Privacy, HIPAA Compliance and Communication Policy
Virginia Beach Clinical Counseling
Purpose
To ensure VB Clinical Counseling maintains full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all applicable state and federal regulations governing the privacy, security, and confidentiality of Protected Health Information (PHI).
Scope
This policy applies to all employees, contractors, interns, and affiliates of VB Clinical Counseling who have access to client information in any form (electronic, paper, or verbal).
Policy Statement
VB Clinical Counseling is committed to protecting the privacy and security of all client health information. All team members are required to understand and adhere to HIPAA standards as a condition of employment or contract with the practice.
1. Administrative Safeguards
1.1 Privacy Officer
The Practice Owner or designee will serve as the HIPAA Privacy and Security Officer, responsible for developing, implementing, and overseeing privacy and security policies, procedures, and training.
1.2 Policies and Procedures
- The practice maintains written HIPAA policies and procedures accessible to all team members.
- These policies will be reviewed and updated annually or as needed based on changes in law or practice operations.
- Documentation of compliance activities (e.g., risk assessments, training logs, BAAs) will be maintained for a minimum of six years.
1.3 Business Associate Agreements (BAAs)
- VB Clinical Counseling will enter into BAAs with all vendors or partners who may have access to PHI (e.g., EHR providers, billing services, telehealth platforms, email services).
- BAAs will specify each party’s responsibilities for safeguarding PHI.
- Copies of all BAAs will be stored securely by the Privacy Officer.
1.4 Staff Training
- All staff must complete HIPAA training prior to beginning work and annually thereafter.
- Training includes privacy standards, breach reporting, and secure handling of PHI.
- A signed acknowledgment of HIPAA training completion will be kept in each employee’s file.
1.5 Breach Notification
- Any suspected or actual breach of PHI must be reported immediately to the Privacy Officer.
- The Privacy Officer will investigate, document a risk assessment of the incident, and determine whether notification to affected individuals or regulatory agencies is required under the HIPAA Breach Notification Rule (45 CFR 164.400-414). Where notification is required, it will be made without unreasonable delay and no later than 60 calendar days after the breach is discovered.
- All incidents will be documented, including findings and corrective actions.
2. Clinical Safeguards
2.1 Client Records
- All client documentation will be maintained in the practice’s HIPAA-compliant Electronic Health Record (EHR).
- Psychotherapy notes will be stored separately from general clinical documentation in accordance with HIPAA standards.
- Records will be retained for six years after the last date of service for adults and, for minors, until the client reaches age 18 plus six years, in compliance with Virginia law.
2.2 Client Rights
Clients have the right to:
- Receive a copy of the Notice of Privacy Practices (NPP)
- Access and request amendments to their records
- Request restrictions on certain disclosures of PHI
- Receive an accounting of disclosures upon written request
2.3 Communication Standards
- Email, text messaging, and voicemail are used for administrative communication only, with client consent documented in the EHR.
- Messages will contain minimal information (e.g., appointment confirmations, scheduling).
- Staff will not transmit clinical or sensitive details via unsecured channels.
- All emails will include a confidentiality disclaimer.
- Message frequency may vary.
- Message and data rates may apply.
- SMS consent is not shared with third parties.
- To opt out at any time, text STOP.
- For assistance, text HELP.
2.4 Telehealth
- Telehealth sessions are conducted through a HIPAA-compliant platform with a signed BAA.
- Clients must provide consent for telehealth services prior to their first session.
- The clinician will verify the client’s location at the start of each session and ensure privacy on both ends.
3. Technical Safeguards
3.1 Electronic Health Record (EHR)
- VB Clinical Counseling utilizes a HIPAA-compliant EHR that integrates all documentation, billing, and client portal functions.
- The system uses data encryption in transit and at rest and is protected by two-factor authentication.
- Access to the EHR is role-based, ensuring the minimum necessary access to PHI.
3.2 Devices and Access Control
- All users must log in using unique credentials; passwords must meet complexity standards and be changed regularly.
- Workstations and mobile devices will automatically lock after a period of inactivity.
- All practice-owned devices are encrypted and protected by antivirus software.
- PHI will not be stored on personal devices or removable media.
3.3 Physical Security
- Client files (if any are maintained in paper form) must be stored in locked cabinets in secure office areas.
- Offices and therapy rooms are to be locked when not in use.
- Printed materials containing PHI must be shredded before disposal.
4. Documentation & Oversight
The Privacy Officer will maintain a HIPAA Compliance Folder containing:
- Policies and Procedures Manual
- Business Associate Agreements
- Risk Assessments
- HIPAA Training Logs
- Breach Reports (if applicable)
- Notice of Privacy Practices and Acknowledgments
All HIPAA compliance materials will be reviewed annually for accuracy and relevance.
5. Enforcement
Failure to comply with HIPAA policies may result in disciplinary action up to and including termination of employment or contract, and may carry civil or criminal penalties under federal law.
SMS Terms of Service
By opting into SMS from a web form or other medium, you are agreeing to receive SMS messages from Virginia Beach Clinical Counseling. This includes SMS messages for account notifications and customer care. Message frequency varies. Message and data rates may apply. Message HELP for help. Reply STOP to any message to opt out.
SMS consent is not shared with third parties or affiliates for marketing purposes.
Terms & Conditions Section
1) SMS Consent Communication:
The information (Phone Numbers) obtained as part of the SMS consent process will not be shared with third parties for marketing purposes.
2) Types of SMS Communications:
If you have consented to receive text messages from Virginia Beach Clinical Counseling, you may receive messages related to the following:
- Appointment reminders
- Follow up messages
- Customer care messages
- Account notifications
Example: “Hello, this is a friendly reminder of your upcoming appointment with [Agent’s Name] at [Location] on [Date] at [Time]. Reply STOP to opt out of SMS messaging at any time.”
3) Message Frequency:
Message frequency may vary depending on the type of communication. For example, you may receive up to 2 SMS messages per week regarding your appointments or account status.
4) Potential Fees for SMS Messaging:
Please note that standard message and data rates may apply, depending on your carrier’s pricing plan. These fees may vary if the message is sent domestically or internationally.
5) Opt-In Method:
You may opt in to receive SMS messages from Virginia Beach Clinical Counseling in the following ways:
- Checking the SMS consent box on our web forms
- Verbal confirmation
6) Opt-Out Method:
You can opt out of receiving SMS messages at any time. To do so, simply reply “STOP” to any SMS message you receive. Alternatively, you can contact us directly to request removal from our messaging list.
7) Help:
If you are experiencing any issues, you can reply with the keyword HELP, or you can get help directly from us at https://vbclinicalcounseling.com/
Additional Options: If you do not wish to receive SMS messages, you can choose not to check the SMS consent box on our forms.
8) Standard Messaging Disclosures:
- Message and data rates may apply.
- You can opt-out at any time by texting “STOP.”
- For assistance, text “HELP” or visit our Privacy Policy page and Terms and Conditions section.
- Message frequency may vary.