electronic, or verbal.

Read the Office for Civil Rights' paper, HIPAA Privacy Rule and Sharing Information Related to Mental Health, to learn whom we are permitted to communicate with and under what circumstances. 

Read about how HIPAA Helps Caregiving Connections for more information on whom I may contact if you are in crisis or intend to harm yourself or others. 

Read about your health information privacy for more details about HIPAA.


PHI: Protected Health Information

Protected health information (PHI) means individually identifiable health information that is:

  • Transmitted by electronic media

  • Maintained in electronic media

  • Transmitted or maintained in any other form or medium.

See page 16 of the HIPAA Administrative Simplification for more details.

Individually Identifiable Health Information

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

  • that identifies the individual; or

  • with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

 Source: Page 15 of the HIPAA Administrative Simplification.


What constitutes PHI?  

Your personal information is classified PHI for the purposes of healthcare if it includes any of the following identifiers:

  • Name (including initials)

  • Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)

  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89) 

  • Email address (if it is associated with any individual identifiers such as your name, initials, birthdate, phone number, or third party accounts)

  • Telephone or fax numbers

  • Social Security Number

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate or license numbers

  • Vehicle identifiers and serial numbers, including license plate numbers

  • Device identifiers and serial numbers

  • Web URL

  • Internet Protocol (IP) Address

  • Biometric identifiers such as fingerprint, retinal scan, or voice print

  • Photographic image - not limited to images of the face.

  • Any other characteristic that could uniquely identify the individual

  • Your treatment details, including dates, durations, diagnoses, plans, services, assessments, reports, and outcomes; and communications and interactions with your therapist and with any online content.

Read What is Considered PHI Under HIPAA? for more details.

Disclosure of Client Information

Client permission is required for me to disclose client information to third parties, except when using or disclosing PHI for treatment, payment, and health care operations. You will be asked to supply this permission in writing with your signature via a HIPAA-secure form. 

When I send your PHI to other practitioners upon your request, I use HIPAA-secure technology. Depending on the type of technology used by the receiving practitioner, you may be charged a fee for sending these records. Please see HIPAA for Providers and pages 15-17 of the Guide to Privacy and Security of Electronic Health Information for exceptions when permission is not legally required. Please see my records request policy on my policies and procedures page

Information about HIPAA-Compliant Technology

As part of your informed consent agreement, please see my technology and security policies and procedures for my discussion on what makes technology HIPAA-compliant and why it’s important for your technician to use HIPAA-secure practices as well as technologies. Just having the technology is not enough; how the technology is set up and how it’s used can make it secure or render it vulnerable. Learn what can happen when a clinician does not properly understand or implement HIPAA-level security measures. 

Additional Information about HIPAA

You can find more detailed information about how we protect your privacy on these sites.

Where can I find information about HIPAA, health information privacy or security rules?

HIPAA for individuals

The HIPAA Privacy Rule and Public Health

PRIVACY SAFEGUARDS

 Safeguards RWWC takes to protect your security and privacy

  • We use HIPAA-secure technology for record-keeping and storage, communication, video conferencing, computer encryption, and malware protection.

  • We complete annual trainings on HIPAA-compliance, cybersecurity, and risk management.

  • We obtain the Business Associate Agreement required by HIPAA law from any company or professional individual who has access to your PHI.

  • We do not record video sessions without your written permission. We recommend that clients request recordings only after careful thought and discussion with a clinician to determine possible clinical benefits. Because the security risks associated with recording sessions outweigh the possible therapeutic benefits in most cases, I advise against recording video sessions.

  • Text/chat sessions and emails are automatically routed and stored in a HIPAA-secure drive.

  • We follow  the codes of ethics of the American Mental Health Counselors Association (AMHCA), the American Counseling Association (ACA), and the National Board for Certified Counselors (NBCC)

How you can protect your security and privacy

  • Store your login information in a place that no one else knows about.

  • Use multi-factor authentication wherever possible.

  • Do not share your private information/data.

  • Remember that you are responsible for maintaining security on your electronic devices. Do not allow others access to your devices. A good rule of thumb is that if you wouldn't give someone access to your wallet or bank account, you shouldn't give them access to your electronic devices. 

  • Make sure there is no one else present in the room when you are participating in video sessions with me.

  • Do not make video or audio recordings of your counseling sessions or learning content. Doing so is a violation of your service agreement and may violate state law. Violation of this policy will result in termination of the therapeutic relationship and may have legal and/or financial penalties. 

  • Do not take screenshots of your counseling sessions or records. Storing screenshots on a device or cloud that is not HIPAA-secure will compromise your confidentiality, privacy, and security. 

  • Do not take screenshots or video recordings of the therapy and training website or learning materials. Doing so is a copyright violation and can result in legal and/or financial penalties. 

  • Do not bookmark your private counseling website. If someone else accesses your computer, tablet, or phone and you are signed into a bookmarked site, other members of your household or workplace may be able to access your PHI. 

Please be aware that regardless of the safeguards employed by RWWC, it is possible that you may still compromise your privacy by sharing your information or leaving it where someone can see it. The security on your end is your responsibility.