HIPAA, the Health Insurance Portability and Accountability Act, was signed into law in 1996. The original goal was to protect people with pre-existing illnesses from losing health insurance when they changed jobs, as well as to standardize electronic filing and availability of information in order to cut down on paperwork. Because Congress did not spell out how the Act is to be carried out, the Department of Health and Human Services (HHS) added several rules that do so. HHS estimates that compliance will cost $17 billion over the next 10 years, but that this will be offset by $29.9 billion in savings to the health care industry.

HIPAA entails "scalable compliance," the idea that smaller organizations are expected to do less while larger organizations are expected to do more. It applies to:
  health care providers, such as doctors, nurses, psychologists…
  insurance companies, including health plans
  health care clearing houses

The Transactions Rule
The Transactions Rule relates to "electronic transactions," the electronic exchanges of information used to determine eligibility for benefits, check claim status, process payments, and the like.

The Privacy Rule
The final Privacy Rule went into effect in 2001, and compliance was expected by April 14th, 2003. It covers how and when patient information may be used and disclosed, patient access to and control over PHI, and administrative procedures regarding PHI.

The Security Rule
The Security Rule covers security concerns for all PHI in electronic form. It is written to be clear regarding the expectations, but flexible regarding the specific implementation. It also includes a clear focus on providers conducting security risk analysis, in line with the scalability idea, and then managing risk.

Business Associate Contracts
Business Associates of providers are also bound through the Business Associate Contract to adhere to HIPAA.

Health Information
Any information, written, oral, or electronic, collected, created, or used by health-care professionals or entities.

Individually Identifiable Information

Protected Health Information (PHI)
This refers to Individually Identifiable Information drawn from the set of Health Information, in any form or medium (e.g., written notes, database records, billing claims). It includes at least mental health condition, payment records, and treatment provided.

Psychotherapy Notes
HIPAA specifically excludes from Psychotherapy Notes information about medication management, start and stop times of sessions, frequency and type of treatment provided, results of testing, and summaries of diagnosis, treatment plan, symptoms, prognosis, and progress to date. These are, however, PHI. Psychotherapy Notes are not stored in the general client record, nor are Personal Notes. In Illinois, these are considered your property and are not subject to subpoena or client review.

HIPAA and the Privacy Rule do not apply to "de-identified information," which cannot be used to identify the client. De-identification includes removing information, including but not limited to:
  information about relatives, employers, or household members
  all geographic subdivisions smaller than a state
  all elements of dates (except year)
  phone numbers, email addresses, SSN, medical record numbers…
  health plan beneficiary information
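As an added illustration that is not from the original page, the de-identification steps above applied to a single record in Python: an allow-list keeps only the non-identifying fields, dates are cut down to the year, and a pattern check confirms that nothing identifier-shaped survived. The field names and sample values are constructed for the example.

```python
import re

# Constructed sample record with fictional values, used only to exercise the function.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1984-03-17",
    "admission_date": "2023-11-02",
    "zip": "62701",
    "state": "IL",
    "phone": "217-555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-000123",
    "health_plan_beneficiary_number": "HPB-000456",
    "household_contact": "John Example (spouse)",
    "diagnosis": "F41.1",
    "treatment": "CBT, weekly",
}

# Allow-list: only fields the list above does not name as identifiers survive.
# State is the only geographic level kept; zip (and street, city...) is smaller than a state.
KEEP_FIELDS = {"state", "diagnosis", "treatment"}
# Date fields are reduced to the year, the only date element allowed to remain.
DATE_FIELDS = {"date_of_birth", "admission_date"}
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

def deidentify(record: dict) -> dict:
    """Return a copy holding only allow-listed fields, with dates cut to the year."""
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            if m:
                out[key + "_year"] = int(m.group(1))
            # an unparseable date is dropped rather than passed through whole
        elif key in KEEP_FIELDS:
            out[key] = value
        # every other field (name, contact details, MRN, household...) is dropped
    return out

# Sanity check on the output: shapes that should never survive de-identification.
# It is a check on the allow-list, not a substitute for it (e.g. MRN formats vary).
RESIDUAL_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     # SSN-shaped
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),     # US phone-shaped
    re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),  # e-mail address
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),     # full calendar date
]

def residual_identifiers(record: dict) -> list:
    """Names of fields whose text still matches an identifier pattern (empty when clean)."""
    return [k for k, v in record.items() if any(p.search(str(v)) for p in RESIDUAL_PATTERNS)]
```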

HIPAA and the Privacy Rule apply to service providers, as well as to Business Associates (BA) through contract. The BA contract requires the BA to:
  1) provide access to PHI for the client and for HHS
  2) make clear and abide by the permitted uses of PHI, not use or further disclose PHI beyond this, and mitigate any damage that results from inappropriate use or disclosure
  3) use safeguards to prevent misuse or disclosure, and notify the provider of a breach
BAs would include:
  an off-site billing service
  an attorney/financial adviser who reviews PHI and advises the practice
  an accrediting organization
  a service provider hired by you to provide services on a consulting basis
But would not include:
  supervisors (who are involved in service delivery) or secretaries (who are employees of the practice)
  a lab that analyzes urine samples for your clients, or other service providers who coordinate care for a client with you (this is part of treatment)
  disclosure to an insurance company
  researchers who receive de-identified information or have patient consent
  people who provide services that do not entail direct review of PHI (cleaning staff)
Of note, you are not required to monitor compliance of BAs, and are not liable for their violations. If you become aware of a BA's breach or violation, however, you must take reasonable steps to cure the breach, or, if unsuccessful, terminate the contract or report the problem to HHS.

"Use" of PHI pertains to within the organization for any reason (e.g., supervision or consultation, as well as quality assessment and in-house research), and does not require Authorization. "Disclosure" of PHI relates to outside entities, and generally does require Authorization.

What Makes Authorization Valid?
To be valid under Illinois law, a client Authorization to release information must include:
  the person or agency who will receive the information (no "blanket consents")
  the purpose and exact nature of the information to be shared
  that the client can inspect/copy disclosed information, and revoke consent at any time
  consequences, if any, of refusing to release the information
  the date the consent expires

Of note, an Authorization to release PHI cannot also cover Psychotherapy Notes, as that requires a separate form. Generally, authorized requests for records should be honored within 30 days (60 days if records are off-site), but you may take a 30-day extension with a written statement of the reasons for the delay and the date by which the records can be provided.

You should also make reasonable efforts to limit the PHI released to the "minimum" necessary to accomplish the intended purpose of the use or disclosure (e.g., your secretary may need to see client contact information but not background records). "Minimum" relies on professional judgment and you must have policies that define what the minimum generally is. This does not apply to:
  disclosures to health care providers for treatment purposes
  disclosures to the patient or in accord with patient authorization
  uses or disclosures required for HIPAA compliance (like HHS)
  uses or disclosures that are required by other law

The Privacy Rule does not prohibit training, as "health care operations" includes training programs. It also does not prohibit release of information that a different provider gathered, so long as it is part of the minimum necessary information. The client record should also contain documentation for every Authorized disclosure.

Of note, Authorization is not required for:
  providing treatment or referring a case to another provider
  supervision or consultation within the group
  billing and processing payment
  health care operations (e.g., quality assurance, licensing, utilization review, case review to obtain insurance, legal services, administrative scheduling…)
  State laws governing reporting of abuse and harm to self or others
  State psychology boards, so long as PHI is remitted before use
  court orders to release PHI and Psychotherapy Notes (e.g., Workers' Compensation claims)
  when the coroner or medical examiner requests Psychotherapy Notes
  when disclosure is a matter of national security

In the event that client information is inappropriately disclosed without Authorization, documentation of the date, receiver, and the reason for the disclosure must be in the file.

  Clients can request restrictions to disclosure, although the psychologist is not required to accept them.
  Clients can amend their record. The psychologist may deny amendments, but must provide the patient with a written denial. The client can file a written disagreement, the psychologist can prepare a rebuttal, and this is turned over to an appeal process. After this, the request for amendment, denial, client's disagreement, psychologist's rebuttal, and the final resolution all become part of the client's file.
  The client may request an accounting of all disclosures. Generally, these requests should be honored within 30 days (60 days if records are off-site), but you may take a 30-day extension with a written statement of the reasons for the delay and the date by which the records can be provided. The first accounting in a twelve-month period is free, but subsequent accountings can require a cost-based fee.

"Marketing" is defined as making "a communication about a product or service that encourages recipients to purchase or use the product or service." It requires authorization and includes:
  a letter from a hospital informing former patients about a new facility that is not part of the hospital and not related to treatment advice
  any disclosure of PHI "in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages purchase or use [of] that product or service." For example, a drug company buys a list of patients from a provider and sends people discount coupons for a new drug.

HIPAA does not consider the following examples to be marketing that requires Authorization:
  an ophthalmologist in a certain insurance plan sends existing patients in that plan discount coupons for eye exams or eyeglasses
  a hospital uses its patient list to announce the arrival of a new clinic
  a provider mails appointment reminders to patients
  a hospital provides a free package of baby products to new mothers as they leave

There are likely very few psychologists who are excluded:
  you are likely bound if you use a computer for client reports, billing, or scheduling
  if you submit bills to someone who does not use any computers, you are exempt, but if they switch over to electronic billing, you must immediately become compliant
Because of the "scalable compliance," consequences for non-compliance will vary given the size of the organization, and range from administrative action, to fines of $100 per violation (max $25,000 per calendar year), to fines of $250,000 and jail time for a knowingly wrongful disclosure. Patients can file complaints about HIPAA violations within 180 days from the time the violation occurred or the time they would have reasonably known it had occurred, although HHS may make exceptions.

A good starting point would be to create a "HIPAA Binder" including:
  copies of all Business Associate contracts
  copies of the handouts for clients
  the Minimum Necessary Standard
  documentation of training of employees and violation sanctions
  a client complaint process
  the administrative, technical, and physical safeguards in place to protect PHI
  the procedure and fee for processing Authorized releases of information and Accountings of Disclosures
  the person(s) clients contact to appeal denied amendments and request an Accounting of Disclosures
  the name of the practice Privacy Specialist

Notice of Privacy Rules
A notice of your privacy rules and procedures must be available to the client, with paper copies to take away from the office. Clients should sign waivers indicating they have received the notice and understand it; you are not required to obtain a signature, but you must make a good-faith effort to get one.

Forms for clients should include:
  Consent to Treatment
  Authorization to Release PHI
  Authorization to Release Psychotherapy Notes
  Privacy handout detailing client rights
  Privacy Policies Handout

The Security Rule
When Does The Security Rule Take Effect?
In February 2003, HHS adopted the final security regulations to protect electronic PHI from improper access or alteration. The rules went into effect immediately, and compliance is required by April 21, 2005.

Does It Apply to Me?
The Security Rule covers "transactions" which the Rule defines as "the transmission of information between two parties to carry out financial or administrative activities related to health care" and includes by name:
  (1) Health care claims or equivalent encounter information
  (2) Health care payment and remittance advice
  (3) Coordination of benefits
  (4) Health care claim status
  (5) Enrollment and disenrollment in a health plan
  (6) Eligibility for a health plan
  (7) Health plan premium payments
  (8) Referral certification and authorization
  (9) First report of injury
  (10) Health claims attachments
  (11) Other transactions that the Secretary may prescribe by regulation
It's the "Other transactions" that makes me nervous.

What Does the Security Rule Entail?
All these must be documented, available to staff, and updated periodically:

Administrative Procedures
  Certification by evaluation to assure that the appropriate security has been implemented
  Chain of Trust Partner Agreements
  Contingency Planning for emergencies (backups, responses to fire or system failure…)
  Documented Procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of records
  Security Training and periodic Awareness Training
  Security Configuration Management in order to keep documentation, hardware/software, and malicious software protection up to date…
  Security Incident Procedures to handle any security breaches
  Security Management Process to assure updates to risk analysis and management
  Termination Procedures for when an employee quits, is fired, is suspended…

Physical Safeguards
  Assigned Security Responsibility to a specific individual or organization
  Media Control policies regarding hardware/software (e.g., diskettes, CDs, tapes)
  Physical Access Controls for limiting physical access
  Policy/Guideline on Workstation Use
  Secure Workstation Location
  Security Awareness Training (as noted above)

Technical Security Services
  Access Control to restrict access to the specific people needing it
  Audit Controls to identify and respond to potential weaknesses
  Authorization Control for use and disclosure of PHI
  Data Integrity to show data has not been altered
  Entity Authentication to assure users are who they say they are
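The Access Control, Audit Controls and Data Integrity items above, together with the "minimum necessary" example earlier (a secretary sees contact information but not background records), sketched in Python as an added example that is not part of the original page. The roles, field groups and sample record are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Field groups and role names are assumptions for illustration; they mirror the
# example that a secretary needs contact information but not background records.
FIELD_GROUPS = {
    "contact": {"name", "phone", "address"},
    "clinical": {"diagnosis", "treatment_plan", "progress"},
    "billing": {"insurance_id", "balance"},
}
ROLE_PERMISSIONS = {
    "secretary": {"contact"},
    "billing_clerk": {"contact", "billing"},
    "psychologist": {"contact", "clinical", "billing"},
}

# Audit Controls: every access attempt, granted or denied, is recorded. A list keeps
# the example self-contained; a real office would write to append-only storage.
AUDIT_LOG = []

def allowed_fields(role: str) -> set:
    """Access Control: the union of field groups granted to a role (empty if unknown)."""
    return set().union(*(FIELD_GROUPS[g] for g in ROLE_PERMISSIONS.get(role, ())))

def access_record(user: str, role: str, record: dict, requested: list) -> dict:
    """Return only the requested fields the role may see, and log what was granted and denied."""
    permitted = allowed_fields(role)
    granted = {f: record[f] for f in requested if f in permitted and f in record}
    denied = sorted(f for f in requested if f not in permitted)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "client_id": record["client_id"],
        "granted": sorted(granted), "denied": denied,
    })
    return granted

def record_digest(record: dict) -> str:
    """Data Integrity: SHA-256 over a canonical encoding; recompute later to detect alteration."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

# Constructed sample client record with fictional values.
SAMPLE_CLIENT = {
    "client_id": "C-0001", "name": "Jane Example", "phone": "217-555-0100",
    "address": "12 Any Street, Springfield, IL", "diagnosis": "F41.1",
    "treatment_plan": "CBT, weekly", "progress": "improving",
    "insurance_id": "HPB-000456", "balance": 120.0,
}
```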

Note on Technical Security
  for electronically transmitted PHI, some form of encryption is suggested but not required

The Small Provider
A small office of four or five physicians and some staff would:
  evaluate and self-certify their systems as secure
  develop contingency plans for maintaining backups and PC maintenance…
  create and document a personnel security policy and procedures
  create a Security Configuration Management program, including virus-checking software and plans to respond to employee termination
  create internal auditing to track who has accessed PHI, likely through software packages
  create an "office procedures" document that would be required reading for new employees
  have periodic security reminders
  require locking file rooms and cabinets, and logging off when leaving terminals
  have a Technical Security Services person to assign usernames and passwords
  have Chain of Trust agreements with third parties