In a small rural mental health center, an employee unwittingly clicked on a link in a phishing email, releasing malware that was then used to encrypt the center's electronic records database. The center had neither adequate encryption nor a usable backup of its data, so once the attack ran it could not access client records at all. It was then contacted by an unknown party demanding a $1,000 ransom for access to the database. Seeing no alternative, the center paid the ransom to regain access to its client records.
This true story is a stark reminder of why we need to pay attention to HIPAA compliance. Yet when family therapists hear the term "HIPAA," many assume they are compliant because they have a Notice of Privacy Practices in place, or because they have purchased "HIPAA compliant" electronic record software. Many practitioners are simply unaware of the multitude of requirements placed upon them as HIPAA Covered Entities, or question whether they are subject to HIPAA regulations at all. To simplify: if you transmit information electronically for the purpose of payment by third-party payers (e.g., insurers, government entities), even for a single client, you are a Covered Entity (CE) under the regulations. As such, you are required to comply with the federal HIPAA privacy and security regulations, as well as the breach notification standards, to protect client Protected Health Information (PHI). PHI is:
Individually identifiable health information, including demographic data, that relates to: 1) the individual’s past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (45 C.F.R. § 160.103).
While therapists are typically very clear on the confidentiality requirements set by our ethics code and state statute, protecting client digital data demands a new level of vigilance to honor client rights to privacy and confidentiality. For example, client PHI may be exposed through the loss or theft of unencrypted mobile devices such as phones and laptops, through unpatched software that lets outsiders reach systems holding PHI, or through photocopiers returned to vendors with their internal storage never erased. Breaches are not only technical, however: allowing unauthorized staff to view client PHI because you lack strict privacy and security policies and procedures is also a breach under HIPAA.
No one else can complete your HIPAA compliance but you. No external entity can make you HIPAA compliant; you must set and follow policies and procedures that adequately protect your clients' PHI. Here are just a few requirements against which to check your compliance efforts:
- Have you performed a security risk analysis that evaluates each of the 54 security standards and implementation specifications set by the Department of Health and Human Services?
- Have you produced and followed a remediation plan, derived from that security risk analysis, that details strategies for reducing or eliminating risks to paper and electronic PHI?
- Do you have Business Associate Agreements in place with every entity that creates, receives, transmits, or stores PHI on your behalf (for example, your billing or shredding service, electronic records vendor, attorney, and accountant, if they have access to PHI)?
- Do you understand the breach notification procedure set by the standards should client PHI be lost, stolen, or otherwise inappropriately used or disclosed?
- Can you produce your documentation of your HIPAA policies and procedures?
- Can you produce documentation of HIPAA training of any employees, volunteers, trainees, and other persons whose conduct is under your direct control as a Covered Entity?
- Have you posted your Notice of Privacy Practices in your waiting room where clients can clearly see it, and on your practice's or organization's website?
The costs of noncompliance include reputational damage, ethical violation(s), legal costs, reparation costs, and the fines and penalties set by the HITECH (Health Information Technology for Economic and Clinical Health) Act. Additionally, if you have ignored the regulations (what the regulations call willful neglect), a fine is mandatory should the Office for Civil Rights, which is responsible for enforcing the regulations, investigate your practice or organization.
Let's imagine you suffer the loss or theft of an unencrypted laptop that contains data on more than 500 clients. HIPAA regulations require that you report the loss to your clients and to the Department of Health and Human Services without unreasonable delay, and absolutely no later than 60 days after discovery of the breach. Your practice or organization's name will also be published on the breach portal at the Department of Health and Human Services website, which has come to be known as the "Wall of Shame." You also need to notify prominent local news media of the breach. If you have ignored the regulations, you can add on a mandatory fine of $10,000 to $50,000 per violation. While there is no private right of action under HIPAA, state attorneys general can sue for HIPAA violations, and lawsuits for invasion of privacy do occur. What has quickly become a standard reparation for breaches of PHI is that the practice or organization pays for credit monitoring for each affected individual for two to three years after the breach. State privacy or breach notification laws may also apply. Note the practical lesson in the word "unencrypted": PHI encrypted in line with HHS guidance is not "unsecured" PHI, so the loss of a properly encrypted laptop whose key was not also lost would not trigger this notification chain at all. Lastly, it is hard to imagine the therapeutic relationship surviving undamaged when a therapist has not maintained the privacy and security of a client's very personal information.
Perhaps you think you do not need to know about HIPAA because you are not a CE, since you only take private-pay clients. Be forewarned that in the legal arena HIPAA is increasingly being used to establish the appropriate standard of care for the privacy and security of client PHI (cf. Acosta v. Byrum in North Carolina, or Walgreen Company v. Abigail E. Hinchy in Indiana). For better or for worse, HIPAA is here to stay, and we must extend clients' rights to confidentiality and privacy to all oral, paper, and electronic data. Our relationships with clients depend upon it.
Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (N.C. Ct. App. 2006).
Hinchy v. Walgreen Co., et al., No. 49D06-1108-CT-029165 (Ind. Super. Ct. 2011).
HIPAA, Public Law 104-191; 45 C.F.R. § 160.103.
Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (2016). She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana. She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.