The AAMFT Blog

HIPAA Privacy and Security Regulations are inherently complex, with hundreds of pages of regulations.  It is no wonder that therapists can get stymied about knowing specific HIPAA regulations, and how they are to put them in practice.  There is also a lot of erroneous information floating around on the internet, steering therapists in the wrong direction.  Yet, given our ethical and legal obligation to client confidentiality and privacy, and our legal obligation to client security of their digital data, accurate information is a must.  In this article, we will explore some common questions regarding the HIPAA Privacy and Security Regulations, and answer that will help you with your HIPAA compliance efforts.

Q:  How do I know if I need to be HIPAA Compliant? 

A:  If you, your practice, agency, or business furnishes, bills, or receives payment for (mental) health care in the normal course of business, and transmits covered transactions electronically, you are a covered entity (CE) under HIPAA regulations.  However, you should know that if you have a paper-only business with no electronic transactions for reimbursement, you will still want to be familiar with HIPAA requirements.  The reason for this is that HIPAA is quickly becoming the standard of care for guarding client privacy as well as security of any electronic protected health information (PHI)[1].  For example, in North Carolina, in the case of Acosta v. Byrum (2006), when psychiatric and other medical records were improperly accessed and released in during a custody case, the HIPAA was used as the standard of care for privacy of client information.  The Privacy Regulations go well beyond typical confidentiality requirements.

Q:  If I password protect my smart phone, can I use it for sending and receiving confidential client information?

A:  Electronic Protected Health Information (EPHI) must be protected in compliance with the HIPAA administrative, physical, and technical safeguards, preventing unauthorized disclosure, destruction, or loss of PHI.  Loss or theft of mobile devices are one of the most frequently occurring reasons for breach of PHI.  

HIPAA safeguards must be in place for any mobile device used in treatment, payment, or healthcare operations.  In addition to password protection, therapists will want to encrypt PHI stored or sent on their mobile devices, activate remote wiping should the device be lost or stolen, install security and firewall software, keep software up to date.  Additionally, care must be taken with downloading of files or apps.   Agencies and practices should document required measures they take in their HIPAA policies and procedures manual.  For example, if a staff therapist uses their phone to email or text clients, is there a procedure in place for ensuring removal of the PHI on the device in the event their employment is terminated or they leave the facility?  One of the advantages of encrypting the phone is that if the phone with PHI is lost or stolen, it falls under the “safe harbor” exemption, which means that you are not required to report the loss to the Department of Health and Human Services / Office for Civil Rights, and will not be subject to an investigation.  Typically mobile phones have this capacity built into the software.

Q:   My office has the HIPAA Notice of Privacy Practices, and I am careful about confidentiality.  Am I considered compliant? 

A: There is so much more to HIPAA than the Notice of Privacy Practices!  You must complete the required Security Risk Analysis (SRA) on at least a yearly basis (or more often if you change office operations).  In the SRA you walk through the 54 required standards and specifications, rendering a remediation plan.  The remediation plan details what areas of your organization need to be improved to come into compliance.  Regular, documented HIPAA training (at least yearly) must occur for all “workforce,” which would include all therapists, staff, volunteers, etc.—basically anyone who comes into contact with PHI.  While many therapists believe they can order HIPAA training online, the reality is that training must occur on the specific HIPAA policies and procedures of the agency, practice, or organization. 

If you ignore or are unwilling to comply with HIPAA and HITECH[2] regulations, you fall into the category of “willful neglect.”  Consider this:  If an entity has made genuine efforts at HIPAA compliance, and have a HIPAA violation, the fine is $100.  However, if the entity has ignored the regulations and made no efforts at compliance, it is considered “willful neglect,” with a mandatory fine of between $10,000 and $50,000.  The Office for Civil Rights, who is responsible for enforcement of the Regulations, will not look kindly upon those who have turned a blind eye to compliance efforts. 

Q:  Is it OK that my HIPAA Notice of Privacy Practices (NPP) acknowledgement is integrated into my informed consent? 

A:   It is not advisable.  You need your client to sign your informed consent acknowledging the risks and benefits of treatment, and giving their explicit consent to treatment.  HIPAA regulations require an attempt to get the client’s written acknowledgement that they have received the NPP.  However, if clients refuse to provide their signature, you cannot deny service based on their refusal to provide their signature of acknowledgement.  Thus, it is best not to mix the two forms, but many therapists do.  The NPP solely covers patient rights and provider responsibilities under HIPAA regulations; they do not need to “consent,” but they do need to be asked to acknowledge receipt of the NPP.  If a client refuses to sign the acknowledgement of receipt of the NPP, the therapist needs to document their refusal. 

Q:  What is the “minimum necessary”?

A:  The minimum necessary standard is part of HIPAA privacy regulations; it requires that CEs make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard requires CEs to evaluate their practices and allow access to PHI only on a “need to know” basis. Staff who are not providing therapy services should have the minimum necessary client information available to them for them to be able to do their job.  In small practices, one person may need total access.  In larger organizations, this is not the case.  There should be clear definitions of job roles, and what type of access to PHI coincides with each role.  For example, a receptionist would not need access to entire client files, just contact information.  This decreases the risk of a breach, or impermissible disclosure of PHI.

The minimum necessary standard does not apply when disclosures or requests are for treatment purposes, or for uses or disclosures to the client themselves (or their legal representative), those made with a valid authorization, or those required by law.  Lastly, the minimum necessary standard does not apply when disclosures are required for compliance with the Privacy Regulations, or when made to the Secretary of the Department of Health and Human Services for purposes of compliance and enforcement of the Regulations.  If another entity makes a request for PHI, you may rely on them to decide what the minimum necessary information is to satisfy their purpose. 

Q:  My electronic records vendor says they are HIPAA compliant.  Does that take care of my security around my client records?

A:  There is so much mythology around services being “HIPAA Compliant, “and vendors tout it continually.  The reality is that practices or agencies are HIPAA compliant, not specific technology.  Each CE must do their security risk assessment, produce a remediation plan with efforts towards compliance, and complete due diligence on their business associates.[3]  Don’t be lulled into complacency on this issue; you must make efforts towards compliance of the Privacy and Security Regulations, and abide by the HITECH Breach Notification law.

Q:  My state law is stricter than HIPAA, but I know HIPAA allows you to release client information without a release of information.  When HIPAA was enacted, did my clients lose privacy rights?

A:  No, HIPAA typically defers to stricter state law, with some limited exceptions.  It is true, under HIPAA you can share PHI for treatment, payment, and healthcare operations. This seems like a lot of sharing!  However, you are allowed to obtain client consent to use or disclose PHI, allowing you to stay consistent with your state law (unless there is a specific pre-emption under HIPAA).  If you keep psychotherapy notes, as defined by the Privacy Regulations, those notes are highly protected under HIPAA, and may not be shared without specific client authorization. 

HIPAA laws are complex, and do periodically change.  For example, the Notice of Privacy Practices was updated in 2013; some therapists are still using the 2009 version. In order to keep up with the latest information, I advise you to sign up for listservs from the Department of Health and Human Services at www.hhs.gov/hipaa/for-professionals.  For general HIPAA information, go to www.hhs.gov.

Lastly, as with taxes, it can be helpful to align yourself with a trained expert to help separate fact from fiction, and keep you keeping your client information private and secure.

References

Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (North Carolina, 2006).

[1] Protected Health Information (PHI) is health information that relates to an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 

[2] Health Information Technology for Economic and Clinical Health Act

[3] A Business is a person or entity that performs functions, activities, or services on behalf of a CE that involves the use or disclosure of protected health information.

Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (2016).  She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana.  She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association. 

The HIPAA Privacy Rule (45 CFR Parts 160-164) requires that HIPAA covered entities provide clients information detailing how their protected health information* will be used or disclosed.  This is done through the familiar HIPAA Notice of Privacy Practices (NPP), which outlines client rights and the legal duties of the HIPAA covered entity.  The practitioner may not use or disclose protected health information in a manner that is inconsistent with the NPP.  HIPAA privacy rules have evolved, due to the Health Information Technology for Economic and Clinical Health Act, with changes solidified with the Omnibus Final Rules issued in January 2013.  These material changes brought about by the final rule require changes to the NPP.  While this occurred some time ago, in the midst of busy practices, therapists can have difficulty staying abreast of all regulatory changes, so changes that must be reflected in the NPP are reviewed herein.

Changes include the following additions to the NPP: 

• A statement that clients have a right to receive notification if their PHI is breached (viewed, used or disclosed inappropriately),
• A statement must be included that states that any uses or disclosures of PHI not described in the NPP require written authorization by the individual,
• A statement that individuals must be notified that they have the right to restrict certain disclosures of their PHI to their health plan if they pay out of pocket for a service or services, if that disclosure is only for carrying out payment or healthcare operations.
• A statement indicating that the following uses and disclosures require a separate written authorization:
  • Uses and disclosures for marketing purposes,
  • Disclosures that constitute sale of PHI, and
  • For most uses and disclosures of psychotherapy notes.
  • Any uses or disclosures not listed in the NPP
• If your practice engages in fundraising activities, a statement that the client has the right to opt-out of such communications.

The good news is that you do not need to re-distribute the notice to each client, but you can instead post it conspicuously in your waiting room, and it should be posted to your website.  If clients ask, you must have the updated notice available upon request.  New clients should receive the updated notice, and be asked to sign the concomitant acknowledgement of their receipt of the NPP.  While you must make a “good faith effort” to obtain acknowledgement of receipt of the NPP, clients are not required to sign the acknowledgement of receipt in order to receive services. Therapists should document their attempts to gain the acknowledgement signature. Because therapists can treat clients without a signed acknowledgement, the NPP is best kept as a separate document from your informed consent for treatment. NPPs may be emailed to the client should they request it.  

As therapists concerned with client confidentiality, there are a couple of things to remember regarding the NPP.  First, any stricter state law must be integrated into the NPP (45 CFR §164.520(b)(1)(ii)(C)).  This can be confusing for both the client and the therapist.  The Department of Health and Human Services notes that within the NPP, readers could be referred to a separate section of the NPP which details more stringent state privacy laws (U.S. Department of Health and Human Services, 2003).  This would allow for an easier update to your NPP in the event state law changes.  Thus, when there are material changes in state law affecting client privacy, the NPP must be updated to reflect those changes. It is an ethical imperative to accurately inform your clients of their privacy rights, in light of our professional ethical code, as well as state and federal laws. Be sure to note the effective date on your NPP, and keep old NPPs for a period of six years.   HIPAA requires that you retain documentation for “6 years from the date of its creation or the date when it last was in effect, whichever is later.” (45 CFR § 164.316(b)(2)(i)). 

You must also have a named privacy officer with whom clients can file a complaint should they believe their privacy rights have been violated.  This person’s name and contact information must be provided in the NPP.   For solo practices, this can be the solo practitioner.  For larger practices, one person must be named as the privacy officer and is tasked with making sure the practice is complying with the HIPAA privacy regulations.  A security officer must also be named, and may also be the same person as the privacy officer, though need not be.  You may opt to give clients the contact information for them to be able to complain to the Office for Civil Rights, but you are not required to do so. 

In summary, check your NPP to be certain you have the updated version, and be sure it can be made available to new clients, and to established clients should they ask for it.

The Department of Health and Human Services provides model notice of privacy practices in several formats that are user-friendly and using plain language (which is a requirement).  You can access updated model NPPs at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html . Don’t forget that you must integrate stricter state law into your NPP. 

*Protected health information is “Individually identifiable health information, including demographic data, that relates to: 1) the individual’s past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual” (45 C.F.R. §160.103). 

References

HIPAA, Public Law 104-191, 45 CFR §160.103

HIPAA, Public Law 104-191, 45 CFR § 164.316

HIPAA, Public Law 104-191, 45 CFR §164.520

U.S. Department of Health and Human Services.  Frequently asked questions.  Retrieved from http://www.hhs.gov/hipaa/for-professionals/faq/464/must-a-covered-entity-with-a-notice-revise-the-notice-every-time-it-changes/index.html

Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (2016).  She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana.  She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association. 

In a small rural mental health center, an employee unwittingly clicked on a phishing email, releasing malware which subsequently was used to encrypt the center’s electronic records database. The center did not have adequate encryption or backup of their data, and were unable to access client records because of the attack. They were then contacted by an unknown source, who demanded they pay $1000 ransom to gain access to their database. The center had no choice, and were forced to pay the ransom to gain access to their client records. 

This true story is a stark reminder of why we need to pay attention to HIPAA compliance. However, when family therapists hear the term “HIPAA,” many practitioners think that they are compliant when they have their Notice of Privacy Practices in place, or perhaps by purchasing “HIPAA Compliant” electronic record software. Many practitioners are simply unaware of the multitude of requirements placed upon them as HIPAA Covered Entities, or question if they are subject to HIPAA regulations at all. To simplify, if you transmit information electronically for purposes of payment by third party payers (e.g. insurers, government entities) even for one client, you are considered a Covered Entity (CE) under the regulations. As such, you are required to comply with federal HIPAA privacy and security regulations, as well as breach notification standards to protect client Protected Health Information (PHI).  PHI is:

Individually identifiable health information, including demographic data, that relates to: 1) the individual’s past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (45 C.F.R. § 160.103). 

While therapists are typically very clear on confidentiality requirements set by our ethics code and state statute, protecting client digital data brings a new level of vigilance needed to honor client rights to privacy and confidentiality. For example, client PHI may be exposed through loss or theft of unencrypted mobile devices such as phones and laptops, failure to patch software systems allowing access to PHI by outsiders, or returning photocopiers to vendors with un-erased digital memories. However, allowing unauthorized staff to inappropriately view client PHI due to failure to have strict privacy and security policies and procedures is also considered a breach under HIPAA. 

No one else can complete your HIPAA compliance but you. There is no such thing as an external entity making you HIPAA compliant; you must set policies and procedures that adequately protect your client’s PHI. Here are just a few requirements for you to check your compliance efforts:

• Have you performed a security risk analysis which includes the evaluation of each of the 54 security standards or implementation specification set by the Department of Health and Human Services?
• Have you produced and followed a remediation plan born from the security risk analysis that details strategies for decreasing or eliminating risks to paper and electronic PHI?
• Do you have Business Associate Agreements in place with entities who create, receive, transmit or store PHI on your behalf (for example, with your billing or shredding service, electronic records vendor, attorney, and accountant and so on, if they have access to PHI)?
• Do you understand the protocol set by the standards for breach notification should client PHI be lost, stolen, or otherwise inappropriately used or disclosed?
• Can you produce your documentation of your HIPAA policies and procedures?
• Can you produce documentation of HIPAA training of any employees, volunteers, trainees, and other persons whose conduct is under your direct control as a Covered Entity?  
• Have you posted your Notice of Privacy Practices in your waiting room where clients can clearly see it, and on your practice or organization’s website?

Costs of noncompliance include reputational damage, ethical violation(s), legal costs, reparation costs, and fines and penalties set by the HITECH (Health Information Technology Economic and Clinical Health) Act. Additionally, if you ignore the regulations, there is a mandatory fine should the Office for Civil Rights, who is responsible for enforcement of the regulations, investigate your practice or organization. 

Let’s imagine you suffer the loss or theft of an unencrypted laptop, with contains data from over 500 clients. HIPAA regulations require that you report the loss to the Department of Health and Human Services and to your clients, absolutely no later than 60 days of the discovery of the breach. Your practice or organization name will also be published on the breach portal at the website of the Department of Health and Human Services, which has come to be known as the “Wall of Shame.” You also need to notify prominent local news media of the breach. If you have ignored the regulations, you can also add on a mandatory fine from $10,000 to $50,000.  While there is no private right of action under HIPAA regulations, state attorney generals can sue for HIPAA violations, and lawsuits do occur for invasion of privacy. What has quickly become a standard reparation for breaches of PHI is that the practice or organization pays for credit monitoring for the individual for 2-3 years post-breach. State privacy or breach notification laws may also be at hand. Lastly, it would be hard to imagine that the therapeutic relationship would not be injured or destroyed when a therapist has not maintained privacy and security of their client’s very personal information.

Perhaps you think you do not need to know about HIPAA because you do not fall into the realm of being a CE because you only take private pay clients. Be forewarned that in the legal arena HIPAA is increasingly being used to demonstrate the appropriate standard of care with regard to privacy and security of client PHI (cf. Acosta v. Bryum, in North Carolina, or Walgreen Company v. Abigail E. Hinchy in Indiana). For better or for worse, HIPAA is here to stay, and we must extend the rights to client confidentiality and privacy to all oral, paper, and electronic data. Our relationships with clients depend upon it. 

References

Acosta V. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (North Carolina, 2006). 

Hinchy v. Walgreen Co., et al, No. 49D06 11 08 CT029165 (Indiana, 2011). 

HIPAA, Public Law 104-191, 45 CFR §160.103

Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (2016).  She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana.  She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.