BHCOE® Standards for Effective Applied Behavior Analysis Organizations
The BHCOE® Standards for Effective Applied Behavior Analysis Organizations (the “BHCOE Standards”) includes 13 sections relevant to the professional and ethical behavior of organizations providing Applied Behavior Analysis therapy, along with suggested evidence of compliance. These standards are effective January 1, 2019, for all BHCOE Accredited organizations. Along with these standards, BHCOE Accredited organizations must obey all applicable federal, state and local laws related to health, safety and employment.
By initiating the BHCOE Accreditation process, the organization acknowledges that they have read and are familiar with BHCOE® Standards for Effective Applied Behavior Analysis Organizations for the BHCOE Accreditation process. The outcome of the audit may result in awarding the clinical practices with the Behavioral Health Center of Excellence Accreditation. Receiving the Behavioral Health Center of Excellence Accreditation allows the use of the accreditation badge on marketing material and in press. Any organization who engages in the BHCOE Accreditation process agrees to abide by the (i) BHCOE logo usage guidelines (Guidelines), and (ii) BHCOE® Standards for Effective Applied Behavior Analysis Organizations. If an organization is found to be out of compliance with the Guidelines and/or The BHCOE® Standards, they will be notified by the BHCOE Compliance Department. Upon notification from the BHCOE Compliance Department, the organization agrees to take steps to become compliant with the Guidelines and/or The BHCOE® Standards. If the organization does not remedy their noncompliance in a timely manner, then their Accreditation may be suspended or revoked by the BHCOE. The BHCOE has established a compliance, disciplinary review and appeal process for matters of noncompliance.
2019 Preliminary Accreditation Standards
A. General Requirements
A.01 Organization is registered or incorporated.
A.02 Organization has general, property, and liability insurance.
A.03 Organization has a valid business license.
A.04 Organization has a payroll, accounting and record-keeping system and/or software.
A.05 Organization has workman’s compensation insurance.
A.06 Organization has a staff handbook.
A.07 Organization has a current working budget and proposed next year budget.
A.08 Organization has a defined organizational structure and hierarchy.
A.09 Organization has job descriptions and expectations for all current positions.
A.10 Organization has minimum qualifications and requirements for each job position.
B.01 Organization has an organization-specific employment application.
B.02 Organization has a templated offer letter.
B.03 Organization has a checklist for new hires.
B.04 Organization conducts state and federal background checks.
B.05 Organization has staff performance and evaluation guidelines.
B.06 Organization provides safety/crisis management training to staff who may encounter dangerous behavior.
B.07 Organization trains staff on mandated reporting requirements.
B.08 Organization checks all staff Motor Vehicle records.
C.01 Organization has determined where PHI will be located.
C.02 Organization has an appointed HIPAA privacy/security official.
C.03 Organization has determined how or why PHI will be used or disclosed (e.g. treatment, payment, health care operations, public health reasons, etc.).
C.04 Organization’s email and other electronic communication are HIPAA-compliant.
C.05 Organization’s cloud or server-based storage is HIPAA-compliant.
C.06 Organization has a HIPAA breach policy.
C.07 Organization has a data backup plan.
C.08 Organization has HIPAA compliance training.
D.01 Organization has a patient intake form & questionnaire.
D.02 Organization has a patients’ rights agreement.
D.03 Organization provides a financial responsibility agreement to patients.
D.04 Organization has a confidential exchange of information policy.
D.05 Organization has a new patient welcome letter.
D.06 Organization has a written standard treatment/operating procedure for ABA services that is provided to new patients.
D.07 Organization has a patient home safety checklist.
D.08 Organization has an ABA treatment contract.
D.09 Organization has a parent/guardian participation and parent/guardian interaction policy.
D.10 Organization has a patient illness policy.
D.11 Organization has a new patient form and checklist.
D.12 Organization has a Notice of Privacy Practices for patients.
E.01 Organization has an assessment report template.
E.02 Organization has a progress report template.
E.03 Organization has a supervisor case note template.
E.04 Organization has a technician case note template.
E.05 Organization has a preference assessment system for patients.
E.06 Organization has a data collection system.
E.07 Organization has a caregiver training protocol.
E.08 Organization utilizes a standardized assessment when evaluating patients.
E.09 Organization has a plan for how often they will conduct assessments.
E.10 Organization has a curriculum for developing patient programming.
E.11 Organization has a quality assurance officer.
E.12 Organization has guidelines for recommending treatment intensity of services.
E.13 Organization has a fade-out policy.
F. Consumer Protection
F.01 Organization has a conflict of interest policy.
F.02 Organization has guidelines regarding the exchange of gifts, money, or personal fundraising.
F.03 Organization has guidelines for how the organization is represented via social media.
F.04 Organization protects patient privacy by refraining from posting patient information or photos on social media.
F.05 Organization refrains from soliciting and posting testimonials.
F.06 Organization has written ethical codes of conduct.
F.07 Organization has legal representation.
F.08 Organization has a policy regarding non-evidence-based practices that includes refraining from participating in such practices, resolving conflicts when such practices interfere with ABA services, and educating patient or parent/guardian about how to choose effective services.
G.01 Organization has cyber or data privacy insurance.
G.02 Organization has a fidelity bond in place.
G.03 Organization has abuse prevention policies and procedures.
G.04 Organization has a policy in place to avoid one-to-one situations with patients.
2019 Full Accreditation Standards
Organizations who are fully accredited must meet the preliminary accreditation standards in addition to the full accreditation standards.
1.0 Staff Qualifications, Training & Oversight
1.01 Organization employs clinical director-level staff who hold adequate education and qualifications.
1.02 Organization employs supervisory staff who hold adequate education and qualifications.
1.03 Organization employs direct staff who hold adequate education and qualifications.
1.04 Organization tests for clinical competence prior to staff providing treatment to patients.
1.05 Organization provides training to ensure competency in clinical tasks (e.g., assessment processes, goal creation, intervention design, progress reporting, etc.) and administrative tasks (e.g., staff training, feedback delivery, BACB supervision standards, ethical billing practices, etc.).
1.06 Organization provides staff with continuing education in line with their areas of need.
1.07 Organization ensures consistency of treatment across staff members through staff overlap, data collection, and/or team meetings.
1.08 Organization will utilize staff performance evaluation processes such as goal-setting, performance measurement, regular performance feedback, and self-evaluation, as evidenced by documentation of staff progress.
1.09 Organization defines organizational structure and hierarchy.
1.10 Organization provides job descriptions and expectations for all current positions.
2.0 Treatment Program & Planning
2.01 Organization utilizes standardized assessments to evaluate patient outcome annually, or more frequently if needed.
2.02 Organization collects and monitors individual outcome data.
2.03 Organization collects and monitors organizational outcome data.
2.04 Organization utilizes evidence-based curricula when developing patient goals.
2.05 Organization utilizes research-based skill-acquisition procedures.
2.06 Organization utilizes research-based behavior-reduction procedures.
2.07 Organization trains for and measures generalization throughout treatment.
2.08 Organization ensures skills are age-appropriate based on the developmental order in which skills are acquired in individuals with typical development.
2.09 Organization has resources available to service non-verbal/non-vocal patients.
2.10 Organization collaborates with appropriately qualified professionals to facilitate language acquisition.
2.11 Organization determines treatment dosage based on professional judgment, research, and standard of care.
3.0 Collaboration & Coordination of Care
3.01 Organization notifies parents/guardians of expectations for involvement in programming.
3.02 Organization educates parents/guardians on clinical outcomes of parent involvement in their child’s progress.
3.03 Organization has standard requirements for parent/guardian participation and training independent of the patient’s funding source.
3.04 Organization makes reasonable efforts to involve parents/guardians in training, participation and treatment planning.
3.05 Organization appropriately documents parent/guardian participation or lack of participation in treatment sessions and planning.
3.06 Organization ensures eLearning opportunities are easily accessible to parents/guardians.
3.07 Organization makes reasonable efforts to collaborate with other professionals (e.g., speech-language pathologists, occupational therapists, school staff, physicians, etc.) to maximize a patient’s progress.
3.08 Organization provides a clear policy to patients or parents/guardians on collaboration with non-evidence-based practices.
4.0 Ethics & Consumer Protection
4.01 If the organization holds a waitlist, they clearly communicate expectations of waitlist time to patient or parent/guardian.
4.02 Organization offers resources to potential patient or parent/guardian if unable to initiate services within 45 days of contact.
4.03 Organization offers peer-referral options to potential patients or their parents/guardians if unable to provide services within 1 month of contact.
4.04 Organization maintains close supervision over wait list times and patient or parent/guardian needs.
Marketing & Representation
4.05 Organization accurately represents the services they provide.
4.06 Organization does not engage in misleading, false, or deceptive statements.
4.07 Organization does not exploit consumers of their services for marketing purposes.
4.08 Organization uses testimonials in compliance with BACB® Professional and Ethical Compliance Code for Behavior Analysts.
Promoting Ethical Behavior
4.09 Organization supports any workers who come forward with any claim of undue pressure to violate the BHCOE® Code of Effective Behavior Organizations or BACB® Professional and Ethical Compliance Code for Behavior Analysts.
4.10 Organization appoints an internal Ethics Officer and/or Ethics Committee to address internal ethical issues.
4.11 Organization obtains any relevant consent from patient or parent/guardian of their services.
4.12 Prior to the commencement of service delivery, the organization informs patient or parent/guardian where they can file complaints about any service provided by their organization.
4.13 Prior to implementation of services, the organization provides in writing the terms of consultation, requirements for providing services, financial agreements, treatment expectations, duration of treatment, the likelihood of success and responsibilities of all parties. If terms change, behavioral organizations will notify patient or parent/guardian.
5.0 HIPAA Compliance
Patient confidentiality and privacy should be consistent with applicable federal regulations including the Health Insurance Portability and Accountability Act of 1996 and Title 42 of the Code of Federal Regulations, state laws, code(s) of conduct, and professional guidelines.
5.01 Organization has determined where PHI will be located.
5.02 Organization has appointed a HIPAA privacy/security official.
5.03 Organization has determined how or why PHI will be disclosed.
5.04 Organization uses HIPAA-compliant electronic communication.
5.05 Organization uses HIPAA-compliant cloud or server-based storage.
5.06 Organization has a HIPAA breach policy.
5.07 Organization has a data backup plan.
5.08 Organization provides HIPAA compliance training to staff.
6.0 Patient Satisfaction
The organization operates in a manner that indicates patient or parent/guardian satisfaction at 80% or higher.
7.0 Employee Satisfaction
The organization operates in a manner that indicates staff satisfaction at 80% or higher.
2019 Telehealth Accreditation Standards
(T)A. Organizational Compliance
(T)A.01 Organization has a valid business license to deliver telehealth services in accordance with mandates in the state(s) in which it operates.
(T)A.02 Organization has appropriate documentation from payors allowing the use of telehealth.
(T)A.04 Organization has an employee handbook that clearly defines the telehealth services provided by the employee.
(T)A.05 Organization has a description of services provided via telehealth for each level of care.
(T)B. Human Resources
(T)B.01 Organization has updated job descriptions incorporating minimum qualifications, telehealth duties, and associated expectations.
(T)B.02 Organization has systems in place for training staff providing telehealth services on clinical procedures.
(T)B.03 Organization has systems in place for training staff providing telehealth services on technology usage.
(T)B.04 Organization reviews mandated reporting requirements with staff prior to providing telehealth services.
(T)B.05 Organization provides safety & crisis management training to staff prior to initiation of telehealth services and annually.
(T)B.06 Organization has systems in place for evaluating competency of staff providing telehealth services on clinical procedures.
(T)B.07 Organization has systems in place for evaluating competency of staff providing telehealth services on technology usage.
(T)B.08 Organization ensures continued staff competency to implement procedures via telehealth service delivery.
(T)B.09 Organization has a designated technology professional who is responsible for the effectiveness of equipment and health information systems utilized in the delivery of telehealth services.
(T)C. Patient Intake
(T)C.01 Organization has an electronic patient intake form.
(T)C.02 Organization conducts a screening of appropriateness for telehealth prior to initiating services.
(T)C.03 Organization conducts a screening of staffing needs for telehealth prior to initiating services.
(T)C.04 Organization requests additional consent from patients to provide telehealth services.
(T)C.05 Organization educates patients about the telehealth process and the risks and benefits involved in utilizing telehealth technology.
(T)C.06 Organization has a systematized process for set up of session, including technological requirements, programmatic requirements, and environmental prerequisites.
(T)C.07 Organization has a patient home safety checklist to ensure the home is a safe and appropriate workplace for employees who are supervised via telehealth.
(T)C.08 Organization has a parent/guardian participation and interaction policy specific to telehealth services.
(T)D. Clinical Practice
(T)D.01 Organization has program goals created to address patient’s clinical needs which are updated as needed.
(T)D.02 Organization collects data to monitor the progress of patient goals.
(T)D.03 Organization has systems to document clinical interactions using ANSI/BHCOE 101 documentation requirements.
(T)D.04 Organization monitors patient outcome to address effectiveness of telehealth services.
(T)D.05 Organization has guidelines for recommending treatment intensity of telehealth services.
(T)E. Technology, Privacy, & Security
(T)E.01 Organizations define procedures for mobile device setup, data removal, and external monitoring.
(T)E.02 Organization ensures staff sign an acknowledgment of receipt of company property.
(T)E.03 Organizations have policies in place that address acceptable use of equipment and security policies for company-issued equipment.
(T)E.04 Organization has systems in place to address maintaining, repairing, deactivating, disposing of, and replacing defective equipment.
(T)E.05 The Organization provides emergency management policies and procedures for software, hardware and other system resources that can be implemented during telehealth consultations.
(T)E.06 Organization has a data loss or theft policy.
(T)E.07 Organization maintains written agreements with participating vendors/subcontractors and includes a signed Business Associate Agreement (BAA).
(T)E.08 Organization’s electronic medical records and telehealth data encryption, storage, and transmission are HIPAA compliant.
(T)E.09 Organization delivers telehealth services through a secure internet connection and has backup networks to reduce connectivity problems.
2021 Proposed Full Accreditation Standards
A.01 The organization and its subsidiaries are in compliance with all applicable healthcare regulatory laws.
A.02 The organization, subsidiary, or any of its owners, officers, and directors are not currently and have not been convicted of, charged, or under an investigation or subject to any enforcement action or legal proceeding by any governmental authority arising out of or relating to any healthcare regulatory law within the past year.
A.03 The organization acts honestly and responsibly to promote ethical practices of its staff and supports certified staff in complying with ethical and professional requirements of their credentialing or licensing body. The organization never directs staff to act in violation of those requirements and resolves any conflicts between the company policy and those requirements.
A.04 The organization is dedicated to ethical and fair competition and will not improperly coordinate to sabotage, speak ill of, or undermine other ABA service organizations.
A.05 The organization ensures employees avoid dual relationships that might impair the ability to make objective and fair decisions.
A.06 The organization protects the privacy of its workers.
A.07 The organization does not offer incentives or remuneration to current patients in exchange for attendance or recruitment of other patients. Remuneration refers to cash, cash equivalents, or anything of value.
A.08 The organization provides guidelines for staff regarding the exchange of gifts, money, or personal fundraising to avoid potential conflicts of interest.
A.09 The organization has a designated ethics officer and/or ethics committee to address ethical issues related to patient programming and/or staff or patient concerns.
A.10 The organization provides employees and volunteers a confidential means to report suspected impropriety or misuse of organizational resources. The organization has a policy prohibiting retaliation against persons reporting improprieties.
B.01 The organization has a diversity statement.
B.02 The organization has a means to translate webpages, training materials, meetings, documents or other materials into different languages if necessary.
B.03 Training and marketing materials should be authentic and inclusive of the individuals within the organization.
B.04 The organization makes closed captioning available for its videos as necessary.
B.05 The organization provides all associates with a mandatory cultural/diversity training program at least annually.
B.06 The organization actively recruits employees and serves patients from diverse backgrounds; organization’s talent acquisition efforts are measured and held accountable for presenting diverse candidate slates.
B.07 The organization uses quantitative and qualitative measurements to assess its workforce diversity and inclusion efforts (i.e., applicant tracking, hiring, promotions, separations [voluntary and involuntary], career development, and retention).
B.08 The organization has the ability to demonstrate that it is engaging in fair hiring practices, as regulated by Equal Employment Opportunity Commission (EEOC).
B.09 The organization engages in self-assessment of diversity efforts at least annually.
B.10 When applicable, the organization provides minority and women-owned businesses with equal opportunities to supply goods or services.
B.11 The organization’s physical location is compliant with the Americans with Disabilities Act.
B.12 The organization has a means to allow qualified low-income patients access to services.
B.13 The organization can demonstrate reasonable accommodations made to employees’ religious beliefs and practices, physical abilities, and language abilities.
C.01 The organization has processes in place to ensure it maintains state and local requirements regarding business registration, incorporation, and licensing.
C.02 The organization sufficiently protects against claims resulting from injuries or damages by maintaining general, property, and liability insurance.
C.03 The organization obtains workers’ compensation insurance to protect injured workers.
C.04 The organization has protections to ensure the organization and its staff and patients are protected from a cyber-related incident by obtaining cyber or data privacy insurance.
C.05 The organization has systems in place to assure accuracy of payroll calculations, deductions, and expenses by utilizing payroll, accounting, and recordkeeping software.
C.06 The organization monitors resource allocation, planning and coordination by monitoring current and forecasting future business income and expenditures via a working budget and proposed upcoming year budget.
C.07 The organization maintains an ongoing relationship with legal representation.
C.08 The organization develops a business plan, including a budget to forecast expenditures, income and profitability.
C.09 The organization develops a strategic plan to account for growth and/or improvement, at least annually.
D.01 The organization has qualifying questions to screen candidates, standard interview questions, and hiring criteria for each position.
D.02 The organization has an organization-specific employment application and offer letter.
D.03 The organization has administrative and clinical onboarding checklists for new hires.
D.04 The organization conducts state and federal background checks on all staff prior to hire.
D.05 The organization verifies all employees hold a valid driver’s license, motor insurance, and clean motor vehicle record for those employees who transport patients.
D.06 The organization does not engage in hiring practices that could restrict non-executive clinical staff’s future employment, such as by requiring non-executive clinical staff to sign no-compete agreements.
D.07 The organization has job descriptions for each position with minimum qualifications, lines of reporting, hierarchy, and job duties.
D.08 The organization utilizes an employee handbook in line with state-specific labor laws.
D.09 The organization retains clinical director staff who hold adequate education and qualifications.
D.10 The organization retains supervisory staff who hold adequate education and qualifications.
D.11 The organization retains direct care staff who hold adequate education and qualifications.
D.12 The organization provides training in clinical tasks and administrative tasks for each level of staff upon hire.
D.13 The organization tests staff at every level for competence prior to staff providing treatment to patients.
D.14 The organization ensures staff at every level receive continuing education, training, and oversight in line with their certification and specific areas of need.
D.15 The organization utilizes employee performance evaluation processes such as goal-setting, performance measurement, regular performance feedback, self-evaluation, and appropriate consequences for each level of staff.
D.16 The organization regularly measures staff satisfaction and makes reasonable efforts to resolve staff concerns or grievances.
E.01 The organization clearly communicates how patients can initiate services with the organization to ensure patients have equal access to services.
E.02 The organization has a standard operating procedure for ensuring timely and efficient onboarding of new patients.
E.03 The organization has processes in place to facilitate the verification of benefits in a timely manner.
E.04 The organization obtains initial authorization from payor before providing assessment or other services.
E.05 The organization regularly monitors credentialing requirements and contract and fee schedule expiration date for each payor.
E.06 Prior to the implementation of services, the organization provides, in writing, the terms of consultation, requirements for providing services, patient rights, financial agreements, and responsibilities of all parties. If terms change, the organization will notify parents/guardians and/or patients in advance of the new terms taking effect.
E.07 The organization recognizes, in its policies, procedures, and business practices, that the direct recipient of services is its primary patient, along with the parent or guardian of the direct recipient of services, even if a third party is paying for the services. The organization resolves any conflicts in the best interests of the direct recipient of services.
E.08 The organization collects and monitors data on waitlist length and estimated waitlist time.
E.09 The organization makes reasonable efforts to fulfill all therapy hours recommended within the patient’s clinical assessment.
E.10 The organization provides resources and referrals to patients on waitlist who cannot be served within 60 days.
E.11 Organizations act in the best interests of the patient, including the direct recipient of services and their parent or guardian, to avoid interruption or disruption of service. The organization does not terminate services without 30-day notice, and without efforts to transition, unless the clients’ needs require prompt termination.
F.01 The organization utilizes evidence-based developmentally appropriate assessments to evaluate patient outcome annually, or more frequently if needed.
F.02 The organization collects and monitors individual patient outcome data.
F.03 The organization collects and monitors organizational clinical and administrative outcomes to make data-driven decisions pertaining to hiring, staff training, service delivery, collaboration efforts, etc.
F.04 The organization has a quality assurance officer.
F.05 The organization exclusively utilizes evidence-based clinical practices.
F.06 The organization trains for and measures generalization and maintenance throughout treatment.
F.07 The organization ensures goals are appropriate based on current developmental level, chronological age, and the developmental order in which skills are acquired in individuals with typical development.
F.08 The organization determines treatment dosage (hours) by relying on best practices such as decision models, research, and professional judgment.
F.09 The organization ensures clinicians carry a caseload that enables them to provide appropriate supervision and oversight to facilitate effective treatment.
F.10 The organization regularly measures patient satisfaction and makes reasonable efforts to resolve patient concerns or grievances.
G.01 The organization has a standard clinical assessment activity template.
G.02 The organization has a standard clinical assessment report template.
G.03 The organization has a standard progress report or treatment plan template.
G.04 The organization has a standard supervisor case note template.
G.05 The organization has a standard mid-level and/or direct care staff case note template.
G.06 The organization has a preference assessment policy and procedure.
G.07 The organization has a data collection policy and procedure.
G.08 The organization documents all clinical activities following best practice standards for clinical documentation.
H.01 Before the commencement of service delivery, the organization informs parents/guardians and/or patients how they can file complaints and grievances internally and externally about any service provided by the organization and with BHCOE once the organization is accredited.
H.02 The organization has a policy regarding non-evidence-based practices that includes refraining from participating in such practices, resolving conflicts when such practices interfere with ABA services, and educating patients about how to choose effective services.
H.03 The organization educates parents/guardians of patients on the therapeutic impact of their involvement.
H.04 The organization makes reasonable efforts to involve parents, guardians and/or caregivers of patients in care planning, and does not make significant changes to treatment plans without consent.
H.05 The organization establishes minimum parent/guardian participation/training goals regardless of funding source and documents efforts to engage parents, guardians and/or caregivers when participation is insufficient.
H.06 The organization makes reasonable efforts to involve parents, guardians and/or caregivers in the patient’s treatment.
H.07 The organization appropriately documents caregiver participation or lack thereof in treatment sessions and planning.
H.08 The organization makes reasonable efforts to collaborate with other professionals on a treatment team such as occupational therapists, school staff, speech-language pathologists, and/or physicians to maximize patient’s progress.
I.01 The organization has a policy to protect against abuse or allegations of abuse.
I.02 The organization conducts and documents fire drills at least annually.
I.03 The organization provides access to first aid kit supplies to employees and/or has a first aid kit available in all locations where therapeutic activities take place.
I.04 The organization has policies and procedures for safely transporting patients, if applicable.
I.05 Organization has guidelines for safe medication management, if applicable.
I.06 The organization has a written emergency plan for disaster and casualties.
I.07 The organization provides safety/crisis management training for employees.
I.08 The organization has an employee policy and procedure on mandated reporting requirements including a policy, documented training, and procedure.
I.09 The organization has a patient illness policy and procedure.
I.10 The organization has a location-specific patient safety checklist(s).
J.01 The organization accurately represents the services it provides to patients, staff, and/or other stakeholders.
J.02 The organization does not engage in misleading, false, or deceptive statements to patients, staff, and/or other stakeholders.
J.03 The organization has guidelines for how the organization is represented in social media.
J.04 The organization does not permit clinical staff to solicit or use testimonials about behavior-analytic services from current patients on their webpages or in any other electronic or print material.
J.05 The organization does not permit clinical staff to share or create media likely to result in the sharing of any identifying information (written, photographic, or video) about current or past patients and supervisees within social media contexts.
J.06 If an organization utilizes current or past patients to share stories, the organization does not solicit individual patients but, rather, uses an open casting call approach, or uses stories provided unsolicited by patients.
J.07 If an organization utilizes current or past patients to share stories, the organization does not conduct such activities during regularly scheduled treatment hours.
J.08 If an organization utilizes current patients to share stories, the organization has clear protocols to ensure separation between the clinical and marketing departments.
J.09 The organization provides opportunities for patient video or photo releases to be renewed annually and provides clear instructions regarding how to relinquish consent, if requested.
K.01 The organization, prior to the implementation of services, provides parent/guardian with a written notice of privacy practices.
K.02 The organization uses HIPAA-compliant electronic communication that includes a confidentiality disclaimer.
K.03 The organization uses HIPAA-compliant cloud or server-based storage.
K.04 The organization utilizes a HIPAA breach policy and procedure.
K.05 The organization provides HIPAA compliance training to staff upon hire, annually and as required otherwise.
K.06 The organization limits access to Protected Health Information (PHI) only to personnel who require such access in the course of their job duties.
K.07 The organization utilizes a policy and procedure for the protection of facilities and equipment storing PHI.
K.08 The organization has determined where PHI will be located and how long it will be maintained.
K.09 The organization has an appointed HIPAA privacy/security officer.
K.10 The organization has a data backup policy and procedure.