There are many reasons MFTs should be sure their practices and organizations are HIPAA compliant. Each day the news carries threats to client confidentiality such as ransomware, records loss, stolen unencrypted laptops or phones, and so on. Since confidentiality is the foundation of our practice, it is important that we pay attention to the myriad ways in which confidentiality can be breached today. Let’s go through some examples where client information has been breached:
- A small midwestern mental health organization received a message that their data had been encrypted, and an unknown entity was demanding $1,500 in bitcoin for them to get their client data back. Not only was their data not properly protected from this ransomware attack, they had not properly backed up their data; the attack occurred when an employee opened a phishing email. With no usable backup, the organization was left with no option but to pay the ransom to access their client records. Even after paying, they could not guarantee that the data had not been viewed or copied by others (OCR treats the encryption of ePHI by ransomware as a presumed breach unless a documented risk assessment shows a low probability of compromise), so they were required by HIPAA regulations to make a report to the Department of Health and Human Services (HHS), and because the data included more than 500 records, they were also required to notify prominent local news media and posted the breach on their website.
- A practice in Maryland was burglarized, and a therapist’s locked file cabinet containing client protected health information (PHI) was broken into. While it was unclear whether the information was viewed, HIPAA regulations presume that any impermissible access to PHI is a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. In this case, state law also required that the incident be reported to the state’s attorney general. Breach notification was made to the clients, as per HIPAA regulations and the Maryland Personal Information Protection Act.
- In a county mental health organization in California, 1,200 clients were affected when, in the midst of relocating offices, paper records were left behind in the old office. This constituted another HIPAA breach that had to be reported to clients, local media, HHS, and the state.
HIPAA covered entities are required to follow the HIPAA privacy regulations, security regulations, and breach notification rules. The Privacy Rule requires safeguarding of client PHI in any form: electronic, paper, or oral. The Security Rule specifically focuses on protection of electronic PHI (ePHI). The breach notification requirements were enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act and, with some exceptions, require reporting of a breach to the affected clients and to HHS, and, for breaches affecting more than 500 individuals, to prominent local news media.
So how do you know whether your practice would pass regulatory scrutiny? That is not easily answered in a blog, but in broad strokes, covered entities are required to do the following:
- Conduct a thorough privacy and security risk assessment. The risk assessment includes a comprehensive analysis of threats to client PHI. The Security Rule’s 54 administrative, physical, and technical safeguards must each be evaluated within your practice, and the assessment must be documented and repeated as your practice changes. The National Institute of Standards and Technology (NIST) provides guidelines for conducting risk assessments (NIST, 2012).
- Create a remediation plan based on identified risks. Once threats and risk profiles have been identified, they are categorized as high, medium, or low risk, and appropriate safeguards are developed in order of priority, with a named person assigned to each task and a time frame set for implementing the remediation strategy.
- Privacy and security policies and procedures must be put in place. The policies and procedures require regular updates, with changes recorded. If a privacy or security incident occurs, the policies and procedures must be reviewed and updated. Each policy is written with the operational steps taken to address specific regulatory safeguards.
- Due diligence must be performed on business associates. With the advent of the HITECH Act, covered entities are responsible for breaches by their business associates (BAs). Each practice or organization should be sure to have a business associate agreement (BAA) in place, and should have done its due diligence to ensure the BA is following the HIPAA regulations (more than just the BA saying it is compliant!). BAs are any outside persons or entities that handle PHI on your behalf. These may be your attorney, accountant, shredding service, billing service, answering or phone service, etc., who, in the course of their business with you, have access to your client PHI. (A carrier that merely transmits data, such as a telephone company or the postal service, falls under the conduit exception and is not a BA.)
- Conduct regular, documented training of the workforce. HIPAA regulations require that the “workforce” (practitioners, employees, interns, volunteers, anyone with access to client PHI) have regular training on your specific HIPAA policies and procedures. Generic “canned” training does not fully meet this requirement. Training must be logged, and the logs kept for six years.
So, would you pass regulatory scrutiny? The Office for Civil Rights (OCR), which is responsible for enforcing HIPAA regulations, has instituted both an on-site and a desk audit program. If you file a notice of a breach, or if a client complains, you are given 20 days to respond to OCR’s requests for documentation. If OCR chooses your practice or organization for a desk audit, you have 10 days to provide them with your compliance documentation. It is more likely that a client complaint would trigger a request for documentation, as audits are still relatively rare, for now. If you ignore the regulations, it is considered willful neglect. Willful neglect, under the HIPAA regulations, carries a mandatory fine of between $10,000 and $50,000 per violation.
As MFTs, it is incumbent upon us to protect client confidentiality, privacy, and security. It is now statutorily required that we protect client PHI, whether it be in oral, written, or electronic form. Failure to follow the regulations can seriously tarnish your relationship with your clients, your reputation, and your bottom line. It can also result in serious client privacy violations, given the intimate nature of MFT, and it leaves clients open to identity theft and, if you hold their insurance information, medical identity theft. Don’t forget to check your state privacy and breach notification regulations as well.
National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments. Special Publication 800-30 (Rev. 1). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Protected Health Information (PHI) is any individually identifiable health information that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.
Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (2016). She is the executive vice president, and director of educational services at Carosh Compliance Solutions, a HIPAA consultancy, and professor emerita of Purdue University Northwest’s marriage and family therapy program. She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.