HIPAA (for Psychologists)
Credits: 1 CE credit hour
Cost: $0.00
Target audience and instructional level of this course: foundational
There is no known conflict of interest or commercial support related to this CE program.
Course Description
This course provides a readable and practical overview of the Health Insurance Portability and Accountability Act (HIPAA). It is for psychotherapists and mental health workers in private practice, small group practices, and agencies. The course focuses on key principles of HIPAA, along with details that you need to apply now. For example, it explains how the HIPAA principle of "scalability" can help you determine how to adopt HIPAA practices that fit your situation. You will also know what questions to ask and where to turn as additional issues arise in the course of your work.
When providers first learn about HIPAA, they may feel overwhelmed. However, the law was intended to be scalable, that is, the expectations take into account the size of the practice or organization. Thus, the practitioner should not be bowled over by materials and services created for corporate insurers and hospitals. Instead, we focus on the principles and the way they apply to smaller practices. That is what this course provides.
Introduction
Section 1. What is HIPAA?
Section 2. When does HIPAA Apply, and to Whom?
Section 3. General Principles
Section 4. The Privacy Rule
Section 5. The Security Rule
Appendix A: Notice of Privacy Practices (Required)
Appendix B: Acknowledgement of Receipt of Notice of Privacy Rights
Resources
Citations
Introduction
This course provides an overview of the Health Insurance Portability and Accountability Act. It is for psychotherapists and mental health workers in private practice, small group practices, and agencies. We designed it to be readable and to emphasize the key information you need to know, rather than make you feel like you are reading the tax code. As a somewhat brief, two-unit course, it will focus on key principles of HIPAA and the details you are most likely to need now. You will also know what questions to ask and where to turn when additional issues come up in actual practice.
When providers first learn about HIPAA, they may feel overwhelmed. However, lawmakers intended the law to be scalable, that is, the expectations take into account the size of the practice or organization. Thus, the practitioner should not be bowled over by materials and services created for corporate insurers and hospitals. To that end, we focus on the principles of HIPAA and on how those principles apply to smaller practices.
Section 1. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) became effective as federal law in 1997, but Congress enacted some components in later years. It serves these purposes:
To help Americans keep or get health insurance, despite previous illnesses, job loss or change, or change of a group policy from one carrier to another (Dauner, 2001). This is what the term "portability" refers to.
To improve consistency and efficiency in the healthcare system through promulgation of standards pertaining to transmission of electronic health care claims (Title II of HIPAA, known as the Administrative Simplification provisions). Congress recognized that the explosion in electronic health records represented opportunities as well as threats to cost and quality of care and to patient rights.
To protect privacy of health records: This, of course, is the aspect that mental health providers and other clinicians are especially concerned about, and is the focus of this course. Electronic transmission, increasing portability of devices, hackers, and massive databases are the primary risk factors that caused the need for additional attention to privacy on a national scale.
Definition of "Health Information" per HIPAA:
Health Information means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. (Department of Health and Human Services, Undated)
Individually identifiable health information is health information that includes enough information to identify the patient. This can be an identifier, even a code in a list kept separate from the record. It even applies to information that allows others to infer the patient's identity from the details it contains. Such information becomes protected health information (PHI) when it is maintained or transmitted in any form. The reason for this definition of protected health information is that HIPAA is very sensitive to the diverse ways that privacy might be breached in an electronic world. For example, practitioners have sometimes said too much through social media, resulting in a breach of confidentiality.
Protected health information (PHI) is confidential information protected by HIPAA. You will see this acronym often. The Privacy Rule defines it (45 C.F.R. § 160.103) as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or spoken. (Department of Health and Human Services, undated)
HIPAA is composed of three main rules outlining its requirements, plus the more recent HITECH Act.
Section 2. When does HIPAA Apply, and to Whom?
HIPAA rules apply to health care providers that transmit private health information electronically, including psychotherapists. This is typically done in order to carry out related transactions or administrative activity such as submitting claims. This does not include faxing or electronic data storage. (Alameda County Psychological Association, 2003) HIPAA calls these providers and organizations "covered entities."
HIPAA applies to the following types of entities:
Health care providers, including psychotherapists
Health plans, including employer-sponsored group plans, Medicaid, and Medicare
Health care clearinghouses
Entities that provide certain services for covered entities ("business associates"). However, the covered entity is required to select providers that guarantee HIPAA compliance. It is also the responsibility of the covered entity to take prompt, effective action when there is reason to suspect that a business associate is not in compliance.
Triggers: A condition that causes an entity to become "covered" (responsible for complying with HIPAA) is called a "trigger." Various conditions can trigger the requirement to comply with HIPAA; once one of them occurs, the provider is responsible for full compliance.
For smaller practices, the trigger you need to be concerned with is transmission of protected health information in electronic form (ePHI). Most practices do this, whether they realize it or not. Consider these "transactions" that trigger HIPAA compliance when they are electronic, that is, communications concerning:
Insurance pre-authorization (referral certification and authorization)
Claim submissions
Claim attachments
Advice regarding payment and remittance
Coordination of benefits
Status of a health care claim or health care plan membership or eligibility
Section 3. General Principles
Some principles of HIPAA apply across its Rules.
Scalability: Because covered entities are of diverse forms and sizes, Congress designed HIPAA to be scalable, that is, to be relevant to the actual demands and risks that the covered entities face. For example, a solo practitioner does not need to hire a Security Officer to oversee compliance, but he or she does need to take responsibility for compliance.
Moving target: The design of HIPAA recognizes that the technology it covers is changing and unpredictable. That, and the scalability principle, led to HIPAA not specifying standards such as what type of encryption to use.
Minimum Standards: The provider can take stricter measures, and states can enact laws that require more than HIPAA. However, HIPAA trumps any less restrictive laws when there is a conflict or difference in standards. In other words, HIPAA sets the minimum level of requirements. This means that the provider must also know relevant state law regarding privacy and security of confidential records.
Fundamental concern for confidentiality: Confidentiality is the cornerstone of the psychotherapist-client relationship because treatment and the viability of the profession depend on client and public trust. (US Department of Health and Human Services, 1999, citing Sharkin, 1995) Since people need to reveal very personal information in treatment, they would be reluctant to see a therapist if there were no guarantees and legal protections regarding their privacy. Serious concerns exist regarding the management of medical information because such information may threaten one's ability to acquire employment or insurance. Social stigma is a great concern for people seeking mental health care. Society benefits from the utilization of mental health services in numerous ways, and thus has strong incentives to support the field. HIPAA legislation is, in part, such a support, because of its privacy measures. Laws that place upon therapists the duty to protect privacy are an expression of our fundamental right to privacy. The Supreme Court has inferred the right to privacy from the Constitution. This doctrine has been evolving since 1962. (Alexander & Spurgeon, 1978)
Informed consent is a right: Confidentiality is an aspect of informed consent. Clients should know that their information is protected, but also that there are specific limits to that protection. Clients should know the risks, responsibilities, and potential rewards pertaining to receiving clinical services. They should know what valid options are available. Confidentiality is an important part of informed consent because of the risks and legitimate reasons for breaching confidentiality. (Alban, 2007) We shall see how HIPAA supports informed consent, where privacy is concerned, with requirements such as the Notice of Privacy Practices.
Recognition of electronic risks to confidentiality: The advent of electronic data storage and communications has substantially increased risks to privacy. This is not just an academic argument, as there have been large-scale electronic breaches of client privacy. HIPAA recognizes these points, and provides for stiff penalties for noncompliance with privacy measures.
Telehealth refers to providing health-related services through telecommunications or electronic media. The first telehealth probably occurred soon after the invention of the telephone, and the first use of psychiatric video conferencing took place long before the Internet was established. Now, telehealth modalities in mental health are commonplace, with video conferencing (such as Skype calls) being the most common. Providers should learn about the privacy issues of telehealth modalities. Changes in this area are ongoing and require monitoring.
Because of the scale and nature of data transmission enabled by telehealth, we must ensure that electronic transmissions of protected health information are secure. Phone calls, emails, and traditional fax transmissions may contain protected health information, so long as reasonable cautions are used. Since typical email is less secure than other communications, experts recommend that providers limit protected health information provided through this medium. At the time of this writing, the practical meaning of "reasonable cautions" is being worked out. The Telehealth course by this author goes into these issues.
Rules: HIPAA consists of several Rules that divide its content into key topics. We address them below.
Section 4. The Privacy Rule
As a mental health provider, you will not be starting from scratch in implementing the Privacy Rule. You already have standards and knowledge of confidentiality.
The Privacy Rule requires covered entities to:
Explain privacy rights to clients.
Explain how confidential information will be used.
Train employees on privacy procedures.
Use contractors that guarantee compliance (e.g., a billing service).
For organizations: designate who is in charge of compliance.
Actively secure client records.
Incidental Uses and Disclosures: HIPAA recognizes that clinicians must be free to engage in the normal communications needed to carry out their responsibilities. So long as there are reasonable safeguards, HIPAA allows a margin of flexibility. Guidance from HHS provides examples of this flexibility. One example is that of patients overhearing verbal exchanges between staff members. To minimize the risk to privacy from such exchanges, the guidance instructs providers to use discretion and speak in low voices when discussing private information. Another example is a sign-in sheet or white board at a nurses' station that exposes some patient information. The guidance allows this, but suggests that staff take reasonable safeguards to limit the exposure of information. HIPAA also allows for basic disclosures of a patient's general health condition and physical location to friends and family without authorization, so long as there is no reason to withhold that information.
Penalties and Actions: Noncompliance can result in consequences ranging from administrative actions by the HHS Office for Civil Rights to fines of up to $250,000 and imprisonment for up to ten years for knowingly and wrongfully disclosing individually identifiable health information. Mid-range civil penalties are not more than $100 per violation, up to a total of not more than $25,000 for violations of the same requirement in a given year.
Psychotherapy Notes: HIPAA takes the innovative measure of establishing a specially protected category of protected health information. These are the process notes or raw data created by the psychotherapist in documenting or analyzing what takes place in counseling sessions.
Appendix A: Notice of Privacy Practices (Required)
HIPAA requires covered entities to provide a Notice of Privacy Practices. Obtain a signed acknowledgment of receipt of the Notice from each client (Appendix B is the signature sheet for this form). This signed acknowledgment can be on a form separate from the Notice.
Adapt the Notice of Privacy Practices to your practice policies. Take care to follow these policies consistently. Format the text according to your preferences and for readability.
Be sure to include the content that HIPAA requires. This includes the first statement, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." Also: the listing of your uses and disclosures of client's medical and mental health information, a statement that a written authorization is required for other disclosures or releases of information, and the client's rights, including the right to revoke the authorization at any time, and how to make a complaint.
So long as clients have access to the full version, you may use a more concise or shortened version that you feel is appropriate for your clients as the form that you physically give them during intake. You can revise your policies so long as they are accessible to your clients.
The following is the form:
NOTICE OF PRIVACY PRACTICES OF
*(name of your practice)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective *(date)
If you have any questions or requests about this Notice, please contact *(name and contact information for person designated as privacy officer or yourself, if appropriate).
State and Federal law require that the Practice *(you might want to use "I" to be less formal throughout) maintain the privacy of protected health information.
"Protected health information" is information the Practice has created or received about your physical or mental health, the healthcare provided to you or payments for your healthcare if the information identifies you, or if a reasonable person would say that someone could use it to identify you. It includes your identity, diagnosis, dates of service, treatment plan, and progress in treatment.
In addition, the law requires that the Practice provide clients with this Notice of Privacy Practices. It explains our legal duties and privacy practices with respect to your medical and mental health information. The Practice is also required to request that you sign the attached written acknowledgement that you received a copy of this Notice. This Notice describes how the Practice may use and disclose your protected health information.
This Notice also describes your rights regarding your protected health information and explains how you may exercise your rights.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
Permissible Uses and Disclosures Not Requiring Your Written Authorization
The Practice may use and disclose your medical and mental health information in the following ways:
Treatment: The Practice may use and disclose your medical and mental health information to provide and coordinate your healthcare. The Practice may use or disclose your medical and mental health information when I consult with another professional colleague, if I refer you for medication, or when I arrange coverage for being away. In any of these situations, we will provide only the minimum information necessary.
Payment: The practice will use your mental health care information for accounting and billing. If you consent, we will provide the minimum necessary information to your insurance company or other third party payer. The information can include information that identifies you, your diagnosis, dates and type of service, and limited information about your condition and treatment.
Health Care Operations: The Practice may use and disclose your medical and mental health information for health care operations, including quality improvement activities, training programs, and obtaining legal services. I will only disclose necessary information.
Required or Permitted by Law: The Practice may use or disclose your medical and mental health care information when I am required or permitted to do so by law or for health care oversight. This includes, but is not limited to: (a) reporting child abuse or neglect; (b) when court ordered to release information; (c) when there is a legal duty to warn or to take action regarding imminent danger to others; (d) when the client is a danger to self or others or gravely disabled; (e) when a coroner is investigating the client's death; or (f) to health oversight agencies for oversight activities authorized by law and necessary for the oversight of the health care system, government health care benefit programs, or regulatory compliance.
Contacting the Client: You may be contacted to remind you of appointments and to tell you about treatments or other services that might be of benefit to you.
Crimes on the premises or observed by the provider: Crimes that are observed by the therapist or the therapist's staff, crimes that are directed toward the therapist or the therapist's staff, or crimes that occur on the premises will be reported to law enforcement.
Business Associates: Business associates may provide some of the functions of the practice. For example, business associates may provide some of the billing, legal, auditing, and practice management services. In those situations, the Practice will provide only necessary protected health information to those contractors as needed to perform their contracted tasks. Business associates are required to enter into an agreement maintaining the privacy of the protected health information released to them.
Involuntary Clients: Information regarding clients who are being treated involuntarily, pursuant to law, will be shared with other treatment providers, legal entities, third party payers and others, as necessary to provide the care and management coordination needed.
Family Members: Except for certain minors, incompetent clients, or involuntary clients, the Practice cannot provide protected health information to family members without the client's consent. In situations where family members are present during a discussion with the client, and it is reasonable to infer from the circumstances that the client does not object, I may disclose information in the course of the discussion. However, if the client objects, I will not disclose protected health information.
Emergencies: In life-threatening emergencies, the Practice will disclose information necessary to avoid serious harm or death.
*(Note: List can be modified according to your individual practices.)
Uses and Disclosures Requiring Your Written Authorization or Release of Information
Except as described above, or as permitted by law, other uses and disclosures of your medical and mental health information will be made only with your written authorization to release the information. When you sign a written authorization, you may later revoke the authorization in writing as provided by law.
However, that revocation may not be effective for actions already taken under the original authorization.
Psychotherapy Notes: Psychotherapy notes are maintained separate from your mental health record. These notes will be used only by your therapist, and disclosure will occur only under these circumstances: (a) you specifically authorize their use or disclosure in a separate written authorization; or (b) the therapist who wrote the notes uses them for your treatment; or (c) they may be used for training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills; or (d) if you bring a legal action and we have to defend ourselves; or (e) certain limited circumstances defined by the law.
YOUR RIGHTS AS A CLIENT
Additional Restrictions: You have the right to request additional restrictions on the use or disclosure of your medical and mental health information. However, the clinician does not have to agree to that request, and there are certain limits to any restriction, which will be provided to you at the time of your request. Ask your clinician for the Request Form.
Alternative Means of Receiving Confidential Communications: You have the right to request that you receive communications from the practice by alternative means or at alternative locations. For example, you may request that bills and other correspondence be sent to an address other than your home address. Ask your clinician for the Request Form.
Access to Protected Health Information: You have the right to inspect and obtain a copy of your protected health information in the mental health and billing record. However, any psychotherapy notes are for the use of your therapist, and are treated differently. If it is thought that access to your mental health records would harm you, your access may be restricted. Ask your clinician for the Request Form and the appeal process.
Amendment of Your Record: You have the right to request an amendment or correction to your protected health information. If the clinician agrees that the amendment or correction is appropriate, the Practice will attach it to the record. An appeal process is available if the clinician determines the record is accurate and complete as is. Ask your clinician for the Request Form and the appeal process available to you.
Accounting of Disclosures: You have the right to receive an accounting of certain disclosures the practice has made regarding your protected health information. However, that accounting does not include disclosures that were made for the purpose of treatment payment and healthcare operations. In addition, the accounting does not include disclosures made to you, disclosures authorized by you, or disclosures made prior to April 14, 2003. Other exceptions will be provided to you, should you request an accounting. Ask your clinician for the Request Form.
Right to Revoke Consent or Authorization: You have the right to revoke your consent or authorization to use or disclose your medical and mental health information, except for action that has already taken place under your consent or authorization.
Copy of this Notice: You have a right to obtain a copy of this Notice upon request.
The Practice is required to abide by the terms of this Notice, or any amended Notice that may follow. The Practice reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that it maintains. When changes are made, the revised Notice will be posted at the Practice's office and copies will be available upon request.
If you believe the Practice has violated your privacy rights, you may file a complaint with the person designated within the Practice to receive your complaints, *(that is your clinician or the Privacy Officer).
You also have the right to complain to the United States Secretary of Health and Human Services by sending your complaint to the Office of Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 515F, HHH Bldg., Washington, D.C. 20201. It is the policy of the Practice that there will be no retaliation for your filing of such a complaint.
Appendix B: Acknowledgement of Receipt of Notice of Privacy Rights (Required)
See the instructions in Appendix A for use of this form. Adapt this form to your practice.
*(Name of Practice)
Acknowledgement of Receipt of Notice of Privacy Rights
I, _________________________________ (Client Name), acknowledge that I received a copy of the Notice of Privacy Practices for *(name of practice).
_________________________________________________
Signature of Client or Personal Representative Date
If not the client, please print name and state legal authority to sign for client.
= = = For Practitioner Use Only = = =
I attempted to obtain written acknowledgement of receipt of Notice of Privacy Practices, but acknowledgement could not be obtained because:
- Individual refused to sign
- Communications barriers prohibited obtaining acknowledgement
- Client was incapable of signing
- Other
(Specify) ___________________________________________________________________________________
Signature of Practitioner _______________ Date _______________
Resources
California Office of HIPAA Implementation, CalOHI
HIPAA, Centers for Medicare and Medicaid Services
Congressional Research Service (CRS) reports regarding HIPAA, University of North Texas Libraries
Full text of the Health Insurance Portability and Accountability Act (PDF/TXT), U.S. Government Printing Office
Full text of the Health Insurance Portability and Accountability Act (HTM), Legal Archiver
Office for Civil Rights page on HIPAA
HIPAA documentation, resources and commentary
Health Information Privacy, HHS, US
The HHS complete listing of all HIPAA medical privacy resources
Small Providers and Small Businesses, HHS, US, Health Information Privacy
Concise information for solo practices and small groups.
Summary of the HIPAA Privacy Rule, (PDF) HHS, US
Excellent summary with concise sections. 18 pages. Good for reference.
Citations
Law, Legislation
Code of Federal Regulations chapter 45 section 160.103
Code of Federal Regulations chapter 45 section 164.501 (2007). Psychotherapy notes.
Code of Federal Regulations chapter 45 section 164.502 (b) (2007). Uses and disclosures of protected health information: general rules.
Code of Federal Regulations chapter 45 section 164.524
Code of Federal Regulations chapter 45 section 290dd-2 (also known as "Part 2")
Health & Safety Code section 123110 (d)
HIPAA Final Privacy Rule, Part I. URL: http://www.hhs.gov/ocr/part1.html
HIPAA Final Privacy Rule, Part II. URL: http://www.hhs.gov/ocr/part2.html
Other Citations
Alameda County Psychological Association. (2003). Becoming HIPAA compliant. Retrieved 12/4/2007 http://www.alamedapsych.org/documents/BecomingHIPAACompliant.doc
Alban, A. (2007). Informed consent (part 1): Its origins and development. Clinical Lawyer. May 3. URL: http://clinicallawyer.com/2007/05/informed-consent-part-1-its-origins-and-development/ accessed 8/10/2012
Alexander, R. and Spurgeon, R. K. (1978). Privacy, banking records and the Supreme Court: A before and after look at Miller. Southwestern University Law Review. URL: http://consumerlawpage.com/article/privacy.shtml
American Psychological Association Practice Organization. (2005). HIPAA security rule primer. URL: http://www.apapractice.org/apo/hipaa/hipaa_security_rule.html Accessed 8/6/2012.
Center for Substance Abuse Treatment. (2005). Substance abuse treatment for persons with co-occurring disorders. Rockville (MD): Substance Abuse and Mental Health Services Administration (US), Treatment Improvement Protocol (TIP) Series, No. 42, Appendix K: Confidentiality. URL: http://www.ncbi.nlm.nih.gov/books/NBK64176/ Accessed 8/5/2012.
Dauner, C. D. (2001). Health care scene in California. Retrieved 11/1/2007 from http://www.ehcca.com/presentations/casymposium/dauner.pdf
Department of Health and Human Services (US). (2000). Protecting the privacy of patients' health information. Retrieved 11/1/2007 from http://www.hhs.gov/news/press/2000pres/00fsprivacy.html
Department of Health and Human Services (US). (1999). Confidentiality of mental health information: Ethical, legal, and policy issues. In Mental health: A report of the surgeon general. Rockville, MD: US Dept. of Health and Human Services. Retrieved: 12/7/2007.
Department of Health and Human Services (US). (undated). Summary of the HIPAA Privacy Rule. HHS Office of Civil Rights. URL accessed 8/15/2010: http://dhhs.gov/ocr/privacy/hipaa/understanding/summary/index.html#top
Department of Health & Human Services. (Undated b). Summary of the HIPAA security rule. HHS Office of Civil Rights. URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html Accessed 8/6/2012.
Felt-Lisk, S., Humensky, J. (2003). Personal health information collected by MCOs: Current practice. In Privacy issues in mental health and substance abuse treatment: Information sharing between providers and managed care organizations: Final report. Mathematica Policy Research, Inc. for the US Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Office of Science Policy. Retrieved 12/26/2007 http://aspe.hhs.gov/datacncl/reports/MHPrivacy/Chap-2.htm
Jenson, D. (2003). Psychotherapy notes and you. The Therapist,CAMFT.
Miller, S. R. (2011). Report details health care data theft. South Florida Business Journal, 2/23. Accessed at: http://www.bizjournals.com/southflorida/news/2011/02/23/report-details-health-care-reform-theft.html
Section 1. What is HIPAA?
Section 2. When does HIPAA Apply, and to Whom?
Section 3. General Principles
Section 4. The Privacy Rule
Section 5. The Security Rule
Appendix A: Notice of Privacy Practices (Required)
Appendix B: Acknowledgement of Receipt of Notice of Privacy Rights
Resources
Citations
Introduction
This course provides an overview of the Health Information Portability and Accountability Act. It is for psychotherapists and mental health workers in private practice, small group practices, and agencies. We designed it to be readable and to emphasize the key information you need to know, rather than make you feel like you are reading the tax code. As a somewhat brief, two-unit course, it will focus on key principles of HIPAA and the details you are most likely to need now. You will also know what questions to ask and where to turn when additional issues come up in actual practice.
When providers first learn about HIPAA, they may feel overwhelmed. However, lawmakers intended the law to be scalable, that is, the expectations take into account the size of the practice or organization. Thus, the practitioner should not be bowled over by materials and services created for corporate insurers and hospitals. To that end, we focus on the principles of HIPAA and on how those principles apply to smaller practices.
Section 1. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) became effective as federal law in 1997, but Congress enacted some components in later years. It serves these purposes:
To help Americans keep or get health insurance, despite previous illnesses, job loss or change, or change of a group policy from one carrier to another. (Dauner, 2001) (This is what the term "portability" refers to).
To improve consistency and efficiency in the healthcare system through promulgation of standards pertaining to transmission of electronic health care claims (Title II of HIPAA, known as the Administrative Simplification provisions). Congress recognized that the explosion in electronic health records represented opportunities as well as threats to cost and quality of care and patient rights.
To protect privacy of health records: This, of course, is the aspect that mental health providers and other clinicians are especially concerned about, and is the focus of this course. Electronic transmission, increasing portability of devices, hackers, and massive databases are the primary risk factors that caused the need for additional attention to privacy on a national scale.
Definition of "Health Information" per HIPAA:
Health Information means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. (Department of Health and Human Services, Undated)
Individually identifiable health information is health information that includes enough information to identify the patient. This can be an identifier, even a code in a list separate from the record. It even applies to information that allows others to infer the patient's identity from the details it contains. Such information becomes protected health information (PHI) when it is maintained or transmitted in any form. The reason for this definition of protected health information is that HIPAA is very sensitive to the diverse ways that privacy might be breached in an electronic world. For example, practitioners have sometimes said too much through social media, resulting in a breach of confidentiality.
Protected health information (PHI) is confidential information protected by HIPAA. You will see this acronym often. The Privacy Rule defines it (45 C.F.R. § 160.103) as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or spoken. (Department of Health and Human Services, undated)
HIPAA is composed of three main rules outlining its requirements, plus the more recent HITECH act.
Section 2. When does HIPAA Apply, and to Whom?
HIPAA rules apply to health care providers that transmit private health information electronically, including psychotherapists. This is typically done in order to carry out related transactions or administrative activity such as submitting claims. This does not include faxing or electronic data storage. (Alameda County Psychological Association, 2003) HIPAA calls these providers and organizations "covered entities."
HIPAA applies to the following types of entities:
Health care providers, including psychotherapists
Health plans, including employer-sponsored group plans, Medicaid, and Medicare
Health care clearinghouses
Entities that provide certain services for covered entities ("business associates"). However, the covered entity is required to select providers that guarantee HIPAA compliance. It is also the responsibility of the covered entity to take prompt, effective action when there is reason to suspect that a business associate is not in compliance.
Triggers: A condition that causes an entity to become "covered" (responsible for complying with HIPAA) is called a "trigger." Various conditions can trigger the requirement to comply with HIPAA. Once compliance is triggered, the provider is responsible for full compliance with HIPAA.
For smaller practices, the trigger you need to be concerned with is transmission of protected health information in electronic form (ePHI). Most practices do this, whether they realize it or not. Consider these "transactions" that trigger HIPAA compliance when they are electronic, that is, communications concerning:
Insurance pre-authorization (referral certification and authorization)
Claim submissions
Claim attachments
Advice regarding payment and remittance
Coordination of benefits
Status of a health care claim or health care plan membership or eligibility
Section 3. General Principles
Some principles of HIPAA apply across its Rules.
Scalability: Because covered entities are of diverse forms and sizes, Congress designed HIPAA to be scalable, that is, to be relevant to the actual demands and risks that the covered entities face. For example, a solo practitioner does not need to hire a Security Officer to oversee compliance, but he or she does need to take responsibility for compliance.
Moving target: The design of HIPAA recognizes that the technology it covers is changing and unpredictable. That, and the scalability principle, led to HIPAA not specifying standards such as what type of encryption to use.
Minimum Standards: The provider can take stricter measures, and states can enact laws that require more than HIPAA. However, HIPAA trumps any less restrictive laws when there is a conflict or difference in standards. In other words, HIPAA sets the minimum level of requirements. This means that the provider must also know relevant state law regarding privacy and security of confidential records.
Fundamental concern for confidentiality: Confidentiality is the cornerstone of the psychotherapist-client relationship because treatment and the viability of the profession depend on client and public trust. (US Department of Health and Human Services, 1999, citing Sharkin, 1995) Since people need to reveal very personal information in treatment, they would be reluctant to see a therapist if there were no guarantees and legal protections regarding their privacy. Serious concerns exist regarding the management of medical information because such information may threaten one's ability to acquire employment or insurance. Social stigma is a great concern for people seeking mental health care. Society benefits from the utilization of mental health services in numerous ways, and thus has strong incentives to support the field. HIPAA legislation is, in part, such a support, because of its privacy measures. Laws that place upon therapists the duty to protect privacy are an expression of our fundamental right to privacy. The Supreme Court has inferred the right to privacy from the Constitution. This doctrine has been evolving since 1962. (Alexander & Spurgeon, 1978)
Informed consent is a right: Confidentiality is an aspect of informed consent. Clients should know that their information is protected, but also that there are specific limits to that protection. Clients should know the risks, responsibilities, and potential rewards pertaining to receiving clinical services. They should know what valid options are available. Confidentiality is an important part of informed consent because of the risks and legitimate reasons for breaching confidentiality. (Alban, 2007) We shall see how HIPAA supports informed consent, where privacy is concerned, with requirements such as the Notice of Privacy Practices.
Recognition of electronic risks to confidentiality: The advent of electronic data storage and communications has substantially increased risks to privacy. This is not just an academic argument, as there have been large-scale electronic breaches of client privacy. HIPAA recognizes these points, and provides for stiff penalties for noncompliance with privacy measures.
Telehealth refers to providing health-related services through telecommunications or electronic media. The first telehealth probably occurred soon after the invention of the telephone, and the first use of psychiatric video conferencing took place long before the Internet was established. Now, telehealth modalities in mental health are commonplace, with video conferencing (such as Skype calls) being the most common. Providers should learn about the privacy issues of telehealth modalities. Changes in this area are ongoing and require monitoring.
Because of the scale and nature of data transmission enabled by telehealth, we must ensure that electronic transmissions of protected health information are secure. Phone calls, emails, and traditional fax transmissions may contain protected health information, so long as reasonable cautions are used. Since typical email is less secure than other communications, experts recommend that providers limit protected health information provided through this medium. At the time of this writing, the practical meaning of "reasonable cautions" is being worked out. The Telehealth course by this author goes into these issues.
Rules: HIPAA comprises several Rules that divide its content into key topics. We will address them below.
Section 4. The Privacy Rule
As a mental health provider, you will not be starting from scratch in implementing the Privacy Rule. You already have standards and knowledge of confidentiality.
The Privacy Rule provides requirements for the following:
Explaining privacy rights to clients.
Explaining how confidential information will be used.
Training employees on privacy procedures.
Using contractors that guarantee compliance (e.g., a billing service).
For organizations, designating who is in charge of compliance.
Actively securing client records.
Incidental Uses and Disclosures: HIPAA recognizes that clinicians must be free to engage in the normal communications needed to carry out their responsibilities. So long as there are reasonable safeguards, HIPAA allows a margin of flexibility. Guidance from HHS provides examples of this flexibility. One example is that of patients overhearing verbal exchanges between staff members. To minimize the risk to privacy from such exchanges, the guidance instructs providers to use discretion and speak in low voices when discussing private information. Another example is a sign-in sheet or white board at a nurses' station that exposes some patient information. The guidance allows this, but suggests that staff take reasonable safeguards to limit the exposure of information. HIPAA also allows for basic disclosures of a patient's general health condition and physical location to friends and family without authorization, so long as there is no reason to withhold that information.
Penalties and Actions: Noncompliance can result in consequences ranging from administrative actions by the HHS Office for Civil Rights to fines of up to $250,000 and imprisonment for up to ten years for knowingly and wrongfully disclosing individually identifiable health information. Mid-range civil penalties are not more than $100 per violation, totaling not more than $25,000 for violations of the same requirement in a given year.
Psychotherapy Notes: HIPAA takes the innovative measure of establishing a special protected category of protected health information. These are the process notes or raw data created by the psychotherapist in documenting or analyzing what takes place in counseling sessions.
Appendix A: Notice of Privacy Practices (Required)
HIPAA requires covered entities to provide a Notice of Privacy Practices. Obtain a signed acknowledgment of receipt of the Notice from each client (Appendix B is the signature sheet for this form). This signed acknowledgment can be on a form separate from the Notice.
Adapt the Notice of Privacy Practices to your practice policies. Take care to follow these policies consistently. Format the text according to your preferences and for readability.
Be sure to include the content that HIPAA requires. This includes the first statement, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." Also: the listing of your uses and disclosures of clients' medical and mental health information, a statement that a written authorization is required for other disclosures or releases of information, and the client's rights, including the right to revoke the authorization at any time, and how to make a complaint.
So long as clients have access to the full version, you may use a more concise or shortened version that you feel is appropriate for your clients as the form that you physically give them during intake. You can revise your policies so long as they are accessible to your clients.
The following is the form:
NOTICE OF PRIVACY PRACTICES OF
*(name of your practice)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective *(date)
If you have any questions or requests about this Notice, please contact *(name and contact information for person designated as privacy officer or yourself, if appropriate).
State and Federal law require that the Practice *(you might want to use "I" to be less formal throughout) maintain the privacy of protected health information.
"Protected health information" is information the Practice has created or received about your physical or mental health, the healthcare provided to you or payments for your healthcare if the information identifies you, or if a reasonable person would say that someone could use it to identify you. It includes your identity, diagnosis, dates of service, treatment plan, and progress in treatment.
In addition, the law requires that the Practice provide clients with this Notice of Privacy Practices. It explains our legal duties and privacy practices with respect to your medical and mental health information. It is also required to request that you sign the attached written acknowledgement that you received a copy of this Notice. This Notice describes how the Practice may use and disclose your protected health information.
This Notice also describes your rights regarding your protected health information and explains how you may exercise your rights.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
Permissible Uses and Disclosures Not Requiring Your Written Authorization
The Practice may use and disclose your medical and mental health information in the following ways:
Treatment: The Practice may use and disclose your medical and mental health information to provide and coordinate your healthcare. The Practice may use or disclose your medical and mental health information when I consult with another professional colleague, if I refer you for medication, or when I arrange coverage for being away. In any of these situations, we will provide only the minimum information necessary.
Payment: The practice will use your mental health care information for accounting and billing. If you consent, we will provide the minimum necessary information to your insurance company or other third party payer. The information can include information that identifies you, your diagnosis, dates and type of service, and limited information about your condition and treatment.
Health Care Operations: The Practice may use and disclose your medical and mental health information for health care operations, including quality improvement activities, training programs, and obtaining legal services. I will only disclose necessary information.
Required or Permitted by Law: The Practice may use or disclose your medical and mental health care information when I am required or permitted to do so by law or for health care oversight. This includes, but is not limited to: (a) reporting child abuse or neglect; (b) when court ordered to release information; (c) when there is a legal duty to warn or to take action regarding imminent danger to others; (d) when the client is a danger to self or others or gravely disabled; (e) when a coroner is investigating the client's death; or (f) to health oversight agencies for oversight activities authorized by law and necessary for the oversight of the health care system, government health care benefit programs, or regulatory compliance.
Contacting the Client: You may be contacted to remind you of appointments and to tell you about treatments or other services that might be of benefit to you.
Crimes on the premises or observed by the provider: Crimes that are observed by the therapist or the therapist's staff, crimes that are directed toward the therapist or the therapist's staff, or crimes that occur on the premises will be reported to law enforcement.
Business Associates: Business associates may provide some of the functions of the practice. For example, business associates may provide some of the billing, legal, auditing, and practice management services. In those situations, the Practice will provide only necessary protected health information to those contractors as needed to perform their contracted tasks. Business associates are required to enter into an agreement maintaining the privacy of the protected health information released to them.
Involuntary Clients: Information regarding clients who are being treated involuntarily, pursuant to law, will be shared with other treatment providers, legal entities, third party payers and others, as necessary to provide the care and management coordination needed.
Family Members: Except for certain minors, incompetent clients, or involuntary clients, the Practice cannot provide protected health information to family members without the client's consent. In situations where family members are present during a discussion with the client, and it is reasonable to infer from the circumstances that the client does not object, I may disclose information in the course of the discussion. However, if the client objects, I will not disclose protected health information.
Emergencies: In life-threatening emergencies, the Practice will disclose information necessary to avoid serious harm or death.
*(Note: List can be modified according to your individual practices.)
Uses and Disclosures Requiring Your Written Authorization or Release of Information
Except as described above, or as permitted by law, other uses and disclosures of your medical and mental health information will be made only with your written authorization to release the information. When you sign a written authorization, you may later revoke the authorization in writing as provided by law.
However, that revocation may not be effective for actions already taken under the original authorization.
Psychotherapy Notes: Psychotherapy notes are maintained separate from your mental health record. These notes will be used only by your therapist and disclosure will occur only under these circumstances: (a) you specifically authorize their use or disclosure in a separate written authorization; or (b) the therapist who wrote the notes uses them for your treatment; or (c) they may be used for training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills; or (d) if you bring a legal action and we have to defend ourselves; or (e) certain limited circumstances defined by the law.
YOUR RIGHTS AS A CLIENT
Additional Restrictions: You have the right to request additional restrictions on the use or disclosure of your medical and mental health information. However, the clinician does not have to agree to that request, and there are certain limits to any restriction, which will be provided to you at the time of your request. Ask your clinician for the Request Form.
Alternative Means of Receiving Confidential Communications: You have the right to request that you receive communications from the practice by alternative means or at alternative locations. For example, you may request that bills and other correspondence be sent to an address other than your home address. Ask your clinician for the Request Form.
Access to Protected Health Information: You have the right to inspect and obtain a copy of your protected health information in the mental health and billing record. However, any psychotherapy notes are for the use of your therapist, and are treated differently. If it is thought that access to your mental health records would harm you, your access may be restricted. Ask your clinician for the Request Form and the appeal process.
Amendment of Your Record: You have the right to request an amendment or correction to your protected health information. If the clinician agrees that the amendment or correction is appropriate, the Practice will attach it to the record. An appeal process is available if the clinician determines the record is accurate and complete as is. Ask your clinician for the Request Form and the appeal process available to you.
Accounting of Disclosures: You have the right to receive an accounting of certain disclosures the practice has made regarding your protected health information. However, that accounting does not include disclosures that were made for the purpose of treatment payment and healthcare operations. In addition, the accounting does not include disclosures made to you, disclosures authorized by you, or disclosures made prior to April 14, 2003. Other exceptions will be provided to you, should you request an accounting. Ask your clinician for the Request Form.
Right to Revoke Consent or Authorization: You have the right to revoke your consent or authorization to use or disclose your medical and mental health information, except for action that has already taken place under your consent or authorization.
Copy of this Notice: You have a right to obtain a copy of this Notice upon request.
The Practice is required to abide by the terms of this Notice, or any amended Notice that may follow. The Practice reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that it maintains. When changes are made, the revised Notice will be posted at the Practice's office and copies will be available upon request.
If you believe the Practice has violated your privacy rights, you may file a complaint with the person designated within the Practice to receive your complaints, *(that is your clinician or the Privacy Officer).
You also have the right to complain to the United States Secretary of Health and Human Services by sending your complaint to the Office of Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 515F, HHH Bldg., Washington, D.C. 20201. It is the policy of the Practice that there will be no retaliation for your filing of such a complaint.
Appendix B: Acknowledgement of Receipt of Notice of Privacy Rights (Required)
See the instructions in Appendix A for use of this form. Adapt this form to your practice.
*(Name of Practice)
Acknowledgement of Receipt of Notice of Privacy Rights
I, _________________________________ (Client Name), acknowledge that I received a copy of the Notice of Privacy Practices for *(name of practice).
_________________________________________________
Signature of Client or Personal Representative Date
If not the client, please print name and state legal authority to sign for client.
= = = For Practitioner Use Only = = =
I attempted to obtain written acknowledgement of receipt of Notice of Privacy Practices, but acknowledgement could not be obtained because:
- Individual refused to sign
- Communications barriers prohibited obtaining acknowledgement
- Client was incapable of signing
- Other
(Specify) ___________________________________________________________________________________
Signature of Practitioner _______________
Date
Resources
California Office of HIPAA Implementation, CalOHI
HIPAA, Centers for Medicare and Medicaid Services
Congressional Research Service (CRS) reports regarding HIPAA, University of North Texas Libraries
Full text of the Health Insurance Portability and Accountability Act (PDF/TXT), U.S. Government Printing Office
Full text of the Health Insurance Portability and Accountability Act (HTM), Legal Archiver
Office for Civil Rights page on HIPAA
HIPAA documentation, resources and commentary
Health Information Privacy, HHS, US
The HHS complete listing of all HIPAA medical privacy resources
Small Providers and Small Businesses, HHS, US, Health Information Privacy
Concise information for solo practices and small groups.
Summary of the HIPAA Privacy Rule, (PDF) HHS, US
Excellent summary with concise sections. 18 pages. Good for reference.
Citations
Law, Legislation
Code of Federal Regulations chapter 45 section 160.103
Code of Federal Regulations chapter 45 section 164.501 (2007). Psychotherapy notes.
Code of Federal Regulations chapter 45 section 164.502 (b) (2007). Uses and disclosures of protected health information: general rules.
Code of Federal Regulations chapter 45 section 164.524
Code of Federal Regulations chapter 45 section 290dd-2 (also known as "Part 2")
Health & Safety Code section 123110 (d)
HIPAA Final Privacy Rule, Part I. URL: http://www.hhs.gov/ocr/part1.html
HIPAA Final Privacy Rule, Part II. URL: http://www.hhs.gov/ocr/part2.html
Other Citations
Alameda County Psychological Association. (2003). Becoming HIPAA compliant. Retrieved 12/4/2007 http://www.alamedapsych.org/documents/BecomingHIPAACompliant.doc
Alban, A. (2007). Informed consent (part 1): Its origins and development. Clinical Lawyer. May 3. URL: http://clinicallawyer.com/2007/05/informed-consent-part-1-its-origins-and-development/ accessed 8/10/2012
Alexander, R. and Spurgeon, R. K. (1978). Privacy, banking records and the Supreme Court: A before and after look at Miller. Southwestern University Law Review. URL: http://consumerlawpage.com/article/privacy.shtml
American Psychological Association Practice Organization. (2005). HIPAA security rule primer. URL: http://www.apapractice.org/apo/hipaa/hipaa_security_rule.html Accessed 8/6/2012.
Center for Substance Abuse Treatment. (2005). Substance abuse treatment for persons with co-occurring disorders. Rockville (MD): Substance Abuse and Mental Health Services Administration (US), Treatment Improvement Protocol (TIP) Series, No. 42, Appendix K: Confidentiality. URL: http://www.ncbi.nlm.nih.gov/books/NBK64176/ Accessed 8/5/2012.
Dauner, C. D. (2001). Health care scene in California. Retrieved 11/1/2007 http://www.ehcca.com/presentations/casymposium/dauner.pdf
Department of Health and Human Services (US). (2000). Protecting the privacy of patients' health information. Retrieved 11/1/2007 from http://www.hhs.gov/news/press/2000pres/00fsprivacy.html
Department of Health and Human Services (US). (1999). Confidentiality of mental health information: Ethical, legal, and policy issues. In Mental health: A report of the surgeon general. Rockville, MD: US Dept. of Health and Human Services. Retrieved: 12/7/2007.
Department of Health and Human Services (US). (undated). Summary of the HIPAA Privacy Rule. HHS Office of Civil Rights. URL accessed 8/15/2010: http://dhhs.gov/ocr/privacy/hipaa/understanding/summary/index.html#top
Department of Health & Human Services. (Undated b). Summary of the HIPAA security rule. HHS Office of Civil Rights. URL: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html Accessed 8/6/2012.
Felt-Lisk, S., Humensky, J. (2003). Personal health information collected by MCOs: Current practice. In Privacy issues in mental health and substance abuse treatment: Information sharing between providers and managed care organizations: Final report. Mathematica Policy Research, Inc. for the US Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Office of Science Policy. Retrieved 12/26/2007 http://aspe.hhs.gov/datacncl/reports/MHPrivacy/Chap-2.htm
Jenson, D. (2003). Psychotherapy notes and you. The Therapist, CAMFT.
Miller, S. R. (2011). Report details health care data theft. South Florida Business Journal, 2/23. Accessed at: http://www.bizjournals.com/southflorida/news/2011/02/23/report-details-health-care-reform-theft.html