HIPAA for therapy staff


Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is a requirement for almost all therapy and rehabilitation providers. Its rules protect client privacy and confidentiality, which are also the pillars of the ethical guidelines for every licensed therapist.

Summary

  • All administrative staff who handle protected health information (PHI) must follow HIPAA regulations and receive proper training to maintain compliance.

  • Phone calls, e-mails, texts, and in-office conversations must meet HIPAA standards. PHI should be transmitted only through tools whose vendor has signed a Business Associate Agreement (BAA), such as a HIPAA-compliant EHR.

  • Both digital and physical records must be stored securely and disposed of properly. Administrative staff must also verify signed releases before sharing client information.

  • Even unintentional HIPAA violations can lead to fines, job loss, or legal action. Staff must report potential breaches to the designated HIPAA compliance officer immediately.



Not every clinician works alone, though. Many therapists have support staff who assist with scheduling, billing, and other administrative tasks. Do these staff members also need to comply with HIPAA regulations? Do they need to take the same precautions as therapists, or are there special rules for how they interact with protected health information (PHI)?

Let’s examine what HIPAA requires and what therapy staff need to do to stay compliant.

What is HIPAA?

HIPAA is a federal law that sets national standards for protecting medical records and other protected health information (PHI). It applies to covered entities, meaning health plans, clearinghouses, and providers who transmit health information electronically for standard transactions such as insurance claims, and to their business associates. A therapist who bills insurance electronically is a covered entity, and every member of that practice’s workforce, including support staff, must follow the practice’s HIPAA policies.

Therapists who are not covered entities (for example, a cash-only practice that never transmits claims electronically) are still bound by state privacy laws and their licensing board’s ethics code, and will generally want to adopt HIPAA standards as the baseline for best practice.

Why is HIPAA in therapy important?

Every therapist and staff member has the ethical obligation to protect the confidentiality of their clients. Maintaining client privacy helps establish trust and builds the rapport necessary to conduct effective therapy. Clients must trust their therapists if they are expected to share sensitive information and be emotionally vulnerable. By following HIPAA therapy guidelines, therapists ensure they are taking the necessary steps to protect client confidentiality.

What is PHI?

PHI, or protected health information, is health information (about a person’s condition, treatment, or payment for care) that identifies the person or could reasonably be used to identify them, and that is created, received, or held by a covered entity or business associate. Obvious identifiers include a name, address, date of birth, and Social Security number.

Less obvious identifiers include a client’s e-mail address, a URL to their personal website, and the IP address of the computer they used for a session. The mere fact that a person is a client of the practice is PHI. PHI exists in every form of communication, whether written, electronic, or verbal. Clients can sign a written authorization to release PHI to other parties, including family members and other professionals involved in their care.




Key components of HIPAA therapy

HIPAA has three main rules that matter day to day: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Privacy Rule

The Privacy Rule protects health records and PHI by regulating how therapists and their staff may use and disclose client information; for example, most disclosures outside of treatment, payment, and practice operations require the client’s written authorization. A central part of the Privacy Rule is the “minimum necessary” standard, which requires therapists and staff to limit the PHI they use, request, or disclose to what is reasonably needed for the purpose at hand. (The standard does not apply to disclosures to another provider for treatment, to the client themselves, or to disclosures the client has authorized.)

Security Rule

The Security Rule protects electronic PHI (ePHI) through administrative safeguards (policies, workforce training, risk analysis), physical safeguards (locked offices, device and media controls), and technical safeguards (unique user logins, automatic logoff, audit logs, encryption). The goal is to prevent unauthorized access to client data and to preserve its confidentiality, integrity, and availability. There is no government “HIPAA approval” for software; a platform is suitable for virtual sessions, document storage, and client communication when its vendor implements these safeguards and signs a Business Associate Agreement (BAA) with the practice.

Breach Notification Rule

The Breach Notification Rule requires the practice to notify each individual whose unsecured PHI has been breached without unreasonable delay, and no later than 60 days after the breach is discovered. Clients must be notified in writing by first-class mail, or by e-mail if the client has agreed to electronic notice. The practice must also notify the Secretary of Health and Human Services through the breach reporting form on the HHS website: within the same 60 days if 500 or more individuals are affected (which also requires notifying prominent media outlets), or in an annual log submitted within 60 days after the end of the calendar year for smaller breaches. Whether an incident is a reportable breach is decided by a documented risk assessment of four factors: the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated. Encrypted data that is lost without the key being exposed is not “unsecured” PHI and does not trigger notification, which is one practical reason to encrypt laptops and phones. Examples of HIPAA violations in a therapy setting include leaving a client’s record open on an unattended screen, posting client PHI on social media, and conducting a virtual session on a video platform whose vendor has not signed a BAA.

HIPAA and therapy staff

Both the law and best practice require therapy staff to adhere to HIPAA regulations. Therapists should take the following considerations into account when ensuring HIPAA compliance among staff:

Training

Therapy staff who have access to PHI must be trained on the practice’s HIPAA policies when they are hired and whenever those policies change, and the Security Rule requires an ongoing security awareness program; an annual refresher is the common standard and is what auditors generally expect. Both Easy Llama and teachmehipaa offer extensive online training for therapy organizations. If you want comprehensive resources about HIPAA, two good places to start are the United States Department of Health and Human Services and the HIPAA Journal.

Each therapy practice or agency must designate a privacy official and a security official; in a small practice this is usually one person, the HIPAA compliance officer. This person is appointed by the head of the organization and is responsible for making sure all staff receive HIPAA training, that policies are followed, and that potential breaches are investigated and documented.

Communication of HIPAA

Office staff frequently communicate with clients about scheduling, billing, and other matters. Those methods of communication must adhere to HIPAA standards.

E-mail and text

E-mail and texting are not inherently HIPAA-compliant. A consumer e-mail account from Google or Yahoo, for example, comes with no Business Associate Agreement and no guarantee that messages are encrypted from sender to recipient, so it should not be used to send PHI. (Business-tier services such as Google Workspace can be used once the vendor has signed a BAA and the account has been configured for it.)

Similarly, standard SMS texting travels unencrypted through the carriers and does not meet the Security Rule’s transmission standards. Certain e-mail and texting services are built for healthcare use, sign a BAA, and encrypt messages in transit and at rest (e.g., MailHippo, Hushmail, Klara).

You may send texts and e-mails that contain no PHI, but be careful about what counts: a message that names the client and the practice reveals that the person is receiving therapy, which is itself PHI. HHS does permit unencrypted e-mail with a client who has been warned of the risks and still prefers it; that choice should be documented in the client’s file. Most practice management software, including TheraPlatform, includes HIPAA-compliant secure messaging, which is the simplest way to keep staff communication inside the compliant boundary.

Phone calls

Therapy staff still use the phone for many interactions. Before discussing anything about a client, the staff member must confirm that the caller is someone the practice is authorized to speak with, and should verify identity by asking for details on file (such as date of birth) rather than reading those details out to the caller. Calls should be as brief as possible, and the minimum necessary standard applies. If clients, family members, or insurance companies want to discuss sensitive clinical information, staff can refer them to the appropriate therapist. Physical offices should be arranged so that phone calls cannot be easily overheard by other clients or unauthorized personnel.




Office talk

Therapy staff in office environments talk with therapists and other staff throughout the day. They should never discuss PHI except for professional purposes, and even then should keep their voices low and move out of earshot of the waiting room so that other clients and visitors cannot overhear.

Maintaining records and HIPAA therapy

Storing and disposal of electronic records

Most therapists now store client information digitally, and many services provide HIPAA-compliant ePHI storage. Dropbox and Google Drive can be used, but only on business plans where the vendor signs a Business Associate Agreement; a personal Dropbox or Google account does not qualify. Most practice management platforms include compliant storage. When disposing of electronic records, HHS guidance (which follows NIST Special Publication 800-88) calls for clearing (overwriting the data), purging (for example degaussing, or a drive’s built-in sanitize or cryptographic-erase command), or physically destroying the media. Dragging a file to the trash or quick-formatting a drive does not remove the data.
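To make the difference between deletion and clearing concrete, here is a small added example, written for this page rather than taken from the article or from any product. It models a disk as a flat byte array with a directory of filenames; the disk layout, the filename, and the client record are all constructed for illustration. Deleting a file only removes its directory entry, so a raw scan of the disk (what a recovery tool does) still finds the record, while clearing overwrites the bytes before unlinking:

```python
# Added example: why "simple deletion" is not disposal.
# ToyDisk is a deliberately simplified filesystem model (constructed for this
# page): file bytes live in one flat byte array and a directory maps each
# filename to (offset, length). Deleting drops the directory entry only; clearing
# overwrites the bytes first, which is the NIST SP 800-88 "clear" technique.

DISK_SIZE = 4096


class ToyDisk:
    def __init__(self, size: int = DISK_SIZE) -> None:
        self.blocks = bytearray(size)   # raw storage, zero-filled
        self.directory: dict[str, tuple[int, int]] = {}
        self.next_free = 0

    def write(self, name: str, data: bytes) -> int:
        """Append a file's bytes and record where they live."""
        if self.next_free + len(data) > len(self.blocks):
            raise OSError("disk full")
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free += len(data)
        return off

    def delete(self, name: str) -> None:
        """'Simple deletion': forget the name, leave every byte in place."""
        del self.directory[name]

    def clear(self, name: str, passes: int = 1) -> None:
        """'Clear': overwrite the file's blocks, then remove the entry."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + length] = bytes(length)  # zero the region
        del self.directory[name]

    def carve(self, pattern: bytes) -> bool:
        """What a recovery tool does: scan raw blocks, ignoring the directory."""
        return bytes(self.blocks).find(pattern) != -1


# Constructed sample record (not real PHI).
RECORD = b"Client: Jane Q. Sample; DOB 1980-01-01; Dx: anxiety; seen 2024-03-05"


def simple_delete_leaves_phi() -> bool:
    """True if the record is still carvable after an ordinary delete."""
    disk = ToyDisk()
    disk.write("intake.txt", RECORD)
    disk.delete("intake.txt")
    return "intake.txt" not in disk.directory and disk.carve(b"Jane Q. Sample")


def clear_removes_phi() -> bool:
    """True if the record is gone from the raw blocks after clearing."""
    disk = ToyDisk()
    disk.write("intake.txt", RECORD)
    disk.clear("intake.txt")
    return "intake.txt" not in disk.directory and not disk.carve(b"Jane Q. Sample")


if __name__ == "__main__":
    print("PHI recoverable after simple delete:", simple_delete_leaves_phi())
    print("PHI recoverable after clear:", not clear_removes_phi())
```

The model is intentionally simple. On a real machine, filesystem journals, snapshots, and backups keep extra copies, and SSDs remap blocks under wear levelling so an overwrite may never touch the original cells. That is why the HHS guidance treats overwriting as “clearing” and points to purging (the drive’s sanitize or cryptographic-erase command, or degaussing for magnetic media) or physical destruction for any device that held PHI and is leaving the practice.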

Physical records

Although most offices have gone digital, some still keep physical documentation. HIPAA does not prescribe a particular lock arrangement, but the usual standard is “double lock and key”: records in a locked cabinet inside a locked room, with keys limited to the staff who need them. Paper records should be cross-cut shredded (or placed in a locked shred bin for a contracted disposal vendor) rather than thrown away intact.

Request for disclosure

Administrative staff frequently handle requests for disclosure, especially when clients want access to their own records or want records sent to other professionals. Before releasing anything, staff must confirm that a valid, signed release of information is on file: it should name who may receive the records, what information is covered, the purpose, and an expiration date or event, and it must not have been revoked.

Staff should also confirm with the therapist exactly what will be shared. Psychotherapy notes (the therapist’s private session notes kept separate from the clinical record) require a separate, specific authorization and are excluded from a client’s right of access, so a release for “the record” does not cover them. Clients do have a right to the rest of their record, and the practice generally must respond within 30 days of the request.

HIPAA breaches

A staff member’s violation of HIPAA standards should be treated with the utmost seriousness. Most violations are unintentional, but the Office for Civil Rights (OCR) can impose civil penalties that are tiered by level of culpability, run to tens of thousands of dollars per violation (the amounts are adjusted annually for inflation), and are capped per calendar year for each provision violated; knowing misuse of PHI can also be prosecuted criminally by the Department of Justice. Common staff violations include gossiping about a client, talking loudly on the phone where people in the waiting room can hear, and improper disposal of electronic records (e.g., simply deleting a file).

Staff should report any potential breach to the organization’s HIPAA compliance officer immediately; the 60-day notification clock starts when the breach is discovered, and a practice is treated as knowing whatever any of its workforce members know. Depending on the severity of the behavior, the staff member may be internally reprimanded or even fired. Intentional acts, such as concealing a data breach, are met with more severe consequences.

Therapy staff are integral to HIPAA compliance

Administrative staff are the lifeblood of any therapy practice. Their duties differ from therapists’, but as far as HIPAA is concerned they are held to the same privacy standards. Therefore, therapy staff must receive comparable HIPAA training and support, and breaches of HIPAA compliance must be handled consistently for therapists and staff alike. HIPAA applies to every employee who handles client PHI, and because administrative staff touch the most records day to day, they are central to keeping a practice compliant.






References

Alder, S. (2024, September 2). What is HIPAA? The HIPAA Journal. https://www.hipaajournal.com/what-is-hipaa

Compliancy Group. (n.d.). What is protected health information (PHI) & how do I protect it? https://compliancy-group.com/protected-health-information-understanding-phi

U.S. Department of Health and Human Services. (n.d.). Submitting notice of a breach to the Secretary. Health Information Privacy. https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Frequently asked questions about the disposal of protected health information. https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
