ATP Online Legal Information

Return to Legal Home

HIPAA Privacy Statement

Last Updated: July 2018

Academic Therapy Publications, Inc. is committed to protecting personally identifiable information (PII) or protected health information (PHI) from loss, misuse and unauthorized access, disclosure, alteration or destruction.

The following statement ("Policy") describes how Academic Therapy Publications, Inc. and ATP Assessments ("ATP", "we", "us", or "our") collects, protects, uses and shares data through our interactions with users of the ATP Online web site located at ("ATP Online", "Service(s)"). ATP Online is made available to qualified clinicians, therapists, examiners, and other professionals ("Customer(s)", "Practitioner(s)", "you", "your") with access to "Personal Data" including: personal information ("PI"), personally identifiable information ("PII"), Protected Health Information ("PHI"), or electronic PHI ("ePHI") about their clients, students, or patients ("Data Subject(s)", "Examinee(s)").

We reserve the right to revise this Policy periodically to reflect changes in our Services and in order to comply with changes in the law. Any such revisions are effective immediately upon posting. Your use of the Services subsequent to such posting constitutes your acceptance of such revisions. The date at the top of this document shall indicate the most recent date of this Policy revision.

Business Associate Relationship

ATP Online complies with all applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). By providing ATP Online to Practitioners working on behalf of healthcare covered entities, we are your Business Associate.

Customers who are covered entities or business associates of covered entities under HIPAA should review the ATP Online HIPAA Business Associate Agreement before creating, maintaining, or transmitting PHI in ATP Online.


ATP provides HIPAA training to all employees with access to ePHI in ATP Online on the policies and procedures with respect to PHI as necessary and appropriate for the employees to carry out their functions.


ATP has in place appropriate administrative, technical, and physical safeguards to protect the privacy of ePHI in ATP Online. ATP has implemented policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA.

Breach Mitigation and Notification

Following a breach of unsecured PHI, ATP will provide the required notice to the Customer without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, ATP will provide the Customer with the identification of each individual affected by the breach as well as any other available information required to be provided by the Customer in its notification to affected individuals. ATP will mitigate, to the extent practicable, any harmful effect that is known to the Customer of an unauthorized use or disclosure of PHI.

Inquiries and Complaints

All inquiries or complaints concerning ATP's policies and procedures or its compliance with such policies and procedures should be submitted in writing to the ATP Privacy and Security Officer. We will respond to questions or concerns within 30 days.

Changes to policies or procedures

ATP will change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications. Whenever there is a change in law that necessitates a change to ATP's policies or procedures, ATP will promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, ATP will promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). For changes to privacy practices stated in the notice, ATP will ensure that the policy or procedure, as revised to reflect a change in ATP's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications. ATP will document the policy or procedure, as revised, as required and will revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). ATP will not implement a change to a policy or procedure prior to the effective date of the revised notice. ATP may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that the policy or procedure, as revised, complies with the standards, requirements, and implementation specifications and prior to the effective date of the change, the policy or procedure, as revised, is documented as required.

Documentation and Retention Period

ATP will maintain documentation of its policies and procedures and records of its notifications, actions, activities, designations as required by HIPAA and will retain documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

Additional Information

For additional questions regarding HIPAA regulations please use the link below:
US Department of Health and Human Services: Health Information Privacy.