The Essential Guide to HIPAA Compliance
- Identify the steps required to comply with HIPAA regulations.
- Describe which ‘entities’ are covered under HIPAA law.
- Identify what constitutes ‘electronic transmit’ under HIPAA guidelines.
Need for Compliance
The rules within states for compliance with HIPAA may or may not conflict. To this end, a state by state study is currently in effect to provide that the state rules conform to HIPAA.
This is a guide only to complying with HIPAA regulations for mental health professionals operating either a solo or small group practice. HIPAA is a lengthy, complex, and at times, contradictory document. The language used is hazy and often open to interpretation in specific cases. Additionally, the laws governing the privacy of patients are changing and will continue to change. This should be used only as a guide. If you have specific questions which are not addressed by this guide or if you are not sure whether certain parts apply to your specific situation, contact your professional association for clarification.
Although HIPAA set a deadline of April 14, 2003 for compliance with the new federal regulations for virtually all MFT’s, psychologists, MSW’s, counselors, psychiatrists and other types of psychotherapists, many have not yet done so, partially in the belief that this legislation does not apply to them. While it was possible to apply for an extension for meeting the HIPAA regulations until October 2002, all relevant deadlines have now passed and practitioners are expected to be in compliance.
If you are practicing psychotherapy in a private practice, either as an individual or with a group, it is important, if not vital to your practice to bring your patient notes, billing, and forms such as those which provide for informed consent for treatment, authorization for release of notes, rules for disclosures of patient records, and rules for patient’s access to their records. Many of you will find that you have already met the HIPAA regulations.
All health professionals who send information via electronic transmission are considered “Covered Entities” and all HIPAA rules apply to them. What one must do as a Covered Entity to become compliant with HIPAA will be covered in this course. However, this course should not be seen as covering all aspects of compliance.
Individual practitioners may have practices which differ in important ways from the majority of other practitioners and may require additional changes in their operating procedures to become compliant. Also, as the task force continues its work on integrating laws governing the health professions with HIPAA regulations, new laws may become an additional part of what one must do to become or remain compliant. Continue to check with your professional organizations and licensing boards for updates.
Exempt Mental Health Professionals:
If you are a health care provider who never transmits electronic data regarding patients you are not required, at this time, to comply with the HIPAA regulations and are not considered a “Covered Entity.” However, HIPAA is very quickly becoming the standard of care by which health care providers’ office practices are regulated. In other words, you may be found to be negligent with your patient’s records and confidentiality if you do not move your office practices into compliance.
Additionally, even though you do not submit bills electronically, a patient, an attorney, or other party to whom you submit bills or information may subsequently forward the information electronically, making you responsible for being a Covered Entity under the HIPAA regulations. For example, a patient may submit a claim electronically or it may be stored by the insurance company electronically which would require that the mental health professional be compliant with HIPAA regulations.
Using a FAX machine is not considered to be the same as using electronic transmission. Therefore, a mental health professional can send sensitive materials over a FAX machine without concern about being considered a Covered Entity. However, if the Faxed materials are subsequently sent via electronic transmission, the mental health professional with whom the material originated can also be considered a Covered Entity and thus required to follow HIPAA regulations. As yet, there is no requirement that the mental health professional who sent the FAX be notified that the information will be sent to others by electronic transmission. Protect yourself. It is not that difficult.
A business associate is a person or entity other than the therapist’s immediate workforce which receives confidential or PHI information from the therapist and provides services to the therapist. Among others, these may include a bookkeeper, lawyer, accountant, collection agency, answering service, computer service, or answering service. Business associates are not considered Covered Entities by HIPAA. The PHI may be given to a business associate only after the therapist has obtained a written contract with that person who notifies them that they must safeguard confidential information and how to do so appropriately. Samples of business associate contracts may be obtained online:
It is ultimately the therapist’s responsibility to be certain that the business associate follows the contract. Any subcontractors hired by the business associate must also sign a written contract agreeing to safeguard the PHI. If a business associate is found to have violated the contract, the therapist will need to make certain that steps are taken to repair the problem. If the problem is irreparable or if additional problems occur, the therapist may have to terminate the business associate and/or report the problem to HHS.
Another therapist to whom patients are referred during one’s absence is not considered a business associate. Additionally, janitorial, plumbing, electrical, or other repairmen are not considered business associates. Any postal service is not a business associate either under HIPAA. Business associate relationships are also not created by federal or state oversight committees such as the Medicare Peer Review. A therapist should not consider other therapists within one’s own practice or a consultant who is used for treatment purposes as a business associate. None of these are considered Covered Entities by HIPAA.
History of HIPAA:
HIPAA stands for the Health Insurance Portability and Accountability Act. When this act was initially proposed by Senators Kassenbaum and Kennedy, it was seen as a means to protect individuals who were changing jobs or using a private insurance plan while self-employed from being denied insurance because of previous illness. During the Act’s passage through Congress, it has become quite different than the authors of the initial proposal envisioned.
At this time, HIPAA provides standards for protecting the records and privacy of individuals by making the transmission of electronic claims (billing) secure, by providing rules for the secure storage of patient records, streamlining the insurance billing process, and actually protecting some records for both the therapist and the patient. It is no longer a means for protecting patient records from being denied insurance due to a previous diagnosis or prescription which would be seen by an insurance company as “risky.” People who have had previous illnesses continue to have their insurance applications denied because insurance companies have access to vital data such as the diagnosis, treatment administered, and prognosis. In short, the information provided in the patient’s Protected Health Information is more than adequate for an insurance company to determine whether the patient in question will be covered by an insurance company. Most large group policies are required by law to admit all individuals working within the company to be provided with health insurance, regardless of previous illness. (Senator Nancy Kassenbaum)
The main problem lies with those individuals who must obtain private health insurance. They generally must supply the insurance company to which they apply with information about their previous medical and psychological care and provide permission for the insurance company to access those care records. Obtaining private insurance, such as one would do when self-employed or working for a small company which is not required to cover its employees by law, requires that an individual have a health record which is virtually clean of all major illnesses. It has been my experience that psychotherapy for those conditions covered under the “parity law” which have such diagnoses as varieties of major depressions, schizophrenia, and other such illnesses will cause major insurance carriers to decline coverage to an individual. Within my practice, patients have also been denied coverage for being proscribed Prozac within the last year, having a “sleeping disorder” which the patient reported his wife thought he had but was neither evaluated nor treated. Providing a prospective insurance company with the Private Health Information no longer protects the patient in any way from being denied coverage. In fact, it seems to simplify the records so insurance companies can quickly decide whether or not to cover an applicant.
HIPPA provides standards for the storage of all health care information including the transmission of electronic claims to protect the individuals’ records from others who may have improper access to unprotected electronic transmission. Thus, anyone who is using electronic transmission, including Medicare providers, and providers for insurance which require electronic transmission, must use protected electronic transmission only. The Privacy Rule is the aspect of HIPAA which most concerns psychotherapists now. HIPAA also was designed to streamline the insurance claims process by standardizing both claims and records.
Becoming Compliant with HIPAA:
Luckily, for a solo or small group of health professionals, the process of achieving HIPAA compliance is a fairly easy task, particularly if you have already been following the laws for privacy within your field. HIPAA has required many more administrative responsibilities for large corporations such as hospitals and large clinics. They are likely to need a full-time Privacy Officer while within a smaller private practice, you can designate yourself as the Privacy officer and take care of the necessary changes without a great deal of difficulty.
There are, however, several important changes which should be made as soon as possible. It is likely you will need to take and keep two sets of notes, learn new rules about patient’s access to their clinical records, learn the rules about the rights patients now have to amend their records, and develop new forms for Consent for services and Authorization by the patient to have others see their records or otherwise consult with you about your patient. Additionally, there are new rules about how one must secure records in computers. Unfortunately, if you somehow trigger a HIPAA audit, the likelihood of a lawsuit or fines is high. Additionally, you must be in full compliance immediately since there is no grace period.
Because HIPAA may become the general law which is followed by all states, it is likely that if you are not in compliance you will be open to a lawsuit under a state law you may have overlooked or which may have become law since your last law and ethics class.
Steps to HIPAA Compliance:
These steps apply only to solo practices or those of small groups and should not be taken to apply to hospitals or large clinics. The rules for these entities are different in important ways.
1. Designate a Privacy Officer: This person is responsible for meeting HIPAA requirements by developing the necessary new documents, computer storage of patient records, training staff to comply with regulations, and review the changes. The privacy officer should post or provide each patient, whether new or continuing with a Notice of Privacy Practices. Additionally, an announcement should be placed in a public area which includes the following:
Our Privacy Officer is (name of person). The Privacy Officer:
(a) Can answer your questions about our privacy practices;
(b) Can accept any complaints you have about our privacy practices;
(c) Can give you information on how to file a complaint.
You can call the Privacy Officer at (enter your office number.)
2. Comply with the Privacy Rule: The Privacy Rule applies to all Protected Health Information (PHI will be explained in 3.)Therapists are required to inform all patients of office privacy policies and how they are implemented. The patient’s records must be secured. Release of patient records for any reason either by the therapist, business associates, or staff cannot be done without informing the patient and obtaining the patient’s consent. These will be explained more thoroughly and suggestions for appropriate forms are available. A list of government sponsored and association sponsored websites will be provided at the end of this course.
3. PHI is Protected Health Information: Information which you have about your patient which identifies them as an individual when it is transmitted is PHI. All such material must be treated with utmost caution and respect for the rights of your patient. When the patient is identified by name, Social Security Number, or other means which make the patient identifiable by others requires that the material be classified as PHI. If the information contains PHI, all past, present, and future physical or mental health diagnoses, treatment of any sort, and billing or payment become confidential material.
It is crucial that all material containing PHI or information which identifies a patient be protected within the office. It is advisable to personally chart the flow of this information through your office. For example:
- Is incoming mail secure and protected from unauthorized disclosure?
- Is the information created within the office stored and protected?
- Is the information recorded in other areas, such as on or off-site billing personnel have storage which is protected from unauthorized disclosure?
- Is all incoming and outgoing electronic transmission secure?
HIPAA also requires that PHI material be available to be legitimately shared, sent out, or given to those who are authorized. If you personally see where the information comes in, is stored, used, created, and released, you will feel more confident that there is protection for these documents all along the line of transfer. It is helpful to some therapists to pretend these are their own personal records when deciding whether or not the records of their patients are securely protected throughout the process.
HIPAA requires that PHI be available within five days to an authorized agency under law.
Patients’ Rights to Their Protected Health Information (PHI):
Under the HIPAA regulations, patients have a right to receive a notice about the therapist’s privacy practices. This information should be contained in the paperwork which is done in the first session when the patient is to sign a form in which they “consent” to treatment.
Patients can also restrict the use or disclosure of their PHI. However, there are serious limitations on this. The patient’s consent is no longer required for use or disclosure of treatment, payment, or health care operations or TPO. When the consent requirement was deleted in the published regulations of August 14, 2002, there was a huge protest from those who had fought for patients to have privacy. Essentially, the entire process of treatment, payment and operations of health care is not required to be given to the patient.
While many patients are unaware of the tremendous amount of information revealed about their personal medical and psychological treatment, most clinicians, particularly those who regularly deal with managed care and HMO’s are very aware of the type of information required both about the patient and about the qualifications of the practitioner. While a patient can submit a written revocation of their TPO at any time, the therapist may still use the now revoked consent to obtain payment for the treatment if the therapist has already acted in reliance on their initial consent for treatment. More simply stated, the therapist may bill the insurance company and receive payment for services rendered.
Treatment may refer to the type of psychotherapy received, consultation with other health care providers, and/or referral of a patient from one provider to another. The therapist may act without consultation with their patient in areas such as billing, determining eligibility, managing claims, collection of fees, providing information for the review of medical necessity for treatment, and giving information to insurance companies for the purpose of utilization review. Health Care Operations may include quality assessment, medical review, legal services, having an insurance underwriter review the competence or qualifications for health care professionals, and other matters pertaining to managing the business. The patient has no legal right under HIPAA to this information. Nevertheless, a practitioner may, out of a personal sense of ethical responsibility, provide their patients with information about their own policies and what is required of them by the patient’s insurance company.
Patients essentially lost the right which was the original point of the HIPAA legislation. The National Coalition of Mental Health Professionals and Consumers reported that, “The Bush Administration’s Rule changes in August 2002, ended the right of each American to consent to the release of personal health information , PHI, and gave ‘regulatory permission’ for disclosure of any identifiable health information for treatment, payment, and health care operations (TPO), stipulating that the treating professional should determine the minimum necessary information to be disclosed to meet TPO requirements, and that the patient must be advised of that professional’s privacy policies.”
The patient must authorize any use of PHI or Psychotherapy notes other than TPO or those situations which require disclosure with or without the patient’s permission. This usually occurs when a patient is applying for a new insurance policy or is changing physicians or health groups. It has been my experience that when information is released to a large provider of health care, such as the Veteran’s Administration system for continuation of a patient’s care, the PHI is passed throughout the care system; including not only the treating physician but also hospitals and other health care units have access to this information. A patient may see this release of health care information as useful in providing their current health care providers with a complete record of their previous treatment. Other patients may feel threatened by having information dispersed so widely.
Patient’s Access to Their PHI:
Patients have access to their health information contained in their PHI and may request amendments to their records. They are to be told that they have these rights. The therapist must act within 30 days of receipt of a request to provide access.
Therapists may charge a reasonable fee for copying and mailing the PHI if it is requested that the PHI be mailed, but not for the time required to find the documents. If the patient requests a summary of the records, a fee may be charged for the time to do this service.
However, a therapist may deny a patient access to their PHI if the patient is given the right to have their denial reviewed. There are several reasons why access to the PHI may be denied:
- If the therapist has reason to assume that the life or physical safety of others will be endangered by access to the records.
- If the records make reference to other persons (unless that other person is a healthcare provider) or if access to the information would cause harm to the other person. This may occur if another person has made contact with the therapist and notes of that interaction are in the PHI.
- If access is denied, the therapist must provide a timely, written denial including the basis for the denial, a statement of the patient’s review rights, a description of how the patient may exercise such review rights, a description of how the patient may complain to the provider including the name and number of the contact person or office designated to receive his complaints, and a description of how the patient may complain to the HHS Secretary.
Patients have the right to appeal the denial of access to their health information to another licensed health care professional who was not involved in the original decision to deny access. This reviewer must be designated by the psychotherapist, and the therapist must comply with the decision of the reviewer.
Disclosure of PHI notes without Permission of the Patient
- When required by law
- To a coroner or medical examiner when required by law
- To show compliance with the Privacy Rule
- To avert serious threat to the health and safety of a person or the public
- For a public health authority
- For a health oversight agency
- For the military or other national security agency
- To comply with Worker’s compensation laws
- When there are victims of abuse, neglect, and domestic violence
- When there is suspicion or evidence of child abuse.
There are other exceptions to the rule of privacy; however, it is best to consult with one’s professional association such as CAPS or CAMFT prior to disclosing information about a patient.
Case Notes or Non-PHI Notes:
Information which does not identify the patient and could not reasonably be used to identify the patient is not considered PHI and is not protected by HIPAA. This implies, and is readily translated to mean that a mental health professional’s private case notes are not open to scrutiny by anyone other than the therapist.
This encourages the therapist to keep two sets of records, one which duly provides the information required by HIPAA and a second set of notes which are kept separately from the HIPAA records. They must be kept in a separate file and perhaps in a separate filing cabinet from PHI notes and other medical records. In this way, a therapist can keep track of private, personal notes which are used for therapy purposes from such diverse information as what their patient has been eating lately to what the therapist thinks about a dream but decides it is too soon to interpret to the patient. They can contain other sensitive information such as drug abuse, HIV-AIDS information, and other sensitive information about the patient. There is no requirement that two separate sets of notes be kept but they can certainly be useful to the therapist in the treatment of the patient.
Psychotherapy Notes or “process notes” are excluded from HIPAA regulations since they do not have information such as full names, Social Security Numbers and other information which could reasonably be used to identify a patient. They are the often sketchy notes one makes to oneself while listening to a patient. The therapist’s guesses and hypotheses can be included also in these notes and excluded from those notes controlled by HIPAA.
Psychotherapy notes also cannot be used by Insurance companies to determine the patient’s eligibility for treatment or payment. While no records are completely immune from disclosure, these records are far more protected under the HIPAA regulations than they have been previously. When a patient releases information for reimbursement or other purposes, the Psychotherapy Notes are not released. This legislation supports the previous Supreme Court’s 1996 Jaffee v. Redmond decision which affirmed the importance of confidentiality and privacy to develop trust and other aspects of a therapeutic relationship.
Psychotherapy Notes specifically may not include medication prescription and monitoring. They may also not include starting and stopping times of the sessions and modality and frequency of the treatment. They must also not include a diagnosis, functional status, treatment plan, results of clinical tests, symptoms, prognosis, or progress in treatment since those parts of the record are to be a part of the general record or the PHI controlled by HIPAA. Thus the distinction between the very private Psychotherapy Notes and the ironically much more public notes which identify the patient, the diagnosis, and the prognosis is maintained.
To clarify this distinction further, a psychoanalytically based treatment to document an intervention in a PHI, HIPAA regulated file, which does not contain Psychotherapy Notes may read:
Interpretations were made regarding the onset of the patient’s current symptoms and were accepted and used by the patient with some success to further his understanding.
Psychotherapy Notes, in contrast may read:
Some success today. Discussed his attachment to his mom and feelings that she needed him to talk with while father went to sleep early. Discussed details of his plans to seduce her--I was feeling like his mother in the countertrans. \ he slipped and called me the first part of his M.s name then corrected it. New Girl he likes sounds nice.
The patient’s insurance company, managed-care, or Medicare may need information similar to the first example to document that the patient is making progress in treatment and why. They do not need the private information which occurs in the consulting room. HIPAA protects this information if the therapist is willing to make separate folders for their patients. The patient is able to talk about shameful thoughts, acts, and memories while the therapist can take private Psychotherapy Notes on these which remain private but would cause damage or harm to the patient if revealed. Additionally, the patient must authorize the therapist to share the Psychotherapy Notes with other clinicians. If several therapists or others such as physicians are involved in a case, the general notes or medical records can be shared. Only the patient, the subject of the notes, can authorize sharing of the Psychotherapy Notes.
Disclosure of Psychotherapy Notes:
The Psychotherapy Notes can only be disclosed without the patient’s authorization under certain circumstances:
- When mandated by law.
- To defend the therapist against charges brought by the patient.
- For training or supervision
- For oversight of the therapist
- Under the Tarasoff Law and under HIPAA to avert a serious and imminent treat to the health or safety of a person or the public, The disclosure may be made to only the person or persons who can reasonably be expected to prevent or reduce the threat. The person who is threatened must also be notified in this disclosure.
Therapists cannot disclose Psychotherapy Notes they receive from another therapist to any other therapist without authorization from the patient. This is not the case with general Protected Health Information or PHI which may be re-disclosed or sent as part of the record and is routine treatment.
If a patient authorizes the release of their Psychotherapy Notes to a NON-COVERED person or entity with whom the therapist does not have a business contract, that person or entity may release them to whomever they please without any need for the patient’s authorization. For example, if a patient releases their Psychotherapy Notes to someone who has convinced the patient that they will write their biography, but they are not a health provider, or other Covered Entity, the “biographer” may release the Psychotherapy Notes to whomever he or she pleases.
Patients have NO right to review their Psychotherapy Notes. Under the HIPAA rules, they have many rights regarding their general record or PHI including reviewing it. However, a patient can request to have an entire record transferred to another therapist or someone else and then may see the Psychotherapy Notes. Again, keep the Psychotherapy Notes separate from other notes and psychotherapists are not required to keep Psychotherapy Notes at all so they may be destroyed after they cease to be useful to the psychotherapist.
Patient’s Rights to Amend Their Private Health Information:
Under the HIPAA regulations, patients can review their PHI and amend statements in the PHI which they consider to be incorrect. However, the therapist can refuse to amend the PHI if it is not part of the designated PHI record set; if it is not available for inspection; if the therapist thinks the record is accurate and complete; or if the record was not created by the therapist and the creator is no longer available. If the patient provides a reasonable basis to believe that the creator of the PHI is no longer available to act on the request, the therapist must address the request as if he or she created the information.
If the therapist refuses to do the requested amendment, he or she must provide the patient with a timely, written denial which explains the patient’s right to submit a written statement of disagreement, the patient’s right to have the denial notice sent out with subsequent disclosures of the PHI, and how the patient may make a complaint to DHHS. Although the patient has the right to disagree, the therapist has the right to provide the patient with a written rebuttal both to the patient and to be entered in the PHI. All subsequent disclosures of the PHI would contain the rebuttal.
The therapist must develop a procedure for granting and denying requests to amend the PHI. Under HIPAA regulations, the therapist must respond within 60 days after receiving the patient’s request to amend the record but may request an additional 30 days if the patient is given notice.
If the therapist determines that the record should be changed according to the requested amendment, he or she must make the amendment; notify the patient; ask the patient who else should be notified of the amendment; and provide the amended information to those identified by the patient. However, all information and communication relating to granting or denying requests by the patient to amend the PHI must be included as part of the record. Changes resulting from a patient’s request to amend the record do not exclude any prior information or part of the record it is simply added to it.
Records of Minors:
HIPAA generally intends not to interfere with state laws regarding parental control and access to their children’s mental health treatment. The parents in general are the representatives of their children and thus have access to the PHI concerning their children. The parent may release the PHI to whomever they deem suitable with or without the permission of their children.
The only exceptions to this rule are if a court makes the determination that the parent does not have the right to access their child’s PHI; if someone other than the parent is legally authorized to make decisions for the minor; when the parent, or other person legally acting as the parent, consents to an agreement of confidentiality between the minor and the health care provider. Also, if a state law allows a minor access to mental health services without the consent of the parent, the minor has the same rights as an adult patient regarding their PHI. State laws which recognize this right supercedes the HIPAA regulations and the specific situations to which this may apply are beyond the scope of this class.
It is important to recognize that a HIPAA compliance audit can be conducted at any time without any cause. No one needs to file a complaint or does there need to be any apparent problem. The department of Health and Human Services HHS is the body which will eventually have enforcement power. Any person who believes their rights have been violated by having a therapist who is not compliant with HIPAA can contact HHS and file a complaint which immediately is to trigger an investigation. Once this investigation has begun, the HIPAA rules apply not only to the particular difficulty which was found initially but to the therapist’s entire practice.
The most likely causes for an audit are when a therapist electronically transmits Protected Health Information (PHI) through filing a health care claim; inquiring about the status of a claim; inquiring about eligibility of enrollment; obtaining advice about a health care payment or remittance; attempting to coordinate payments; confirming a referral; or creating the first report of an injury. Clearly, some of these are done more frequently by the therapist while others are more frequently initiated by an insurance company or a patient. Therapists who use billing and collection services may also trigger application of the Privacy rule. The therapist is responsible, in other words, for the actions of everyone with whom they contract to be certain that the electronic transmissions they create are secure.
The consequences of failing to be in compliance with HIPAA can be severe. Fines of up to $250,000 and imprisonment for up to ten years or both can be levied against an individual who knowingly perpetrates “wrongful disclosure of individual, identifiable, health information. Additionally the Office of Civil Rights at the US Department of Health and Human Services can initiate administrative action against non-compliant therapists. Patients can also file lawsuits if a therapist is non-compliant because their private health information is endangered. There may also be civil penalties but these cannot exceed $25,000 in one year.
Because any or all of these things would make a normal therapist pack his or her bags and head for a country without an extradition treaty, it is important to become compliant with the HIPAA regulations as soon as possible. Also, it is likely that the HHS will enforce HIPAA in a way which is educational rather than punitive unless there is evidence that the clinician profited in some manner by unlawfully transmitting Protected Health Information.
Problems within HIPAA:
This is a new set of laws which are designed by the US Congress to regulate the healthcare industry. Because of this, states, which have regulated healthcare previously, have a variety of laws which are usually similar to those of HIPAA, but different enough that there is an ongoing task force to determine which laws should be changed so that Federal and State law governing the privacy of healthcare are more closely the same. When state laws are more restrictive the HIPAA rules do not preempt state laws. Additionally, all states will continue to investigate and regulate therapists with regard to confidentiality, ethics, and integrity.
Although HIPAA went into effect in April 2003, and was to become the law of the land by October 16, 2003, it is clear at this time (November 2003) that this has not yet occurred. Those healthcare providers who have small practices and have used electronic transmission of billing provided by Medicare have been told that the new software is not yet complete to replace the system which has been offered for free to practitioners with a small number of Medicare patients. The pre-HIPAA software continues to be adequate to submit billing for now.
Additionally, HIPAA does not give clear black and white rules about when therapists may and may not disclose information. Perhaps some of these rules will eventually be decided through case law. Your issue, as an individual clinician is to make certain that you are not the one whose name appears in the case law which will eventually be cited.
HIPAA, at this time, does not create a national data bank for offenders. However, if you are successfully sued by a patient for failing to follow HIPAA and failing to protect the confidentiality of records, you will find yourself in the National Data Bank anyway.
Psychotherapists who work on a fee-for-service, out-of-pocket, cash only basis 100% of the time and who never bill insurance either directly or by providing their patients with the means to bill their own insurance carrier can, so far remain free of the HIPAA regulations.
HIPAA is a long, rambling, complex set of laws. In many places it is unclear and difficult to interpret. If one looks at the law with a particular question in mind, the problems become very difficult indeed. HIPAA will continue to change. It is necessary to stay in touch with one’s professional organizations to stay current with the law.
Additional HIPAA information
Permitted Uses and Disclosures
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Individual. A covered entity may disclose protected health information to the individual who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individualand activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization as described below.Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities.24 The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
(3) Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
Facility Directories. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on an individual’s informal permission to list in its facility directory the individual’s name, general condition, religious affiliation, and location in the provider’s facility.25 The provider may then disclose the individual’s condition and location in the facility to anyone asking for the individual by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the individual by name when inquiring about patient religious affiliation.
For Notification and Other Purposes. A covered entity also may rely on an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. 26 This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
(4) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.(5) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes.These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
Public Health Activities. Covered entities may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA), the Mine Safety and Health Administration (MHSA), or similar state law.Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Decedents. Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.35
Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.36
Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge.The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.A covered entity also may use or disclose, without an individuals’ authorization, a limited data set of protected health information for research purposes (see discussion below).
Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.40
Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs1
Workers’ Compensation. Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
(6) Limited Data Set. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
Limiting Uses and Disclosures to the Minimum Necessary
Minimum Necessary. A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.50 A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. See additional guidance on Minimum Necessary.
The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to or a request by a health care provider for treatment; (b) disclosure to an individual who is the subject of the information, or the individual’s personal representative; (c) use or disclosure made pursuant to an authorization; (d) disclosure to HHS for complaint investigation, compliance review or enforcement; (e) use or disclosure that is required by law; or (f) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.
Access and Uses. For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
Disclosures and Requests for Disclosures. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
Reasonable Reliance. If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: (a) a public official, (b) a professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity.
Author: K. Gates, PhD