HIPAA Compliance for Psychiatrists: A One-Stop Shop

HIPAA Compliance for Psychiatrists: A One-Stop Shop
In this month’s interview, Dr. Brendel does a wonderful job explaining what psychiatrists need to know in order to become HIPAA-compliant. In this article, TCR really gets down and dirty with HIPAA, taking you by the hand to tell you exactly what to do, what forms to use, and where to get them. The only thing we won’t do is to actually come to your office to post notices – but we can give you the number of Staples if you need to order some scotch tape!

Are you a “covered entity”?
Many psychiatrists do not have to comply with HIPAA guidelines because they are not HIPAA-defined “covered entities.” If you file any insurance claims electronically, you are a HIPAA provider; otherwise, you’re not.

The following psychiatrists are not HIPAA providers:
   • Psychiatrists who don’t accept any insurance.
   • Psychiatrists who accept insurance but file all their claims by       old-fashioned paper mail.
   • Psychiatrists who use their computer or Palm pilots for various       aspects of their practice (like storing patient info, writing notes, or       doing medline searches) but who never use their computer to       communicate with insurance companies about anything.
   • Psychiatrists in solo practice who see Medicare patents and file       paper claims rather than electronic claims by special arrangement       with Medicare.

There’s a fairly understandable flowchart from the government to help you decide if you’re a covered entity at

What do you absolutely have to do under HIPAA?
Assuming that you are a covered entity, there’s a relatively short list of things you are absolutely required to do by law:
   1. Create and post a Privacy Notice in your office.
   2. Make a good faith effort to have your patients sign an        acknowledgment that they have read it.
   3. Obtain and sign a special HIPAA Business Associates        Agreement with any company you do business with who must        see patient information as part of their business (e.g., billing        companies).
   4. You should add a confidentiality statement to all faxes and        emails.
   5. You were supposed to have done all these things by April of        2003!

The Privacy Notice
How do you go about creating a privacy notice? Most of us will simply copy a colleague’s notice or download a copy from innumerable samples available for free on the internet. You should be aware, however, that the Government requires that notices be written in “plain language,” and that most of the samples you see (including the APA’s sample at in the “member’s area”) fail miserably in this regard.

In fact, in a study conducted by the Privacy Rights Clearinghouse, a nonprofit consumer group, six HIPAA privacy notice samples and 31 actual HIPAA privacy notices were downloaded and analyzed using readability software. They were all scored at the “difficult” reading level, with complicated vocabulary and grammar ( HIPAA-Readability.htm), and they were judged to be non-compliant with HIPAA based on failing the plain language standard.

This article originally appeared in The Carlat Psychiatry Report -- an unbiased monthly covering all things psychiatry.
Want more, plus easy CME credit?
Subscribe today!

The other problem with most samples is that they include a lot of stuff that is not applicable to the typical small psychiatric practice, like statements that patient information might be used for marketing, fundraising, research, patient directories, etc., all of which is relevant mostly to hospitals and other large organizations. It’s overkill for solo practitioners, and you don’t have to include it in your own notice.

Because TCR was not able to find anything appropriate for most psychiatrists on the web, we wrote up our own sample, which you can access and download for free from our website ( Feel free to alter it as you see fit.

The Acknowledgment  
This is an easy one, being simply a one-pager saying something like, “I acknowledge that I have read Dr. X’s Privacy Notice,” with a place for a signature. You can download a sample at TCR’s website.

The Business Associates Agreement
If you contract with an outside company or individual to help you with your practice in such a way that they must see some patient information (for example, someone who does your billing), you both have to sign an official Business Associates Agreement. This just says that your billing company, or transcriptionist, or whoever, promises to keep patient information confidential. These contracts don’t have to be written in plain language (unlike the Privacy Notice) and a suitably legalistic sample is available for free at a continuing legal education site: exult/prudential.svc4.2003.04.14.shtml.

Regular employees, like your secretary or other regular office staff, don’t have to sign this form, but you do have to document in their employment files that you’ve given them formal training in privacy practices.

Faxes and Emails
You can easily cut and paste a standard confidentiality disclaimer from a colleague’s email or download this language from TCR’s website. Again, this can be as legalistic sounding as you can stomach.

The Deadline
You’re very late, but don’t worry, you won’t get arrested – just get it done!

HIPAA Compliance for Psychiatrists: A One-Stop Shop

This article originally appeared in:

The Carlat Psychiatry Report
Click on the image to learn more or subscribe today!

This article was published in print 7/2005 in Volume:Issue 3:7.

The Carlat Psychiatry Report

Carlat Publishing provides clear, authoritative, engaging, independent psychiatric education to make you look forward to learning, with the goal of helping you feel smarter, more competent, and more confident in your ability to help your patients become happy. We receive no corporate funding, which allows a clear-eyed evaluation of all available treatments. Learn more and subscribe to one of their newsletters here.


APA Reference
Psychiatry Report, T. (2013). HIPAA Compliance for Psychiatrists: A One-Stop Shop. Psych Central. Retrieved on December 4, 2020, from


Scientifically Reviewed
Last updated: 2 Aug 2013
Last reviewed: By John M. Grohol, Psy.D. on 2 Aug 2013
Published on All rights reserved.