HIPAA Notice of Privacy Practices

Your Rights: An Overview

You have the right to:

• Get a copy of your paper or electronic medical record

• Correct your paper or electronic medical record

• Request confidential communication

• Ask us to limit the information we share

• Get a list of those with whom we’ve shared your information

• Get a copy of this privacy notice

• Choose someone to act for you

• File a complaint if you believe your privacy rights have been violated

Your Choices: An Overview

You have some choices in the way that we use and share information as we:

• Tell family and friends about your condition

• Provide disaster relief

• Include you in a hospital directory

• Provide mental health care

• Market our services and sell your information

• Raise funds

Our Uses and Disclosures: An Overview

We may use and share your information as we:

• Treat you

• Run our organization

• Bill for your services

• Help with public health and safety issues

• Do research

• Comply with the law

• Respond to organ and tissue donation requests

• Work with a medical examiner or funeral director

• Address workers’ compensation, law enforcement, and other Government requests

• Respond to lawsuits and legal actions

Your Security: An Overview

You have a right to understand and ask questions about:

• The meaning of any acronyms you see here

• The meaning of unfamiliar terminology

• What kind of technology we use for your services

• How you can use the technology as safely as possible

• What safeguards we have in place to protect you

• How we protect your payment methods

• How we communication with you safely and securely

Note that many of  your questions are answered in this or other documents available on my website. Please review the content there before submitting questions via the forms on my contact page.

 HIPAA requires covered entities such as counselors and other health care practitioners to protect the privacy and security of your personal health information (PHI) while still allowing us to communicate with you and anyone you give us permission to communicate with regarding your care. The HIPAA privacy rule applies to PHI in any medium—paper, electronic, or verbal.

Read the Office for Civil Rights' paper, HIPAA Privacy Rule and Sharing Information Related to Mental Health, to learn whom we are permitted to communicate with and under what circumstances. 

Read about how HIPAA Helps Caregiving Connections for more information on whom I may contact if you are in crisis or intend to harm yourself or others. 

Read about your health information privacy for more details about HIPAA.

PHI: Protected Health Information

Protected health information (PHI) means individually identifiable health information that is:

• Transmitted by electronic media

• Maintained in electronic media

• Transmitted or maintained in any other form or medium.

See page 16 of the HIPAA Administrative Simplification for more details.

Individually Identifiable Health Information

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

• that identifies the individual; or

• with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

 Source: Page 15 of the HIPAA Administrative Simplification.

What constitutes PHI?  

Your personal information is classified PHI for the purposes of healthcare if it includes any of the following identifiers:

• Name (including initials)

• Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)

• All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89) 

• Email address (if it is associated with any individual identifiers such as your name, initials, birthdate, phone number, or third party accounts)

• Telephone or fax numbers

• Social Security Number

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate or license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web URL

• Internet Protocol (IP) Address

• Biometric identifiers such as fingerprint, retinal scan, or voice print

• Photographic image - not limited to images of the face.

• Any other characteristic that could uniquely identify the individual

• Your treatment details, including dates, durations, diagnoses, plans, services, assessments, reports, and outcomes; and communications and interactions with your therapist and with any online content.

Read What is Considered PHI Under HIPAA? for more details.

Disclosure of Client Information

Client permission is required for me to disclose client information to third parties, except when using or disclosing PHI for treatment, payment, and health care operations. You will be asked to supply this permission in writing with your signature via a HIPAA-secure form. 

When I send your PHI to other practitioners upon your request, I use HIPAA-secure technology. Depending on the type of technology used by the receiving practitioner, you may be charged a fee for sending these records. Please see HIPAA for Providers and pages 15-17 of the Guide to Privacy and Security of Electronic Health Information for exceptions when permission is not legally required. Please see my records request policy on my policies and procedures page. 

Information about HIPAA-Compliant Technology

As part of your informed consent agreement, please see my technology and security policies and procedures for my discussion on what makes technology HIPAA-compliant and why it’s important for your technician to use HIPAA-secure practices as well as technologies. Just having the technology is not enough; how the technology is set up and how it’s used can make it secure or render it vulnerable. Learn what can happen when a clinician does not properly understand or implement HIPAA-level security measures. 

Additional Information about HIPAA

You can find more detailed information about how we protect your privacy on these sites.

Where can I find information about HIPAA, health information privacy or security rules?

HIPAA for individuals

The HIPAA Privacy Rule and Public Health

 Safeguards I take to protect your security and privacy

• I use secure passwords. To learn how to set up secure passwords, see here.

• I use HIPAA-secure technology for record-keeping and storage, communication, video conferencing, computer encryption, and malware protection.

• I complete annual trainings on HIPAA-compliance, cybersecurity, and risk management.

• I obtain the Business Associate Agreement required by HIPAA law from any company or professional individual who has access to your PHI.

• I take extra steps to confirm your identity in all our communications.

• I offer  service packages that include a HIPAA-secure email address, a HIPAA-compliant phone service, and a HIPAA-secure texting app for communications related to counseling services.

• I do not record video sessions without your written permission. I recommend that clients request recordings only after careful thought and discussion with a clinician to determine possible clinical benefits. Because the security risks associated with recording sessions outweigh the possible therapeutic benefits in most cases, I advise against recording video sessions.

• Text/chat sessions and emails are automatically routed and stored in a HIPAA-secure drive.

• I follow  the codes of ethics of the American Mental Health Counselors Association (AMHCA), the American Counseling Association (ACA), and the National Board for Certified Counselors (NBCC). 

How you can protect your security and privacy

• Store your login information in a place that no one else knows about.

• Use multi-factor authentication wherever possible.

• Do not share your login information, passphrases,  and passwords. See the section below for tips on how to create a safe password.

• Remember that you are responsible for maintaining security on your electronic devices. Do not allow others access to your devices. A good rule of thumb is that if you wouldn't give someone access to your wallet or bank account, you shouldn't give them access to your electronic devices. 

• Opt against receiving invitation links to video conferences through your personal unsecured email. Receiving links to your counseling sessions, therapy and training website, and documents that contain PHI can constitute a risk to your privacy and security if someone in your household or workplace has access to your personal unsecured email. I recommend HIPAA-secure email that makes it very difficult for anyone but you to view your counseling emails. It's a little extra work because you've got to enter a password to read encrypted emails, but that one additional step is worth it to protect your peace of mind. You can read more about how encrypted email works in my technology and security policies and procedures. 

• Make sure there is no one else present in the room when you are participating in video sessions with me.

• Do not make video or audio recordings of your counseling sessions or learning content. Doing so is a violation of your service agreement and may violate state law. Violation of this policy will result in termination of the therapeutic relationship and may have legal and/or financial penalties. 

• Do not take screenshots of your counseling sessions or records. Storing screenshots on a device or cloud that is not HIPAA-secure will compromise your confidentiality, privacy, and security. 

• Do not take screenshots or video recordings of the therapy and training website or learning materials. Doing so is a copyright violation and can result in legal and/or financial penalties. 

• Do not bookmark your private counseling website. If someone else accesses your computer, tablet, or phone and you are signed into a bookmarked site, other members of your household or workplace may be able to access your PHI. 

Please keep in mind that I can set everything up diligently on my end and you can still compromise your privacy by sharing your passcode or leaving it where someone can see it. The security on your end is your responsibility. 

Signing Forms Securely Online

In some cases, your electronic signature must consist of more than a checkbox, such as when you initially consent to treatment or authorize the release of information. 

When that’s necessary, you will receive forms via a HIPAA-secure platform that allows you to sign with your finger or a stylus. You will be routed to that program with a link that requires a passcode. You will be given that link either during a video session, via HIPAA-secure chat or HIPAA-secure encrypted email, or on your private. 

In other instances, such as counseling  assessments or self-paced course content, you will be supplied with a HIPAA-secure form and asked to type your name as a signature. 

Identity Confirmation

To ensure your security and the validity of your signature on forms and documents related to your treatment, you will be asked to set up an identity verification passcode (IVP). The purpose of the IVP is to confirm that you are you, and that you are the only person accessing information and services that pertain to you. You will establish this passcode on your initial contact form. I will ask you to supply this IVP in all sessions and on all forms documents, and you will use it as your password to access encrypted emails. Do not share this IVP with anyone else.

Your IVP can be a word or a phrase. Examples of phrases you could use for this purpose are “tennis balls are round” or “I like fluffy clouds” - something random but easy to remember. Since this passcode will be used to confirm that it is you signing the forms and not a curious third party trying to pose as you, it is important that you use a passcode that would be difficult for someone who knows you to guess. 

If your IVP is compromised, you will notify me in a video session and we will change the passcode. 

Definitions

These three terms are often confused. 

1. Password.

   A password is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and the more variety, the safer the password. 

2. Passphrase

   A passphrase is typically a short sentence, such as “I like blue bikes.”

3. Passcode

   A passcode can be either a password or a passphrase. 

On my start therapy page, I talk about the three login credentials you’ll need.

Password Security

Just as people gravitate toward using the same email to log in to every program, many also use the same password to sign into all of their accounts and programs. This is a BAD idea. Learn why your clever password tricks aren't protecting you from today's hackers. 

Use the following guidelines to create a strong password that will thwart hackers.

Password Dos: Creating Secure Passwords

• Do use a combination of letters, numbers, and at least one symbol. 

• Symbols look like this: %$^&*~

• Do place the symbol in an unexpected spot instead of at the beginning or end of the password (e.g. h83l^k9nM4).

• Do use a combination of upper and lowercase letters, but not at the beginning or end of the password. Here's an example: nxB7Lpw0g^4

Password Don’ts

• Do not use your name, initials, or any combination of letters that can be found in the dictionary.

• Do not use the sequence of numbers in your phone number, birthdate, zip code, or address.

• Do not use the same number repeatedly.

• Do not use common numbers in ascending or descending order (e.g. 123, 456, 789).

• Do not use your pet's name, your favorite color, or your favorite number.

• Do not use passwords that are similar to your other passwords and only change a few characters.

• Do not write down your passwords where they can be seen.

• Do not leave your passwords in predictable hiding places where they can be found.

Do not share your passwords.

Do not share your passwords or passcodes with your friends, family, partner, boss, or coworkers. As soon as there’s a security breach, anyone you shared the password with becomes a suspect. Imagine feeling like you need to question your loved ones about compromising your privacy - whether deliberately or inadvertently. Prevention is the best way to avoid such discomfort. 

Tips for Creating Safe Passwords, Passphrases, and Passcodes

If you think you will have a hard time remembering such random passwords, here's a way to observe all the above dos and don'ts while still creating a secure password. Think of a word that's easy to remember but has nothing to do with the use of your password. 

For a counseling service login, do not use the words counseling, therapy, or help. Do not use words like learning, personal growth, self-discovery, emotions, support, or anything that might be guessed based on the topic of the platform or service you are logging into. Passwords that are in any way related to the purpose of your login are easy for artificial intelligence (AI, bots) to guess. Think of it this way: if there might be a hashtag in that subject area, don’t use it!

Let's use the word bookcase as an example we can work with. Pick the zip code for a random city, one you've never lived in or been to. Let's use Boise for this example. Boise has multiple zip codes, one of which is 83705. Using bookcase and 83705, we can create a strong password by alternating the letters and numbers, inserting a character, and capitalizing the letters in an unexpected way: 8bO3O7K0C*A5Se gives us a secure password. To remember this password, we have to recall the word bookcase; the zip code 83705; that the sequence alternates numbers, letters; that the sequence starts with a number; that the first and last letters are lowercase and the others are uppercase; and that the * character comes before the A. It seems like a lot, I know. After you have typed in the password a bunch of times, it will become automatic, I promise.

Another option is to use a password generator or password manager, which comes with its own set of disadvantages that you can read about in Are Passwords Managers Secure?; you may recall that Last Pass had a recent security breach. You can read perspectives from different experts in The Best Password Managers for 2023, Best Password Manager to Use for 2023, and Best password generators in 2023.  

Email Passphrases

For email communication with counseling clients, I use a secure service called ProtonMail. ProtonMail keeps the contents of the message out of the body of the email, so if someone accesses your email, or you accidentally leave it open at home or at work, no one but you can view the message. When you receive a secure email from me, you will be asked to enter a password before you can read the message,, and the messsage itself will open on a secure web page. Since message can only be viewed on a secure web page, this method of communication recognizes the Florida law which prohibits provision of telehealth by email. As discussed earlier on this page, you will establish an identity verification passcode when you fill out your initial contact form. Your IVP will be the password for accessing secure emails from me. Once you type in your password, the message will open up in a browser window. You will not need an app to receive and view these emails. For more information on ProtonMail, see my tech trainings page.

Dangers of Using a Single Sign-on (SSO) 

People often use a single set of credentials to sign in to multiple apps. For instance, you might sign into your email, your cell phone, your social media, your games, and your various payment portals using the same email address and password for all of them. It saves time and there's less information to remember. It's a convenient productivity strategy. But single sign-on (SSO) is a bad idea when it comes to security. Read why in The Pros and Cons to Single Sign-On (SSO). The problem is, this practice opens you up to identity theft, theft of information, and unwanted intrusion. 

When you have to sign in to any application or service and it's crucial to protect your privacy and security, it is a wise practice to have one dedicated email address that you use only for signing in to that application or service, use a separate and secure password for each application or service, and implement two-factor authentication wherever possible. 

Having a separate email address that you use only for sensitive communications helps you avoid spam, helps you stay anonymous, protect your identity, improve your email address security, and limit the risks of someone accessing your information should your devices get hacked while you are signed in. This is especially important when it comes to a counseling service that keeps records of your communications and other PHI.

Here's why:

If one other person (a friend, a roommate, a partner or spouse, a parent, a coworker, or a random individual working for a non-HIPAA-compliant third-party application such as a personal email service or a mobile phone carrier) gets a hold of your sign-in credentials, they can access your personal health information, including your communications with your counselor. They can try to impersonate you in a chat with your counselor. They can enter your video counseling sessions. Please take steps to prevent this by reading all of the guidelines I have provided regarding your security and privacy.

Understanding Your Rights

When it comes to your health information, you have certain rights. This next section explains your rights and some of our responsibilities to help you.

Get an electronic or paper copy of your medical record 

• You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this. 

• We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.

Ask us to correct your medical record 

• You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.

• We may say “no” to your request, but we’ll tell you why in writing within 60 days.

Request confidential communications

• You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. 

• We will say “yes” to all reasonable requests.

Ask us to limit what we use or share

• You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.

• If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Get a list of those with whom we’ve shared information

• You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

• We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

Get a copy of this privacy notice

You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

Choose someone to act for you

• If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

• We will make sure the person has this authority and can act for you before we take any action.

File a complaint if you feel your rights are violated

• You can complain if you feel we have violated your rights by contacting us using the grievance policies and procedures on the policies and procedures page.

• You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or filing a complaint online.

• We will not retaliate against you for filing a complaint.

Our Responsibilities

• We are required by law to maintain the privacy and security of your protected health information. 

• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.

• We must follow the duties and privacy practices described in this notice and give you a copy of it. 

• We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind. 

For more information see your rights under HIPAA and notice of privacy practices from the Health and Human Services Office for Civil Rights.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.

In these cases, you have both the right and choice to tell us to:

• Share information with your family, close friends, or others involved in your care

• Share information in a disaster relief situation

• Include your information in a hospital directory

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases we never share your information unless you give us written permission:

• Marketing purposes

• Sale of your information

• Most sharing of psychotherapy notes

In the case of fundraising:

• We may contact you for fundraising efforts, but you can tell us not to contact you again.

How do we typically use or share your health information? 

We typically use or share your health information in the following ways:

Treat you 

We can use your health information and share it with other professionals who are treating you.

Example: A doctor treating you for an injury asks another doctor or healthcare professional about your overall health condition.

Run our organization 

We can use and share your health information to run our practice, improve your care, and contact you when necessary.

Example: We use health information about you to manage your treatment and services. 

Bill for the services you receive

We can use and share your health information to bill and get payment from health plans or other entities. 

Example: We provide information for you to give to your health insurance plan so it may pay for your services if you have out-of-network benefits. 

How else can we use or share your health information? 

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. 

Help with public health and safety issues

We can share health information about you for certain situations such as: 

• Preventing disease

• Helping with product recalls

• Reporting adverse reactions to medications

• Reporting suspected abuse, neglect, or domestic violence

• Preventing or reducing a serious threat to anyone’s health or safety

Do research

We can use or share your information for health research.

Comply with the law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

Respond to organ and tissue donation requests

We can share health information about you with organ procurement organizations.

Work with a medical examiner or funeral director

We can share health information with a coroner, medical examiner, or funeral director when an individual dies.

Address workers’ compensation, law enforcement, and other government requests

We can use or share health information about you:

• For workers’ compensation claims

• For law enforcement purposes or with a law enforcement official

• With health oversight agencies for activities authorized by law

• For special government functions such as military, national security, and presidential protective services

Respond to lawsuits and legal actions

We can share health information about you in response to a court or administrative order, or in response to a subpoena.

For more information see your rights under HIPAA.

Changes to the terms of this notice

I can change the terms of this notice, and the changes will apply to all information I have about you. The new notice will be available upon request, in my office (when applicable), and on my website.

Other instructions for this notice

• This notice is effective as of the last update on May 21, 2023. This date is subject to change if/when this notice of privacy practices is updated.

• The privacy contact for this notice and the Michelle Robin Gould Corporation is Michelle Robin Gould, LMHC, NCC, BC-TMH, CEO of the corporation. Please send questions about this notice by unsecured email to counseling@michellerobingould.com or contact me securely via the HIPAA notice of privacy practices queries form.

• Business Phone: 561-223-8502. Please note that calls are answered by appointment only. You may leave a HIPAA-secured voice message or contact me via the notice of privacy practices queries form.

• If you are a client and would like to initiate a grievance, please see my grievance policy and procedures. 

Please note that this Notice of Privacy Practices is  proprietary and is  subject to U.S. and International Copyright Law. Counseling materials are intended for the personal use of clients of Michelle Robin Gould, LMHC and/or the Michelle Robin Gould Corporation. 

This Notice of Privacy Practices may not be further retained or further disseminated without express written permission. Downloading, distributing, and altering these materials in any way is a copyright violation that can result in litigation and fines. Some content was sourced from The Office of the National Coordinator for Health Information Technology (ONC) and used with permission.

Clients may use these materials for personal use only and may not share, distribute, alter, or use these materials for any other purpose on penalty of legal or financial repercussions. 

Current clients may download a copy of this notice for personal use.