Is This HIPAA Friendly?
All You Need To Know About HIPAAs, Possums, Ostriches And Eagles In Three Pages Or Less

By Ofer Zur, Ph.D., a HIPAA Trainer
2013 - Note: This article was written in 2003, in the very early years of HIPAA, and some clarity has evolved since. Generally, only psychotherapists who transmit electronic billing are considered a Covered Entity by HIPAA. As you read this article you will realize that HIPAA, as this article predicted, has indeed become an important aspect of the standard of care when it comes to security and privacy regarding electronic-digital (clinical) records. Therefore becoming HIPAA compliant regarding the security and privacy of computers, smart phones, e-mails, texts, cloud storage, etc. is relevant and applies to almost all psychotherapists who deal with digital records.
Published in the Independent Practitioner, the bulletin of Psychologists in Independent Practice, a Division (42) of the American Psychological Association (APA), V. 23/3. pp 79-82, 2003.
See Permission to Reprint at the end of the article
My wife, one of many of a new class of "HIPAA-Widow(er)s", protested the title of this piece, insisting that HIPAA is neither friendly nor can it be summarized in less than three thousand pages, let alone three pages. In a recent article, Nicholas Cummings, the most accurate predictor (and painfully so) of mental health trends, claimed, "HIPAA may become the most disruptive or impactful force psychotherapy practice has ever encountered." In the same way that I ferociously fought to disprove Cummings' previous managed care prediction, and thereby helped thousands of therapists to throw off the shackles of managed-care, I am committed again to trying to disprove his newest prophecy. I intend to tame the HIPAA-beast and transform it into a friendly beast.
As any animal trainer knows, before we try to domesticate an animal and make it work for us, we have to get to know its nature, its little habits, and... intentions. Animal training protocol mandates that HIPAA's house-training must be completed by April 14th, 2003. Most large animal trainers would agree that if you don't manage to train (most of) your HIPAA by April 14th, you had best get it housebroken ASAP thereafter. An old HIPAA trainers' saying is, "Better later than never."
HIPAA stands for the Health Insurance Portability and Accountability Act - a suitably corpulent name for such a fat critter. It was born as the result of the passage of the Kassebaum-Kennedy bill that was signed into law in 1996, to be implemented in April 2003. HIPAA was originally bred to be a kind of guard animal to protect Americans who were previously ill from losing their health insurance when they changed residences or jobs. It was also genetically engineered to help contain ever-rising health-care costs by streamlining the system through the adoption of standards for transmitting electronic health-care claims and reducing the number of claim forms from a few hundred to about a dozen standard forms. HIPAA regulations also establish standards for securing the storage of health-care information, transmission of electronic claims, and protecting the privacy of individuals' records. Simple, right? So what is there to be afraid of?
Therapists As Ostriches And Possums
Despite the fact that this HIPAA is charging towards us at breakneck speed, most therapists, so far, have chosen to adopt the ostrich's "head in the sand" strategy, namely, "Hey, it doesn't apply to me!" or the possum ploy, "playing dead." However, some therapists are not equipped to bury their heads in the sand, do not have any sand around, do not like playing dead, or don't do it convincingly. Instead, they are brave, smart, or desperate enough to face this frightening creature. For them, the big, bad, pertinent question is, "Do I need to become HIPAA compliant even though I do not submit electronic bills to insurance companies?" In response to that very legitimate question, many psychotherapists' national and state professional associations, such as APA, attorneys and insurance companies (such as APAIT) have advised that all their therapist members become compliant. The argument is that while you may not need to comply today, you have no idea if, in the future, you may end up triggering the wrath of HIPAA. If that happens, woe unto you, for at that very moment you will have to be 100% compliant without any grace period. Obviously, this will be impossible. While I am in a 100% managed-care-free, out-of-pocket, solo, private practice, I still give an invoice to clients who request it, which in itself makes me vulnerable to the dreaded HIPAA. Most importantly, many experts predict that HIPAA will eventually become the standard of care for psychotherapy. That means that regardless of whether you are covered by HIPAA, you need to comply with its regulations. So, I decided to face this animal and become HIPAA compliant. I am committed to doing it in the most painless, simple, and doable way - and I hope you will be, too.
The Nature Of The Beast
While this rare and unknown strange beast may look fierce and scary, if you know how to handle it, it's not so bad. Now, let's look at the nature of the beast. HIPAA, like many animals, is composed of three main parts:
1. The Privacy Rule is the most relevant to psychotherapists in the short run. It focuses on the application of policies and procedures to protect the privacy of our patients' medical information through the control of access to this information. It involves implementing a few new clinical forms, considering changing the way we take clinical notes, and a few other doable changes. It also involves all kinds of rules about disclosures, authorizations, and consents that are listed in the afore-mentioned HIPAA training manuals.
2. The Security Rule aspect of HIPAA is about the physical protection of confidential information and issues of access to office files (e.g., are your file cabinets locked?), computers (e.g., passwords, firewalls, encryption) and other protective measures.
3. The Transaction Rule is still developing. It will require standard electronic transactions, such as insurance claims, and will deal with complex issues of encryption and other electronic safety measures. The second part of this rule standardizes the use of codes, such as ICD-9 and CPT-4.
This Creature Is, In Fact, Tamable
Another characteristic of the HIPAA is that, despite its daunting reputation, it only provides a floor or minimum standard for privacy protection. That means that if any state law is more restrictive and protective than HIPAA, it will take precedence over HIPAA. In the field of psychotherapy, many of the states' privacy and confidentiality rules are already very strict and, therefore, preempt HIPAA. The interaction between HIPAA federal regulations and state laws requires a state-by-state preemption analysis to determine which one is more restrictive.
The truth is that we therapists are already accustomed to dealing with HIPAA-type animals. Likewise, we are well prepared to deal with issues of privacy and confidentiality; permission, consents and authorizations; and disclosures and reporting. Most of us do it already, all the time.
Bottom line, facing HIPAA is not such an insurmountable task, after all. Taming the HIPAA will generally require following some simple explainable steps. Following is a list of such steps. This list is neither exhaustive nor complete; nevertheless, it will give you the general sense of some of the most pertinent steps towards HIPAA compliance:
1. Overcoming overwhelming feelings of fear and anxiety.
2. Evolving beyond the ostrich or possum state of development. I.e., resorting to more advanced defense mechanisms than denial or avoidance.
3. Educating oneself by reading some of the available (readable) manuals, often available, in addition to a hard copy, on CD or online as a PDF file.
4. Attending HIPAA-taming live seminars or enrolling in HIPAA obedience home study programs. In addition to HIPAA-taming tips, this option will also give you CE credits, 5% off insurance premiums and compliance with some states' law and ethics requirements.
5. Simply implementing a few HIPAA-compliant, ready-to-use, personalized forms provided by many HIPAA kits or manuals. Most important is the new form of Notice of Privacy Practices, which must be specific to your state.
6. Paying attention to those who conduct state-by-state preemption analysis, which will tell you if you need to follow your current state law or the new HIPAA rules for each situation.
7. Ensuring the privacy of records in our offices by installing locks and monitoring access to the records.
8. Right now, taking very basic computer precautions by setting passwords and installing firewalls, when appropriate.
9. Making informed decisions about the alternative possibilities of note-taking and record-keeping. More importantly, learn about the option of keeping separately what HIPAA calls "Psychotherapy Notes" which are more detailed and private notes that we used to call "progress notes." These "Psychotherapy Notes" have special protection under HIPAA and are not routinely accessible by clients or insurance companies (Yeah!).
HIPAA Obedience Training - Mastering Compliance
As with any obedience training, whether for dogs, ostriches, possums or our children, there are many offerings out there. My review of these revealed that most of the manuals, kits, books, online interactive courses, etc. are based on the author's skills of copying and pasting. That is, many of these resources use extensive quotes from the original legislation and are almost as overwhelming and incomprehensible as the original legislation, and therefore not very helpful unless you are an attorney and can read legalese. After all, the original legislation and the Department of Health and Human Services' comments are available for free online (www.hhs.gov/ocr/hipaa). The prices of available products range from $60+ to $800+ and their weight is even more varied. Another important and dangerously overlooked issue is the preemption analysis. At the end of the day you must have, by April 14th, a Notice of Privacy Practices form that is neither generic nor universal, but tailored to your very own state. My advice is, be very careful and do your homework before you spend big bucks on HIPAA training. Remember, for psychotherapists the changes are relatively minor and very doable.
From the several resources out there, I will list two entities that have produced HIPAA compliance manuals or kits:
1. American Psychological Association: www.apait.org ($175 for members and $575 for non-members. Online course that is geared (almost exclusively) to techie-psychologists who are highly Internet savvy, and includes a comprehensive state-by-state preemption analysis and forms. Also available on CD.)
2. Ofer Zur, Ph.D., your humble, large-animal tamer, me, at website: www.zurinstitute.com ($69. At 116 pages, my Kit, available in hard copy, on CD, and on PC and Mac floppy, is the shortest and simplest manual that I am aware of. It also includes the basic forms.)
Note: For information regarding Dr. Zur's HIPAA obedience training, HIPAA Compliance Kit, HIPAA live seminars and home studies and online HIPAA courses visit his website at www.zurinstitute.com, call 707-935-0655 or email: info@zurinstitute.com.