HIPAA expert Nancy Wheeler, J.D., in an article titled “Tick Tock…Heed the HIPAA/HITECH Clock,” provides a good overview of what a counseling practice needs to include in its “Notice of Privacy Practices.”
However, here is a shortcut. HHS.gov has done the work for you and prepared a model notice here: Model Notice of Privacy Practices!
Take this form and customize it to your practice’s needs.
How to Post This
Once you have the Notice of Privacy Practices completed, what do you do with it?
1) Have it available in your waiting room for clients / patients.
It’s 5 pages long, so you probably won’t be able to hang it on the wall. Print it, and put it in one of those plastic book-report folders you used in the 6th grade.
2) Post it on your website.
If you have a website, that is. If you don’t, get a website! And have someone else post it for you.
3) Provide new clients a copy of the Notice of Privacy Practices
The model notice the government created is pretty spectacular. However, it’s a full color 5-page notice. You might not want to eat the cost for every client who walks through your door. Here’s an idea. Provide it to every new client, and give them the option of giving it back to you. Most won’t want to keep it. I think this is okay, right? Note: I am not an attorney. I cannot provide legal advice.
An Overview of HIPAA Basics
HIPAA was passed by Congress in 1996 to set a national standard for electronic transfers of health data. This was necessary because private information once revealed in confidence to a health professional was stored in a locked filing cabinet, where it was presumably safe (and largely forgotten about); now most records end up in electronic files (admittedly, counselors are a bit behind the curve on this). Records are routinely seen by people working in the insurance industry, or by a host of businesses associated with maintaining the electronic filing systems. What’s worse, private medical information is now a valuable commodity for marketers who want to tailor advertisements to a person’s interests and circumstances.
“Mental health professionals often resent using an electronic clinical record system that makes more than rudimentary demands. As a result, the EPR [electronic patient record] for mental health lags behind EPRs for other health specialties.”
Hence, the U.S. Department of Health and Human Services issued the HIPAA Privacy Rule, with which most covered entities had to comply by April 14, 2003 (yes, that was 10 years ago). The basic requirement is that: “…the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy…” However, and this is important, note that: “…The Privacy Rule does not require that all risk of protected health information disclosure be eliminated…” In other words, incidental disclosures are permitted as long as reasonable safeguards and minimum-necessary policies and procedures are in place. Let’s look briefly at some important HIPAA highlights.
Minimum Standards of HIPAA Compliance Basics
HIPAA sets a nationwide minimum standard for the way medical information is handled and accessed. Before HIPAA, one’s right to privacy of health information varied from state to state. It still does to an extent (a state may impose stricter rules), but there is now a national floor.
Minimum safeguards include limiting administrative access to information, limiting disclosure of information in public places, and limiting physical access to the areas of a facility where records are kept. How limiting are these restrictions? HIPAA requires that only the minimum information necessary “to accomplish the intended purpose” be disclosed to another party. Does this seem vague? That is intentional. Generally speaking, HIPAA spells out what needs to be done, not how it is to be done.
For an online counseling practice, the technical safeguards translate into measures such as:
- Unique User Identification: a unique account (username and credential) for each staff member and client, so that no two people share a login and every action can be traced to one person
- Automatic Logoff: an automatic logout after a period of workstation or session inactivity
- Auditing Mechanisms: a system that records who accessed which record and when, with the logs kept where ordinary users cannot alter them
- Authentication of Electronic Protected Health Information: a mechanism, such as a checksum or message authentication code, to detect that stored or received data has been altered
- Protected Transmission: ensuring data is protected while in transit over open networks, which in practice means encrypting it (for a website or client portal, TLS/HTTPS)
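As an added example (not code from the original article or from any product it mentions), here is a small Python sketch of three of the controls above working together: per-user sessions with unguessable identifiers, an idle timeout that logs the user off automatically, an audit trail of every access decision, and an HMAC-SHA256 tag that detects tampering with a stored record. The key, timeout value, user and record names are constructed for illustration; in a real deployment the key would come from a secrets manager and the audit log would be written to append-only storage.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Assumed for the example: a per-practice secret held outside the record store
# (in practice a KMS or secrets manager). This value is constructed, not real.
INTEGRITY_KEY = b"example-only-integrity-key"

# Automatic logoff after 15 minutes of inactivity (hypothetical policy value).
IDLE_TIMEOUT_SECONDS = 15 * 60


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to a record so later tampering is detectable."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the stored record and compare in constant time."""
    body = json.dumps(sealed["record"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class Session:
    user_id: str
    last_activity: float


class SessionManager:
    """Unique per-user sessions, idle auto-logoff, and an audit trail of access."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.time) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the timeout can be exercised deterministically
        self.sessions: dict[str, Session] = {}
        self.audit_log: list[dict] = []

    def _audit(self, event: str, user_id: str | None, **details) -> None:
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user_id, **details})

    def login(self, user_id: str) -> str:
        """Issue an unguessable session id bound to exactly one named user (no shared logins)."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(user_id, self.clock())
        self._audit("login", user_id)
        return session_id

    def access(self, session_id: str, record_id: str) -> bool:
        """Return True if the session may read record_id; idle sessions are logged off first."""
        session = self.sessions.get(session_id)
        if session is None:
            self._audit("denied", None, record=record_id, reason="no active session")
            return False
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            del self.sessions[session_id]
            self._audit("auto_logoff", session.user_id, reason="idle timeout")
            return False
        session.last_activity = now
        self._audit("record_access", session.user_id, record=record_id)
        return True


if __name__ == "__main__":
    mgr = SessionManager()
    sid = mgr.login("counselor.jane")      # constructed user name
    print(mgr.access(sid, "client-0042"))  # True: live session
    sealed = seal_record({"client": "client-0042", "note": "intake summary"})
    print(verify_record(sealed))           # True
    sealed["record"]["note"] = "altered"   # simulate tampering in storage
    print(verify_record(sealed))           # False
    for entry in mgr.audit_log:
        print(entry)
```

Two design points worth noting: the tag is computed over a canonical JSON encoding (sorted keys, no whitespace) so that the same record always produces the same tag regardless of how it was serialized, and `hmac.compare_digest` is used rather than `==` so that verification time does not leak how many leading characters of a forged tag were correct.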
Provider Organization and Training
A privacy officer should be appointed at each counseling agency. This individual is responsible for overseeing HIPAA compliance and for ensuring that all staff are educated and trained in HIPAA principles and procedures.
Client Relations and Education
Clients are to be informed of their privacy rights, as well as the privacy practices that are in place to protect those rights. For local practices, a notice should be given to the client or posted in the health care facility. In an online counseling practice, this information should be posted prominently on the website, or a notice of privacy rights may be emailed to the client if the client agrees to that process. In the latter case, there should be an electronic acknowledgement of receipt. Accordingly, “…For notice delivered electronically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice.”
Also, HIPAA states, “…When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice [regarding privacy rights] automatically and contemporaneously in response to the individual’s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice…”
HIPAA also requires that reasonable “special requests” from clients for confidential communications be accommodated. For instance, a client might prefer that telephone calls from a health professional go to their home rather than their office. Or a client might want notices, such as appointment reminders or bills for services, sent to a post office box instead of their home.
Client Access to Records
Prior to HIPAA, client access to their health records was not guaranteed by federal law, and only about half of the U.S. states had laws requiring clients/patients be allowed to view a copy of their medical records. However, now HIPAA gives everyone the right to see, copy, and request an amendment to their health files.
For online counseling, if copies of email exchanges or chat sessions have been saved, those records form part of the client’s record, and the client must be granted access to them as well.
Keeping an Account of Disclosures
Providers are required to keep an accounting of disclosures of clients’ health information. This means a client can find out who has received their health records outside of routine care, and why, for at least the previous six years: which insurers, which outside businesses, which technology vendors. Note the exception, however: disclosures made for treatment, payment, and health care operations do not have to be included in this accounting, so day-to-day access by your own staff or by a billing company will generally not appear in it. Your system’s own audit logs (see the technical safeguards above) should still record that access.
HIPAA also keeps health care providers accountable to these standards. Clients can file a complaint with their health care provider and/or with the U.S. Department of Health and Human Services if they believe a provider or health plan has violated their privacy. Civil penalties, and in some cases criminal penalties, can follow from an enforcement action against a provider for HIPAA violations.