Electronic Records Disclosure

I keep and store records for each client in a record-keeping system produced and maintained TherapyNotes, LLC. This system is “cloud-based,” meaning the records are stored on servers, which are connected to the internet. Here are the ways in which the security of these records is maintained:

I have entered into a HIPAA Business Associate Agreement with TherapyNotes, LLC. Because of this agreement, TherapyNotes, Inc. is obligated by federal law to protect these records from unauthorized use or disclosure.

The computers on which these records are stored are kept in secure data centers, where various physical security measures are used to maintain the protection of the computers from physical access by unauthorized persons.

TherapyNotes, LLC employs various technical security measures to maintain the protection of these records from unauthorized use or disclosure.

TherapyNotes, LLC is deeply invested in keeping your records safe and secure. They take extraordinary security measures to protect your data that are often outside of the capabilities of the average person, decreasing worry about potential threats to data. Here’s how each of their technical safeguards and powerful security features help protect records from malware, hackers, natural disasters, and catastrophe.

  • Their HIPAA-compliant software verifies that the physical and technical safeguards they implement satisfy the requirements outlined in the HIPAA Privacy Rule and HIPAA Security Rule
  • A strong SSL encryption ensures secure communications between their web servers and my web browser
  • An extended validation (EV) certificate displays their company name (TherapyNotes, LLC) and country of origin (US) in green in my address bar to give you confidence that you’re in the right place
  • A SAS 70 Type II audited data center employs internal controls such as risk assessment procedures and monitoring processes to ensure the security of their IT infrastructure, data storage, and data processing
  • Their fully-encrypted database protects data from unauthorized access
  • Powerful firewalls guard their servers against untrusted networks and protect their software from misuse
  • Regular onsite and offsite backups ensure that data is always safe and accessible
  • Automatic updates ensure that I am always using the latest version of TherapyNotes with the most up-to-date security features
  • An activity log keeps track of every action taken in my TherapyNotes account to aid in security, auditing, and staff accountability

I have my own security measures for protecting the devices that I use to access these records:

  • On computers, I employ firewalls, antivirus software, passwords, and disk encryption to protect the computer from unauthorized access and thus to protect the records from unauthorized access.
  • With mobile devices, I use passwords, remote tracking, and remote wipe to maintain the security of the device and prevent unauthorized persons from using it to access my records.

Here are things to keep in mind about my record-keeping system:

While my record-keeping company and I both use security measures to protect these records, their security cannot be guaranteed.

Some workforce members at TherapyNotes, LLC, such as engineers or administrators, may have the ability to access these records for the purpose of maintaining the system itself. As a HIPAA Business Associate, TherapyNotes, LLC is obligated by law to train their staff on the proper maintenance of confidential records and to prevent misuse or unauthorized disclosure of these records. This protection cannot be guaranteed, however.

My record-keeping company keeps a log of my transactions with the system for various purposes, including maintaining the integrity of the records and allowing for security audits. These transactions are kept for a period of five years.

NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY. 

Your health record contains personal information about you and your health. State and federal law protects the confidentiality of this information. “Protected health information” (PHI) is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.

THIS NOTICE This Notice of Privacy Practices describes how Nan Long and RelationSkills, LLC may use and disclose your protected health information (“PHI”) in accordance with all applicable law. It also describes your rights regarding how you may gain access to and control your PHI. I am required by law to maintain the privacy of PHI and to provide you with notice of my legal duties and privacy practices with respect to PHI. I am required to abide by the terms of this Notice of Privacy Practices. I will notify you promptly if a breach occurs that may have compromised the privacy or security of your information. I reserve the right to change the terms of the Notice of Privacy Practices at any time. Any new Notice of Privacy Practices will be effective for all PHI that I maintain at that time. I will make available a revised Notice of Privacy Practices upon request, in my office, and on my website www.relationskills.com.

YOUR RIGHTS REGARDING YOUR PHI  You have the following rights regarding PHI that RelationSkills, LLC, maintains about you:

Right of Access to Inspect and Copy or Request an Electronic Copy. You have the right, which may be restricted only in certain limited circumstances (e.g. where there is compelling evidence that access would cause serious harm to you), to inspect and copy PHI that may be used to make decisions about your care. I may charge a reasonable, cost-based fee for copies.

Right to Amend. If you feel that the PHI I have about you is incorrect or incomplete, you may ask me to amend the information although I am not required to agree to the amendment.

Right to an Accounting of Disclosures. You have the right to request a copy of the required accounting of disclosures that I make of your PHI. I may charge you a reasonable fee if you request more than one accounting in any 12-month period.

Right to Request Restrictions. You have the right to request a restriction or limitation on the use of your PHI for treatment, payment, or health care operations. I am not required to agree to your request.

Right to Request Confidential Communication. You have the right to request that I communicate with you about medical matters in a certain way or at a certain location. I will accommodate reasonable requests and will not ask why you are making the request.

Right to a Copy of this Notice. You have the right to a paper copy of this notice.

Right to choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. I will make sure the person has this authority and can act for you before I take any action.

Right of Complaint. You have the right to file a complaint in writing with RelationSkills, LLC or with the Secretary of Health and Human Services if you believe I have violated your privacy rights. I will not retaliate against you for filing a complaint.

MY USE AND DISCLOSURES OF PHI FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS 

Treatment. Your PHI may be used and disclosed by me for the purpose of providing, coordinating, or managing your health care treatment and any related services. This includes consultation with clinical supervisors or other treatment team members. I may disclose PHI to any other unaffiliated consultant only with your authorization.

Payment. I will not use your PHI to obtain payment for your health care services without your written authorization. Examples of payment-related activities are: making a determination of eligibility or coverage for insurance benefits, processing claims with your insurance company, reviewing services provided to you to determine medical necessity, or undertaking utilization review activities.

Healthcare Operations. I may use or disclose, as needed, your PHI in order to support the business activities of my professional practice including, but not limited to, quality assessment activities, health education, employee review activities, reminding you of appointments, to provide information about treatment alternatives or other health related benefits and services, licensing, and conducting or arranging for other business activities. I may share your PHI with third parties that perform various business activities, provided I have a written contract with the business that requires it to safeguard the privacy of your PHI.

OTHER USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION OR OPPORTUNITY TO OBJECT 

Required by Law. I may use or disclose your PHI to the extent that the law requires the use or disclosure, made in compliance with the law, and limited to the relevant requirements of the law. Examples are public health reports and law enforcement reports. I also must make disclosures to the Secretary of the Department of Health and Human Services for the purpose of investigating or determining my compliance with the requirements of the Privacy Rule.

Abuse or Neglect. I may disclose your PHI to a state or local agency that is authorized by law to receive reports of abuse or neglect. However, the information that I disclose is limited to only that information necessary to make the initial mandated report. I may disclose PHI regarding deceased patients for the purpose of determining the cause of death, in connection with laws requiring the collection of death or other vital statistics, or permitting inquiry into the cause of death.

Research. I may disclose PHI to researchers if: (a) an Institutional Review Board reviews and approves the research and an authorization or a waiver to the authorization requirement; (b) the researchers establish protocols to ensure the privacy of your PHI; and (c) the researchers agree to maintain the security of your PHI in accordance with applicable laws and regulations.

Threat to Health or Safety. I may disclose PHI when necessary to prevent a serious threat to your health and safety or the health and safety to the public or another person.

Criminal Activity on My Business Premises. I may disclose your PHI to law enforcement officials if you have committed a crime on my premises.

Compulsory Process. I will disclose your PHI if a court of competent jurisdiction issues an appropriate order. I will disclose your PHI if both you and I have been notified in writing at least fourteen day in advance of a subpoena or other legal demand, and no protective order has been obtained, and I have satisfactory assurances that you have received notice of an opportunity to have limited or quashed the discovery demand.

Uses and Disclosures of PHI With Your Written Authorization  Other uses and disclosures of your PHI will be made only with your written authorization. You may revoke this authorization in writing at any time, unless I have taken an action in reliance on the authorization of the use or disclosure you permitted, such as providing you with health care services for which I must submit subsequent claim(s) for payment.

Contact Information  If you have any questions about this Notice of Privacy Practices, please contact me at: RelationSkills, LLC, Nan Long, LPC, 11307 Sunset Hills Road, Suite B4, Reston, VA, 20190, telephone 816-686-6277.

Complaints  If you believe I have violated your privacy rights, you may file a complaint in writing to the Privacy Officer. I will not retaliate against you for filing a complaint. You may also file a complaint with the U.S. Secretary of Health and Human Services at 200 Independence Avenue SW, Washington, D.C. 20201- (877) -696-6775 or by visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. The effective date of this Notice is June 11, 2014.