1. Identify specific areas in which psychologists are likely to fail to be in compliance with HIPAA, how to rectify the problems, and protect the public.
2. List training procedures for staff to assure that patient files are protected.
3. Identify specific legal situations in which patients' files containing PMI must be released to protect both the psychologist and the patient.
Need for Compliance
The rules within states for compliance with HIPAA may or may not conflict. To this end, a state by state study is currently in effect to provide that the state rules conform to HIPAA.
HIPAA is a lengthy, complex, and at times, contradictory document. The language used is hazy and often open to interpretation in specific cases. Additionally, the laws governing the privacy of patients are changing and will continue to change. This should be used only as a guide. If you have specific questions which are not addressed by this guide or if you are not sure whether certain parts apply to your specific situation, contact your professional association for clarification.
Although HIPAA set a deadline of April 14, 2003 for compliance with the new federal regulations for virtually all heatlh care workers, many have not yet done so, partially in the belief that this legislation does not apply to them. While it was possible to apply for an extension for meeting the HIPAA regulations until October 2002, all relevant deadlines have now passed and practitioners are expected to be in compliance.
If you are practicing psychotherapy in a private practice, either as an individual or with a group, it is important, if not vital to your practice to bring your patient notes, billing, and forms such as those which provide for informed consent for treatment, authorization for release of notes, rules for disclosures of patient records, and rules for patient’s access to their records. Many of you will find that you have already met the HIPAA regulations.
All health professionals who send information via electronic transmission are considered “Covered Entities” and all HIPAA rules apply to them. What one must do as a Covered Entity to become compliant with HIPAA will be covered in this course. However, this course should not be seen as covering all aspects of compliance.
Individual practitioners may have practices which differ in important ways from the majority of other practitioners and may require additional changes in their operating procedures to become compliant. Also, as the task force continues its work on integrating laws governing the health professions with HIPAA regulations, new laws may become an additional part of what one must do to become or remain compliant. Continue to check with your professional organizations and licensing boards for updates.
Exempt Mental Health Professionals:
If you are a health care provider who never transmits electronic data regarding patients you are not required, at this time, to comply with the HIPAA regulations and are not considered a “Covered Entity.” However, HIPAA is very quickly becoming the standard of care by which health care providers’ office practices are regulated. In other words, you may be found to be negligent with your patient’s records and confidentiality if you do not move your office practices into compliance.
Additionally, even though you do not submit bills electronically, a patient, an attorney, or other party to whom you submit bills or information may subsequently forward the information electronically, making you responsible for being a Covered Entity under the HIPAA regulations. For example, a patient may submit a claim electronically or it may be stored by the insurance company electronically which would require that the mental health professional be compliant with HIPAA regulations.
Using a FAX machine is not considered to be the same as using electronic transmission. Therefore, a mental health professional can send sensitive materials over a FAX machine without concern about being considered a Covered Entity. However, if the Faxed materials are subsequently sent via electronic transmission, the mental health professional with whom the material originated can also be considered a Covered Entity and thus required to follow HIPAA regulations. As yet, there is no requirement that the mental health professional who sent the FAX be notified that the information will be sent to others by electronic transmission. Protect yourself. It is not that difficult.
A business associate is a person or entity other than the therapist’s immediate workforce which receives confidential or PHI information from the therapist and provides services to the therapist. Among others, these may include a bookkeeper, lawyer, accountant, collection agency, answering service, computer service, or answering service. Business associates are not considered Covered Entities by HIPAA. The PHI may be given to a business associate only after the therapist has obtained a written contract with that person who notifies them that they must safeguard confidential information and how to do so appropriately. Samples of business associate contracts may be obtained online:
It is ultimately the therapist’s responsibility to be certain that the business associate follows the contract. Any subcontractors hired by the business associate must also sign a written contract agreeing to safeguard the PHI. If a business associate is found to have violated the contract, the therapist will need to make certain that steps are taken to repair the problem. If the problem is irreparable or if additional problems occur, the therapist may have to terminate the business associate and/or report the problem to HHS.
Another therapist to whom patients are referred during one’s absence is not considered a business associate. Additionally, janitorial, plumbing, electrical, or other repairmen are not considered business associates. Any postal service is not a business associate either under HIPAA. Business associate relationships are also not created by federal or state oversight committees such as the Medicare Peer Review. A therapist should not consider other therapists within one’s own practice or a consultant who is used for treatment purposes as a business associate. None of these are considered Covered Entities by HIPAA.
History of HIPAA:
HIPAA stands for the Health Insurance Portability and Accountability Act. When this act was initially proposed by Senators Kassenbaum and Kennedy, it was seen as a means to protect individuals who were changing jobs or using a private insurance plan while self-employed from being denied insurance because of previous illness. During the Act’s passage through Congress, it has become quite different than the authors of the initial proposal envisioned.
At this time, HIPAA provides standards for protecting the records and privacy of individuals by making the transmission of electronic claims (billing) secure, by providing rules for the secure storage of patient records, streamlining the insurance billing process, and actually protecting some records for both the therapist and the patient. It is no longer a means for protecting patient records from being denied insurance due to a previous diagnosis or prescription which would be seen by an insurance company as “risky.” People who have had previous illnesses continue to have their insurance applications denied because insurance companies have access to vital data such as the diagnosis, treatment administered, and prognosis. In short, the information provided in the patient’s Protected Health Information is more than adequate for an insurance company to determine whether the patient in question will be covered by an insurance company. Most large group policies are required by law to admit all individuals working within the company to be provided with health insurance, regardless of previous illness. (Senator Nancy Kassenbaum)
The main problem lies with those individuals who must obtain private health insurance. They generally must supply the insurance company to which they apply with information about their previous medical and psychological care and provide permission for the insurance company to access those care records. Obtaining private insurance, such as one would do when self-employed or working for a small company which is not required to cover its employees by law, requires that an individual have a health record which is virtually clean of all major illnesses. It has been my experience that psychotherapy for those conditions covered under the “parity law” which have such diagnoses as varieties of major depressions, schizophrenia, and other such illnesses will cause major insurance carriers to decline coverage to an individual. Within my practice, patients have also been denied coverage for being proscribed Prozac within the last year, having a “sleeping disorder” which the patient reported his wife thought he had but was neither evaluated nor treated. Providing a prospective insurance company with the Private Health Information no longer protects the patient in any way from being denied coverage. In fact, it seems to simplify the records so insurance companies can quickly decide whether or not to cover an applicant.
HIPPA provides standards for the storage of all health care information including the transmission of electronic claims to protect the individuals’ records from others who may have improper access to unprotected electronic transmission. Thus, anyone who is using electronic transmission, including Medicare providers, and providers for insurance which require electronic transmission, must use protected electronic transmission only. The Privacy Rule is the aspect of HIPAA which most concerns psychotherapists now. HIPAA also was designed to streamline the insurance claims process by standardizing both claims and records.
Becoming Compliant with HIPAA:
Luckily, for a solo or small group of health professionals, the process of achieving HIPAA compliance is a fairly easy task, particularly if you have already been following the laws for privacy within your field. HIPAA has required many more administrative responsibilities for large corporations such as hospitals and large clinics. They are likely to need a full-time Privacy Officer while within a smaller private practice, you can designate yourself as the Privacy officer and take care of the necessary changes without a great deal of difficulty.
There are, however, several important changes which should be made as soon as possible. It is likely you will need to take and keep two sets of notes, learn new rules about patient’s access to their clinical records, learn the rules about the rights patients now have to amend their records, and develop new forms for Consent for services and Authorization by the patient to have others see their records or otherwise consult with you about your patient. Additionally, there are new rules about how one must secure records in computers. Unfortunately, if you somehow trigger a HIPAA audit, the likelihood of a lawsuit or fines is high. Additionally, you must be in full compliance immediately since there is no grace period.
Because HIPAA may become the general law which is followed by all states, it is likely that if you are not in compliance you will be open to a lawsuit under a state law you may have overlooked or which may have become law since your last law and ethics class.
Steps to HIPAA Compliance:
These steps apply only to solo practices or those of small groups and should not be taken to apply to hospitals or large clinics. The rules for these entities are different in important ways.
1. Designate a Privacy Officer: This person is responsible for meeting HIPAA requirements by developing the necessary new documents, computer storage of patient records, training staff to comply with regulations, and review the changes. The privacy officer should post or provide each patient, whether new or continuing with a Notice of Privacy Practices. Additionally, an announcement should be placed in a public area which includes the following:
Our Privacy Officer is (name of person). The Privacy Officer:
(a) Can answer your questions about our privacy practices;
(b) Can accept any complaints you have about our privacy practices;
(c) Can give you information on how to file a complaint.
You can call the Privacy Officer at (enter your office number.)
2. Comply with the Privacy Rule: The Privacy Rule applies to all Protected Health Information (PHI will be explained in 3.)Therapists are required to inform all patients of office privacy policies and how they are implemented. The patient’s records must be secured. Release of patient records for any reason either by the therapist, business associates, or staff cannot be done without informing the patient and obtaining the patient’s consent. These will be explained more thoroughly and suggestions for appropriate forms are available. A list of government sponsored and association sponsored websites will be provided at the end of this course.
3. PHI is Protected Health Information: Information which you have about your patient which identifies them as an individual when it is transmitted is PHI. All such material must be treated with utmost caution and respect for the rights of your patient. When the patient is identified by name, Social Security Number, or other means which make the patient identifiable by others requires that the material be classified as PHI. If the information contains PHI, all past, present, and future physical or mental health diagnoses, treatment of any sort, and billing or payment become confidential material.
It is crucial that all material containing PHI or information which identifies a patient be protected within the office. It is advisable to personally chart the flow of this information through your office. For example:
- Is incoming mail secure and protected from unauthorized disclosure?
- Is the information created within the office stored and protected?
- Is the information recorded in other areas, such as on or off-site billing personnel have storage which is protected from unauthorized disclosure?
- Is all incoming and outgoing electronic transmission secure?
HIPAA also requires that PHI material be available to be legitimately shared, sent out, or given to those who are authorized. If you personally see where the information comes in, is stored, used, created, and released, you will feel more confident that there is protection for these documents all along the line of transfer. It is helpful to some therapists to pretend these are their own personal records when deciding whether or not the records of their patients are securely protected throughout the process.
HIPAA requires that PHI be available within five days to an authorized agency under law.
Patients’ Rights to Their Protected Health Information (PHI):
Under the HIPAA regulations, patients have a right to receive a notice about the therapist’s privacy practices. This information should be contained in the paperwork which is done in the first session when the patient is to sign a form in which they “consent” to treatment.
Patients can also restrict the use or disclosure of their PHI. However, there are serious limitations on this. The patient’s consent is no longer required for use or disclosure of treatment, payment, or health care operations or TPO. When the consent requirement was deleted in the published regulations of August 14, 2002, there was a huge protest from those who had fought for patients to have privacy. Essentially, the entire process of treatment, payment and operations of health care is not required to be given to the patient.
While many patients are unaware of the tremendous amount of information revealed about their personal medical and psychological treatment, most clinicians, particularly those who regularly deal with managed care and HMO’s are very aware of the type of information required both about the patient and about the qualifications of the practitioner. While a patient can submit a written revocation of their TPO at any time, the therapist may still use the now revoked consent to obtain payment for the treatment if the therapist has already acted in reliance on their initial consent for treatment. More simply stated, the therapist may bill the insurance company and receive payment for services rendered.
Treatment may refer to the type of psychotherapy received, consultation with other health care providers, and/or referral of a patient from one provider to another. The therapist may act without consultation with their patient in areas such as billing, determining eligibility, managing claims, collection of fees, providing information for the review of medical necessity for treatment, and giving information to insurance companies for the purpose of utilization review. Health Care Operations may include quality assessment, medical review, legal services, having an insurance underwriter review the competence or qualifications for health care professionals, and other matters pertaining to managing the business. The patient has no legal right under HIPAA to this information. Nevertheless, a practitioner may, out of a personal sense of ethical responsibility, provide their patients with information about their own policies and what is required of them by the patient’s insurance company.
Patients essentially lost the right which was the original point of the HIPAA legislation. The National Coalition of Mental Health Professionals and Consumers reported that, “The Bush Administration’s Rule changes in August 2002, ended the right of each American to consent to the release of personal health information , PHI, and gave ‘regulatory permission’ for disclosure of any identifiable health information for treatment, payment, and health care operations (TPO), stipulating that the treating professional should determine the minimum necessary information to be disclosed to meet TPO requirements, and that the patient must be advised of that professional’s privacy policies.”
The patient must authorize any use of PHI or Psychotherapy notes other than TPO or those situations which require disclosure with or without the patient’s permission. This usually occurs when a patient is applying for a new insurance policy or is changing physicians or health groups. It has been my experience that when information is released to a large provider of health care, such as the Veteran’s Administration system for continuation of a patient’s care, the PHI is passed throughout the care system; including not only the treating physician but also hospitals and other health care units have access to this information. A patient may see this release of health care information as useful in providing their current health care providers with a complete record of their previous treatment. Other patients may feel threatened by having information dispersed so widely.
Patient’s Access to Their PHI:
Patients have access to their health information contained in their PHI and may request amendments to their records. They are to be told that they have these rights. The therapist must act within 30 days of receipt of a request to provide access.
Therapists may charge a reasonable fee for copying and mailing the PHI if it is requested that the PHI be mailed, but not for the time required to find the documents. If the patient requests a summary of the records, a fee may be charged for the time to do this service.
However, a therapist may deny a patient access to their PHI if the patient is given the right to have their denial reviewed. There are several reasons why access to the PHI may be denied:
- If the therapist has reason to assume that the life or physical safety of others will be endangered by access to the records.
- If the records make reference to other persons (unless that other person is a healthcare provider) or if access to the information would cause harm to the other person. This may occur if another person has made contact with the therapist and notes of that interaction are in the PHI.
- If access is denied, the therapist must provide a timely, written denial including the basis for the denial, a statement of the patient’s review rights, a description of how the patient may exercise such review rights, a description of how the patient may complain to the provider including the name and number of the contact person or office designated to receive his complaints, and a description of how the patient may complain to the HHS Secretary.
Patients have the right to appeal the denial of access to their health information to another licensed health care professional who was not involved in the original decision to deny access. This reviewer must be designated by the psychotherapist, and the therapist must comply with the decision of the reviewer.
Disclosure of PHI notes without Permission of the Patient
- When required by law
- To a coroner or medical examiner when required by law
- To show compliance with the Privacy Rule
- To avert serious threat to the health and safety of a person or the public
- For a public health authority
- For a health oversight agency
- For the military or other national security agency
- To comply with Worker’s compensation laws
- When there are victims of abuse, neglect, and domestic violence
- When there is suspicion or evidence of child abuse.
There are other exceptions to the rule of privacy; however, it is best to consult with one’s professional association such as CAPS or CAMFT prior to disclosing information about a patient.
Case Notes or Non-PHI Notes:
Information which does not identify the patient and could not reasonably be used to identify the patient is not considered PHI and is not protected by HIPAA. This implies, and is readily translated to mean that a mental health professional’s private case notes are not open to scrutiny by anyone other than the provider of service.
This encourages the provider to keep two sets of records, one which duly provides the information required by HIPAA and a second set of notes which are kept separately from the HIPAA records. They must be kept in a separate file and perhaps in a separate filing cabinet from PHI notes and other medical records. In this way, a therapist can keep track of private, personal notes which are used for therapy purposes from such diverse information as what their patient has been eating lately to what the therapist thinks about a dream but decides it is too soon to interpret to the patient. They can contain other sensitive information such as drug abuse, HIV-AIDS information, and other sensitive information about the patient. There is no requirement that two separate sets of notes be kept but they can certainly be useful to the therapist in the treatment of the patient.
Notes or “process notes” are excluded from HIPAA regulations since they do not have information such as full names, Social Security Numbers and other information which could reasonably be used to identify a patient. They are the often sketchy notes one makes to oneself while listening to a patient. The therapist’s guesses and hypotheses can be included also in these notes and excluded from those notes controlled by HIPAA.
Notes also cannot be used by Insurance companies to determine the patient’s eligibility for treatment or payment. While no records are completely immune from disclosure, these records are far more protected under the HIPAA regulations than they have been previously. When a patient releases information for reimbursement or other purposes, the Psychotherapy Notes are not released. This legislation supports the previous Supreme Court’s 1996 Jaffee v. Redmond decision which affirmed the importance of confidentiality and privacy to develop trust and other aspects of a therapeutic relationship.
Notes specifically may not include medication prescription and monitoring. They may also not include starting and stopping times of the sessions and modality and frequency of the treatment. They must also not include a diagnosis, functional status, treatment plan, results of clinical tests, symptoms, prognosis, or progress in treatment since those parts of the record are to be a part of the general record or the PHI controlled by HIPAA. Thus the distinction between the very private Psychotherapy Notes and the ironically much more public notes which identify the patient, the diagnosis, and the prognosis is maintained.
The patient’s insurance company, managed-care, or Medicare may need information similar to the first example to document that the patient is making progress in treatment and why. They do not need the private information which occurs in the consulting room. HIPAA protects this information if the professional is willing to make separate folders for their patients.
- When mandated by law.
- To defend the professional against charges brought by the patient.
- For training or supervision
- For oversight
- Under the Tarasoff Law and under HIPAA to avert a serious and imminent treat to the health or safety of a person or the public, The disclosure may be made to only the person or persons who can reasonably be expected to prevent or reduce the threat. The person who is threatened must also be notified in this disclosure.
If a patient authorizes the release of their Notes to a NON-COVERED person or entity with whom the therapist does not have a business contract, that person or entity may release them to whomever they please without any need for the patient’s authorization. For example, if a patient releases their Notes to someone who has convinced the patient that they will write their biography, but they are not a health provider, or other Covered Entity, the “biographer” may release the Notes to whomever he or she pleases.
Patients have NO right to review their Notes. Under the HIPAA rules, they have many rights regarding their general record or PHI including reviewing it. However, a patient can request to have an entire record transferred to another therapist or someone else and then may see the Notes. Again, keep the Psychotherapy Notes separate from other notes and psychotherapists are not required to keep Psychotherapy Notes at all so they may be destroyed after they cease to be useful to the psychotherapist.
Patient’s Rights to Amend Their Private Health Information:
Under the HIPAA regulations, patients can review their PHI and amend statements in the PHI which they consider to be incorrect. However, the therapist can refuse to amend the PHI if it is not part of the designated PHI record set; if it is not available for inspection; if the therapist thinks the record is accurate and complete; or if the record was not created by the therapist and the creator is no longer available. If the patient provides a reasonable basis to believe that the creator of the PHI is no longer available to act on the request, the therapist must address the request as if he or she created the information.
If the therapist refuses to do the requested amendment, he or she must provide the patient with a timely, written denial which explains the patient’s right to submit a written statement of disagreement, the patient’s right to have the denial notice sent out with subsequent disclosures of the PHI, and how the patient may make a complaint to DHHS. Although the patient has the right to disagree, the therapist has the right to provide the patient with a written rebuttal both to the patient and to be entered in the PHI. All subsequent disclosures of the PHI would contain the rebuttal.
The therapist must develop a procedure for granting and denying requests to amend the PHI. Under HIPAA regulations, the therapist must respond within 60 days after receiving the patient’s request to amend the record but may request an additional 30 days if the patient is given notice.
If the therapist determines that the record should be changed according to the requested amendment, he or she must make the amendment; notify the patient; ask the patient who else should be notified of the amendment; and provide the amended information to those identified by the patient. However, all information and communication relating to granting or denying requests by the patient to amend the PHI must be included as part of the record. Changes resulting from a patient’s request to amend the record do not exclude any prior information or part of the record it is simply added to it.
Records of Minors:
HIPAA generally intends not to interfere with state laws regarding parental control and access to their children’s mental health treatment. The parents in general are the representatives of their children and thus have access to the PHI concerning their children. The parent may release the PHI to whomever they deem suitable with or without the permission of their children.
The only exceptions to this rule are if a court makes the determination that the parent does not have the right to access their child’s PHI; if someone other than the parent is legally authorized to make decisions for the minor; when the parent, or other person legally acting as the parent, consents to an agreement of confidentiality between the minor and the health care provider. Also, if a state law allows a minor access to mental health services without the consent of the parent, the minor has the same rights as an adult patient regarding their PHI. State laws which recognize this right supercedes the HIPAA regulations and the specific situations to which this may apply are beyond the scope of this class.
It is important to recognize that a HIPAA compliance audit can be conducted at any time without any cause. No one needs to file a complaint or does there need to be any apparent problem. The department of Health and Human Services HHS is the body which will eventually have enforcement power. Any person who believes their rights have been violated by having a therapist who is not compliant with HIPAA can contact HHS and file a complaint which immediately is to trigger an investigation. Once this investigation has begun, the HIPAA rules apply not only to the particular difficulty which was found initially but to the therapist’s entire practice.
The most likely causes for an audit are when a therapist electronically transmits Protected Health Information (PHI) through filing a health care claim; inquiring about the status of a claim; inquiring about eligibility of enrollment; obtaining advice about a health care payment or remittance; attempting to coordinate payments; confirming a referral; or creating the first report of an injury. Clearly, some of these are done more frequently by the therapist while others are more frequently initiated by an insurance company or a patient. Therapists who use billing and collection services may also trigger application of the Privacy rule. The therapist is responsible, in other words, for the actions of everyone with whom they contract to be certain that the electronic transmissions they create are secure.
The consequences of failing to be in compliance with HIPAA can be severe. Fines of up to $250,000 and imprisonment for up to ten years or both can be levied against an individual who knowingly perpetrates “wrongful disclosure of individual, identifiable, health information. Additionally the Office of Civil Rights at the US Department of Health and Human Services can initiate administrative action against non-compliant therapists. Patients can also file lawsuits if a therapist is non-compliant because their private health information is endangered. There may also be civil penalties but these cannot exceed $25,000 in one year.
Because any or all of these things would make a normal therapist pack his or her bags and head for a country without an extradition treaty, it is important to become compliant with the HIPAA regulations as soon as possible. Also, it is likely that the HHS will enforce HIPAA in a way which is educational rather than punitive unless there is evidence that the clinician profited in some manner by unlawfully transmitting Protected Health Information.
Problems within HIPAA:
This is a new set of laws which are designed by the US Congress to regulate the healthcare industry. Because of this, states, which have regulated healthcare previously, have a variety of laws which are usually similar to those of HIPAA, but different enough that there is an ongoing task force to determine which laws should be changed so that Federal and State law governing the privacy of healthcare are more closely the same. When state laws are more restrictive the HIPAA rules do not preempt state laws. Additionally, all states will continue to investigate and regulate therapists with regard to confidentiality, ethics, and integrity.
Although HIPAA went into effect in April 2003, and was to become the law of the land by October 16, 2003, it is clear at this time (November 2003) that this has not yet occurred. Those healthcare providers who have small practices and have used electronic transmission of billing provided by Medicare have been told that the new software is not yet complete to replace the system which has been offered for free to practitioners with a small number of Medicare patients. The pre-HIPAA software continues to be adequate to submit billing for now.
Additionally, HIPAA does not give clear black and white rules about when therapists may and may not disclose information. Perhaps some of these rules will eventually be decided through case law. Your issue, as an individual clinician is to make certain that you are not the one whose name appears in the case law which will eventually be cited.
HIPAA, at this time, does not create a national data bank for offenders. However, if you are successfully sued by a patient for failing to follow HIPAA and failing to protect the confidentiality of records, you will find yourself in the National Data Bank anyway.
Psychotherapists who work on a fee-for-service, out-of-pocket, cash only basis 100% of the time and who never bill insurance either directly or by providing their patients with the means to bill their own insurance carrier can, so far remain free of the HIPAA regulations.
HIPAA is a long, rambling, complex set of laws. In many places it is unclear and difficult to interpret. If one looks at the law with a particular question in mind, the problems become very difficult indeed. HIPAA will continue to change. It is necessary to stay in touch with one’s professional organizations to stay current with the law.
By completing this course the healthcare professional will be able to:
- Identify the steps required to comply with HIPAA regulations.
- Describe which ‘entities’ are covered under HIPAA law.
- Identify what constitutes ‘electronic transmit’ under HIPAA guidelines.
Required Reading: HIPAA Privacy Rule and Public Health
Home |FAQs |Accreditations |Contact Us |Login| Course Catalog| Nursing CEUs