HIPAA Notice of Privacy Practices

TruSelf Trauma Informed Therapy in Albany, New York

HIPAA Notice of Privacy Practices

This notice was last updated January 5th 2024.

Purpose of the Notice

This Notice of Privacy Practices (NPP) explains your rights and my obligations under the Health Insurance Portability and Accountability Act (HIPAA), and gives you a clear understanding of the act. My Notice of Privacy Practices includes a thorough discussion of HIPAA as it relates to your therapy and the services rendered.

This notice describes how medical information about you, specifically protected health information, may be used, protected, and disclosed, and how you can get access to this information.

“I”, “We”, and “You”

For this Notice of Privacy Practices and other documents on this website related to counseling services, “I” refers to the clinician in this practice, Crystal Hoban, LMFT. “You” refers to any potential, current, or past clients of the counseling services provided by TruSelf Trauma Informed Therapy and Crystal Hoban, Marriage and Family Therapy PLLC. “We” refers to the collective body of licensed therapy providers, any contractors operating within the services of TruSelf Trauma Informed Therapy, and Crystal Hoban, Marriage and Family Therapy PLLC, and any staff or covered entities providing ancillary or administrative services for TruSelf Trauma Informed Therapy and Crystal Hoban, Marriage and Family Therapy PLLC.

All therapy practices are required by law to post a notice of privacy practices (NPP). This notice was last updated in January 2024.

Your Rights: Overview

You have the right to:

  • Obtain an electronic or paper copy of your medical record

  • Ask us to correct your paper or electronic medical record

  • Request confidential communication only

  • Ask us to limit the information we share

  • Get a list of those with whom we’ve shared your information

  • Obtain a copy of this notice of privacy practices

  • Choose someone to act for you

  • File a complaint if you believe your privacy rights have been violated

Your Choices: Overview

You have some choices in the way that we use and share information as we:

  • Inform family and friends about your condition

  • Deliver mental health care

  • Market our services and sell your information

  • Raise funds

Uses and Disclosures: Overview

We may use and share your information as we:

  • Treat you

  • Run our practice

  • Bill for your services rendered

  • Help with public health and safety issues

  • Do research

  • Comply with the law

  • Work with a medical examiner or funeral director

  • Address law enforcement and other government requests

  • Respond to lawsuits and legal actions

Your Security: Overview

You have a right to understand and ask questions about:

  • The meaning of any acronyms or unfamiliar terminology you see here

  • What kind of technology we use for your services and how to use it as safely as possible

  • What safeguards we have in place to protect you

  • How we protect your payment methods

  • How we communicate with you securely and safely


Please note that many of your questions are answered here. Please review the content here before submitting questions using the forms on my contact us page.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires covered entities such as counselors and other health care practitioners to protect the privacy and security of your personal health information (PHI). This applies whenever we communicate with you and with anyone you have given us written permission to communicate with regarding your care. The HIPAA privacy rule applies to PHI of all types, including paper, electronic, and verbal.

Additional Information:

PHI: Protected Health Information

Protected health information (PHI) means individually identifiable health information that is:

  • Transmitted by electronic media

  • Maintained using electronic media

  • Transmitted or maintained in any other form/medium.

HIPAA Administrative Simplification- Details located on page 16

Individually Identifiable Health Information

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and it identifies the individual or there is a reasonable basis to believe the information can be used easily to identify the individual.”

Source: HIPAA Administrative Simplification- See page 15

What constitutes PHI?  

Your personal information is classified PHI for the purposes of healthcare if it includes any of the following identifiers:

  • Name or Initials

  • Address (all geographic subdivisions smaller than state, which includes street address, city, county, and zip code)

  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89) 

  • Email address (if it includes any individual identifiers including: your name, initials, birthdate, phone number, or third party accounts)

  • Phone number or fax numbers

  • Social Security Number

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate or license numbers

  • Vehicle identifiers and serial numbers (license plate numbers)

  • Device identifiers and serial numbers

  • Web URL

  • Internet Protocol (IP) Address

  • Biometric identifiers such as fingerprint, retinal scan, or voice print

  • Photographic image (not limited to images of the face)

  • Any other attribute that could uniquely identify the individual

  • Your treatment details, including dates, durations, diagnoses, plans, services, assessments, reports, and outcomes; and communications and interactions with your therapist and with any online content.

What is Considered PHI Under HIPAA?- For more information

Disclosure of Client Information

Client permission is required for me to disclose client information to third parties, except when using or disclosing personal health information for treatment, payment, and health care operations. You will be asked to supply this permission in writing with your signature using a HIPAA-secure form. 

When I send your personal health information to other practitioners upon your request, I use HIPAA-secure technology. Depending on the type of technology used by the receiving practitioner, you may be charged a fee for sending these records.

Additional information:

Information Regarding HIPAA-Compliant Technology

Obtaining Business Associate Agreements (BAAs) from all companies that we do business with and protecting technology with passwords are what make technology HIPAA-compliant. How technology is set up and how it is used can make it either secure or vulnerable.

Additional Information regarding HIPAA

Additional information about how we protect your privacy is located below:

Privacy Safeguards

Safeguards I take to protect your security and privacy

  • I use secure passwords.

  • I use HIPAA-secure technology for record-keeping/storage, communication, video conferencing, and computer encryption.

  • I complete trainings on HIPAA-compliance, cybersecurity, and risk management.

  • I obtain a Business Associate Agreement required by HIPAA law from any company or professional individual who has access to your personal health information.

  • I use a HIPAA-secure email address, and a HIPAA-compliant phone service for communications related to therapy services.

  • I do not record video sessions without your written permission. I recommend that clients request recordings only after a thoughtful discussion with a clinician to determine possible clinical benefits.

  • I follow the codes of ethics of the American Association of Marriage and Family Therapy.

How you can protect your security and privacy

  • Store your login information in a location that no one else has access to.

  • Use multi-factor authentication wherever possible.

  • Do not share your login information, passphrases, or passwords. Tips on how to create a password are located below.

  • Remember that you are responsible for maintaining security on your electronic devices. Do not allow others access to your devices.

  • Opt against receiving invitation links to video conferences through your personal, unsecured email. Receiving links to your counseling sessions, therapy, and documents that contain personal health information can constitute a risk to your privacy and security. This is especially true if someone in your household/workplace has access to your personal, unsecured email. I recommend a HIPAA-secure email that makes it very difficult for anyone but you to view your therapy emails. It is more work because you have to enter a password to access and read encrypted emails.

  • Make sure there is no one else present in the room when you are attending video sessions with me.

  • Do not make video or audio recordings of your counseling sessions. This is a violation of your service agreement and may violate state law. Violation of this policy will result in termination of the therapeutic relationship and may have legal and/or financial penalties. 

  • Do not take screenshots of your therapy sessions or records. Storing screenshots on a device or cloud that is not HIPAA-secure will endanger your confidentiality, privacy, and security. 

  • Do not take screenshots or video recordings of the therapy. This is a copyright violation and can result in legal and/or financial penalties. 

  • Do not bookmark your private counseling website. If someone else accesses your computer, tablet, or phone and you are signed into a bookmarked site, other members of your household/workplace may be able to access your personal health information. 

Please note that I can set everything up securely on my end and you can still endanger your privacy by sharing your passcode or leaving it where someone can access it. The security on your end is your responsibility. 

Signing Forms Securely Online

In some cases, your electronic signature must consist of a checkbox confirming that you understand the information, especially when you initially consent to treatment or authorize the release of information.

You will receive forms via a HIPAA-secure platform that allows you to sign electronically.

To complete counseling assessments, you will be supplied with a HIPAA-secure form and will be asked to type your name as a signature.

Identity Confirmation

You will be asked to set up a password to ensure your security and the validity of your signature on forms and documents related to your treatment. The purpose of the password is to confirm that you are who you say you are, and that you are the only person accessing information and services that pertain to you. You will establish this password to access treatment document forms; please do not share this password with anyone.

This password will be used to confirm that it is actually you signing the forms and not a third party trying to pose as you, so it is important that you use a password that would be very difficult for someone to guess.

If you become aware that your password is compromised, inform me in a video session, an email, or a phone call, and I will then send you the email to change/update the password.

Passwords & Passcodes

Definitions

  1. Password- is a combination of letters, numbers, and symbols, generally 6-20 characters. The more characters and variety, the safer the password. 

  2. Passcode- can be either a password or a passphrase. 

Password Security

Some people use the same email or passwords to log in to every account, which is not secure or safe.

The following guidelines can be used to create a secure password:

Password Do’s:

  • Use a combination of letters, numbers, and symbols

  • Symbols are: %$^&*~

  • Place the symbol at a random position instead of at the beginning or end of the password

  • Use a combination of upper and lowercase letters randomly, not at the beginning or end of the password

Password Don’ts

  • Do not use your name, initials, or any combination of letters that make up an actual word

  • Do not use the sequence of numbers in your phone number, birthdate, zip code, or address.

  • Do not use the same number twice

  • Do not use common numbers in order, either ascending or descending, e.g., 123 or 321

  • Do not use your pet's name, your favorite color, or your favorite number.

  • Do not use passwords that are similar to your other passwords and only change a few pieces

  • Do not write down your passwords where they can be found by someone else


    Do not share your passwords with anyone.

Do not share your passwords or passcodes with your friends, family, partner, boss, or coworkers. If there is a security breach, anyone you shared the password with becomes a possible suspect.

Tips for Creating Safe Passwords and Passcodes

For a counseling service login, stay away from words such as counseling, therapy, help, learning, healing, growth, self-discovery, emotions, support, or anything that might be guessed based on the topic of the platform or service you are logging into. Passwords that are in any way related to the purpose of your login are easy to guess.

Another option you have is to use a password generator or a password manager, which comes with disadvantages that you can read more about in Are Password Managers Secure?.
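To make the Do’s and Don’ts above concrete, here is a small checker, added as an example and not a tool used by this practice, that tests a candidate password against each listed rule: the character mix, symbol and uppercase placement, real words and the topic words named above, your own name, initials and numbers, repeated or sequential digits, and similarity to passwords you already use. The word list, the client details and the sample passwords are constructed for the demonstration.

```python
# Added example (not the practice's own tool): checks a candidate password
# against the Do's and Don'ts listed in this notice. The word list, the
# personal details and the sample passwords are constructed for the demo.
import re
from difflib import SequenceMatcher

SYMBOLS = set("%$^&*~")   # the symbol set the notice lists
MIN_LENGTH = 6            # lower end of the 6-20 character range in the definitions

# Constructed word list: a few common words plus the topic words the notice warns against.
WORDLIST = {
    "counseling", "therapy", "help", "learning", "healing", "growth", "self",
    "discovery", "emotions", "support", "password", "welcome", "secret",
}


def _digit_runs(pw, n=3):
    """Runs of n or more consecutive digits in pw."""
    return [r for r in re.findall(r"\d+", pw) if len(r) >= n]


def _is_sequential(run):
    """True when every step between neighbouring digits is +1, or every step is -1 (123, 321)."""
    steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
    return steps == {1} or steps == {-1}


def _only_at_edges(indexes, length):
    """True when all the given positions are the first or the last character."""
    return bool(indexes) and all(i in (0, length - 1) for i in indexes)


def check_password(pw, personal=None, previous=()):
    """Return the rule codes that pw violates; an empty list means it passes.

    personal: dict with optional keys "name", "initials" and "numbers"
              (phone, birthdate, zip code and similar, as strings)
    previous: other passwords the user already uses, for the similarity rule
    """
    personal = personal or {}
    low = pw.lower()
    v = []

    # Do's: length, three character classes, symbol and uppercase not only at the ends
    if len(pw) < MIN_LENGTH:
        v.append("too_short")
    if not any(c.isalpha() for c in pw):
        v.append("no_letter")
    if not any(c.isdigit() for c in pw):
        v.append("no_digit")
    sym_idx = [i for i, c in enumerate(pw) if c in SYMBOLS]
    if not sym_idx:
        v.append("no_symbol")
    elif _only_at_edges(sym_idx, len(pw)):
        v.append("symbol_at_edges")
    upper_idx = [i for i, c in enumerate(pw) if c.isupper()]
    if not upper_idx or not any(c.islower() for c in pw):
        v.append("no_mixed_case")
    elif _only_at_edges(upper_idx, len(pw)):
        v.append("case_at_edges")

    # Don'ts: real words, your name or initials, your own phone/birthdate/zip digits
    if any(word in low for word in WORDLIST):
        v.append("dictionary_word")
    for key in ("name", "initials"):
        parts = personal.get(key, "").lower().split()
        if any(len(p) >= 2 and p in low for p in parts):
            v.append("personal_" + key)
    runs = _digit_runs(pw)
    numbers = [re.sub(r"\D", "", n) for n in personal.get("numbers", [])]
    if any(r in n for r in runs for n in numbers):
        v.append("personal_number")

    # Don'ts: repeated digits, ascending/descending runs, near-copies of other passwords
    digits = [c for c in pw if c.isdigit()]
    if len(digits) != len(set(digits)):
        v.append("repeated_digit")
    if any(_is_sequential(r) for r in runs):
        v.append("sequential_digits")
    if any(SequenceMatcher(None, pw, p).ratio() >= 0.8 for p in previous):
        v.append("similar_to_previous")
    return v


# Constructed client details for the demo; the 555 phone number is fictional.
PERSONAL = {"name": "Jane Doe", "initials": "JD",
            "numbers": ["518-555-0100", "1990-04-12", "12203"]}

if __name__ == "__main__":
    for candidate in ("Therapy123", "k7Rq%vW2m", "x5Q%5550100z"):
        result = check_password(candidate, PERSONAL, previous=["Therapy124"])
        print(candidate, "->", result or "OK")
```

Run as a script it reports, for example, that "Therapy123" breaks the symbol, case-placement, topic-word, sequential-digit and similar-to-previous rules, while "k7Rq%vW2m" passes every listed rule. The similarity rule uses a simple edit-distance ratio (0.8 or higher counts as "only a few pieces changed"); that threshold is an assumption of this example, not a figure from the notice.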

Email Passwords

For email communication with counseling clients, I use a secure service called Google Workspace. You can request to receive secure emails from me; I will supply you with the password once you request confidential communication only. You will be asked to enter a password before you can read the message, and then the message itself will open on a secure web page or in another window. Since the message can only be viewed on a secure web page, this method of communication recognizes the New York law which prohibits provision of health information by email. You do not need a specific application to receive and view these emails.

Issues of Using a Single Sign-on

Using a single set of credentials to sign in to multiple applications is not secure. For instance, you might sign in to various portals or accounts using the same email address and password for all of them. Single sign-on is not secure or safe; it increases your chances of experiencing identity theft, theft of information, and unwanted intervention.

When you sign in to any application or service where protecting your privacy and security matters, it is good practice to have one dedicated email address that you use only for signing in to that application or service, to use a separate, secure password for each application or service, and to implement two-factor authentication when possible.

Having a separate email address that you use only for sensitive communications helps you avoid spam, stay anonymous, protect your identity, improve your email address security, and limit the risks of someone accessing your information should your devices get hacked while you are signed in. This is especially important when it comes to a counseling service that keeps records of your communications and other personal health information.

Additional information: The Pros and Cons to Single Sign-On (SSO)

Your Rights

Understanding Your Rights

When it comes to your health information, you have certain rights. Your rights are written out below.


Get a paper or electronic copy of your medical record

  • You can ask to view or receive an electronic or paper copy of your medical record and other health information we have associated with you. You can ask how this practice goes about sending this information.

  • We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable fee for this request.


Ask us to correct your medical record 

  • You can ask us to correct health information about you that you think is incorrect or incomplete. You can ask us how we go about this.

  • We may say “no” to your request, but we will inform you about why in writing within 60 days of your request.


Request confidential communications

  • You can ask us to contact you in a specific way (example: cell, home or work phone) or to send mail to a different address. 

  • We will say “yes” to all reasonable requests.


Ask us to limit what we use or share

  • You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.

  • If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.


Get a list of those with whom we’ve shared information

  • You can ask for a list of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

  • We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you requested us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.


Get a copy of this privacy notice

You can ask for a paper copy of this notice at any time, and we will provide it promptly, even if you have agreed to receive the notice electronically.


Choose someone to act for you

  • If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We would need a copy of the documentation or a signed release of information to confirm this request in writing.

  • We will make sure the person has this authority and can act for you before we take any action.


File a complaint if you feel your rights are violated

  • You can complain if you feel we have violated your rights by contacting us.

  • You can also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or filing a complaint online.

  • We will not retaliate against you for filing a complaint.

Our Responsibilities

  • We are required by law to maintain the privacy and security of your protected health information. 

  • We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.

  • We must follow the duties and privacy practices described in this notice and give you a copy of it. 

  • We will not use or share your information other than as described here unless you tell us we can in writing by completing a release of information. If you tell us in writing we can, you may change your mind at any time, but you must inform us of this change in writing.

Additional Information:

Your rights under HIPAA

Notice of privacy practices - information from the Health and Human Services Office for Civil Rights.

Your Choices

You can tell us your choices about what we share for certain health information. If you have a clear preference for how we share your information, inform us. Let us know what you would like us to do, and we will follow your instructions.

You have both the right and choice to tell us how to share information with your family, close friends, or others involved in your care.

If you are not able to inform us of your preference, for example if you are unconscious/unresponsive, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety of yourself or others.

We never share your information in these cases, unless you give us written permission:

  • Marketing purposes

  • Sale of your information

  • Most sharing of psychotherapy notes

In the case of fundraising:

  • We may contact you for fundraising efforts, but you can tell us not to contact you again, and we will not.

Uses and Disclosures

How do we typically use or share your health information? 

We typically use or share your health information in the following ways:


Treat you 

We can use your health information and share it with other professionals who are treating you. This helps other providers get a full picture of you, including aspects of your care that they do not treat themselves.


Run our organization 

We can use and share your health information to run our practice, improve your care, and contact you when necessary. We use health information about you to manage your treatment and services. 


Bill for the services you receive

We can use and share your health information to bill and get payment from health plans or other entities. One way this can occur is that we provide information for you to give to your health insurance plan so you may receive out of pocket reimbursement for your services if you have out-of-network benefits through insurance. 


How else can we use or share your health information? 

We are allowed or required to share your information usually in ways that contribute to the public good, such as public health and research. We would have to meet many conditions in the law before we can share your information for these purposes. 


Help with public health and safety issues

We can share health information about you for certain situations such as: 

  • Reporting suspected abuse, neglect, or domestic violence

  • Preventing or reducing a serious threat to anyone’s health or safety

  • Preventing disease

  • Helping with product recalls or reporting adverse reactions to medications


Research

We can use or share your information for health research.


Comply with the law

We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.


Work with a medical examiner or funeral director

We can share health information with a coroner, medical examiner, or funeral director when an individual dies.


Address law enforcement, and other government requests

We can use or share health information about you:

  • For law enforcement purposes or with a law enforcement official

  • With health oversight agencies for activities authorized by law

  • For special government functions such as military, national security, and presidential protective services


Respond to lawsuits and legal actions

We can share health information about you in response to a court or administrative order, or in response to a subpoena.

Other Instructions

Changes to the terms of this notice:

I can change the terms of this notice, and the changes will apply to all information I have about you. The new notice will be available upon request, in my office (when applicable), and on my website.

Other instructions for this notice

  • This notice is effective as of the last update on January 23rd 2024. This date is subject to change if/when this notice of privacy practices is updated.

  • The privacy contact for this notice, on behalf of TruSelf Trauma Informed Therapy and Crystal Hoban, Marriage and Family Therapy PLLC, is Crystal Hoban, LMFT, CEO of this practice. Please send questions about this notice by email to CrystalHobanLMFT@truselftraumatherapy.com.

  • Business Phone: 518-223-9291. You may leave a HIPAA-secured voice message; note that a call without a voice message will not be returned.

  • If you are a client and would like to initiate a grievance, please feel free to reach out via email or by phone call.