A HIPAA breach is any unauthorized acquisition, access, use, or disclosure of a client’s protected health information—otherwise known as “PHI.”
Whether an incident is a reportable breach, and how serious it is, depends on: (1) the type and amount of PHI involved, including whether the information could be used to re-identify a specific client; (2) who the unauthorized disclosure was made to; (3) whether that person actually acquired or viewed the information; and (4) whether the PHI was encrypted or otherwise secured so that it was unreadable, and what was done to contain the disclosure. Encryption only counts if the key stayed out of the wrong hands: a lost laptop with full-disk encryption is protected only if the passphrase or key was not lost with it.
Common causes of HIPAA breaches include:
stolen or lost laptops;
stolen or lost smart phones;
an EHR breach;
sending PHI to the wrong client or email address;
office break-ins; and
other types of intentional hacking events.
Here are four fast actions all Thriveworks team members can do to help prevent a breach:
Always verify who you are sending an email to before sending. Be sure to check any CC/BCC parties to avoid sending emails out to more than one client.
Don’t open attachments or click links in emails that look suspicious. Infected attachments and links can install viruses or other malware on your computer, which can lead to your account being hacked or client information being exposed.
Make sure your computer and phone are password protected and set to lock automatically when idle. Any device you use to access client PHI should require a password or PIN to unlock.
Keep your desk clean. If you have returned to one of our Thriveworks offices, make sure that any documents that come in with the client, leave with the client. If you work from home, make sure any relevant documentation is appropriately shredded or disposed of and that your workstation is cleaned off during sessions—helping to avoid any unauthorized viewing.
PHI stands for Protected Health Information. Put simply, PHI is health information that our company has an obligation to protect. Under the HIPAA Privacy Rule there are 18 identifiers that, when attached to health information, make it PHI:
Names (typically first and last)
All geographical identifiers smaller than a state (street address, city, county, ZIP code)
Dates (other than year) directly related to an individual (birthday, death date, date of admission, etc.)
Phone Numbers (cell and home)
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers (VIN, license plate number)
Device identifiers and serial numbers (typically cellphone or laptop)
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers (finger, retinal and voice prints)
Full face photographic images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
The majority of PHI at Thriveworks is stored within our EHR system, AdvanceMD. As part of our vendor relationship with AdvanceMD, all of our PHI is stored on secured, encrypted servers, which limits the exposure if storage is lost or accessed without authorization. For this reason, Thriveworks policy requires that all clinical notes, documents, or other client PHI be uploaded to AdvanceMD, rather than being stored on the employee’s personal or work computer.
Where can I find the ROI?
The most current version of the ROI can be found on AMD as well as in the Portal Library. For assistance finding this form and dealing with it from a case management perspective, feel free to reach out to your RCD!
Who must fill out an ROI for joint/couples/family therapy sessions?
In the case of joint/couples/family therapy sessions we require ROIs from all parties to release a copy of the entire (unredacted) record. If only one party chooses to complete the ROI, the record will need to be redacted to avoid any unauthorized disclosure of the other party’s information. This redaction is completed by Medical Records and Legal when processing the request.
If the ROI is missing information, is it still valid?
If the submitted ROI is missing the client’s first and last name, date of birth, email address, or Social Security number, please return the document and ask the requestor to complete it. Thriveworks collects this information on the ROI as part of its identity verification requirements under HIPAA, so it is critical that we only accept completed forms.
Where should I send the ROI?
If the ROI is a request for Medical Records, please upload the form to the client’s chart and email the form to medicalrecords@thriveworks.com for processing. If there are any follow-up items or documents needed, Medical Records will contact you directly. Please remember that clients are entitled to receive their records within 30 days of the request, so be sure to send the ROI over to Medical Records as soon as possible. If the ROI is to allow you (the clinician) to speak with an authorized third party, please upload the form to the client’s chart before speaking with the third party.
How long is an ROI valid for?
Thriveworks ROIs are valid for twelve months from the date of signature unless otherwise stipulated by the client.