Guest Post by Rob Reinhardt, LPCS, Technology Consultant for Mental Health Professionals, CEO of Tame Your Practice
Wouldn't it be nice if someone would provide us with a brief checklist of things we need to do in order to comply with HIPAA (the Health Insurance Portability and Accountability Act)? I strongly recommend that you not wait for that to happen. HIPAA was purposely constructed to be flexible so that both large hospitals and solo practitioners would be able to comply. You wouldn't want to follow the same checklist as a hospital, would you? Further, because HIPAA now covers electronic Protected Health Information (ePHI), it's important that it remain flexible, since technology continually evolves.
That said, there are some basic parameters and processes to be aware of. Once these concepts are understood, HIPAA no longer seems to be an overwhelming, unintelligible monstrosity. It takes on a role similar to progress notes and other paperwork: the stuff that gets in the way of our client time, but that we know we need to do.
Here then, is a brief summary of the most important things to know about HIPAA:
It's More Than Just the HIPAA Privacy Notices
HIPAA started out in 1996 with the Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) by Covered Entities (CEs). Protected Health Information is any data about health care that can be linked to a specific individual. Covered Entities are health plans/insurers, clearinghouses, and providers who engage in “Covered Transactions”. For most mental health clinicians, that means filing electronic insurance claims (even if you don't, be sure to read on). This is the part of HIPAA that brought us the HIPAA Notice of Privacy Practices, where providers detail for clients how and when they will use and/or disclose their PHI.
In 2003, the Security Rule was added in order to set standards for securing ePHI. It requires that CEs establish Administrative, Technical, and Physical safeguards to ensure the privacy of client data. This was further enhanced by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in 2009 and the Final (Omnibus) Rule in 2013.
I've found that most therapists have the Privacy Rule down pat, so in the following sections, I'll focus on clarifying information from the Security Rule.
HIPAA Security Compliance Is An Ongoing Process
One of the primary components of complying with the Security Rule is completing a Risk Analysis and Management Plan. This is a process of documenting reasonably anticipated threats to the security of ePHI (e.g. theft, loss, fire) and a plan for dealing with those threats. It must be reinforced through a documented set of Policies and Procedures (yes, even if you're a solo practitioner). Therapists wouldn't dream of assessing a client at intake and then never re-visiting that assessment. Similarly, this Risk Analysis process needs to be re-visited on a regular basis. This ensures that new technologies and threats are addressed appropriately.
Software and Devices Can't Be HIPAA Compliant
If you listen to the marketing speak, you might get the impression that a CE can be in compliance as long as they choose software and devices that are “HIPAA Compliant”. The problem is that such things do not exist!
Only Covered Entities or Business Associates can be compliant with HIPAA, by engaging in the processes described above. A Business Associate (BA) is any third party with which a CE shares PHI. This could be a billing agent, an EHR vendor, or a telehealth application vendor. In creating this relationship, the CE is required to establish a Business Associate Agreement with the BA, outlining the responsibilities of each. The good news is that, due to the Omnibus Rule, the BA is held to the same standards for compliance as the CE. To be clear, this doesn't release the CE from all responsibility. They still need to conduct a Risk Assessment. However, it's often the case (especially with an EHR) that using a third party vendor will greatly decrease the scope of (read: amount of work involved in) the CE's process.
(Side Note: Financial transactions are exempt from HIPAA, so typically financial institutions don't fit the definition of Business Associate. However, there are some circumstances to be aware of, such as some of the features offered by services like Square.)
But I Don't Take Insurance So I Don't Have To Worry About HIPAA
It's true that, if you (or your billing representative) are not filing electronic insurance claims, you likely don't fit the definition of Covered Entity. Technically then, you don't have to comply with HIPAA. You should be aware of and consider the following, however:
- Standard of Care – HIPAA is becoming recognized as a “Standard of Care” when it comes to privacy and security. If how you handle privacy and security ever comes into question, there's a solid chance that HIPAA will be the measuring stick for whether you're doing a good job.
- Ethics – Our codes of ethics require that we keep client information confidential. In line with the first point, what standards can we use to prove that we are doing so, especially with ePHI?
- State Law – Be sure to understand your state laws regarding client privacy. If you're in Texas, for example, your state laws are in some cases even more stringent than HIPAA.
- Best Practices – Similar to the idea of Standard of Care, the set of requirements in HIPAA is considered “Best Practices” for securing client data. While HIPAA may seem bloated and overdone in parts, the core requirements make sense and are a good path to significantly reducing the risks to privacy.
Rob Reinhardt is a Licensed Professional Counselor Supervisor in North Carolina and CEO of Tame Your Practice. In addition to helping therapists integrate technology into their practice, he is the column editor for Counseling Today magazine and creator of Describe, a therapy tool appropriate for individuals and families of all ages!