What is HIPAA?
HIPAA or the Health Insurance Portability and Accountability Act was signed into law in 1996. The original goal was to protect people with pre-existing illnesses from losing health insurance when they changed jobs, as well as to standardize electronic filing and availability of information in order to cut down on paperwork. The Department of Health and Human Services (HHS) added several rules to explain how it is carried out because Congress failed to do so. HHS estimates that compliance will cost $17 billion over the next 10 years, but this will be offset by $29.9 billion in savings to the health care industry.
HIPAA entails “scalable compliance,” the idea that smaller organizations are expected to do less, while larger organizations are expected to do more. It applies to:
- health care providers, such as doctors, nurses, psychologists…
- insurance companies, including health plans
- health care clearing houses
What Does HIPAA Entail?
The Transaction Rule
The Transactions Rule relates to the “electronic transactions” or electronic exchanges of information to determine eligibility benefits, claim status, processing of payments, and such.
The Privacy Rule
The final Privacy Rule went into effect in 2001, and compliance was expected by April 14th, 2003. This refers to how and when patient information may be used and disclosed, to patient access to and control over PHI, and to administrative procedures regarding PHI.
The Security Rule
The Security Rule covers security concerns for all PHI in electronic form. It is written to be clear regarding the expectations, but flexible regarding the specific implementation. It also includes a clear focus on providers conducting security risk analysis, in line with the scalability idea, and then managing risk.
Business Associate Contracts
Business Associates of providers are also bound through the Business Associate Contract to adhere to HIPAA.
The Privacy Rule
What information is covered by HIPAA?
- Health Information – Any information, written, oral, or electronic, collected, created, or used by health care professionals or entities.
- Individually Identifiable Information
- Protected Health Information (PHI) – This refers to Individually Identifiable Information drawn from the set of Health Information, in any form or medium (e.g., written notes, database records, billing claims). It includes at least mental health condition, payment records, and treatment provided.
- Psychotherapy Notes – HIPAA specifically excludes from Psychotherapy Notes information about medication management, start and stop times of sessions, frequency and type of treatment provided, results of testing, and summaries of diagnosis, treatment plan, symptoms, prognosis, and progress to date. These are, however, PHI. Psychotherapy notes are not stored in the general client record, nor are Personal Notes. In Illinois, these are considered your property and are not subject to subpoena or client review.
HIPAA and the Privacy Rule do not apply to “deidentified information,” which cannot be used to identify the client. Deidentification includes removing information, including but not limited to:
- information about relatives, employers, or household members
- all geographic subdivisions smaller than a state
- all elements of dates (except year)
- phone numbers, email addresses, SSN, medical record numbers…
- health plan beneficiary information
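The de-identification list above can be applied mechanically to a record. The following is an added example, not part of the original page: it drops the direct identifiers the page names, reduces every date to its year, keeps nothing geographic smaller than the state, and scrubs phone numbers, e-mail addresses, SSNs and dates that appear inside free-text notes. The sample record and field names are constructed; the page says the list is not exhaustive, so names of relatives mentioned in free text are deliberately shown as a gap this simple filter does not close.

```python
import re
from datetime import date

# Constructed sample record (not real PHI); keys mirror the identifier
# categories this page lists for de-identification.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
    "phone": "(312) 555-0199", "mrn": "MRN-004521",
    "address": {"street": "12 Elm St", "city": "Chicago", "zip": "60601", "state": "IL"},
    "dob": "1975-06-14", "admit_date": "2003-04-14",
    "plan_member_id": "BCBS-77821",              # health plan beneficiary info
    "relatives": ["John Doe (spouse)"], "employer": "Acme Corp",
    "diagnosis": "F41.1",
    "note": "Pt reports improved sleep; call back at 312-555-0199 "
            "or jane@example.com. Spouse John attended.",
}

# Whole fields that must be removed outright.
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "mrn",
                      "plan_member_id", "relatives", "employer"}

# Identifiers that tend to leak into free text; each is replaced by a label.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def year_only(iso_date):
    """All elements of a date except the year are removed."""
    return date.fromisoformat(iso_date).year

def scrub_text(text):
    """Replace embedded identifiers; names of relatives are NOT caught here."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record):
    """Return a copy of the record with the page's identifier classes removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "address":
            out["state"] = value.get("state")   # no subdivision smaller than a state
        elif key == "dob" or key.endswith("date"):
            out[key] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out
```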
Who Must Comply with HIPAA?
HIPAA and the Privacy Rule apply to service providers, as well as Business Associates (BA) through contract. The BA contract requires the BA to:
- provide access to PHI for the client and for HHS
- make clear and abide by the permitted uses of PHI, not use or further disclose PHI beyond this, and mitigate any damage that results from inappropriate use or disclosure
- use safeguards to prevent misuse or disclosure, and notify the provider of a breach
BAs would include:
- an offsite billing service
- an attorney/financial adviser who reviews PHI and advises the practice
- an accrediting organization
- a service provider hired by you to provide services on a consulting basis
But would not include:
- supervisors (who are involved in service delivery) or secretaries (who are employees of the practice)
- a lab that analyzes urine samples for your clients or other service providers who coordinate care for a client with you (this is part of treatment)
- disclosure to an insurance company
- researchers who receive deidentified information or have patient consent
- people who provide services that do not entail direct review of PHI (cleaning staff)
Of note, you are not required to monitor compliance of BAs, and are not liable for their violations. If you become aware of a BA’s breach or violation, however, you must take reasonable steps to cure the breach, or, if unsuccessful, terminate the contract or report the problem to HHS.
Authorization to Disclose Protected Health Information
“Use” of PHI pertains to use within the organization for any reason (e.g., supervision or consultation, as well as quality assessment and in-house research), and does not require Authorization. “Disclosure” of PHI relates to outside entities, and generally does require Authorization.
What Makes Authorization Valid?
To be valid under Illinois law, a client Authorization to release information must include:
- the person or agency who will receive the information (no “blanket consents”)
- the purpose and exact nature of the information to be shared
- that the client can inspect/copy disclosed information, and revoke consent at any time
- consequences, if any, of refusing to release the information
- the date the consent expires
Of note, an Authorization to release PHI cannot also cover Psychotherapy Notes, as this requires a separate form. Generally, authorized requests for records should be honored within 30 days (60 days if records are offsite), but you may have a 30-day extension with a written statement of the reasons for the delay and the date by which the records can be provided.
You should also make reasonable efforts to limit the PHI released to the “minimum” necessary to accomplish the intended purpose of the use or disclosure (e.g., your secretary may need to see client contact information but not background records). “Minimum” relies on professional judgment and you must have policies that define what the minimum generally is. This does not apply to:
- disclosures to health care providers for treatment purposes
- disclosures to the patient or in accord with patient authorization
- uses or disclosures required for HIPAA compliance (like HHS)
- uses or disclosures that are required by other law
The Privacy Rule does not prohibit training, as “health care operations” includes training programs. It also does not prohibit release of information that a different provider gathered, so long as it is part of the minimum necessary information. The client record should also contain documentation for every Authorized disclosure.
Do I Always Need Authorization?
Of note, Authorization is not required for:
- providing treatment or referring a case to another provider
- supervision or consultation within the group
- billing and processing payment
- health care operations (e.g., quality assurance, licensing, utilization review, case review to obtain insurance, legal services, administrative scheduling…)
- State laws governing reporting of abuse and harm to self or others
- State psychology boards, so long as PHI is remitted before use
- court orders to release PHI and Psychotherapy Notes (i.e., Workers’ Compensation claims)
- when the coroner or medical examiner requests Psychotherapy Notes
- when disclosure is a matter of national security
In the event that client information is inappropriately disclosed without Authorization, documentation of the date, receiver, and the reason for the disclosure must be in the file.
Patient Rights Under HIPAA
- Clients can request restrictions to disclosure, although the psychologist is not required to accept them
- Clients can amend their record. The psychologist may deny amendments, but must provide the patient with a written denial. The client can file a written disagreement, the psychologist can prepare a rebuttal, and this is turned over to an appeal process. After this, the request for amendment, denial, client’s disagreement, psychologist’s rebuttal, and the final resolution all become part of the client’s file
- The client may request an accounting of all disclosures. Generally, these requests for records should be honored within 30 days (60 days if records are offsite), but you may have a 30-day extension with a written statement of the reasons for the delay and the date by which the records can be provided. The first accounting in a twelve-month period is free, but subsequent accountings can require a cost-based fee
What About Marketing?
“Marketing” is defined as making “a communication about a product or service that encourages recipients to purchase or use the product or service.” It requires authorization and includes:
- a letter from a hospital informing former patients about a new facility that is not part of the hospital and not related to treatment advice.
- any disclosure of PHI “in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages purchase or use [of] that product or service.” For example, a drug company buys a list of patients from a provider and sends people discount coupons for a new drug.
HIPAA does not consider the following examples to be marketing that require Authorization:
- an ophthalmologist in a certain insurance plan sends existing patients in that plan discount coupons for eye exams or eye glasses
- a hospital uses its patient list to announce the arrival of a new clinic
- a provider mails appointment reminders to patients
- a hospital provides a free package of baby products to new mothers as they leave
Do I Have to Comply With HIPAA?
There are likely very few psychologists who are excluded:
- you are likely bound if you use a computer for client reports, billing, or scheduling
- if you submit bills to someone who does not use any computers, you are free, but, if they switch over to electronic billing, you must immediately become compliant
Because of the “scalable compliance,” consequences for noncompliance will vary given the size of the organization, and range from administrative action, to fines of $100 per violation (max $25,000 per calendar year), to fines of $250,000 and jail time for a knowingly wrongful disclosure. Patients can file complaints about HIPAA violations within 180 days from the time the violation occurred or the time they would have reasonably known it had occurred, although HHS may make exceptions.
A good starting point would be to create a “HIPAA Binder” including:
- copies of all Business Associates contracts
- copies of the handouts for clients
- the Minimum Necessary Standard
- documentation of training of employees and violation sanctions
- a client complaint process
- the administrative, technical, and physical safeguards in place to protect PHI
- the procedure and fee for processing Authorized releases of information and Accountings of Disclosures
- the person(s) clients contact to appeal denied amendments and request an Accounting of Disclosures
- the name of the practice Privacy Specialist
Where Do I Start with Clients?
Notice of Privacy Rules
A notice of your privacy rules and procedures must be available to the client, with paper copies to take away from the office. Clients should sign waivers indicating they have received the notice and understand it; you are not required to obtain a signature, but you must make a good faith effort to get one.
Forms for clients should include:
- Consent to Treatment
- Authorization to Release PHI
- Authorization to Release Psychotherapy Notes
- Privacy handout detailing client rights
- Privacy Policies Handout
The Security Rule
When Does the Security Rule Take Effect?
In February 2003, HHS adopted the final security regulations to protect electronic PHI from improper access or alteration. The rules went into effect immediately, and compliance is required by April 21, 2005.
Does It Apply to Me?
The Security Rule covers “transactions,” which the Rule defines as “the transmission of information between two parties to carry out financial or administrative activities related to health care,” and includes by name:
- Health care claims or equivalent encounter information
- Health care payment and remittance advice
- Coordination of benefits
- Health care claim status
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health plan premium payments
- Referral certification and authorization
- First report of injury
- Health claims attachments
- Other transactions that the Secretary may prescribe by regulation
What Does the Security Rule Entail?
All these must be documented, available to staff, and updated periodically:
- Certification by evaluation to assure that the appropriate security has been implemented
- Chain of Trust Partner Agreements
- Contingency Planning for emergencies (backups, responses to fire or system failure…)
- Documented Procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of records
- Security Training and periodic Awareness Training
- Security Configuration Management in order to keep documentation, hardware/software, and malicious software protection up-to-date…
- Security Incident Procedures to handle any security breaches
- Security Management Process to assure updates to risk analysis and management
- Termination Procedures for when an employee quits, is fired, is suspended…
- Assigned Security Responsibility to a specific individual or organization
- Media Control policies regarding hardware/software (e.g., diskettes, CDs, tapes)
- Physical Access Controls for limiting physical access
- Policy/Guideline on Workstation Use
- Secure Workstation Location
- Security Awareness Training (as noted above)
Technical Security Services
- Access Control to restrict access to the specific people needing it
- Audit Controls to identify and respond to potential weaknesses
- Authorization Control for use and disclosure of PHI
- Data Integrity to show data has not been altered
- Entity Authentication to assure users are who they say they are
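The Access Control and Audit Control items above, together with the “minimum necessary” standard described earlier (a secretary may need client contact information but not background records), can be implemented as one gateway in front of the record. This is an added example, not code from the page or from any HIPAA product: the role policy, the constructed client record, and the function names are hypothetical. Every request, granted or refused, is written to a log carrying the date, the receiver, and the stated reason, which are the elements the page says must be documented for a disclosure.

```python
from datetime import datetime, timezone

# Hypothetical "minimum necessary" policy: which fields each role may see.
ROLE_ALLOWED_FIELDS = {
    "secretary": {"name", "phone", "next_appointment"},
    "clinician": {"name", "phone", "next_appointment", "background", "treatment"},
    "billing":   {"name", "phone", "billing"},
}

# Constructed client record (not real PHI).
CLIENT_RECORD = {
    "name": "Jane Doe", "phone": "312-555-0199", "next_appointment": "2003-04-21",
    "background": "History of GAD, prior inpatient stay",
    "treatment": "CBT, weekly", "billing": "Plan BCBS-77821, copay $20",
}

class PhiAccessLog:
    """Audit Control: records every access attempt (granted or denied) with
    the date, who received the data, which fields, and the stated reason."""
    def __init__(self):
        self.entries = []

    def record(self, user, role, fields, reason, granted):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "fields": sorted(fields),
            "reason": reason, "granted": granted,
        })

def access_phi(record, user, role, requested_fields, reason, log):
    """Access Control: return only the requested fields the role may see.
    A request for any field beyond the role's minimum, or with no stated
    reason, is refused and logged, so over-broad requests fail closed."""
    allowed = ROLE_ALLOWED_FIELDS.get(role, set())
    requested = set(requested_fields)
    over_minimum = requested - allowed
    if not reason or over_minimum:
        log.record(user, role, requested, reason, granted=False)
        raise PermissionError(
            f"{role} {user}: denied (excess fields {sorted(over_minimum)}, reason={reason!r})")
    log.record(user, role, requested, reason, granted=True)
    return {field: record[field] for field in requested if field in record}
```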
Note on Technical Security
- for electronically transmitted PHI, some form of encryption is suggested but not required. I’ve been using ShellCrypt.Exe, a free utility from PCWorld.
Scalability and the Small Provider
A small office of four or five physicians and some staff would:
- evaluate and self-certify their systems as secure
- develop contingency plans for maintaining backups and PC maintenance…
- create and document a personnel security policy and procedures
- create a Security Configuration Management program, including virus checking software and plans to respond to employee termination
- create internal auditing to track who has accessed PHI, likely through software packages
- create an “office procedures” document that would be required reading for new employees
- have periodic security reminders
- require locking file rooms and cabinets, logging off when leaving terminals
- have a Technical Security Services person to assign user names and passwords
- have Chain of Trust agreements with third parties