
Frequently Asked Questions
What every mental health provider needs to know before it’s too late
Why do I need a HIPAA Manual?
Because not having one is already a violation. If you can’t hand an auditor your written policies and procedures today, you’re at risk of a five-figure fine. One client complaint, one data breach, one angry ex-employee is all it takes to trigger an OCR investigation.
Aren’t solo and small practices too small to be audited?
No. In fact, 79% of OCR investigations involve private practices, including solo providers, small groups, and especially mental health clinicians. The government knows small practices usually don’t have strong compliance systems, and they are low-hanging fruit for fines.
What happens if I get audited and I’m not prepared?
You’ll be asked for a risk assessment, written HIPAA policies, a Notice of Privacy Practices, Business Associate Agreements, and training logs. If you can’t produce them, each missing piece is considered non-compliance. Providers have paid $30,000 to $125,000 for exactly this.
Can’t I just download free HIPAA forms online?
That’s like downloading a generic will from Google and hoping it protects your estate. Free templates don’t match state law, licensing board rules, or Medicaid and telehealth standards. Using them creates a false sense of safety until you’re investigated.
How much can the fines really be?
Fines range from $100 to $50,000 per violation. And it’s not per incident; it’s per record. If you have 100 clients and your policies are missing, that is potentially 100 violations. Add in civil lawsuits, licensing board complaints, and reputational damage, and it can bury a practice.
What about cyber breaches?
If your email, laptop, or phone isn’t secured the right way, and client PHI is exposed, you could face breach notification costs, fines, and lawsuits. Hackers don’t care that you are just a solo therapist. Mental health records sell for up to 20 times more than credit cards on the dark web.
My clients trust me. Isn’t that enough?
Trust doesn’t protect you when a client files a complaint, or when their attorney requests your policies during a custody dispute. HIPAA isn’t optional; it’s federal law. Good intentions don’t keep you out of trouble.
How fast can I get compliant with GCE tools?
Our products are editable, branded, and ready to implement. Depending on what you choose, you could have a HIPAA Manual, a State-Specific Supplement, a Self-Audit Toolkit, or even a Professional Will fully customized and audit-ready in just a few days. Every file is prepared with your business name and locked with copyright protection. We offer multiple products and bundles that can be utilized together or individually, so you can build the exact compliance system your practice needs.
Would my Cyber Liability Coverage with my insurance company protect me?
Usually not. Most cyber liability policies exclude HIPAA fines, OCR investigations, or known violations. If you did not have a risk assessment and written HIPAA manual in place before the breach, your coverage may be denied. Providers often discover this after paying premiums for years.
Do I need to update my HIPAA compliance every year?
Yes. HIPAA requires ongoing risk assessments and updated policies whenever laws, technology, or your practice changes. Waiting even one year could mean your manual is outdated and no longer compliant. OCR expects you to have a current, living compliance system, not a dusty binder.
What if I only take private-pay clients and don’t bill insurance?
HIPAA still applies. If you use electronic devices, email, cloud storage, telehealth, or even an EHR system, you are subject to the HIPAA Security Rule. Many private-pay practices think they’re exempt until they are hit with a breach, complaint, or subpoena.
Can I just respond to bad reviews if a client misrepresents or lies online?
No. HIPAA still applies even when a client attacks you publicly. Responding in a way that confirms someone was your client, or mentions their treatment, is a violation. Providers have been fined for trying to defend themselves online. Best practice is no comment at all, and yes, it’s maddening.
I have a Business Associate Agreement. Isn’t that enough?
Having one BAA doesn’t cover you. Every vendor that touches PHI must have one, including your email provider, EHR, billing system, telehealth platform, cloud storage, and even your shredding service. Missing just one is considered a violation.
I’m in a small town. Would the government really come after me?
Yes. Complaints don’t come from the government; they come from clients, ex-clients, employees, or competitors. All it takes is one person filing a report with OCR. You will never see it coming.

Delivery & Customization FAQ

How are the products delivered?
Each product is delivered as a customized Microsoft Word file, branded with your business name and formatted to be immediately editable. This isn’t a generic download. Every order is manually prepared, watermarked, and delivered in 3–5 business days.
Why are your products watermarked?
Because unprotected documents get stolen, resold, or stripped of their copyright. Without watermarking, your compliance system could be floating around the internet with no proof of ownership. Every GCE product includes a locked header and footer with copyright protections so you are safe from copycat exposure.
Can I edit the documents after delivery?
Yes. The body of the documents is fully editable so you can adjust policies, add your logo, or customize for your practice workflows. The headers and footers remain locked to preserve copyright and licensing protection.
Will I automatically receive updates if laws change?
No. Compliance is a living process, and laws evolve. Our products reflect the most current standards at purchase, but updates are offered separately when released. This ensures you are always aware when major changes occur and avoids the false security of thinking you are covered forever with one outdated file.
Why don’t you allow instant downloads?
Instant downloads leave you exposed. Anyone could share, copy, or re-upload the file without licensing protections. By manually customizing and watermarking every order, we protect your practice and our intellectual property.
What if I need multiple state versions?
Multi-state practices require custom integration. Each additional state supplement or toolkit is licensed separately, and blended versions are priced based on the added legal complexity. Cutting corners here can mean violating the wrong state law, and that is exactly the type of mistake OCR loves to find.

Tax & Compliance FAQ

Can I write off these compliance products as a business expense?
Yes. Compliance manuals, toolkits, and policies are considered ordinary and necessary business expenses. That means they are tax deductible, just like your EHR subscription or malpractice insurance. The IRS expects you to invest in protecting your business — and they let you deduct it.
What happens if I don’t invest in compliance?
Then you pay in a different way. A $2,500 compliance manual can be deducted at tax time. A $25,000 HIPAA fine cannot. The IRS will not soften the blow of federal penalties. Cutting corners costs more than doing it right.
Will my accountant understand how to categorize these products?
Absolutely. They fall under “Professional Fees,” “Legal & Professional Services,” or “Business Compliance Tools,” all common categories for small practices.
Are compliance products still deductible if I’m a solo provider?
Yes. Whether you’re a sole proprietor, LLC, or group practice, these qualify as business expenses. In fact, solo providers are at the highest risk for audits because they rarely have legal-grade compliance systems in place.
