[CESPPA] Privacy Rule Compliance Is Not Enough:
Three Things You Should Know about the HIPAA Security Rule

Dear EDs:

It has come to our attention that a number of practitioners are under the impression that the actions they took to comply with the Privacy Rule are enough to also make them compliant with the HIPAA Security Rule. This is inaccurate. While there is some overlap, the Security Rule is separate and distinct, and requires a different set of compliance activities than the Privacy Rule. A recent APA Practice Organization "PracticeUpdate" newsletter article listed three important things every psychologist should know about Security Rule compliance in an effort to address this issue. The article is attached below should you want to run it in its entirety on your website or use it in your newsletters.

The article can also be found on APApractice.org at:
http://www.apapractice.org/apo/insider/hipaa_reg/hipaa/hipaa_security_rule/notenough.html#.

-- APA Practice

Posted 5/13/05


Chances are, you took steps over the last two years to comply with the HIPAA Privacy Rule. But being compliant with the Privacy Rule does not mean you are compliant with the latest rule to go into effect - the HIPAA Security Rule.

Complying with the HIPAA Security Rule involves an entirely separate process to secure all patient information that is electronically stored, generated, transmitted or received. This includes related information such as patient notes, insurance records, email, or even a paper fax you send that is received via someone else’s computer. As of April 20, 2005, psychologists deemed in violation of the HIPAA Security Rule could be subject to substantial penalties, including fines and even imprisonment.

Here are three important things every psychologist should know about Security Rule compliance:

  1. The HIPAA Security Rule requires its own set of compliance activities. Because each HIPAA Rule is separate and distinct, each requires its own compliance process. To be compliant with the Privacy Rule, for example, you needed to inform patients about how to access protected health information contained in their records. Under the Security Rule, if that protected health information is transmitted electronically or stored on a computer, you must take specific steps to ensure that unauthorized parties cannot access that information. In other words, while the Privacy Rule outlines the process for obtaining authorized disclosures of protected health information, the Security Rule focuses on preventing unauthorized disclosure. A separate set of steps must be taken to ensure compliance with both.

  2. Security Rule compliance requires more than adding new locks and a password. To be compliant with the Security Rule, you must conduct a formal risk assessment of your practice, document your compliance decisions, and then implement safeguards to minimize any risks you have identified. Documenting the process of identifying and minimizing risks is as important as the actual steps you take. For instance, a number of the Security Rule requirements are “addressable.” This means you must decide whether the requirement is one with which you will choose to comply (based on the type of risk, the size of your practice, the cost of compliance, etc.). Under the Security Rule, “addressable” does not mean “optional”; if you elect not to comply with an addressable requirement, the Security Rule obliges you to document your decision as well as the rationale you used to arrive at that decision. A psychologist responding to a Security Rule complaint will be required to demonstrate not only that he or she undertook a risk assessment, but also - in the case of addressable requirements - that he or she documented a rationale for choosing to comply or not to comply.

  3. Even if you do not submit electronic claims, it’s likely you still need to be in compliance. Like the Privacy Rule, the Security Rule is "triggered" when you transmit information in electronic form in connection with a "standard transaction." The following standard electronic transactions are specified by the Security Rule and trigger the need for compliance:

    • Health care claims
    • Health care payment and remittance advice
    • Coordination of benefits
    • Health care claim status, enrollment or disenrollment in a health plan
    • Eligibility for a health plan
    • Health plan premium payments
    • Referral certification and authorization
    • First report of injury
    • Health claims attachments

Even if you believe you do not electronically transmit protected health information, taking steps to comply with the Security Rule is sound risk management. Why? Because, just as with the Privacy Rule, once the Security Rule is triggered, all aspects of a psychologist’s practice must be in compliance with the Rule from that point forward.

What are the penalties for not being compliant? The Security Rule is enforced by the Centers for Medicare and Medicaid Services (CMS) within the U.S. Department of Health and Human Services (HHS), which may impose the following:

  • Administrative Action (i.e., implement a corrective action plan created by CMS)
  • Civil Penalties ranging from $100 to $25,000
  • Fines of up to $250,000 and imprisonment for up to ten (10) years

The bottom line is, it makes sense for practitioners who electronically store, access, send or receive patient or patient-related information to ensure that they are compliant with the HIPAA Security Rule. The APA Practice Organization has developed the “HIPAA Security Rule Primer” and the “HIPAA Security Rule Online Compliance Workbook,” created especially for practicing psychologists. You can access these and other HIPAA compliance resources by visiting http://www.apapractice.org.

Reprinted with permission from APApractice.org, the official website of the APA Practice Organization. For more information about issues and topics affecting the practice of psychology, including important legislative and legal developments and information about managing a practice, visit APApractice.org.

Posted 06/0605