
How to Make Your Mental Health Practice HIPAA Compliant?

As a mental health provider, you handle a great deal of sensitive patient information every day. You can lock the filing cabinet, put the records in a safe and switch on the alarm, but these measures are only a part of what you should do to protect the data stored in your electronic systems.

Every year brings new cases of compromised health records. When it turns out that the system used by a medical organization was not HIPAA-compliant, the penalties are heavier.

How do you stay on the safe side and protect your system in line with HIPAA? We know how overwhelming it can be to read all the HIPAA rules, let alone implement them in practice and be sure that everything is correct. That is why we, together with our partner Greenice, created this guide: it explains the main requirements and gives you a structured view of how to prevent a data breach.

Why Does Mental Health Practice Need to Comply with HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, signed by President Bill Clinton in 1996. In brief, it is a set of rules that individuals and organizations must follow to protect patient information. The accompanying regulations explain how medical organizations and individuals should handle patient information, what information must be protected, what rights patients have, when information may be disclosed, and so on.


If you handle patient data and bill insurance electronically, you most likely need to be HIPAA-compliant. To be sure, check using the official covered-entity decision tool published by HHS/CMS.

Note that non-compliance alone can lead to a penalty, even if no breach has happened yet. During a government audit or investigation, evidence that data was left unprotected (for example, a logged-in laptop left unattended) can itself be treated as a violation.

By 2019, the HHS Office for Civil Rights (OCR) had resolved over 27,015 cases and collected a total of $102,681,582 in fines. To avoid fines, you need to study the HIPAA rules and implement them in your electronic records solution. The Act is large enough to discourage anyone from starting, so we have turned it into step-by-step instructions that explain what to do to become HIPAA compliant. Let's start with data collection.

How to Correctly Collect Mental Health Data 

Note: Protected Health Information (PHI) is any information held by a covered entity or its business associates about health status, the provision of health care, or payment for health care that can be linked to an individual. When it is stored or transmitted electronically, it is called ePHI.

What does this mean for the data a mental health practice needs to protect? Here are typical examples:

  1. records of the patient's state, behavior, feelings, progress of treatment and the like;
  2. information about the relationship between therapist and patient (appointment scheduling, the list of services provided to the patient, records of online sessions);
  3. medication prescriptions;
  4. email and other electronic communications;
  5. assessments and reports on the patient's state and progress;
  6. psychotherapy notes;
  7. payment amounts and payment details, receipts and invoices; and
  8. backup copies of all stored patient data.

Before setting up a practice, register for a National Provider Identifier (NPI) and an Employer Identification Number (EIN). These two identifiers are issued by the respective government agencies (the NPI by CMS through NPPES, the EIN by the IRS) and are used, respectively, in billing and other standard transactions and in contracts and tax matters involving your employees.

When collecting PHI, stick to the following basic rules:

  1. Do not ask for extra data. Follow the principle "less is more", which HIPAA expresses as the "minimum necessary" standard. The less data you collect, the less can be lost in a breach. If you do not need a piece of personal data to provide your services (for example, address details), do not ask for it.
  2. Ask for the patient's permission. If you are going to use patient data for purposes other than treatment, payment or health care operations (e.g., marketing), you must obtain the patient's written authorization for collecting and processing it.
  3. Create a Notice of Privacy Practices. This document explains to the patient all your conditions for collecting and using PHI: how you collect, store, protect and use it, what the patient's rights are, in which cases the data can be disclosed, what your legal duties are, etc. Keep it short and intelligible, in clear and plain language, so that a patient can quickly read and understand it.

Security of Information

Now that the data is collected, you need to provide secure storage and transfer. Here the HIPAA Security Rule describes Administrative, Physical and Technical safeguards that must be in place. Let's review all of them.

Administrative Safeguards include:

  1. Risk assessment and mitigation. Identify all plausible risks to ePHI and prepare a risk management plan describing how you will mitigate them. Create rules for employees that explain their responsibilities and the consequences of a data breach. Review compliance with these rules regularly.

  2. Security official and privacy officer. These team members are responsible for putting the HIPAA rules into practice. The roles can be filled by one or several people, either assigned to existing employees or outsourced to specialists.
  3. Data access management. Make sure that only authorized people have access to electronic records. Where necessary, separate access roles to provide different levels of data access. Revoke access promptly when an employee leaves the organization.
  4. Employee security. All employees should be instructed on how to apply the security measures, and regularly trained and reminded of them.
  5. Security incident procedures and contingency plan. Create a step-by-step guide on what to do in case of an attempted or successful unauthorized access to data. Create a document covering what to do in an emergency, e.g., a power outage; it should include data backup rules and a disaster recovery plan. Test and revise these procedures from time to time.
  6. Testing, reassessment and evaluation. All of the above measures should be regularly reviewed for HIPAA compliance by the Security Officer.

Physical safeguards include:

  1. Facility Access Controls. Make sure that only authorized people have access to facilities and equipment: computers are kept in locked rooms, every employee has a personal ID and does not share passwords, and the people responsible for disaster recovery have access to all the facilities they need.

  2. Workstation Use. By workstation we mean any device used in your practice: PC, laptop or smartphone. Every device containing sensitive data should be securely protected and allow authorized access only.
  3. Device and Media Controls. There should be rules on how all hardware that stores ePHI (hard drives, memory cards, CDs) is managed and disposed of when no longer needed. Also define when ePHI must be backed up, and where the backups are kept.

Technical safeguards include:

  1. Access Control. On the technical side, access control means measures such as assigning a unique username and password to every user, implementing automatic logoff after a period of inactivity, and an emergency access procedure so that the person responsible for data recovery can reach ePHI when needed;

  2. Audit Controls. Log all interactions with ePHI in your systems and review these logs regularly, so that you can quickly notice unusual behavior, and so that the logs can show whether or not your employees were at fault in case of a breach;
  3. Integrity. Protect the integrity of ePHI with measures that prevent unauthorized change or deletion of data, including firewalls, anti-malware and data encryption;
  4. Transmission Security. Transfer sensitive data only over encrypted, secure channels.
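As an added illustration of the Audit Controls and Integrity points above (example code written for this edit, not code from the original article or from any vendor's product), the following Python builds a tamper-evident, hash-chained audit log of ePHI access events and runs a simple review rule over it. The key, user IDs, record IDs and timestamps are constructed sample values; the class and function names are this example's own.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for this example only. In a real deployment the
# key must be held by the log-collecting service (or a KMS/HSM), not by the
# application whose users' actions are recorded, or an insider with the key
# could rewrite history.
SAMPLE_KEY = b"example-audit-key-do-not-use-in-production"

GENESIS = "0" * 64  # "previous hash" for the very first record


class AuditLog:
    """Append-only, hash-chained audit log of ePHI access events.

    Each record carries an HMAC over (previous record's hash, canonical JSON
    of the event), so editing, reordering or deleting an earlier record
    breaks the chain and verify() reports the index where it breaks.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _digest(self, prev_hash: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_hash.encode() + b"\n" + payload,
                        hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, record_id: str, outcome: str, ts: str) -> None:
        event = {
            "seq": len(self.records),
            "ts": ts,             # ISO 8601, passed in by the caller so the example is deterministic
            "actor": actor,       # unique user ID: HIPAA access control forbids shared accounts
            "action": action,     # read / update / export / ...
            "record_id": record_id,
            "outcome": outcome,   # "ok" or "denied"
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def head(self) -> str:
        """Hash of the newest record. Store it out-of-band to detect tail truncation."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index); on failure, index is the first broken record.

        expected_head is a head() value saved earlier; if the chain ends on a
        different hash, records were removed from the tail or replaced.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["event"]["seq"] != i or rec["prev"] != prev:
                return False, i
            if not hmac.compare_digest(rec["hash"], self._digest(rec["prev"], rec["event"])):
                return False, i
            prev = rec["hash"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.records)
        return True, len(self.records)


def flag_for_review(log: AuditLog, business_hours=(8, 18)) -> list:
    """Periodic-review rule: denied attempts and after-hours access to ePHI."""
    flagged = []
    for rec in log.records:
        ev = rec["event"]
        hour = int(ev["ts"][11:13])
        if ev["outcome"] == "denied" or not (business_hours[0] <= hour < business_hours[1]):
            flagged.append(ev["seq"])
    return flagged


def build_sample_log() -> AuditLog:
    """Constructed sample events; no real patients or staff."""
    log = AuditLog(SAMPLE_KEY)
    log.append("dr.ivanova", "read", "patient-1042", "ok", "2024-03-04T10:15:00")
    log.append("dr.ivanova", "update", "patient-1042", "ok", "2024-03-04T10:22:00")
    log.append("reception.02", "read", "patient-1042", "denied", "2024-03-04T11:03:00")
    log.append("dr.ivanova", "export", "patient-0777", "ok", "2024-03-04T23:41:00")
    return log


def demo():
    log = build_sample_log()
    head = log.head()                                   # saved to a separate system in practice
    intact = log.verify(head)                           # (True, 4)
    log.records[1]["event"]["actor"] = "reception.02"   # insider rewrites who made the update
    edited = log.verify(head)                           # (False, 1)
    log = build_sample_log()
    del log.records[2]                                  # someone removes the denied attempt
    deleted = log.verify(head)                          # (False, 2)
    log = build_sample_log()
    log.records.pop()                                   # tail truncation: the chain alone looks fine
    truncated_unanchored = log.verify()                 # (True, 3)
    truncated_anchored = log.verify(head)               # (False, 3)
    return intact, edited, deleted, truncated_unanchored, truncated_anchored, flag_for_review(build_sample_log())


if __name__ == "__main__":
    print(demo())
```

Two caveats the demo makes visible: a hash chain on its own does not detect removal of the newest records, so the current head hash has to be recorded somewhere the application cannot overwrite; and whoever holds the HMAC key can forge the chain, so the key belongs with the log collector, not with the system being audited. This is one building block of the Audit Controls and Integrity safeguards, not a substitute for the policies, reviews and access controls described above.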

When You Can Disclose the Data

Although HIPAA is about preventing improper disclosure, in practice you will face many situations where you have to disclose data. For example, family members may ask about a relative's condition and treatment, or government authorities may demand disclosure.

How to do it without breaking the law? Here are the key aspects.

Patient's permission:

  1. In most cases, you need the patient's permission to disclose data, whether to relatives or to third parties (e.g., other clinics);

  2. If a patient is unable to give permission, you decide, using professional judgement, whether disclosing the information is in the patient's interest or could cause harm;
  3. Disclosing your psychotherapy notes also requires the patient's authorization. At the same time, the patient cannot compel you to disclose psychotherapy notes against your will or without your authorization;
  4. You do not need permission to share information for payment and billing, or to consult another professional about the patient's treatment; and
  5. In group therapy, discussing a participant's PHI in front of the other participants does not require a separate authorization.


Business Associate Agreement:

By using SaaS software such as a CRM, EHR or EMR, you give the vendor of the solution access to the data. You need to sign a Business Associate Agreement with them to ensure non-disclosure of the PHI in your possession and their compliance with HIPAA.

Remember, you remain primarily responsible to your patients for the data you collected from them. Misconduct by a service provider that you did not bind with appropriate contractual safeguards becomes your problem.

Necessary disclosure:

You have to disclose protected health information in the following cases:

  1. disclosure is required by law;
  2. disclosure is required by a court order or an official inquiry;
  3. for public health activities (e.g., reporting domestic violence or child abuse); and
  4. for the patient's workers' compensation claim.

Should this happen, you can do it without obtaining additional authorizations from the patients.

How to report a data breach

If data was unlawfully disclosed or compromised, you have to notify the following parties after discovering the breach:

  1. Affected patients – without unreasonable delay and no later than 60 days after discovery;
  2. The U.S. Department of Health and Human Services (HHS) – within the same 60 days if the breach affects 500 or more individuals; smaller breaches may be logged and reported annually, within 60 days after the end of the calendar year, through the HHS breach reporting portal; and
  3. Prominent media outlets serving the State or jurisdiction – within 60 days, if the breach affects more than 500 residents of that State or jurisdiction; HHS also publishes such breaches on its website.

How to Apply This to Your Practice

We understand that this topic is too large to cover in a few pages, and it is always better to go deeper into the official documents. Now, at least, the volume and legal language of the Act should no longer put you off.

Many parts of the legislation overlap. The main points are to work out your disclosure rules, your security measures, and your plans for emergencies and data breaches, so that you can quickly contain the consequences. To get a more profound understanding, good advice at the intersection of technology and law can help you out. This is why we partnered with Greenice to create end-to-end solutions where both technical and legal expertise is required.

Greenice is a web development team with substantial experience in building custom medical software. They specialize in solutions that are secure and tailored to the exact needs of their clients.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, medical, or other advice.

Vlad Nekrutenko, Privacy Lawyer at Legal Nodes

Kateryna Reshetilo, Head of Marketing at

