
HIPAA WANTS YOU!
Eleven reasons to become compliant
Eleven simple ways to achieve compliance

 

Professional Practice

Ofer Zur

 
 


The most looming and argued question for psychotherapists these days is whether they have to comply with HIPAA regulations. Many therapists in private practice believe that they do not need to be compliant with HIPAA regulations if they do not transmit bills electronically. However, the answer is not that simple.

HIPAA stands for Health Insurance Portability and Accountability Act. It came into being as a result of the passage of the Kassebaum-Kennedy bill that was signed into law in 1996. Its implementation already started in April 2003. It was designed to help contain the ever-rising health care costs by streamlining the system through the adoption of standards for transmitting electronic health care claims. HIPAA regulations also establish standards for protecting the privacy of medical records. Many therapists have neglectfully already missed the April 14, 2003, Privacy Rule deadline and are about to miss the upcoming October 15, 2003, Transaction Rule deadline.

Nicholas Cummings, a former APA president, claims that “HIPAA may become the most disruptive or impactful force psychotherapeutic practice has ever encountered” (Hartman-Stein, 2002, p.17). Confusion and diversified opinions around HIPAA seem to be growing by the day. Professional newsletters and journals, as well as the public media, report that health care providers are overwhelmed by fear and confusion. Lawsuits and legislative efforts are seeking to overturn the HIPAA rule altogether, and Congress continues to challenge several aspects of the regulations. The bad news is that uncertainty is likely to last for many years. The good news for psychotherapists is that compliance is relatively simple and doable because we have always paid close attention to privacy and confidentiality matters. The most important news is that therapists ought to get compliant as soon as possible.

While many physicians, chiropractors, dentists, pharmacists and other health care professionals begrudgingly have met the April 14, 2003, compliance date for the HIPAA Privacy Rule, I suspect most psychotherapists in private practice have not. Ironically, the main reasons for that are derived from psychotherapists’ tendencies to fear and resist change. Our therapeutic training seems to help many therapists rationalize their resistance rather than to overcome it. The isolative setting of private practice psychotherapy helps them adopt the ostrich style of denial (i.e., burying one’s head in the sand) or the possum ploy of avoidance (i.e., playing dead) (Zur, 2003a).

Many therapists, but very few professional organizations, believe that psychotherapists in private practice do not need to be compliant with HIPAA regulations if they do not transmit bills electronically. This assertion, and what I see as very dangerous advice, is based on the narrow understanding that providers are not considered “covered entities” by HIPAA unless they bill or transmit electronically, and therefore they do not need to be HIPAA compliant. As Cummings warns us, the question of compliance is much more complex and bigger than the narrow reading of HIPAA’s definition of “covered entity”. The implications of HIPAA regulations on medical and mental health services are not only complex but also unpredictable, which introduces a significant unknown and potentially dangerous factor into the equation. In addition, the ambiguous nature of the regulations results in different and contradicting interpretations along with confusion. The complexities, unpredictability, disagreement and lack of clarity of the regulations leave the question of whether to become compliant extremely important (Zur, 2003a,b).

Eleven reasons to become compliant

The lack of clarity, the uncertainty and the unpredictability of HIPAA regulations, implementation and enforcement have led many experts and professional organizations to recommend that all therapists become compliant regardless of their billing practices. Most notable are the American Psychological Association (APA), as well as APAIT and APA Practice Directorate, which advise that all psychologists delivering health care must consider themselves subject to the Privacy Rule of HIPAA, regardless of the nature of their practices. Many social workers and psychiatric state associations have also taken a similar stance. Freeny (2003) appropriately titled his article “HIPAA – Big, Hungry But Manageable.”

Consistent with the advice from APA, other professional organizations, Nicholas Cummings, experts, and attorneys, I have compiled the following eleven reasons why all psychotherapists in private practice should become HIPAA compliant.

1. HIPAA will become the Standard of Care. HIPAA federal regulations are so broad and comprehensive that they will ultimately become the standard of care by which all psychotherapists will be judged regardless of their billing practices or their technical status as “covered entities”. Erick Harris, Ph.D., J.D., the experienced attorney for American Psychological Association Insurance Trust (APAIT), notes in his HIPAA workshop handout, “Some commentators expect that at least some changes in confidentiality protection and patient rights instituted by the Privacy Rule will become the new standard of care and thus apply to all psychologists” (2003, p.12). Similarly, Zuckerman states in his HIPAA manual, “Courts may view the Privacy Rule as setting the standard for protecting PHI and so, in a lawsuit or state licensing board complaint, you will be judged by HIPAA’s rules as the standards.” (2003, p.17). Litwak, a HIPAA attorney and expert, stated similarly, “HIPAA requirements will become the standard of what clinicians are expected to do. This is going to be the standard of care for privacy” (Psychotherapy Finance, 2002c, p.3). The idea that HIPAA is most likely to become the standard of care should be sufficient for all psychotherapists to make the relatively small effort of becoming compliant.

2. HIPAA ultimately will be Determined by Case Law. The ambiguous and often confusing nature of HIPAA regulations invites the inevitable. HIPAA, like many other federal regulations, will ultimately be determined by case law. HIPAA is a work in progress, and everyone seems to agree. Hartman-Stein (2002) cites how Karr, the attorney for Ohio Psychological Association, and Cummings “agree that no one will know the impact of HIPAA until case law evolves over time” (p.17). In fact, at least one court has already used the HIPAA Privacy Rule to decide a case as far back as May 2001. The court stated: “compliance is not required until April 14, 2003. Nevertheless, the standards indicate a strong federal policy to protect the privacy of medical records and they provide guidance to the present case.” (US v. Sutherland, 2001, p.2). Spellman, CEO of Behavioral Health Management Consultants, FL, adds, “It’s a real good bet that the government will be looking for test cases. They’re going to look to see where the lines are. That’s the nature of regulatory law” (Psychotherapy Finance, 2002b, p.8). It appears that it may take up to 10 years of court battle, many rich attorneys and many more hurt practitioners before clarity emerges. No one can predict what shape HIPAA will have when it goes through the courts and all is said and done.

Those who focus on the legal definition of “covered entity” are missing the forest for a single tree. The mere fact that HIPAA will become the standard of care and will be determined by case law should be reason enough for all therapists to comply right now, so that they do not discover in court, board or administrative hearings that they have been operating below the standard of care.

3. Unpredictable emergencies and future events might happen where therapists have to submit PHI electronically. Therapists who do not transmit electronically today may need to transmit what HIPAA calls Protected Health Information (PHI), electronically in the future. These events may come about due to emergencies, such as an unexpected hospitalization, a suicidal client, taking on a new client whose insurance company requires electronic billing or other unforeseen reasons. According to HIPAA, at the point that a therapist submits electronic billing and becomes, technically, a “covered entity”, s/he must be in full compliance right then and there. There is no grace period for compliance. At that point the therapist’s entire operation, including manuals, checklists, forms, office and computer security, staff training, etc. must be immediately HIPAA compliant. Realistically, instant compliance is impossible. APA’s Online HIPAA For Psychologist course (2003) states, “ . . . it’s in your best interest to comply now, as any number of future actions, like participating in Medicare or another third-party plan in the increasingly electronic private market, may trigger the HIPAA rule without any grace period to become compliant if it is after the April 2003 deadline.”

4. HIPAA can be triggered unexpectedly by actions outside therapists’ control or even their knowledge. In several situations, even when the therapists do not bill electronically, HIPAA may be triggered unexpectedly and unintentionally. Compliance may be triggered by actions outside the therapist’s control, such as if the therapist’s billing service or a clearinghouse changes to become entirely electronic. A more controversial example is if a therapist bills via fax to an insurance company where the receiving fax is in a computer rather than a non-digital, freestanding fax machine. In these two examples therapists may not even be aware that the HIPAA rule was triggered, and that they should be in full compliance. There are many more such uncertain situations where experts do not seem to agree if HIPAA will be triggered or not. As was noted above, clarity will regretfully emerge via the court system. Therefore, I highly recommend that all therapists be compliant rather than being blindsided by such uncertain and uncontrollable situations; rather than risking being audited, legally challenged, sanctioned or fined.

5. HIPAA is not only about electronic transmission. It is about the therapist’s entire operation. The incessant focus on who falls under the definition of “covered entity” led to a widespread misperception that HIPAA is exclusively or primarily about electronic transmission. This is far from the truth. The privacy and security rules also concern numerous issues, such as medical record concerns, informed consent, disclosures, record keeping, logs, employees, staff training, answering services, attorneys, tech support and shredding practices. The HIPAA rules also concern file cabinets, computer and office security, waiting room privacy concerns, electronic storage and much more. HIPAA regulations concern the therapist’s entire operation. Electronic transmissions are just one small part of these huge regulations.

6. HIPAA will become the State Law. There seems already to be a trend among states to align themselves with HIPAA law. Jensen, the staff attorney for the large California Association of Marriage and Family Therapists (CAMFT), accurately states, “It is not outside the realm of possibility that California may adopt some, most, or all of these principles as its laws to bring uniformity to the healthcare/privacy landscape” (2003, p.24). APA (2003) online HIPAA course also states, “ . . . just because the law may not apply to your practice today, it’s likely that it will apply some time in the future.” When HIPAA regulations become state law, they will apply to all therapists regardless of whether they are Covered Entities or not. The State of California, in its typical ahead-of-the-game approach, has already instituted an agency called California Office for HIPAA Implementation:
(http://www.ohi.ca.gov/state/calohi/ohiHome.jsp).

7. The entire field will become Electronically Dependent. Consistent with the original intent of the HIPAA rule to streamline electronic transmission and the natural evolution of internet technology, there seems to be wide agreement that before long electronic transmission will be the only way to be reimbursed by a third party. Medicare, most experts agree, is likely to be one of the first to require electronic billing from all therapists. California Association of Marriage and Family Therapists (CAMFT) staff attorney, Jensen, accurately outlines the problem. “In fact, if you only accept cash payments from patients, or if you or your patients submit the insurance claims by mail, you do not fall within HIPAA’s purview. However, as attractive as that sounds, the position does come with some consequences. First of all, the rest of the country is going to leave you ‘in the dust’ as we rely more and more on technology in the health care milieu.” (2002, p.24).

8. HIPAA provides an opportunity to upgrade your Practice. Many therapists have been lax about giving their clients office policies, client’s bill of rights or informed consent, thus operating below the standard of care. Many others are not keeping their staff updated about privacy and confidentiality concerns. Many more, being technologically “shy”, or rather technologically impaired, have kept away from Internet technologies. HIPAA provides an opportunity to catch up on the mandatory “Pre-HIPAA” requirements, increase computer and Internet capabilities and, most importantly, come up to standard of care. Since the government gave us a HIPAA type lemon, we might as well make lemonade out of it.

9. Non-(electronic) compliance can increase your operating costs. Not using electronic billing may increase your operating costs. While HIPAA does not mandate electronic billing, insurance companies are likely to impose extra fees for paper claims for the obvious reasons that airlines, hotels, Viagra sellers and millions of other businesses prefer the cheaper option of doing business online rather than with expensive paper and snail mail. Most likely therapists will be prohibited from passing these costs along to Medicare or other insurance clients and will have to pay it themselves.

10. The risks and penalties for non-compliance are too high. While, so far, I offer the reader nine HIPAA carrots, finally, here is the stick. Congress provides civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, therapists may be slapped with penalties of up to $100 per violation, up to $25,000 per year for each requirement or prohibition violated. Criminal penalties apply for certain actions, such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm. Even with your “good intentions”, you want to avoid the possibility of court. In short, get compliant. Zuckerman appropriately describes HIPAA as “a complex…mandate, with deadline and teeth” (2003, p.19).

11. HIPAA is good practice. Despite the dread and confusion that surrounds HIPAA, at the end of the day HIPAA stands for good, solid psychotherapy practices and low-cost operations. It provides higher assurance regarding privacy and confidentiality of records, mandates informed consents, gives clients the right to view their records, to get information about who has been privy to their records and to request an amendment of their clinical records. HIPAA will ultimately assure the highest possible level of electronic transmission security and will simplify third party billing. Laudably, HIPAA will also hold the insurance companies to higher standards and speed of reimbursement, as they will no longer be able to hide behind lame excuses, such as “the dog ate the check” or “we have not received your bill”. In short HIPAA is a friendly animal and compliance will not only protect you from trouble with the Feds, boards and courts, it can improve the quality and integrity of your practice and will align it with the evolving standard of care.

You can run but not hide: Get Compliant

Based on the above eleven reasons, it is my recommendation that all therapists become compliant as soon as possible. Litwak, a HIPAA author and experienced health care attorney in DC, states, “ . . . there are two kinds of clinicians: 1. those who are covered by HIPAA, and 2. those who think they aren’t but really are.” (Psychotherapy Finance, 2002b, p.9). CAMFT staff attorney, Jensen, summarizes it well. “In terms of HIPAA, you can run, but you can’t hide; one of its tentacles will undoubtedly find you.” (2002, p.24). Psychotherapy Finance echoes the same sentiment. “Let’s cut to the chase: If you’re in private practice and plan to stay for a while, you’ll have to comply with new federal rules” (2002a, p.1). Now that I, hopefully, have established the necessity for compliance, I hereby offer simple and basic guidelines on how to achieve it with minimum investment of time, money and agony.

Eleven simple ways towards compliance

Following is a non-exhaustive list of some basic steps that psychotherapists in private practice can take towards compliance:

1. Knowledge. Gain the most basic and general knowledge of HIPAA regulations. There is no need to wrestle with incomprehensible original regulations or lengthy manuals that are written in legalese. Just attend a HIPAA compliance course (make sure the course provides you with the proper HIPAA forms) or read a simple and relatively inexpensive compliance manual (i.e., APA, 2003; Zuckerman, 2003; Zur, 2003b). After your initial familiarity with HIPAA regulations, keep yourself posted on changes and revisions of the regulations.

2. Privacy Officer, HIPAA Folder & General Checklist. Designate oneself as the “Privacy Officer” and create a general “HIPAA file” for the checklist, records of staff training, contracts, HIPAA forms and documentation of all compliance activities, such as consultation, complaints and your own and your staff’s training.

3. HIPAA Forms and Communication. Implement the few new HIPAA forms, most importantly, the Notice of Privacy Practices, as well as Authorizations, Disclosure Log and Request to Amend Health Information. Make sure that the forms you adapt or purchase are state specific or, in other words, comply with your state preemption analysis. Make sure that people in your office have access only to the minimum and necessary information in order to perform their jobs (i.e., receptionist does not need to have access to Dx). When communicating with other health care providers, make sure you give them only the minimum information necessary for the communication.

4. Secure Hard Copy Records. Secure records by simply locking and securing file cabinets and offices and closely monitoring those who have access to them. Make sure you shred confidential information, and make a plan to minimize the chance of theft, damage by fire, flood or freeze or accidental disclosure of confidential information.

5. Secure Electronic/Computer Records. Provide basic and relatively inexpensive computer security, such as virus protection (very cheap to acquire, upgrade frequently), backup (backup frequently and store off-site), firewalls (also cheap, upgrade regularly), passwords (change regularly, log who has the password and do not keep it on a sticky note on the screen) and install computer access records. Make a plan to minimize the probability of accidental disclosure of confidential information, especially with e-mails. Attend to the encryption concerns (already available as part of Outlook) even though they are very complex and not yet fully determined.

6. HIPAA Compliant Software. If you bill electronically or if otherwise relevant to your practice, make sure your software is compliant with HIPAA and you are acting in accordance with HIPAA transaction code standards. If you license software or enter into a contract with an application service provider, make sure that the software products support HIPAA privacy requirements and that the application meets HIPAA security standards.

7. Assure General Privacy. Keep answering machine messages and your computer screen confidential and away from earshot and eyeshot of unauthorized people. Do not keep sign-in sheets or any other client identifying information in the waiting room.

8. Psychotherapy Notes. Consider the option (this is not a requirement) of keeping separate and more protected clinical notes for some clients, called “Psychotherapy Notes”, or what used to be called “Progress Notes”. If you choose to keep Psychotherapy Notes for some clients, learn more about the rules involved and make sure they are marked clearly and stored separately from the general records.

9. Posting Notices. Post a couple of public notices regarding the Privacy Officer and the Notice of Privacy Practices in the waiting room, office and, when appropriate, on your website.

10. Billing Services & Business Associates. If relevant to your practice, secure signed “Business Associates” (i.e., clearinghouses, answering services) HIPAA contracts. Make sure that all your Business Associates are HIPAA compliant (many of these businesses are HIPAA compliant and will supply you with a ready contract.)

11. Staff & Training. If you have employees or staff, make sure they are HIPAA trained. Develop or purchase a HIPAA training program, document the training and re-train as necessary.

Summary

My advice is neither to adopt the ostrich’s “head in the sand” strategy, namely, “Hey, it doesn’t apply to me!” nor to employ the possum ploy, “playing dead”. There is no hiding from HIPAA; it will catch you. Get compliant ASAP. It is not that hard, and it is good practice.

References

APA (2003). HIPAA For Psychologist. Online course.

Freeny, M. (2003). HIPAA – Big, hungry but manageable. NASW Florida Chapter Newsletter, Jan/Feb.

Harris, E. A. (2002). Legal and Ethics Risks and Risk Management in Professional Psychological Practices. Workshop reader, March, LA.

Hartman-Stein, P. (2002). HIPAA may become most disruptive, impactful force in psychotherapy practice. The National Psychologist, Nov./Dec.

Jensen, D. G. (2002). HIPAA Alert: October 16, 2002. Your first Compliance date is almost here. The Therapist, Sep/Oct.

Jensen, D. G. (2003). HIPAA: Psychotherapy Notes and You. The Therapist, Jan./Feb.

Psychotherapy Finance. (2002a). Sept.

Psychotherapy Finance. (2002b). Oct.

Psychotherapy Finance. (2002c). Nov.

US v. Sutherland, (2001) 143 F. Supp.2nd 609 (W.D.Va.,2001) at 612.

Zuckerman, E. (2003). HIPAA Help. Pennsylvania: Three Wishes Press.

Zur, O. (2003a). Is This HIPAA Friendly: All you need to know about HIPAAs, Possums, Ostriches and Eagles in three pages or less. The Independent Practitioner, 23/2, pp 79-82.

Zur, O. (2003b). HIPAA Compliance Kit. Sonoma: O. Zur, Ph.D.

Ofer Zur, Ph.D. is a psychologist and HIPAA expert from Sonoma, CA. His best selling HIPAA Compliance Kit is available at: www.drzur.com To get on his e-mail list go to: drzur@drzur.com

Disclaimer

This article is not a substitute for legal or ethical consultation. It expresses only the author’s opinion and understanding of the complex and ever-changing HIPAA regulations. Consult with your state and your professional organization and/or your attorney for more information.

 
 
