HIPAA Privacy and Security Regulations are inherently complex, running to hundreds of pages. It is no wonder that therapists can get stymied trying to learn specific HIPAA regulations and how to put them into practice. There is also a lot of erroneous information floating around on the internet, steering therapists in the wrong direction. Yet, given our ethical and legal obligation to protect client confidentiality and privacy, and our legal obligation to secure clients' digital data, accurate information is a must. In this article, we will explore some common questions regarding the HIPAA Privacy and Security Regulations, with answers that will help you with your HIPAA compliance efforts.
Q: How do I know if I need to be HIPAA Compliant?
A: If you, your practice, agency, or business furnishes, bills, or receives payment for (mental) health care in the normal course of business, and transmits covered transactions electronically, you are a covered entity (CE) under HIPAA regulations. However, you should know that even if you have a paper-only business with no electronic transactions for reimbursement, you will still want to be familiar with HIPAA requirements. The reason for this is that HIPAA is quickly becoming the standard of care for guarding client privacy as well as the security of any electronic protected health information (PHI)[1]. For example, in North Carolina, in the case of Acosta v. Byrum (2006), when psychiatric and other medical records were improperly accessed and released during a custody case, HIPAA was used as the standard of care for privacy of client information. The Privacy Regulations go well beyond typical confidentiality requirements.
Q: If I password protect my smart phone, can I use it for sending and receiving confidential client information?
A: Electronic Protected Health Information (EPHI) must be protected in compliance with the HIPAA administrative, physical, and technical safeguards, preventing unauthorized disclosure, destruction, or loss of PHI. Loss or theft of mobile devices is one of the most frequently occurring causes of a breach of PHI.
HIPAA safeguards must be in place for any mobile device used in treatment, payment, or healthcare operations. In addition to password protection, therapists will want to encrypt PHI stored on or sent from their mobile devices, activate remote wiping so the device can be erased if it is lost or stolen, install security and firewall software, and keep software up to date. Additionally, care must be taken when downloading files or apps. Agencies and practices should document the required measures they take in their HIPAA policies and procedures manual. For example, if a staff therapist uses their phone to email or text clients, is there a procedure in place for ensuring removal of the PHI from the device in the event their employment is terminated or they leave the facility? One of the advantages of encrypting the phone is that if a phone holding encrypted PHI is lost or stolen, the loss falls under the “safe harbor” exemption, which means that you are not required to report it to the Department of Health and Human Services / Office for Civil Rights, and will not be subject to an investigation. Typically mobile phones have this encryption capability built into the software.
Q: My office has the HIPAA Notice of Privacy Practices, and I am careful about confidentiality. Am I considered compliant?
A: There is so much more to HIPAA than the Notice of Privacy Practices! You must complete the required Security Risk Analysis (SRA) at least yearly (or more often if you change office operations). In the SRA you walk through the 54 required standards and specifications and produce a remediation plan. The remediation plan details which areas of your organization need to be improved to come into compliance. Regular, documented HIPAA training (at least yearly) must occur for the entire “workforce,” which includes all therapists, staff, volunteers, etc.—basically anyone who comes into contact with PHI. While many therapists believe they can simply order generic HIPAA training online, the reality is that training must cover the specific HIPAA policies and procedures of the agency, practice, or organization.
If you ignore or are unwilling to comply with HIPAA and HITECH[2] regulations, you fall into the category of “willful neglect.” Consider this: if an entity has made genuine efforts at HIPAA compliance and has a HIPAA violation, the fine is $100. However, if the entity has ignored the regulations and made no efforts at compliance, it is considered “willful neglect,” with a mandatory fine of between $10,000 and $50,000. The Office for Civil Rights, which is responsible for enforcement of the Regulations, will not look kindly upon those who have turned a blind eye to compliance efforts.
Q: Is it OK that my HIPAA Notice of Privacy Practices (NPP) acknowledgement is integrated into my informed consent?
A: It is not advisable. You need your client to sign your informed consent acknowledging the risks and benefits of treatment and giving their explicit consent to treatment. HIPAA regulations require an attempt to get the client’s written acknowledgement that they have received the NPP. However, if a client refuses to sign, you cannot deny service based on their refusal to provide a signature of acknowledgement. Thus, it is best not to mix the two forms, though many therapists do. The NPP solely covers patient rights and provider responsibilities under HIPAA regulations; clients do not need to “consent” to it, but they do need to be asked to acknowledge receipt of it. If a client refuses to sign the acknowledgement of receipt of the NPP, the therapist needs to document their refusal.
Q: What is the “minimum necessary”?
A: The minimum necessary standard is part of the HIPAA privacy regulations; it requires that CEs make reasonable efforts to limit the use and disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard requires CEs to evaluate their practices and allow access to PHI only on a “need to know” basis. Staff who are not providing therapy services should have only the minimum client information necessary for them to do their job. In small practices, one person may need total access. In larger organizations, this is not the case. There should be clear definitions of job roles and of what type of access to PHI coincides with each role. For example, a receptionist would not need access to entire client files, just contact information. Limiting access in this way decreases the risk of a breach or impermissible disclosure of PHI.
The minimum necessary standard does not apply when disclosures or requests are for treatment purposes, to uses or disclosures made to the client themselves (or their legal representative), to those made with a valid authorization, or to those required by law. Lastly, the minimum necessary standard does not apply when disclosures are required for compliance with the Privacy Regulations, or when made to the Secretary of the Department of Health and Human Services for purposes of compliance with and enforcement of the Regulations. If another CE makes a request for PHI, you may rely on that entity to decide what the minimum necessary information is to satisfy its purpose.
Q: My electronic records vendor says they are HIPAA compliant. Does that take care of my security around my client records?
A: There is so much mythology around services being “HIPAA Compliant,” and vendors tout it continually. The reality is that practices or agencies are HIPAA compliant, not specific technology. Each CE must do its own security risk analysis, produce a remediation plan with efforts toward compliance, and complete due diligence on its business associates.[3] Don’t be lulled into complacency on this issue; you must make efforts toward compliance with the Privacy and Security Regulations, and abide by the HITECH Breach Notification law.
Q: My state law is stricter than HIPAA, but I know HIPAA allows you to release client information without a release of information. When HIPAA was enacted, did my clients lose privacy rights?
A: No, HIPAA typically defers to stricter state law, with some limited exceptions. It is true that under HIPAA you can share PHI for treatment, payment, and healthcare operations. This seems like a lot of sharing! However, you are allowed to obtain client consent before using or disclosing PHI, allowing you to stay consistent with your state law (unless there is a specific pre-emption under HIPAA). If you keep psychotherapy notes, as defined by the Privacy Regulations, those notes are highly protected under HIPAA and may not be shared without specific client authorization.
HIPAA laws are complex, and do periodically change. For example, the Notice of Privacy Practices was updated in 2013; some therapists are still using the 2009 version. In order to keep up with the latest information, I advise you to sign up for listservs from the Department of Health and Human Services at www.hhs.gov/hipaa/for-professionals. For general HIPAA information, go to www.hhs.gov.
Lastly, as with taxes, it can be helpful to align yourself with a trained expert to help separate fact from fiction and keep your client information private and secure.
References
Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (North Carolina, 2006).
[1] Protected Health Information (PHI) is health information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
[2] Health Information Technology for Economic and Clinical Health Act
[3] A Business Associate is a person or entity that performs functions, activities, or services on behalf of a CE that involve the use or disclosure of protected health information.
Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (2016). She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana. She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.