HIPAA Notice of Privacy Practices

Every therapy practice is required by law to post a notice of privacy practices (NPP). My NPP includes a thorough discussion of HIPAA as it relates to your therapy. Read my NPP below.

Have a look at these videos from the Health and Human Services Office for Civil Rights to learn why it’s important that you read the notice of privacy practices. Please note that YouTube is not a HIPAA-compliant application, which means that when you view a YouTube video, that video appears in your user history if you are signed in to your Google account.

Purpose of the HIPAA Notice of Privacy Practices

This notice describes how medical information about you (protected health information) may be used, protected, and disclosed, and how you can get access to this information. Please review it carefully. 

“I”, “We”, and “You”

For this Notice of Privacy Practices and other documents on this website related to counseling services, “I” refers to the clinician in this practice, Michelle Robin Gould, LMHC, NCC, BC-TMH. “You” refers to any potential, current, or past clients of the counseling services provided by the Michelle Robin Gould Corporation. “We” refers to the collective body of licensed therapy providers, any contractors operating within the services of the Michelle Robin Gould Corporation, and any staff or covered entities providing ancillary or administrative services for the Michelle Robin Gould Corporation.

Overview

Your Rights: An Overview

You have the right to:


Your Choices: An Overview

You have some choices in the way that we use and share information as we:


Our Uses and Disclosures: An Overview

We may use and share your information as we:


Your Security: An Overview

You have a right to understand and ask questions about:


Note that many of your questions are answered in this or other documents available on my website. Please review the content there before submitting questions via the forms on my contact page.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires covered entities such as counselors and other health care practitioners to protect the privacy and security of your personal health information (PHI) while still allowing us to communicate with you and anyone you give us permission to communicate with regarding your care. The HIPAA privacy rule applies to PHI in any medium—paper, electronic, or verbal.

Read the Office for Civil Rights' paper, HIPAA Privacy Rule and Sharing Information Related to Mental Health, to learn whom we are permitted to communicate with and under what circumstances. 

Read about how HIPAA Helps Caregiving Connections for more information on whom I may contact if you are in crisis or intend to harm yourself or others. 

Read about your health information privacy for more details about HIPAA.


PHI: Protected Health Information

Protected health information (PHI) means individually identifiable health information that is:

See page 16 of the HIPAA Administrative Simplification for more details.


Individually Identifiable Health Information

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

 Source: Page 15 of the HIPAA Administrative Simplification.


What constitutes PHI?  

Your personal information is classified PHI for the purposes of healthcare if it includes any of the following identifiers:

Read What is Considered PHI Under HIPAA? and 18 HIPAA Identifiers for more details.


Disclosure of Client Information

Client permission is required for me to disclose client information to third parties, except when using or disclosing PHI for treatment, payment, and health care operations. You will be asked to supply this permission in writing with your signature via a HIPAA-secure form. 

When I send your PHI to other practitioners upon your request, I use HIPAA-secure technology. Depending on the type of technology used by the receiving practitioner, you may be charged a fee for sending these records. Please see HIPAA for Providers and pages 15-17 of the Guide to Privacy and Security of Electronic Health Information for exceptions when permission is not legally required. Please see my records request policy on my policies and procedures page.


Information about HIPAA-Compliant Technology

As part of your informed consent agreement, please see my technology and security policies and procedures for my discussion on what makes technology HIPAA-compliant and why it’s important for your technician to use HIPAA-secure practices as well as technologies. Just having the technology is not enough; how the technology is set up and how it’s used can make it secure or render it vulnerable. Learn what can happen when a clinician does not properly understand or implement HIPAA-level security measures. 


Additional Information about HIPAA

You can find more detailed information about how we protect your privacy on these sites.

Where can I find information about HIPAA, health information privacy or security rules?

HIPAA for individuals

The HIPAA Privacy Rule and Public Health


Safeguards

Safeguards I take to protect your security and privacy


How you can protect your security and privacy


Signing Forms Securely Online

In some cases, your electronic signature must consist of more than a checkbox, such as when you initially consent to treatment or authorize the release of information. 

When that’s necessary, you will receive forms via a HIPAA-secure platform that allows you to sign with your finger or a stylus. You will be routed to that program with a link that requires a passcode. You will be given that link either during a video session, via HIPAA-secure chat or HIPAA-secure encrypted email, or on your private

In other instances, such as counseling assessments or self-paced course content, you will be supplied with a HIPAA-secure form and asked to type your name as a signature.


Identity Confirmation

To ensure your security and the validity of your signature on forms and documents related to your treatment, you will be asked to set up an identity verification passcode (IVP). The purpose of the IVP is to confirm that you are you, and that you are the only person accessing information and services that pertain to you. You will establish this passcode in your initial contact form. I will ask you to supply this IVP in all sessions and on all forms and documents, and you will use it as your password to access encrypted emails. Do not share this IVP with anyone else.

Your IVP can be a word or a phrase. Examples of phrases you could use for this purpose are “tennis balls are round” or “I like fluffy clouds” - something random but easy to remember. Since this passcode will be used to confirm that it is you signing the forms and not a curious third party trying to pose as you, it is important that you use a passcode that would be difficult for someone who knows you to guess. 

If your IVP is compromised, you will notify me in a video session and we will change the passcode.


Passwords, Passphrases, & Passcodes

Terminology

These three terms are often confused. 

  1. Password

A password is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and the more variety, the safer the password.

  2. Passphrase

A passphrase is typically a short sentence, such as “I like blue bikes.”

  3. Passcode

A passcode can be either a password or a passphrase.


Please see my getting started with therapy page for a description of the three logins you will need for therapy. 


Password Security


Just as people gravitate toward using the same email to log in to every program, many also use the same password to sign into all of their accounts and programs. This is a BAD idea. Learn why Your Clever Password Tricks Aren't Protecting You from Today's Hackers.


Use the following guidelines to create a strong password that will thwart hackers.


Password Dos: Creating Secure Passwords


Password Don’ts


Do not share your passwords.

 

Do not share your passwords or passcodes with your friends, family, partner, boss, or coworkers. As soon as there’s a security breach, anyone you shared the password with becomes a suspect. Imagine feeling like you need to question your loved ones about compromising your privacy - whether deliberately or inadvertently. Prevention is the best way to avoid such discomfort. 


Tips for Creating Safe Passwords, Passphrases, and Passcodes

If you think you will have a hard time remembering such random passwords, here's a way to observe all the above dos and don'ts while still creating a secure password. Think of a word that's easy to remember but has nothing to do with the use of your password. 

For a counseling service login, do not use the words counseling, therapy, or help. Do not use words like learning, personal growth, self-discovery, emotions, support, or anything that might be guessed based on the topic of the platform or service you are logging into. Passwords that are in any way related to the purpose of your login are easy for artificial intelligence (AI, bots) to guess. Think of it this way: if there might be a hashtag in that subject area, don’t use it!

Let's use the word bookcase as an example we can work with. Pick the zip code for a random city, one you've never lived in or been to. Let's use Boise for this example. Boise has multiple zip codes, one of which is 83705. Using bookcase and 83705, we can create a strong password by alternating the letters and numbers, inserting a character, and capitalizing the letters in an unexpected way: 8bO3O7K0C*A5Se gives us a secure password. To remember this password, we have to recall the word bookcase; the zip code 83705; that the sequence alternates numbers and letters; that the sequence starts with a number; that the first and last letters are lowercase and the others are uppercase; and that the * character comes before the A. It seems like a lot, I know. After you have typed in the password a bunch of times, it will become automatic, I promise.

Another option is to use a password generator or password manager, which comes with its own set of disadvantages that you can read about in Are Passwords Managers Secure? You can read perspectives from different experts in The Best Password Managers for 2022, Best Password Manager to Use for 2022, and Best password generators in 2022.  


Dangers of Using a Single Sign-on (SSO) 

People often use a single set of credentials to sign in to multiple apps. For instance, you might sign into your email, your cell phone, your social media, your games, and your various payment portals using the same email address and password for all of them. It saves time and there's less information to remember. It's a convenient productivity strategy. But single sign-on (SSO) is a bad idea when it comes to security. Read why in The Pros and Cons to Single Sign-On (SSO). The problem is, this practice opens you up to identity theft, theft of information, and unwanted intrusion. 

When you have to sign in to any application or service and it's crucial to protect your privacy and security, it is a wise practice to have one dedicated email address that you use only for signing in to that application or service, use a separate and secure password for each application or service, and implement two-factor authentication wherever possible. 

Having a separate email address that you use only for sensitive communications helps you avoid spam, stay anonymous, protect your identity, improve your email address security, and limit the risks of someone accessing your information should your devices get hacked while you are signed in. This is especially important when it comes to a counseling service that keeps records of your communications and other PHI.

Here's why:

If one other person (a friend, a roommate, a partner or spouse, a parent, a coworker, or a random individual working for a non-HIPAA-compliant third-party application such as a personal email service or a mobile phone carrier) gets a hold of your sign-in credentials, they can access your personal health information, including your communications with your counselor. They can try to impersonate you in a chat with your counselor. They can enter your video counseling sessions. Please take steps to prevent this by reading all of the guidelines I have provided regarding your security and privacy.


Email Passphrases

For email communication with counseling clients, I use a secure service called ProtonMail. ProtonMail keeps the contents of the message out of the body of the email, so if someone accesses your email, or you accidentally leave it open at home or at work, no one but you can view the message. When you receive a secure email from me, you will be asked to enter a password before you can read the message. As discussed earlier on this page, you will establish an identity verification passcode when you fill out your initial contact form. Your IVP will be the password for accessing secure emails from me. Once you type in your password, the message will open up in a browser window. You will not need an app to receive and view these emails. For more information on ProtonMail, see my tech trainings page.

Please keep in mind that I can set everything up diligently on my end and you can still compromise your privacy by sharing your passcode or leaving it where someone can see it. The security on your end is your responsibility. 

Your Rights

Understanding Your Rights


When it comes to your health information, you have certain rights. This next section explains your rights and some of our responsibilities to help you.


Get an electronic or paper copy of your medical record 

Ask us to correct your medical record 

Request confidential communications

Ask us to limit what we use or share

Get a list of those with whom we’ve shared information

Get a copy of this privacy notice

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.


Choose someone to act for you

File a complaint if you feel your rights are violated

Our Responsibilities



For more information see your rights under HIPAA and notice of privacy practices from the Health and Human Services Office for Civil Rights.


Your Choices


For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.


In these cases, you have both the right and choice to tell us to:


If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.


In these cases we never share your information unless you give us written permission:


In the case of fundraising:


Uses and Disclosures

How do we typically use or share your health information? 

We typically use or share your health information in the following ways:


Treat you 

We can use your health information and share it with other professionals who are treating you.

Example: A doctor treating you for an injury asks another doctor or healthcare professional about your overall health condition.


Run our organization 

We can use and share your health information to run our practice, improve your care, and contact you when necessary.

Example: We use health information about you to manage your treatment and services. 


Bill for the services you receive

We can use and share your health information to bill and get payment from health plans or other entities. 

Example: We provide information for you to give to your health insurance plan so it may pay for your services if you have out-of-network benefits. 


How else can we use or share your health information? 

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. 


Help with public health and safety issues

We can share health information about you for certain situations such as: 


Do research

We can use or share your information for health research.


Comply with the law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.


Respond to organ and tissue donation requests

We can share health information about you with organ procurement organizations.


Work with a medical examiner or funeral director

We can share health information with a coroner, medical examiner, or funeral director when an individual dies.


Address workers’ compensation, law enforcement, and other government requests

We can use or share health information about you:


Respond to lawsuits and legal actions

We can share health information about you in response to a court or administrative order, or in response to a subpoena.


For more information see your rights under HIPAA.


Other Instructions

Changes to the terms of this notice

I can change the terms of this notice, and the changes will apply to all information I have about you. The new notice will be available upon request, in my office (when applicable), and on my website.

Other instructions for this notice


Copyright Notice

Please note that this Notice of Privacy Practices is proprietary and is subject to U.S. and International Copyright Law. Counseling materials are intended for the personal use of clients of Michelle Robin Gould, LMHC and/or the Michelle Robin Gould Corporation.

This Notice of Privacy Practices may not be further retained or further disseminated without express written permission. Downloading, distributing, and altering these materials in any way is a copyright violation that can result in litigation and fines. Some content was sourced from The Office of the National Coordinator for Health Information Technology (ONC) and used with permission.

Clients may use these materials for personal use only and may not share, distribute, alter, or use these materials for any other purpose on penalty of legal or financial repercussions. 

Current clients may download a copy of this notice for personal use as accessed from the private Drive folder set up for them after the intake process is complete. 


Questions

If you have questions about the Notice of Privacy Practices or any other questions about counseling services, please read the entire notice of privacy practices, my technology and security policies and procedures, my description of online counseling services, and the FAQs before sending your questions. If you are unable to locate the information you seek, please submit any questions about my counseling services via this HIPAA-compliant question form.