Kid Pushing Mom's RacecarUpdated 05/2021

Forms: wouldn’t it be nice if they were much simpler?

Private practice as a mental health professional is a funny thing. We go into it expecting to be independent therapists but actually become independent businesspeople whose business is doing therapy. So we spend time trying to figure out how to get all the logistics of business nailed down and out of the way so we can do what we care about: therapy.

To that end, we’ve come up with a list of sources where you can get some help with those forms — at least the HIPAA-related ones. And at least the ones you need when therapy begins.

This list is the culmination of numerous answers to questions that start with, “Where can I get a…?”

We hope it helps!

Notice of Privacy Practices (“The HIPAA Form” For Mental Health Professionals)

HushMost of us already have a “HIPAA form,” more formally known as a “Notice of Privacy Practices.” What many of us don’t have, however, is an NPP form that reflects our own practice’s policies around privacy, or a form that reflects our state laws.

The NPP should reflect not only the privacy practices that HIPAA requires but also the privacy practices that you employ. Privacy practices are things like what information you’ll disclose about clients, when, and to whom. Not everyone does this the same way and not every state has the same laws around it. That is why Person-Centered Tech has never released a sample NPP of our own making.

The Feds themselves created and released a model Notice of Privacy Practices after they released the 2013 HIPAA Omnibus Final Rule. They have multiple versions, including a layered one, in both English and Spanish. These model forms give you spaces in which to write specific information about your own practice.

You’ll need to ask your attorney, or possibly your state professional organization, about any state law items that need to be added to the form or modified in the form.

Model Notice of Privacy Practices from The US Department of Health and Human Services→

Special note: The 2013 HIPAA Omnibus Rule made it a rule that if you have a website, you need to post your NPP on the site. You can make it a whole web page on the site or make it a downloadable file — perhaps along with your other blank intake forms. Either way, it needs to be conspicuously easy to find.

Release of Information Forms for Clinicians in Private Practice

Outgoing MailThis is generally one of the first things we get when we start a counseling private practice, so there are tons of options out there.

It’s worth noting, though, that HIPAA defines a special kind of consent called “authorization.” This gets confusing easily, because many states will refer to simple consent as “authorization” in their laws. Also, some documents will refer to HIPAA authorization as “consent.” So if you get confused, don’t worry. You’re in good company.

We won’t go into the details of what “authorization” is according to HIPAA. You can read about it here→.

Many of the release forms we pass around amongst private practitioners are built to be HIPAA-style authorizations. So you might already have what you need for this one.

To be sure, however, we tracked down a good example of an authorization for release of information that is made by an authority. This one is built to address both HIPAA and Massachusetts state law. So unless you practice in Massachusetts, be sure not to use it as-is, but rather as a model for your own forms.

Massachusetts Department of Public Health Authorization for Release of Information, Permission to Share Information Form→

That link goes directly to the PDF of the form. The state of Massachusetts lists it on this page here→.

Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.

Hushmail Image

Roy with coffee mugRoy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.

Business Associate Agreement Contracts

Bow Tie GuyIf you’re not sure what this is, then you probably haven’t been reading our stuff for very long. :) In that case, welcome to Person-Centered Tech! We invite you to familiarize yourself with the hugely important topic of HIPAA Business Associates before moving on:

We implore you to remember that any third party with whom you need a BAA should already have one of these agreement contracts prepared. Those who act as HIPAA Business Associates for health care providers need to also comply with HIPAA, just like we do. So if they’re not prepared to do so, you probably don’t want to work with them.

There are occasional times when finding your own BAA contract is useful, however. Perhaps you have someone you want to hire as a biller. They haven’t done their professional responsibilities around due diligence, but for various reasons you want to work them anyway. That is a common time when finding a BAA contract becomes necessary.

Enter the fabulous, lovely people of HIPAACOW. HIPAACOW is a volunteer organization in Wisconsin that produces utterly amazing, highly professional work that should by all rights cost us thousand of dollars. They give it out for free, though. So take advantage!

One of the many items they offer is a sample Business Associate Agreement contract. Be sure to download the one that is updated for the 2013 HIPAA Omnibus Rule:

HIPAACOW Security and Privacy Documents→

Risk Analysis Tools

Lens on PathRisk analysis is one of our most favoritist topics to talk about around here. Many of our colleagues don’t know what it is, however, which is a huge HIPAA compliance issue for our entire field.

So if you haven’t yet read our orientation articles on the subject, please do so now. We’ll wait for you to get back:

  1. Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant
  2. Risk Analysis and Risk Management Planning: Can You Do It Yourself?

BTW, “risk analysis” is the term used in the HIPAA Security Rule language. You can also say “risk assessment.” They’re interchangeable in this case.

Risk analysis is a process. And the initial work of it is a big process (it gets easier after you’ve got it started, though.) So there isn’t a form or even a set of forms for risk analysis. There are, however, tools to help guide you through it. We feature a couple of them here:

  1. Person Centered Tech Risk Tool
  2. HIPAACOW Toolkit [free to all]
  3. NASW HIPAA Toolkit [free for NASW members]

Both of those are well-known tools, but they are also both very technical and broad. In other words, most clinicians don’t find them useful. You can try them out, however, to get an idea of where you’re going and to decide for yourself if they really are too vague and technical or if they’re just fine for you.

HIPAA Security Rule Compliance Prep

Ruler Pen and DeskIn addition to risk analysis, the HIPAA Security Rule just includes a bunch of stuff you need to address, including policies and procedures.

Your own policies and procedures need to match your own practice’s needs, but it’s very useful to have models from which you can figure out what you need. Enter again the plethora of high-value HIPAA compliance materials included in Person Centered Tech’s membership:

  1. Person Centered Tech Policy and Procedure Templates
  2. HIPAACOW Security and Privacy Documents [free to all]

Forms Around Using Tech With Clients

Vintage TelephoneClients often want to use email and texting with their therapists. There are a number of risks involved, and our professional ethics are actually much more restrictive on this point than HIPAA is. There are processes (and forms!) involved in the process of addressing those risks, though.

We never found good paperwork materials for the process of using non-secure tech with clients, so we made our own. We make them freely available to all our (also free) newsletter subscribers. Those forms include the:

  • Email and Texting Risk Questionnaire
  • Consent for Non-Secure Communications Forms (e.g. email and texting are both “non-secure communications”)

We also offer an Electronic Records Disclosure form, but that is not needed for HIPAA compliance. It’s needed for the ACA Code of Ethics’ requirement around electronic records disclosure→.

Please, please, please get educated before using these forms! We have at least one article that helps explain their use but it’s just the tip of the iceberg. We also offer education on the issue of communicating with clients over the Internet and with everyday gear in the Level I session of our Digital Confidentiality course series.

  1. Clients Have the Right to Receive Unencrypted Emails Under HIPAA→
  2. Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional

Those forms are free for our (also free) newsletter subscribers:

Person-Centered Tech Newsletter and Free Downloads Info→

What Else?

As with all things private practice, the need for tools will keep evolving. We’ll update this space as the need arises!

Learn more about HIPAA compliance for your private practice:


1 CE Credit Hours

With Forms

1 CE Credit Hours


9 CE Credit Hours



Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss