Zur Institute

Updated to include the 2016 changes to the Security Rule, Electronic Health Records, ICD-10, and other areas.
Table of Contents

Introduction to the Kit

Disclaimer, Copyrights, and Liability Statements

Introduction to 8th Edition

List of abbreviations

Section I: How to Use This Kit

1. What is the goal of the Kit?

2. How is the Kit organized & what terminology does it use?

3. How can I best use this Kit?

4. What this Kit is not

Section II: HIPAA - The Basics

5. Generally, what is HIPAA?

6. What is a Covered Entity (CE) and am I one?

7. Do I need to comply even if I do not own a computer?

8. What does "scalable compliance" mean for me?

9. What is and who is the Privacy Officer in a solo, private practice?

10. How easy is it to become compliant?

11. What are the basic requirements for compliance?

12. What is Protected Health Information?

13. What happens if I did not meet any or some of the original deadlines?

14. What are the Privacy Rule and the Security Rules?

15. What is the Breach Notification Rule?

16. What can trigger the Privacy Rule or HIPAA compliance audit?

17. What will happen if I do not comply with HIPAA?

18. What does HIPAA not do?

19. What do we not yet know about HIPAA?

Section III: The Privacy Rule: Consents, Notice & Releases

20. What is the HIPAA Privacy Rule?

21. What do I need to know about consents and authorizations?

22. What is TPO?

23. What about the consent for TPO?

24. Can a patient revoke his/her consent for TPO?

25. If a patient revokes his consent for TPO, can the therapist still be paid?

26. What about the federal amendment to consent for TPO?

27. What are the issues around authorizations?

28. Which basic forms must I have?

29. What is compound authorization?

30. When is neither consent nor authorization required?

31. What about HIPAA's Notice of Privacy Practices?

32. Should I post the Notice on my website or send it electronically?

33. What about patients' rights to request privacy?

34. If I have an Informed Consent, do I also need a HIPAA consent?

35. What is the difference between "use" and "disclosure"?

36. How do I deal with the judicial system and administrative proceedings?

37. How do I deal with law enforcement agencies?

38. What about disclosure where there is a threat or danger?

39. What rights do patients have to access their records?

40. When do patients NOT have the right to access their records?

41. What is the time frame for a patient's request to review his/her records?

42. Must patients pay for copies they request?

43. What rights do patients have to amend their records?

44. What about minors' records?

45. What about consultation?

46. Can a therapist disclose records created by other providers?

47. What about disclosures for research purposes?

48. What are the considerations surrounding substance abuse disclosures?

49. What are the considerations for an account of disclosures?

50. What is the "need to know" requirement?

51. What is the "minimum necessary" requirement?

52. Can therapists disclose to their professional liability insurance?

53. Does the Privacy Rule create a government database of individuals?

54. Can therapists call out the names of patients in their waiting rooms?

55. What about disclosure to collection agencies?

56. Can clearinghouses and health plans use PHI?

57. Can one have joint consents?

58. Can one have combined consents?

59. What are re-disclosures?

60. What is a Disclosure Record?

61. What does de-identifying mean?

62. What are limited data sets?

63. What does HIPAA say about marketing?

Section IV: Records & Access

64. How is therapist-patient privacy protected?

65. What about keeping two sets of records?

66. What are Psychotherapy Notes?

67. What do the Psychotherapy Notes include?

68. What is excluded from the Psychotherapy Notes?

69. Can I see an example of the two types of notations?

70. Do individuals have a right to review their Psychotherapy Notes?

71. Do managed-care companies have the right to review Psychotherapy Notes?

72. Does Medicare have the right to review the Psychotherapy Notes?

73. What about sharing Psychotherapy Notes with other treating clinicians?

74. Can a client authorize disclosure of the Psychotherapy Notes?

75. Can Psychotherapy Notes be disclosed without the patient's authorization?

76. What is the Supreme Court 1996 Jaffee v. Redmond decision all about?

77. What about re-disclosure of Psychotherapy Notes?

Section V: HIPAA and Insurance Billing

78. What about uniformity of electronic claims?

79. Which ICD, DSM or CPT codes are required under HIPAA?

80. Does HIPAA mandate therapists to use electronic claims?

81. What are my general choices in regard to billing?

82. What is the role of a clearinghouse?

83. What about the identification standards and what is NPI?

Section VI: The Security Rule

84. What is HIPAA's Security Rule?

85. What are the differences between the Privacy and Security Rules?

86. What is the good news about the Security Rule?

87. What are the three elements of the Security Rule?

88. How about protection from disasters?

89. What is included in Risk Analysis?

90. What is included in Risk Management?

91. What needs to be included in the Security Policies and Procedures Manual?

Section VII: HIPAA Business Associates

92. What is a HIPAA Business Associate (BA)?

93. What is a Business Associate Agreement, or "BAA"?

94. Who isn’t a BA?

95. What legal protections does a BA provide for me?

96. What about the conduit exception?

97. What about financial institutions?

98. What about client consent to waive the BAA requirement?

Section VIII: The Breach Notification Rule

99. What is the Final Breach Notification Rule?

100. How do I assess when a breach has happened?

101. What about the safe harbor in the Final Breach Notification Rule?

Section IX: HIPAA and Offices

102. What does HIPAA require of office staff? Building staff?

103. How shall I physically arrange my office so I stay HIPAA compliant?

104. What about general computer security and protection?

105. What about general smart phone and tablet security and protection?

106. What do I need to consider regarding phones and phone messages?

107. What do I need to consider regarding WiFi?

108. What do I need to consider regarding fax machines?

109. What do I need to consider regarding copiers, scanners, and printers?

110. Does HIPAA allow home offices?

Section X: HIPAA and Personal Devices and Spaces

111. Can I use my personal devices in my practice?

112. What about protecting my computer, smart phone, or tablet that is used for both work and personal needs?

113. What about WiFi?

114. Do I have to have a locked room in my home for work devices?

Section XI: HIPAA and Internet-Based ("Cloud") Services

115. What is a "web browser?"

116. What is a "cloud" service?

117. What is my role in the security of my "cloud" services?

118. What do I need to consider regarding security of email and texting with clients?

119. What do I need to consider regarding security of email and texting with colleagues and others besides clients?

120. What about email signatures?

Section XII: HIPAA and Your Online Presence

121. Does HIPAA allow me to have a presence on social media?

122. What does HIPAA require for websites?

123. Can I post forms for clients on my website?

124. Can I post helpful materials for clients on my website?

125. What do I need to consider regarding communication with clients via social networking sites?

Section XIII: HIPAA and Electronic Health Records

126. What is the difference between EHR and EMR?

127. Does HIPAA require me to use electronic records?

128. What does HIPAA require me to do to protect electronic records?

129. Does HIPAA have special rules for electronic records?

Section XIV: HIPAA and Online Therapy/Telemental Health

130. How does HIPAA address online therapy/telemental health?

131. What does HIPAA require for online video software like Skype?

132. What about the conduit exception?

Section XV: HIPAA, Ethics, Preemption Analysis and State Law

133. What is the preemption analysis?

134. Under what conditions does HIPAA preempt state law?

135. What happens when state law conflicts with HIPAA?

136. What happens when state law and HIPAA are not comparable?

137. What is the relationship between HIPAA & the Codes of Ethics?

Section XVI: HIPAA and California Law

138. What are the relationships between HIPAA and California law?

139. Can you provide me with examples of HIPAA regulations that preempt California laws?

140. What are some of the instances where California laws preempt HIPAA?

141. Where can I find online resources for implementing HIPAA in California?

Section XVII: Ready-to-Adapt Forms

Form I: HIPAA Compliance Checklist

Form II: HIPAA Notice of Privacy Practices

Form III: Authorization to Release Information

Form IV: Request for Amendment of Health Information

Form V: Tracking of Releases

Form VI: Account of Disclosures

Form VII: Denial of Access to PHI

Form VIII: Denial of Request for Amendment

Form IX: Complaint Form

Form X: Acknowledgment of Receipt of Notice

Form XI: Breach Assessment

Form XII: Authorization/Consent to use unencrypted e-mail and text

Form XIII: Patient's Right for Confidential Communications

Form XIV: Patient Request for Restriction on Use and Disclosure of PHI

Section XVIII: Risk Analysis Resources

Section XIX: HIPAA Updates


© 1997-2018 Zur Institute, Inc. All rights reserved.