Wondering what forms you need to be HIPAA compliant? This guide covers the paperwork you need and what to put in it. With recommendations to help you elevate your compliance game.
Forms are a crucial part of every healthcare practice. They collect patient data, share vital information, and help you keep accurate records. But how do you know if you have the right ones to comply with the Health Insurance Portability and Accountability Act (HIPAA)?
Although the HIPAA Privacy Rule does outline required forms and explains what to put in them, it isn’t always easy to wade through the legal lingo to figure out whether or not you have everything you need.
In this article, we’ll give you a helping hand by going over the key HIPAA-required forms and explaining what to include in them. We’ll also recommend additional forms to help strengthen your privacy practices.
👉 It’s always best to consult with a legal expert or compliance professional regarding HIPAA forms to help ensure you’re complying with the HIPAA rules and local laws.
First, let’s review the forms necessary to comply with the HIPAA rules. Skipping one of these documents could be a HIPAA violation and lead to penalties from the Office for Civil Rights (OCR).
For example, a mental health center was investigated by the OCR after it failed to provide a Notice of Privacy Practices (NPP) to a father and his underage daughter, a client at the center. Investigations are nerve-wracking and time-consuming. This center could have saved itself a lot of time and stress by using the form consistently before a complaint was filed.
We’ll go over what an NPP is and how to use it later in this section.
According to the HIPAA Privacy Rule, covered entities, such as healthcare providers, must obtain their clients’ written permission to share protected health information (PHI) in situations that fall outside the allowances in the Privacy Rule. In these cases, you must ask clients to sign an Authorization to Use and Disclose Protected Health Information form. In some healthcare settings, this may be called a Release of Information (ROI) form.
PHI is information that relates to:
So, when do you require an authorization form?
Generally speaking, you don’t need permission to share PHI with:
You do need permission to share PHI in any other way that falls outside of these guidelines. This includes disclosing psychotherapy or substance use disorder notes (which we’ll cover later in this article), sharing information with a client’s employer, for some types of research, or when marketing third-party products or services to clients. In all these cases, and more, you would use this authorization form.
What information should be in an Authorization to Use and Disclose Protected Health Information form? The Privacy Rule spells it out in detail.
Authorization to Use and Disclose Protected Health Information
Include:
What is an NPP? It’s a notice that explains your obligations to protect client information under HIPAA and your practice’s privacy policies.
This is one document that many practices either don’t have or don’t execute properly. A 2016-2017 HIPAA audit found that only 2% of audited organizations fully complied with this requirement. (An update to these stats is coming soon. The OCR launched a new round of audits for the 2024-2025 cycle. An industry report summarizing the findings will be released after the audit is complete.)
The NPP must be given to clients before their first appointment, but clients can request another copy at any time. It must also be displayed in a prominent physical location and be published on your website.
Clients are expected to acknowledge that they received their NPPs in writing. You can either include this on your NPP along with space for a signature or create a separate acknowledgement form. And don’t forget to give a copy to your clients!
The US Department of Health and Human Services (HHS) provides customizable templates of this form free of charge.
If you prefer to make your own, don’t skip these critical elements. For more detailed information, check the NPP rules.
Notice of Privacy Practices
Include:
👉 Note: Does your practice treat patients in the fields of reproductive healthcare or substance abuse?
If so, be aware that the HHS has made amendments to HIPAA to set further protections for client data related to reproductive healthcare. Additionally, the HHS has simplified and aligned the protection of patient records related to the treatment of substance abuse disorder. These changes may require specific statements in your NPP.
If you work with clients being treated for substance use disorder (SUD), then in most cases, you’ll need their permission to share any information related to their treatment.
The privacy rules on SUD information (also sometimes referred to as “Part 2”) treat counseling notes differently than other PHI related to SUD.
General information on SUD therapy (not counseling notes) can be shared without written permission in a few ways:
This means you need authorization to share information for treatment, payment for services, or healthcare operations. A 2024 update to the rules made it possible to obtain a single authorization for these purposes.
If you must share general information for another reason (in legal proceedings, for example), you would require a separate authorization.
What about counseling notes? Disclosures for them are even more limited. They can only be shared as follows:
To share counseling notes in another way, use a written authorization.
What should you include in a Use or Disclosure of Substance Use Disorder Information form? It’s similar to the Authorization to Use and Disclose Protected Health Information, but not exactly the same.
Use and Disclosure of Substance Use Disorder Patient Records
Include:
These forms aren’t strictly required by the HIPAA rules, but they are recommended as a good way to support compliance in your practice.
According to the Privacy Rule, clients have the right to ask you to communicate with them in a specific way, as long as the request is reasonable. Why not make it easy for them with a Communication Preferences form?
This is especially helpful if you use email to communicate PHI. Although the HIPAA Privacy Rule does permit you to email clients, explaining the risks and asking them to sign off on using email may be a useful insurance policy.
According to the Privacy Rule, clients may also give you permission to share their PHI with a legal representative or another individual. A Communication Preferences form is a helpful way to capture this information as well.
Communication Preferences Form
Include:
If your client requests less secure methods of communication, such as unencrypted email or text, you may consider using a Request for Non-secure Communication form.
This form outlines the risks to your clients’ PHI (e.g., being intercepted and read by a third party). It also asks the client to acknowledge these risks and give their permission to be contacted using the less secure method(s).
Request for Non-Secure Communication Form
Include:
Another important aspect of the HIPAA Privacy Rule is that clients must be able to complain to you if they feel you have not protected their information appropriately.
Even if you explain how to make a complaint in your NPP, it can also be handy to have a form ready for this purpose. This can make life easier for clients and help you track any complaints you receive.
Complaint Form
Include:
With more clients reaching out online, using a Secure Contact form is an excellent way to keep client information safe, right from the beginning of your relationship.
Going above and beyond with a Secure Contact form shows that you take client privacy seriously. It may also be a solid way to demonstrate your compliance with the HIPAA Security Rule, which governs digital PHI.
A secure contact form should be encrypted to provide an extra layer of protection for PHI. Hushmail’s Secure Contact Form template is a great example. It doesn’t take long to add to a website and is a snap for clients to use.
Using a Secure File Transfer form is a great way to receive digital PHI from other healthcare providers. As long as the form is encrypted, it’s safe to use.
Using this form can help reduce the faxes you receive, including referrals or sensitive client information. And, like the Secure Contact form, it can also help demonstrate HIPAA compliance.
You can share it with others by adding it to your website or pasting a link to the form in an email.
Sure, when you work in healthcare you have to follow a lot of rules, even when it comes to forms. But at the end of the day, it isn’t about the paperwork—it’s about great communication and keeping your clients safe.
Using the right forms at the right times can help protect your clients’ most sensitive information from falling into the wrong hands. It could also help you avoid an OCR investigation or disciplinary actions. Isn’t the extra work worth it in the long run?
Need HIPAA-compliant forms that are ready to go? Hushmail offers secure online forms you can create in minutes with our customizable templates. You can also make your own, or ask us to build one for you!