How does HIPAA affect music therapy record-keeping and information sharing?

• A. HIPAA allows sharing without consent in emergencies.
• B. HIPAA requires that all records be stored in physical form only.
• C. HIPAA does not require minimum necessary standard.
• D. HIPAA protects privacy, requires secure storage, access control, consent for release of information, and the minimum necessary standard.

Answer: (D)

HIPAA in music therapy centers on protecting patient information as you keep records and decide what can be shared. It requires that privacy of PHI be respected, and that records—whether paper or electronic—are stored securely with appropriate safeguards. Access to PHI must be limited to staff who need it to do their job, using proper authentication and role-based controls.

Sharing information isn’t freeform; it typically requires the patient’s consent or a legitimately permitted exception, and even then you disclose only the minimum necessary to accomplish the purpose. The minimum necessary standard is central: you should share the least amount of information needed, and only for the specific purpose at hand. In emergencies, disclosures may be allowed to protect safety or ensure treatment, but they’re still governed by these safeguards and usually documented.

So, this reflects HIPAA’s protections, storage requirements, access controls, consent for releases, and the minimum necessary standard. The other statements don’t fit because HIPAA does not mandate physical-only storage, it does require the minimum necessary, and it doesn’t permit blanket sharing without appropriate consent or a valid exception.