HIPAA Privacy Practices

Purpose

This policy is established to protect the confidentiality, integrity, and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Wisconsin Confidentiality of Health Records statutes (Wis. Stat. § 146.81-146.84).

Key Definitions

Protected Health Information (PHI): Refers to any health-related information that can be used to identify a client, including, but not limited to, names, birthdates, diagnoses, and treatment documentation.

Use: Refers to internal handling or access of PHI by authorized staff.

Disclosure: The act of releasing PHI to parties outside the organization.

Minimum necessary standard: Requires that staff access, use, or disclose only the minimum amount of PHI necessary to complete a task.

Applicability

This policy applies to all staff members of the clinic, including Board Certified Behavior Analysts (BCBAs), Registered Behavior Technicians (RBTs), Behavior Technicians (BTs), administrative staff, billing personnel, contractors, interns, and any third-party vendors who have access to PHI.

Privacy Policy

Client Rights

Clients and their legal guardians have the right to receive a written Notice of Privacy Practices. They may access, review, and request copies of their health records, request corrections to their PHI, request a written accounting of disclosures, and file a privacy complaint without fear of retaliation.

Permitted Use and Disclosure of PHI

PHI may be used and disclosed for purposes related to treatment, payment, and healthcare operations. Disclosure beyond these standard uses requires written authorization from the client or their legal guardian. Certain disclosures may occur without authorization in situations such as mandated reporting of child abuse or neglect under Wis. Stat. § 48.981, response to valid court orders, or when a serious threat to safety exists.

Authorization for Non-Routine Disclosures

For all non-routine uses or disclosures of PHI not otherwise permitted or required by law, a valid HIPAA Authorization Form must be signed by the client or legal guardian before the information is released.

Security Policy

Electronic PHI

Electronic PHI must be stored on secure, HIPAA-compliant platforms. Staff are prohibited from storing client data on personal devices. All digital devices used to access PHI must be password-protected, encrypted, and secured. Passwords must be unique to each user, never shared, and changed at least every 90 days.

Email and Communication

PHI may only be communicated through secure and encrypted platforms. Use of personal email accounts, standard SMS text messaging, or social media for transmitting PHI is strictly prohibited. All email correspondence containing PHI must include a HIPAA-compliant confidentiality disclaimer.

Access Controls

Access to PHI is based on staff roles and responsibilities. RBTs and technicians may only access information for clients to whom they are assigned. Supervisors and administrators have tiered access based on clinical and administrative needs. Audit logs of PHI access and use are reviewed quarterly to ensure compliance.

Physical Safeguards

All paper records containing PHI must be stored in locked file cabinets within secure areas of the clinic. Client records, therapy notes, and session materials must not be left in open or accessible areas. Devices used during sessions, such as tablets or laptops, must be encrypted and password-protected. Only authorized personnel may access areas where PHI is stored or disclosed.

Record Retention and Destruction

Client records are maintained for a minimum of seven years after the last day of service or until the client reaches 21 years of age, whichever is longer, in accordance with Wisconsin law. Paper records are shredded using cross-cut shredders when no longer required. Electronic records are permanently deleted from secure systems and backups once the retention period has expired.

Breach Notification Policy

Any suspected or confirmed breach of PHI must be reported immediately to the clinic’s Privacy Officer. If the breach affects fewer than 500 individuals, written notification must be sent to each affected individual within 60 days. If the breach affects 500 or more individuals, notification must also be submitted to the Wisconsin Department of Health Services and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

Training and Compliance

Initial and Ongoing Training

All employees, contractors, and trainees must complete HIPAA training upon hire and annually thereafter. Training will address identifying PHI, appropriate handling and communication practices, and breach prevention.

Acknowledgement

Every staff member is required to sign a HIPAA Acknowledgement Form confirming their understanding and agreement to follow privacy and security procedures.

Complaints and Concerns

Clients who have concerns regarding the use or disclosure of their PHI may submit complaints directly to the clinic’s Privacy Officer. Complaints may also be filed with the Office for Civil Rights at the U.S. Department of Health and Human Services. Clients should not be penalized or discriminated against for filing complaints. The contact information for Rocket Learning Center’s Privacy Officer is privacy@rocketlearningcenter.com.

Policy Review and Updates

These HIPAA policies will be reviewed at least once annually. Updates will be made as necessary in response to changes in federal regulations, Wisconsin state law, clinical operations, or technology used by the clinic.