Running therapy sessions is hard enough—wrangling HIPAA shouldn’t feel like group therapy with angry lawyers. Use this step-by-step playbook to lock down privacy, impress auditors, and sleep at night.
Identify every place patient data lives or flows—phones, TherapyNotes, billing spreadsheets, even the inbox on your iPad. Until you know your data map, you can’t protect it. Start with a simple inventory: What data? Where stored? Who touches it?
Clinic Pulse uses Lucidchart for mapping.
Yes, two hats—even if one person wears both. HIPAA requires a point-person for the Privacy Rule and one for the Security Rule to oversee safeguards, training, and breach response.
OCR’s #1 enforcement trigger is skipping an SRA. Use HHS’s free Security Risk Assessment Tool or a consultant. Document threats, likelihood, impact, and your mitigation plan. Repeat yearly (or after big tech changes).
Policies, people, process. At minimum:
These are explicitly required under 45 CFR §164.308.
Small clinics get dinged here:
All map to 45 CFR §164.310.
The 2025 NPRM pushes encryption, MFA, and 72-hour system-restore rules. Get ahead now:
| Must-have | Quick win |
|---|---|
| Unique IDs & strong passwords | Use SSO or password manager |
| Multi-factor authentication | Turn on for EHR & email |
| AES-256 encryption at rest & TLS in transit | Default in TherapyNotes/SimplePractice |
| Automatic logoff & audit logs | 15-minute idle lock, review logs quarterly |
| Regular patching & anti-malware | Enable auto-updates |
Every vendor that handles PHI—billing service, cloud phone, virtual assistant—needs a signed BAA. CP best practice: one master BAA with Clinic Pulse; CP secures downstream BAAs/NDAs with each VA so you don’t juggle extra paperwork.
HIPAA says policies must exist and be followed. Draft concise SOPs for: minimum necessary, data retention, device disposal, release-of-records, telehealth, and social media. Review & update whenever laws or workflows change.
It’s not “one-and-done”—train new hires within 30 days, refresh annually, and add social-engineering drills (phishing simulations). Keep rosters, completion dates, and quiz scores on file. Regulators look for proof.
Create an Incident Response Plan: detection, containment, investigation, patient/HHS notification within 60 days if >500 records are involved. Post OCR’s breach-notification grid on the wall so no one guesses the timeline under stress.
HIPAA requires you to provide records within 30 days (soon to drop to 15 under pending rules). Build a simple request workflow: secure form ➜ verify identity ➜ release via portal or encrypted email. Train staff to say “Yes, we can get that for you” instead of “Let me figure this out.”
Quarterly mini-audits keep surprises away: spot-check access logs, test backups, review BAAs, and walk through a mock breach. Use an Audit Checklist to prove continuous compliance.
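What a quarterly access-log spot-check can look like in practice, as an added example (not Clinic Pulse's or any EHR vendor's code). It assumes a generic CSV export with timestamp, user, action, patient_id and mfa columns; the sample rows are constructed, and the business-hours window and chart-volume threshold are assumptions to tune for your clinic.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export (not real data): one row per EHR event.
SAMPLE_LOG = """timestamp,user,action,patient_id,mfa
2025-03-03T09:12:00,dr.lee,login,,yes
2025-03-03T09:15:00,dr.lee,view_chart,P1001,
2025-03-03T09:40:00,dr.lee,view_chart,P1002,
2025-03-03T22:30:00,va.sam,login,,no
2025-03-03T22:31:00,va.sam,view_chart,P1003,
2025-03-04T10:00:00,va.sam,login,,yes
2025-03-04T10:01:00,va.sam,view_chart,P1004,
2025-03-04T10:02:00,va.sam,view_chart,P1005,
2025-03-04T10:03:00,va.sam,view_chart,P1006,
"""

def spot_check(log_text, business_hours=(7, 19), max_patients_per_day=20):
    """Return findings keyed by check name. Thresholds are assumptions;
    set them to the clinic's real hours and typical daily caseload."""
    findings = defaultdict(list)
    charts_per_user_day = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, action = row["user"], row["action"]
        # 1. Activity outside business hours: worth a question at audit time.
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings["after_hours"].append((row["timestamp"], user, action))
        # 2. Logins that did not complete MFA: the control exists but is not enforced.
        if action == "login" and row["mfa"] != "yes":
            findings["login_without_mfa"].append((row["timestamp"], user))
        # 3. Minimum necessary: distinct charts each user opened per day.
        if action == "view_chart":
            charts_per_user_day[(user, ts.date())].add(row["patient_id"])
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > max_patients_per_day:
            findings["chart_volume"].append((str(day), user, len(charts)))
    return dict(findings)

if __name__ == "__main__":
    # Low threshold so the small sample trips the chart-volume check.
    for check, hits in spot_check(SAMPLE_LOG, max_patients_per_day=2).items():
        print(f"{check}: {hits}")
```

Keep the report with the quarter's audit checklist; the findings are the evidence that logs were actually reviewed, not just retained.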
| Week | Action |
|---|---|
| 1 | Map PHI, assign officers, schedule SRA |
| 2 | Draft/refresh policies, send workforce training links |
| 3 | Sign BAAs, enable MFA, encrypt devices |
| 4 | Hold tabletop breach drill, finalize incident plan |
| Ongoing | Monthly log review, quarterly mini-audits, annual SRA |
Clinic Pulse VAs work inside Amazon WorkSpaces with MFA, audit logging, and quarterly HIPAA refreshers—so when they schedule in TherapyNotes or verify insurance, your ePHI stays fortress-secure. We handle the paperwork (master BAA, downstream NDAs) so you can focus on care, not clauses.
Need stress-free admin support that checks every HIPAA box? Book a discovery call with Clinic Pulse and let’s keep your clinic compliant, efficient, and patient-focused.
—
Because the only things that should keep you up at night are your patients’ breakthroughs, not your next OCR audit.
We know it’s a big deal to bring someone into your practice — even virtually. That’s why every VA we place is trained, vetted, and ready to support your care with compassion and professionalism.