HIPAA What's All the Fuss? | Therapist Practice in a Box

HIPAA What’s All the Fuss?


Recently I was working with a new business owner and I asked about her HIPAA statement. She looked at me with terror and fear in her eyes. She then said, “Do I really have to follow HIPAA? I don’t really understand what it is.” She is not alone in her fear and confusion around HIPAA. Today, I would like to simplify HIPAA to help reduce fear and anxiety.

Let’s look at what it is. The U.S. Department of Health and Human Services (HHS) describes HIPAA as “The Privacy Rule.” This regulation standardizes the use and disclosure of individuals’ health information, also called “Protected Health Information” (PHI), by organizations subject to the “Privacy Rule.”

That sounds good, right? Protecting one’s privacy; therapists are used to that. Let’s break it down a little further. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The original idea was to force the healthcare industry to save money by computerizing paper records, which led to concerns over privacy.

There are 5 Titles to HIPAA. They include:

  1. Title I: Ensures and enhances insurance access, portability, and renewability.
    • Protections for millions of working Americans and their families by requiring coverage from certain employers.
    • Ability to get health coverage when starting a new job.
    • Reduces the risk of losing existing health care coverage.
    • Provides continuous health coverage when changing jobs.
    • Allows workers access to an exchange to help purchase health insurance on their own if they lose coverage under an employer’s health plan.

 

  2. Title II: Simplifies administration of health care and reduces fraud and waste. It defines confidentiality, how records can be transmitted, and the privacy and security of records.

  3. Titles III, IV, and V: Describe regulatory agencies and who is responsible for various parts. These parts include delivery, finance, application, enforcement, and revenue. (Major boring stuff).

 

Did you see anything in the above that therapists need to know? No? Well, not so fast; let’s look a little deeper.

 

HIPAA applies to any healthcare provider (covered entity) who “transmit, maintain, access or store” PHI. (This could apply to therapists.)

 

Next, let’s define who is a covered entity: any health care provider that transmits any protected health information in electronic form. Therefore, if you do not transmit your claims or send any other PHI electronically, legally, you are not a covered entity. However, I would ask, do you work with people that need information for disability or back-to-work/fitness reports? Then you may be a “covered entity.” If you use an EMR and file electronic claims, that puts you into the “covered entity” space. However, what if you are a 100% cash practice? Then you are not a “covered entity.” However, you still must comply with the act in respect to the release of information, record keeping, and confidentiality. What, I do? Yes, and the good thing here is that you most likely are already doing these things.

 

Let’s go back just a minute to a covered entity. It seems to me that if you follow HIPAA you would be going the extra mile for your clients. Furthermore, I would argue that all therapists should consider themselves a covered entity. Following the HIPAA Act could mean more clients for you. HIPAA informs your clients that you are taking their privacy seriously and that you are going that extra mile to protect them. Thus, elevating your practice in a crowded space perhaps?

Additionally, if you use email, video conferencing or a fax to distribute PHI ever, even once, you have become a covered entity. I will always side with more client protection and, frankly, your protection also. When we used paper files we locked the file cabinet, then we locked the file room and then we locked the office door. We only needed two locks, but since we had the file room door we added another layer of protection. With our EMR we have a similar “lock”: we use passwords to log onto our computer, then we have another password to open the program, and our passwords are long and generated randomly. Again, going the extra mile to keep client records safe.

Bottom line: follow HIPAA even if you’re not a covered entity.

 

I hope I convinced you that you are a covered entity, or at least that you should act like one. If you are still reading, here are the basics of what you really need to know. (Source: U.S. Department of Health and Human Services, Privacy information)

 

  • You need to have in writing a Notice of Privacy Practices (NPP). This should include how you handle confidentiality, under what circumstances you will release information, how you store information, and that to release PHI you (the client) must authorize it. You must also note how to complain both to HHS and to the organization, aka you, the therapist.
  • This notice must be posted in the office.
  • It must be written in plain language and be easily understood.
  • It must be discussed in the initial session or, if it’s an emergency session, as soon as feasible.

 

The Notice of Privacy Practices must include the following:

  1. How clients can get copies of their medical record.
  2. How clients can ask for correction to their record if there is an error.
  3. The client’s preference for how the healthcare provider (HP) is to contact them (confidential communications).
  4. The client has the right to inform the HP what information they can share. The HP doesn’t have to agree. (Spell out exceptions.)
  5. The HP must provide a list of who they shared PHI with when asked by the client.
  6. The HP must provide a copy of the notice if requested.
  7. Inform the client of how to complain if they feel PHI has been released.
  8. Statement of how and when you consult another professional for best care.
  9. If you have interns, how and what you share with them.
  10. How your office bills and shares your PHI.
  11. How the therapist will respond if there is a breach.
  12. How the therapist will respond to lawsuits and disclosure of PHI.
  13. When the therapist is required to share PHI: law enforcement, court orders, subpoenas, or to comply with federal or state laws.
  14. How treatment will be conducted.
  15. Policy to receive updated HIPAA policy or every three years, whichever comes first.

 

 

I know there is still fear in your hearts. I can hear you thinking, “Sherry, I have to create a form…what? I don’t have any idea what to say or where to start.” Don’t worry, I have got your back. You can purchase all 16 forms that I personally use by clicking on therapistbox.com. Or, if you only need the HIPAA form, you can download and alter it directly from the HHS website for Notice of Privacy. Additionally, many associations have copies of the form and will share them with their members.

 

There is one more thing: as of 2013, if you have a website (and you should have a website), you must post the NPP on your website. The easiest way to do this is by adding it as a downloadable file.

 

I know the above sounds like a lot, and it will take some time to draft the document. However, once it’s done, you will be conveying to your clients how seriously you take their privacy.

 

NOTE: The information provided is for reference only and does not constitute the rendering of legal advice.

 

© 2017 All Rights Reserved, Therapistbox.com, Sherry Shockey-Pope, LMFT

 

 

 
