Free 15-minute consultation for new patients Get Started

The McPeak Method

HIPAA Compliance Policy and Procedures

The McPeak Method
Effective Date: December 15, 2025
Review Cycle: Annually or as needed

1. Purpose and Scope

This HIPAA Compliance Policy outlines how McPeak Behavioral Health protects the privacy and security of Protected Health Information collected through the website intake form and transmitted into Practice Better.

McPeak does not store or maintain PHI on its website servers and relies on Practice Better as the HIPAA compliant system of record.

These policies apply to all staff, contractors, and administrators who handle PHI through the intake process or access PHI inside Practice Better.

2. Definitions

  • PHI (Protected Health Information) - Any information that identifies a patient and relates to physical or mental health, treatment, or payment.
  • ePHI - PHI that is created, transmitted, or stored electronically.
  • Business Associate - A vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of McPeak.
  • Practice Better - The HIPAA compliant platform used by McPeak to store, process, and manage all patient data.

3. Types of PHI Collected

McPeak collects PHI through an online intake form embedded on the website. The following categories are collected:

Direct identifiers

  • Full name, date of birth, age
  • Phone number, email, address
  • Emergency contact name, relationship, and phone
  • Preferred pharmacy name and address
  • Gender

Clinical information

  • Visit type, chief complaint, current symptoms
  • Psychiatric history, prior medications and responses
  • Side effects, hospitalizations
  • Suicide or self harm history
  • Current medications, medical history
  • Substance use history, family psychiatric history
  • Social history, legal issues, access to weapons
  • Treatment goals

Purpose of collection

PHI is collected to determine patient eligibility for psychiatric services, create treatment plans, coordinate care, and comply with clinical documentation requirements.

4. Data Flow Description

HIPAA requires a clear description of how PHI moves through the system.

  • PHI is entered by the patient into the website intake form.
  • The form uses secure HTTPS encryption during submission.
  • Data is transmitted directly into Practice Better.
  • McPeak staff review and manage patient information only inside Practice Better.
  • No PHI is stored on the website hosting server.
  • No PHI is stored in website logs, analytics tools, caching systems, or email.
  • Website administrators do not access PHI.

This data flow ensures the website acts only as a secure collection point and not a storage system.

5. Systems That Handle PHI

Practice Better (Primary system of record)

  • Stores all PHI
  • Manages clinical workflows
  • Provides audit logs
  • Maintains full HIPAA compliance
  • Covered under a Business Associate Agreement

Website

  • Collects PHI through an encrypted form
  • Does not store or retain any PHI

Email

  • Not used to store or transmit PHI
  • If PHI is ever received in error, it is deleted immediately and logged in the incident report file

6. Administrative Safeguards

McPeak implements the following administrative safeguards as required by the HIPAA Security Rule.

6.1 Workforce training

  • All staff with PHI access receive HIPAA training at onboarding and annually
  • Staff acknowledge responsibility for maintaining confidentiality
  • Staff understand proper use of Practice Better

6.2 Access controls

  • Only authorized staff have accounts inside Practice Better
  • Accounts are role based and limited to minimum necessary access
  • Website administrators do not access PHI

6.3 Security management

  • An annual risk assessment is performed on the website intake system
  • Any identified vulnerabilities are addressed promptly
  • All HIPAA documentation is maintained for at least six years

6.4 Sanctions

Violations of privacy or security policies may result in disciplinary action, including removal of system access or termination.

7. Physical Safeguards

Although McPeak does not host PHI locally, the following safeguards apply to devices accessing Practice Better:

  • All staff use password protected devices
  • Devices must auto lock after inactivity
  • PHI must not be stored on personal devices
  • Printed PHI must be stored securely
  • Paper documents must be shredded when no longer needed

8. Technical Safeguards

8.1 Website security

  • HTTPS is required on all PHI collection pages
  • TLS 1.2 or higher is used for encryption
  • No analytics or tracking scripts fire on the intake form page
  • No website plugins or caching systems store form data
  • Admin access to the website is restricted to authorized personnel

8.2 Practice Better safeguards

Practice Better maintains:

  • Encrypted data storage
  • Access logs and audit trails
  • MFA support
  • Regular security testing

8.3 Integrity controls

PHI must not be altered or destroyed improperly. Data corrections follow Practice Better procedures.

8.4 Transmission security

PHI is transmitted only over encrypted channels.

9. Minimum Necessary Standard

McPeak limits PHI access to the smallest amount needed for treatment, operations, and coordination of care. Website administrators do not view or manage PHI.

10. Business Associate Agreements

  • McPeak maintains a Business Associate Agreement with Practice Better
  • Practice Better is responsible for secure storage and processing of all PHI
  • No BAA is required for hosting providers since PHI is not stored on the website server
  • No BAA is required with analytics vendors as long as PHI is not shared with them

11. Breach Notification Policy

McPeak must follow HIPAA Breach Notification Rule procedures.

11.1 Potential breach scenarios

  • Website compromised
  • Intake form misconfiguration
  • PHI emailed by accident
  • Unauthorized Practice Better access

11.2 Response steps

  • Secure the system immediately
  • Notify the Privacy Officer
  • Conduct a four factor HIPAA breach risk assessment
  • Determine if notification is required
  • Document all findings
  • Notify affected individuals within 60 days if a breach occurred
  • Notify HHS if required

All breach documentation is retained for six years.

12. Patient Rights

Patients have the right to:

  • Access their PHI
  • Request amendments
  • Request confidential communication
  • Request restrictions on use
  • Receive an accounting of disclosures
  • File privacy complaints

Requests must be documented and processed through Practice Better.

13. Notice of Privacy Practices

McPeak will provide a public facing Notice of Privacy Practices (NPP) that explains what PHI is collected, how PHI is used, patient rights, how to contact the Privacy Officer, and how Practice Better stores and protects data.

The NPP must be linked in the website footer and available upon request.

14. Incident Reporting

Any suspected privacy or security issue must be reported immediately to the Privacy Officer. Incident reports include:

  • Date and time
  • Description
  • Systems affected
  • Individuals involved
  • Corrective actions

15. Documentation and Record Retention

HIPAA requires six years of retention for:

  • Policies
  • Risk assessments
  • Training records
  • Breach documentation
  • BAAs
  • Access logs (Practice Better maintains these)

16. Policy Review and Updates

This HIPAA policy will be reviewed:

  • Annually
  • After security incidents
  • After system changes
  • When regulations change

Updates will be documented with version control.

Ready to feel like yourself again?

Take a free assessment to discover how The McPeak Method can help you achieve lasting wellness.

Take the Assessment