Privacy concerns have become part of the fabric of our day-to-day lives in America. From our social media accounts to our search history, it seems as if too many people know too much about us. Nowhere are these concerns more prevalent than in the area of our mental health information. The set of regulations governing our privacy rights is called HIPAA. In this multi-part series, we will discuss these regulations, and try to provide some “HIPAA help” to individuals and practitioners alike.
In this first article in the series, we’ll provide a HIPAA overview. We will discuss what it is, how it came to be, and who is affected by these regulations. HIPAA for mental health practices is a little different than in other healthcare areas. We specialize in understanding these specific needs, and we will cover them as they arise.
What is HIPAA?
HIPAA is an acronym and refers to a set of medical privacy regulations that everyone in health care must follow. The Health Insurance Portability and Accessibility Act (HIPAA) of 2003 is an Act of Congress created in order to formalize instructions to the Department of Health and Human Services (HHS) that pertain to electronic personal health information (ePHI) and its protection.
Essentially, HIPAA is designed to protect patients from the release of their medical information without their consent. It covers when medical records can be disclosed, and it regulates the electronic storage and transmission of these records to protect patient privacy. This protection of health information ensures the digital privacy of individuals, and HIPAA also stipulates certain occasions where health information must be disclosed (public health crises, cases of abuse, workers’ compensation, and other occasions as specifically required by law).
The history of the HIPAA privacy rule
HIPAA is part of broader efforts at healthcare reform, started in the 1990s. The intent behind this set of laws is to protect valuable private medical information from being misused against individuals, whether on the black market by criminals, or to violate fair hiring practices or Fair Housing Act regulations. The US Office of Civil Rights (OCR) is responsible for monitoring HIPAA compliance, including HIPAA mental health compliance, and may levy fines or other penalties against doctors, nurses, and all those required to follow HIPAA.
HIPAA was the beginning of work to ensure that Electronic Patient Health Information (ePHI) is properly handled and protected. Subsequently, HITECH was enacted in 2009 to ensure that regulation of HIPAA policies was fair, yet had enforcement measures to protect patients.
Who is Required to Follow HIPAA Regulations?
There are certain individuals that are required to be HIPAA compliant. People who must follow HIPAA/HITECH regulations are called “covered entities,” and include:
- Health plan providers, including Medicare and Medicaid, or anyone who pays for your health care
- MOST health care providers – essentially any health care provider that conducts business electronically or has patient medical records stored online or electronically
- Health care clearinghouses, including “clearinghouses” that transfer medical records from one place to another
- Business associates of covered entities (covered in depth below)
Essentially, anyone who has access to patient electronic medical records must follow the HIPAA guidelines stipulated for their position.
Business associates
Others required to follow HIPAA guidelines, who are not directly responsible for patient care, are called business associates of covered entities. These are often contractors, subcontractors, or other outside agencies or persons. While they aren’t employees of covered entities, they are people who will need to have access to patient health information as part of their role as service providers to a covered entity.
For example, companies that help health care providers process billing, such as claims processing companies, billing transcriptionists, or medical billing parties would be considered a business associate. Other business associates are companies that administer health plans and companies that store or destroy medical records. Even some outside accountants, lawyers, and IT professionals may have access to records from a covered entity, and therefore might be considered a business associate.
Covered entities must sign contracts with their business associates in order to guarantee that patients’ protected medical information will remain private. As per HHS, “Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.”
Steps to Improve HIPAA Compliance in Your Medical Practice
There are several things that health care providers can do to ensure that their practice is fully compliant with HIPAA policies:
- Insist on privacy everywhere in the office, such as calling patients by first or last name only. Patient records should never be left unattended or unsecured, including protecting the screen of electronic devices so that others cannot see what is on there.
- Print and post notices of privacy policies in the common areas as well as the work areas for all employees. Patients may be provided with their own copies of the privacy laws.
- Create, maintain, and enforce written policies and procedures. Upon hire, have all employees read and agree to your office’s HIPAA policies, and consider having small quizzes to ensure that all workers know their obligations. Also, having a written manual available for easy consultation can help workers avoid costly mistakes for patients, themselves, and the organization.
- Conduct HIPAA training every year for all employees and relevant business associates. If you outsource billing to another agency, ask to see their HIPAA training and compliance best practices. If necessary, include provisions in your contract with these providers that relate to auditing and compliance with training.
- Begin conducting the Mandatory Annual HIPAA Security Risk Assessment, and quickly address actionable items. For example, ensure that your office is equipped to practice secure disposal techniques for written records, and train your records keeper on proper policies. Other types of secure encryption practices may be more technical, such as secure internet access and an IT vulnerability assessment. Consider hiring a professional to complete these.
Disclaimer
We intend this to be an informative article for anyone required to follow HIPAA guidelines to know a bit about the program and how to get started. Therefore, the information above is referenced from HHS.gov, and HHS.gov is considered a reliable source for this information. This post should not be considered legal advice. If you need legal advice concerning your cybersecurity and HIPAA/HITECH requirements or potential breaches, please obtain that advice from a knowledgeable and competent cybersecurity lawyer or legal practice. We are posting this blog item as information for our customers and the general public.