Records Access in Cases of Practitioner Death or Incapacitation Policy

Purpose

This policy defines the responsibilities and procedures for TherapyAppointment to facilitate secure, authorized access to client records maintained in the TherapyAppointment platform in the event of a practitioner’s death or incapacitation. This policy supports the provider’s obligations for continuity of care and proper records stewardship.

Scope

This policy applies to all practices that utilize the TherapyAppointment software and to all client records maintained within the platform on behalf of those practices.

Background

TherapyAppointment operates as a Business Associate under HIPAA. Client records maintained in the platform remain the property of the Covered Entity (the practitioner or practice). TherapyAppointment’s role is to provide secure technical access to these records in accordance with the Business Associate Agreement (BAA) and applicable laws.

Policy

Practitioner Responsibility for Succession Planning

As the Covered Entity, each practice Account Owner is responsible for establishing a succession or contingency plan that complies with applicable state laws, professional licensing requirements, and HIPAA privacy and security regulations. TherapyAppointment strongly encourages each practice Account Owner to designate an Authorized User through the practice settings in the application as part of this succession planning.


Pre-Designation of Authorized User

Setting the Authorized User

Practice Account Owners may designate one Authorized User by providing the following information in the practice settings within their TherapyAppointment account:

  • Full Name
  • Email Address
  • Phone Number

This setting requires step-up authentication to establish or modify. Only the practice Account Owner had editing rights to this designation. Practice Managers may view but not modify this information.

The Authorized User designation is kept confidential, and the designated individual will not be notified of their designation by TherapyAppointment unless and until access is requested and granted.


Practice Obligations

  • By designating an Authorized User in the TherapyAppointment system, the practice represents that:
  • The designated individual is legally authorized to access PHI on behalf of the practice.
  • The designation complies with applicable state laws regarding records custodianship.
  • The designation aligns with any professional will, succession plan, power of attorney, or other legal documents governing the practice.
  • The designated individual understands their responsibilities as a records custodian, including HIPAA obligations.

TherapyAppointment, as a Business Associate, relies on the Covered Entity’s designation and does not independently verify the legal authority or qualifications of the designated Authorized User.


Access Request Process

When an Authorized User Has Been Designated

If a practice Account Owner has designated an Authorized User in the system, TherapyAppointment will facilitate access through the following streamlined process:

  1. Written Request: The designated Authorized User must submit a written request to support for access from the email address on file in the TherapyAppointment system. 
    1. Submit this request to support@therapyappointment.com
  2. Identity Verification: TherapyAppointment will verify that: 
    1. The request originates from the registered email address. 
    2. The requestor’s information matches the designated Authorized User information on file. 
    3. The requester provides a copy of valid government-issued photo identification (such a driver’s license or passport) matching the name on file. 
  3. Notification: TherapyAppointment will attempt to notify the current Account Owner via the phone number and email address on record before granting access to the Authorized User. The current Account Owner will be given two (2) business days to respond. If no response is received within this timeframe, access may be granted to the Authorized User. This notification period applies to both death and incapacitation requests as a security measure to protect against unauthorized access attempts. 
  4. Access Provisioning: Upon successful identity verification and completion of the notification period, TherapyAppointment will execute the transfer of Account Owner rights within five (5) business days. TherapyAppointment will:
    1. Grant the Authorized User the Account Owner role for the practice. 
    2. If the Authorized User does not already have an account in the practice, send an invitation to the email address on file. 
    3. Provide access for an initial period of 30 days from the date access is granted. 
  5. Access Duration and Data Export: 
    1. Initial access is limited to 30 days from the date access is granted. 
    2. During this 30-day period, the Authorized User has full export capabilities and may export all practice records. 
    3. Access becomes permanent if the Authorized User updates the practice billing information within the 30-day period. 
    4. If billing information is not updated within 30 days, access will expire, the practice will become inactive, and the account will be subject to TherapyAppointment’s standard termination terms. 
    5. The Authorized User assumes all Covered Entity responsibilities under the BAA upon receiving access.

When No Authorized User Has Been Designated

If no Authorized User has been designated in the system, TherapyAppointment requires valid legal documentation demonstrating the requester’s authority to act as the practice’s representative or records custodian. 


In such cases: 

  1. Notification: The requester must notify TherapyAppointment as soon as possible following the practitioner’s death or incapacitation. 
  2. Request Submission: Requests for access must be submitted in writing to support@therapyappointment.com, accompanied by:
    1. Copy of valid government-issued photo identification
    2. Legal documentation demonstrating authority as described below 
  3. Required Legal Documentation: The requestor must provide documentation demonstrating both that the death or incapacitation has occurred and that they have legal authority to access the records. 
    1. For Death, the requester must provide: 
      1. Proof of death: Certified copy of death certificate from vital records office (preferred), OR if death certificate is not yet available, obituary from verified funeral home website AND letter from estate attorney or executor on professional letterhead with verifiable contact information
      2. Proof of authority: One of the following: 
        1. Letters of administration or testamentary from probate court
        2. Court order or other legal directive establishing custodianship or authority over the practice
        3. Executor documentation from an estate with authority over the practice
    2. For Incapacitation, the requester must provide: 
      1. Proof of incapacitation and authority: One of the following:
        1. Court order appointing guardian or conservator with authority over healthcare or business matters
        2. Valid, unexpired durable power of attorney document (covering healthcare or business decisions) AND supporting medical documentation from treating physician
        3. Letter from licensed attorney on professional letterhead with verifiable contact information AND supporting court or medical documentation. 
      2. TherapyAppointment reviews the submitted documentation for apparent validity but does not guarantee authenticity. TherapyAppointment may, at its discretion, contact issuing parties or authorities to verify documentation. 
  4. Documentation Review: TherapyAppointment will review the submitted documentation to verify the requester’s apparent legal authority. This review is limited to confirming that documentation appears valid on its face. TherapyAppointment does not provide legal interpretation or validation of the documents. 
  5. Access Provisioning: Upon acceptance of the documentation, TherapyAppointment will execute the transfer of Account Owner rights within five (5) business days. TherapyAppointment will:
    1. Grant the Account Owner role for the practice. 
    2. If the requester does not already have an account in the practice, send an invitation used to request access. 
    3. Provide access for an initial period of 30 days from the date access is granted. 
  6. Access Duration and Data Export: 
    1. Initial access is limited to 30 days from the date access is granted. 
    2. During this 30-day period, the requester has full export capabilities and may export all practice records. 
    3. Access becomes permanent if the requester updates the practice billing information within the 30-day period. 
    4. If billing information is not updated within 30 days, access will expire, the practice will become inactive, and the account will be subject to TherapyAppointment’s standard termination terms. 
    5. The user assumes all Covered Entity responsibilities under the BAA upon receiving access. 

Security and Audit Requirements

As a Business Associate, TherapyAppointment will:

  • Document all access requests and actions taken in response to such requests.
  • Maintain audit logs of access to PHI during the transition period. 
  • Apply the same security safeguards to the Authorized User’s access as applied to the original Account Owner. 
  • Report any suspected breaches or unauthorized access in accordance with the BAA and HIPAA requirements. 

Access Revocation

TherapyAppointment reserves the right to suspend or revoke access if: 

  • Misuse of PHI or system access is identified
  • Multiple conflicting legal claims to the records are received. 
  • Unauthorized or suspicious activity is detected. 
  • Required by law or court order
  • The account becomes subject to legal dispute. 

Access revocation or suspension may occur regardless of whether access was granted through the Authorized User designation or through legal documentation. 


Disputes Over Account Ownership

In the event of a dispute over account ownership: 

  • TherapyAppointment will not determine ownership or resolve disputes between parties. 
  • TherapyAppointment may suspend administrative changes until all parties provide mutually agreed documentation or legal directive resolving the dispute. 
  • It is the responsibility of the practice to resolve disputes and clearly identify a single authorized practice Account Owner.
  • TherapyAppointment is not responsible for changes made by practice users during the course of a dispute.

State Law Compliance

Practices are responsible for ensuring their succession planning, Authorized User designation, and records management practices comply with all applicable state laws and professional licensing requirements, including but not limited to state-specific requirements for mental health records custodianship. TherapyAppointment, as a Business Associate, does not provide legal guidance on state law compliance and recommends that Covered Entities consult with legal counsel familiar with their jurisdiction’s requirements.


TherapyAppointment Responsibilities and Limitations

As a Business Associate, TherapyAppointment’s responsibilities are limited to: 

  • Providing a secure mechanism for practice Account Owners to designate an Authorized User. 
  • Verifying the identity of access requesters against information provided by the practice or reviewing legal documentation provided. 
  • Provisioning system access to facilitate lawful records transition in accordance with the BAA and other applicable agreements. 
  • Maintaining the security, privacy, and integrity of PHI during the transition process. 
  • Documenting access requests and actions for audit purposes. 

TherapyAppointment does not:

  • Assume any Covered Entity obligations for client notification, continuity of care, or clinical responsibilities. 
  • Provide legal interpretation or validation of succession planning documents.
  • Determine the legal authority or qualifications of an Authorized User beyond identity verification. 
  • Make determinations regarding compliance with state licensing laws or professional ethics requirements. 
  • Mediate disputes between competing claimants to practice records. 
  • Assume liability for the Covered Entity’s succession planning or lack thereof.

The Covered Entity remains responsible for all HIPAA obligations, including breach notification, patient access requests, and proper PHI handling during and after the transition period.