HIPAA Privacy and Security Policy
Physio by Petra
Effective Date: June 1, 2025
1. Purpose
The purpose of this HIPAA policy is to ensure the protection of the privacy and security of Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act. This policy applies to all PHI created, received, maintained, or transmitted by Physio by Petra, a private-pay, solo physical therapy practice.
2. Definitions
PHI: Protected Health Information includes any health information that can be linked to an individual, including demographic data, that relates to:
The individual’s physical or mental health,
The provision of health care to the individual,
Payment for the provision of health care.
Solo Provider: For this policy, "provider" refers to the sole practitioner operating this practice.
3. Applicability
This policy applies to:
The physical therapist (solo practitioner),
Any business associates or contractors (e.g., billing software, EMR vendors, cloud storage),
Any temporary assistants or substitute providers (if applicable).
4. Use and Disclosure of PHI
PHI will only be used or disclosed as necessary for:
Treatment,
Health care operations (e.g., scheduling, documentation, quality review),
Uses or disclosures the patient has requested or authorized in writing,
As required by law (e.g., court order or public health reporting).
The practice does not bill insurance and therefore does not release PHI for payment purposes to third-party payers. Any other use or disclosure requires the patient's written authorization.
5. Patient Rights
Patients have the right to:
Receive a Notice of Privacy Practices (NPP),
Access their medical records upon written request,
Request amendments to their records,
Receive an accounting of disclosures,
Request restrictions on certain uses or disclosures,
Request confidential communications.
6. Safeguards
The practice will implement the following safeguards to protect PHI:
Administrative Safeguards
Annual HIPAA training for the provider.
Documentation of privacy practices and any patient complaints.
Physical Safeguards
Locked filing cabinet or secure storage for paper records.
Controlled access to treatment and administrative areas.
Technical Safeguards
Full-disk encryption and password protection on every device that stores or accesses PHI (laptop, phone, tablet).
EMR and communication platforms that support HIPAA safeguards and whose vendors have signed a Business Associate Agreement (see Section 8); "HIPAA-compliant" is a vendor claim, not a certification, so the BAA is the control that matters.
Regular, encrypted backups stored securely on site or with a cloud provider covered by a Business Associate Agreement.
7. Notice of Privacy Practices (NPP)
Each new patient will be provided with the NPP at the first visit, and a good-faith effort will be made to obtain the patient's written acknowledgment of receipt. A copy is posted in the office and available upon request.
8. Business Associates
All vendors and service providers who may have access to PHI (e.g., electronic health record software providers, cloud storage, or IT services) must sign a Business Associate Agreement (BAA) before PHI is shared.
9. Breach Notification
Any suspected breach of PHI must be documented and investigated promptly, including a risk assessment of the nature of the PHI involved, who received it, whether it was actually viewed, and the extent to which the risk has been mitigated. If a breach of unsecured PHI is confirmed, affected patients will be notified without unreasonable delay and no later than 60 days after discovery, and HHS will be notified in accordance with the HIPAA Breach Notification Rule (within 60 days for breaches affecting 500 or more individuals; otherwise logged and reported annually). Smaller breaches are still breaches; the notification obligation does not depend on the practice's size.
10. Complaint Procedure
Patients may file complaints about privacy violations by contacting the provider directly or by submitting a complaint to the Office for Civil Rights (OCR). There will be no retaliation for filing a complaint.
11. Policy Review and Updates
This policy will be reviewed annually and updated as needed to reflect changes in laws, regulations, or practice operations.
Signed: Petra McCauley, DPT
Owner, Physical Therapist
May 1, 2025