HIPAA Guidelines
By Deborah Ribnick, Ph.D.
NSPA Board Secretary
NSPA recently hosted two seminars (one in Las Vegas and one in Reno) concerning HIPAA, the Health Insurance Portability and Accountability Act, which was signed into law in 1996. The HIPAA mandates are now upon us, and all practitioners need to understand how they will affect their work, whether in private practice or employed in an agency. HIPAA applies to all types of healthcare providers. Mental health providers will likely have to make fewer practice adjustments than other healthcare practitioners, given the stringent confidentiality standards we already follow. In the following article, I provide an overview of the issues at hand, as described by Dr. Nan Klein during the seminar and in the related literature.
HIPAA involves three rules: (1) the Privacy Rule, which identifies the type of health information that is protected and who must abide by the rules; (2) the Transactions Rule, which standardizes how information is conveyed electronically; and (3) the Security Rule, which defines the administrative, physical, and technical safeguards required to protect information. Where the federal HIPAA rules conflict with state law, the more stringent provision takes precedence. Stringency is judged from the standpoint of the patient: the provision that gives the patient greater protection, or greater access to his or her own records, is the one that controls.
The Privacy Rule governs the access, use, and disclosure of Protected Health Information (PHI). PHI is defined by four elements: (1) it is individually identifiable patient information, whether typed, handwritten, spoken, or electronic; and (2) it relates to the past, present, or future physical or mental health condition of an individual, (3) to the provision of healthcare, i.e., treatment, or (4) to the past, present, or future payment for the provision of healthcare. Although it is electronic transactions that bring a psychologist under HIPAA, PHI itself includes information in any form, including paper records. The Privacy Rule applies not only to healthcare providers, but also to health plans (employer-sponsored group plans, Medicaid, and Medicare), healthcare clearinghouses, and business associates. A business associate is defined as an "organization or person, other than a member of the psychologist's workforce, who receives PHI from the psychologist to provide services to, or on behalf of, the psychologist," e.g., an accountant, a billing service, etc. Business associates do not include federal oversight agencies or law enforcement agencies.
A psychologist becomes subject to HIPAA (a "covered entity") as soon as PHI is transmitted electronically in connection with one of the standard transactions, whether the psychologist sends it directly or a billing service sends it on the psychologist's behalf. The rules then apply to both the transmission and the receipt of PHI. It is not yet clear which types of electronic transactions will apply to psychologists; minimally, they include checks on insurance benefits and eligibility, claims submissions, and checks on claim status. It is imperative to understand that once you are a covered entity, the Privacy Rule applies to your entire practice, not just to those clients for whom you have electronically generated information. That is, a single electronic transaction brings your entire operation, paper records included, under HIPAA! Note that there is no grace period for compliance beyond the established deadline date.
The most notable feature of the Privacy Rule is that patient consent is not required for the use and disclosure of PHI for treatment, payment, and healthcare operations. This means that such information may be transmitted to other healthcare providers or payer sources without the patient's consent. However, given the sensitive nature of psychotherapy disclosures, psychotherapy notes are afforded greater protection: you must still obtain the patient's written authorization to release your notes. One significant gain in patient protection is that insurance companies can no longer condition coverage or payment on the release of psychotherapy notes. Psychotherapy notes are defined as "notes recorded in any medium by a mental health provider documenting or analyzing the contents of a conversation during a private, group, joint, or family counseling session, and that are separated from the rest of the individual's medical record." (The notes may be kept in the same folder as the rest of the medical record, but must be kept in a separate area; the safest practice is to keep them in a completely separate folder.) The one exception involves psychological testing and evaluation, whose raw data and reports are not psychotherapy notes and therefore do not require patient authorization for release to a payer! This means you may not want to alert insurance companies that you have conducted an evaluation, because they may request this information for payment purposes without the patient's authorization.
Practitioners need only provide the following types of information to an insurance company: the duration, frequency, and modalities of therapy furnished, results of clinical tests, treatment summary, diagnosis, treatment plan, functional status, prognosis, and progress to date. The rule of thumb is to share only the minimum information necessary to accomplish the activity at hand. Certain exceptions do exist under which disclosure without patient authorization is permitted (and may be required by other law), including: Tarasoff-related situations; reports concerning victims of abuse, neglect, or domestic violence; disclosures to public health authorities; to a coroner or medical examiner; to the military or V.A. for national security purposes; to law enforcement in the pursuit of a suspect or fugitive; in response to a subpoena or court order; or when required by state law. HIPAA also requires that its compliance documentation (policies and procedures, notices, authorizations, and accountings of disclosures) be retained for six years, which exceeds the five-year minimum Nevada state law sets for records; a six-year retention schedule for the whole record satisfies both.
Patients must be provided notice of your PHI use and disclosure policies, and you must make a good-faith effort to obtain the patient's written acknowledgment of receipt of this notice. Patients must be allowed to request restrictions on the use and disclosure of their PHI; a psychologist is not required to agree to a restriction, and may refuse one that would compromise professional judgment or treatment, but any restriction that is agreed to becomes binding. Patients have the right to access their record for inspection and amendment, although psychotherapy notes may be excluded. Patient amendments are appended to the record, not substituted for the original entries. A practitioner can deny a request for amendment if he or she did not originate the information, or if the information is believed to be accurate and complete. Patients can also obtain an accounting of how their PHI was disclosed (the first accounting in any twelve-month period must be free of charge). However, this accounting need not include disclosures made for treatment, payment, or healthcare operations, disclosures prior to the compliance date, disclosures to business associates, the patient's own access to the record, or disclosures to the Department of Health and Human Services regarding HIPAA compliance.
Generally, parents and legal guardians serve as a minor's personal representative and have access to the medical record. However, three exceptions exist concerning services to a minor: (1) if state law allows a minor to obtain mental health services without the consent of a parent or guardian, then the parent is not considered the personal representative and therefore cannot access the record; (2) when a court determines, or another law authorizes, that someone other than the parent is to make healthcare decisions for the minor; and (3) when the parent, guardian, or person acting as a parent assents to an agreement of confidentiality between the minor and the healthcare provider. Even if a minor chooses to involve his or her parent or guardian in treatment, the minor retains the ability to preserve the confidentiality of PHI. It is advised that you have the minor sign your consent form upon reaching the age of majority, so that parents and guardians no longer have access to the record.
Compliance with each HIPAA rule is mandated two years after the rule's effective date (small health plans are given an additional year). The Privacy Rule became effective April 14, 2001, and full compliance is therefore mandated by April 14, 2003. The compliance deadline for the Transactions Rule was October 16, 2002; for those who filed for an extension, the deadline has been extended to October 16, 2003. The Security Rule has not yet been finalized, and compliance will be mandated two years after it becomes effective.
It is imperative that practitioners have formal privacy and security policies and procedures in place, train their workforce, designate a privacy officer (which can be yourself) to monitor compliance, and apply sanctions as needed. A written contract must be in place with each business associate (including subcontractors) specifying what uses and disclosures of PHI are permitted and required. Practitioners must inform patients of their privacy rights and of how their information may be used, and must offer patients a formal complaint process.
Legal consequences exist for failure to comply with HIPAA mandates. Fortunately, HIPAA states that a covered entity must "reasonably" meet the HIPAA requirements according to its size and type of activities, which is called "Scalable Compliance." Practitioners are responsible for knowing both HIPAA rules and state law, abiding by the most stringent provisions. The APA has gone to great lengths to conduct an analysis of HIPAA rules compared to individual state laws. The APA will publish their analysis early next year to inform practitioners which rules will take precedence in their state.
The APA Practice Organization and Insurance Trust are creating HIPAA compliance resources, to include forms that can be used by practitioners. The HIPAA rules are still subject to interpretation, so it is advised that you stay apprised of updated information through APA and NSPA. You may wish to visit their respective websites at: www.apapractice.org and www.nevadapsychologists.org.