HIPAA Friendly Help
Simple ways for psychotherapists in private practice
to comply with HIPAA regulations
By Ofer Zur, Ph.D.
My goal is to help psychologists, counselors, MFTs, social workers, psychiatrists and other psychotherapists in private practice to become familiar and compliant with HIPAA regulations.
Yes! As most experts advocate, if you are in solo psychotherapy private practice, you still need to become compliant even if you do not submit electronic bills.
Beware! HIPAA regulations regarding security and privacy of electronic-digital records has become the standard of care that all therapists must follow.
Don't take the chance of being caught non-compliant. The penalties can be very severe.
Avoid being overwhelmed and immobilized by fear. HIPAA will not disappear if you put your head in the sand.
Inform yourself about the minimum you need to do.
Realize that every year the number of grievances, complaints, investigations and fines regarding HIPAA violations and non-compliance increases.
Find ways to continue getting insurance company reimbursements if you do not bill electronically or even own a computer.
If you missed the 2003, 2005, 2007 (NPI) and 2013 deadlines, do not wait any longer, become compliant ASAP.
Take the necessary, simple and relatively easy actions to comply.
It is manageable & I'll help you achieve compliance through:
HIPAA Compliance Kit & HIPAA Package of three Online CE Courses
I am committed to assist therapists like you with:
- Understanding HIPAA's basic facts and requirements.
- The simple step-by-step process towards HIPAA compliance.
- A down to earth, calm approach to compliance.
- Acquiring the actual resources for procedures, checklists, ready to use forms, outlines, etc. You will be able to personalize these user-friendly forms and checklists and apply them in your practice right away.
- Continuing to be reimbursed by insurance companies who are likely to ONLY accept electronic claims in the near future.
Generally, only psychotherapists who transmit electronic billing are considered Covered Entity by HIPAA. However, as predicted, HIPAA has indeed become an important aspect of the standard of care when it comes to security and privacy regarding electronic-digital (clinical) records. Therefore becoming HIPAA Compliant in regard to security and privacy of computers, smartphones, e-mails, texts, cloud storage, etc is relevant and applies to almost all psychotherapists who deal with digital records. Also, a growing numbers of states, such as Texas, are making all or most health care practitioners into covered entities through state law.
Many therapists and a few professional organizations believe they are exempt from the HIPAA regulations if they do not submit any bills electronically. The truth is that the new regulations also have to do with storage of records, informed consent, record keeping and much more.
The American Psychological Association (APA), like many other organizations and experts, asserts that all psychologists must consider themselves subject to the Privacy Rule of HIPAA regardless of the nature of their practice. Therefore, it is highly recommended that all psychotherapists in private practice be HIPAA compliant ASAP, regardless of whether or not they do electronic billing.
There seems to be a wide sense of agreement that all therapists should be HIPAA compliant regardless of their billing practices. Paul Litwak, a prominent health care attorney in D.C. who authored a book on HIPAA, states poignantly: "For the most part, there are two kinds of clinicians: 1. Those who are covered by HIPAA, and 2. Those who think they aren't but really are."
CAMFT staff attorney, D. Jensen, J.D., wrote in The Therapist (Sept.-Oct., '03): "In terms of HIPAA, you can run, but you cannot hide; one of its tentacles will undoubtedly find you."
Many states are likely to amend their state laws to be more aligned with HIPAA laws. Some states have already started this process. If, or when, HIPAA regulations become state law, they will apply to all therapists regardless of whether they are a Covered Entity (by HIPAA) or not. Along the same lines, a CAMFT staff attorney wrote about HIPAA in The Therapist (Jan.-Feb., '03): "It is not outside the realm of possibility that California may adopt some, most, or all of these principles as its laws to bring uniformity to the healthcare/privacy landscape." (p.24)
HIPAA is the Health Insurance Portability and Accountability Act. This is the result of the 1996 Kassebaum-Kennedy bill which was signed into law in 1996.
It is designed to protect Americans from losing their health insurance when they change residences, jobs or health plans, to increase protection against fraud and to streamline the health care system through the adoption of standards for transmitting electronic health care claims.
HIPAA regulations adopt standards for: a) securing the storage of health care information; b) transmitting of electronic claims; c) protecting the privacy of individuals' medical records.
The aspect of HIPAA's rules regarding privacy focuses on the application of effective procedures and policies to control access to and use of patient information. The aspect applied to security is about the physical protection of confidential information and deals with questions of access to office files and computers.
Failure to comply with HIPAA can be very costly. It may include significant penalties for non-compliance and potential lawsuits. It is not my intention to frighten anybody, and I will not elaborate further but I just want to make sure that you (and all other psychotherapists you may know) are compliant.
HIPAA 101: The Basics
Dr. Zur's Eight Reasons For ALL Therapists To Become Compliant
- HIPAA has become the standard of care in regard to storage and transmission of electronic-digital records. Generally, it applies to all therapists regardless of their billing practices.
- HIPAA will be determined by case law. This reason alone suggests that all therapists comply ASAP, thus eliminating the need to face it in court.
- Unpredictable emergencies or future events might happen where you will have to submit PHI electronically and need to be instantly compliant, i.e. suicidal clients or a new insurance company that bills electronically.
- HIPAA can be triggered unexpectedly by actions outside of control or even your knowledge, i.e. your billing company changes to electronic billing.
- HIPAA is not only about electronic transmission it is also about privacy, security and the therapist's entire operation. HIPAA also concerns privacy and security of file cabinets, computers, etc.
- Many states have amended their state laws to be aligned with HIPAA laws. As a result HIPAA has, generally, become the standard of care regarding the privacy and security of electronic-digital records.
- The entire field will become electronically dependent and HIPAA compliant. Most likely, in the future the only way to be reimbursed by any third party will be by electronic billing.
- The risks and potential penalties for non-compliance are great. Fines and charges for non-compliant therapists can be severe and damaging.
You can run but you cannot hide! My advice is: Get compliant! It is simple and do-able!
Eleven Simple Steps Towards Compliance
Following is a non-exhaustive list of some of the most basic steps that you can take towards compliance:
- Gain general knowledge of HIPAA regulations. There is no need to wrestle with the incomprehensible original regulations or lengthy manuals that are written in legalese. Just attend a course or review a simple (and relatively inexpensive) compliance manual.
- Create a HIPAA Check List, designate yourself as the "Privacy Officer" and create a general HIPAA file for the checklist, i.e., HIPAA forms, logs, documentation of compliance activities, etc.
- Implement a few new HIPAA forms, such as the Notice of Privacy Practices, Authorizations, Disclosure Logs and/or Request to Amend Health Information, Risk Analysis, Risk Management, Security Policies and Procedures manual, etc. Make sure, following your state preemption analysis, that you adapt the forms to your state and professional requirements.
- Secure records by locking and securing file cabinets and offices. Monitor who has access to them.
- Provide basic (need not be expensive) computer security, such as virus protection, firewalls, backup, passwords (changed regularly), encryptions, log out, access log, and who has access to records. Our HIPAA Security and Privacy course can help you learn how to do this.
- Keep answering machines, fax machines and computer screens confidential and away from unauthorized people.
- Consider the option (this is not a requirement) of keeping separate and more protected clinical notes for some clients, called "Psychotherapy Notes" or what used to be called "Progress Notes".
Post public notices regarding the Privacy Officer and the Notice of Privacy Practices in the waiting room and, when appropriate, on your website.
- Obtain, if relevant, from your "Business Associates" (i.e., clearinghouses, answering services) a HIPAA Business Associate contract.
- Train your employees or staff (if you have any) in HIPAA compliance. Document the training and re-training as necessary.
- Make sure you are not shut out of insurance reimbursement when they stop accepting paper claims. Following are two basic options: 1) For the low-tech therapist, fax or mail your paper invoices to a billing service which, with the help of a clearinghouse, will transmit your bills electronically to the insurance companies; 2) For the high-tech therapist, a more complex option is for you to install a basic billing program, such as Medisoft, and either submit your claim to a clearinghouse or, if you like the challenge, submit them directly yourself.
Order the HIPAA Compliance Kit & HIPAA Forms
Additional Online Resources (some of these sites may be "members only"):
Centers for Medicare & Medicaid Services
Due to the large number of inquiries I receive regarding HIPAA, I decided to create this informational HIPAA Compliance web page and seminars. Please do NOT send me emails or call with questions regarding HIPAA regulations. I will not be able to answer individual questions or personal inquiries, but will be happy to set up an individual or group consultation, in person or by phone. Check this page for updates.
This page, like the HIPAA Kit and seminars, does NOT intend to be a substitute for legal, ethical or clinical advice or consultation. State laws may supersede HIPAA regulations and you have to check with the laws and regulations of your state. This page expresses Dr. O. Zur's opinion and understanding of the regulations and does not claim to give definitive or comprehensive answers or the 'right' interpretation to many of the complex and often ambiguous questions which are brought up by the new HIPAA regulations. Many regulations may be still changing and the material may not reflect such changes. Contact your professional association, your malpractice insurance, attorney, boards and other state agencies or the federal government for more information.
Top of Page