Not too long ago, I conducted a workshop on telehealth. During the Q & A period at the end, a woman said that she had been told she was exempt from HIPAA and wanted to check with me to see if that was true. I was caught off guard. I used to get that question a lot, but I hadn’t heard it for a while, so it took me a moment to gather my wits. Finally I said, “Do you only use landlines when talking with your patients?” She replied that she did. I continued, “And are they always only on landlines as well?” She assured me that they were. “And you’re not doing any video sessions, only in person?” That was true, too. My last question was, “And I assume you don’t take insurance at all, that you’re only private pay?” She was. I replied, “Ok, then yes, I guess you’re fine. No need to worry about HIPAA.”
She left relieved. I left unsure of my answer.
The whole interaction bothered me. I just couldn’t understand how, in this day and age, anyone could still be exempt from HIPAA. So I researched it. I did some fact-finding and also checked with colleagues who teach, publish, and/or research in this area. My conclusion was that the initial gut reaction I had to the question was probably correct. I think it’s safest for ALL mental health professionals to assume that HIPAA applies to them. And yes, all of it. Even if you pass the same test I put to the woman in my workshop, have you signed any Business Associate Agreements (BAAs) for any healthcare software you may be using? Those almost all start with a statement similar to this:
“This agreement is between Company A, a software company, and Person/Company B, a Covered Entity.”
If you signed it, you’ve got a legally binding document saying you’re a Covered Entity (i.e., must abide by HIPAA). (And no, I’m not suggesting you NOT get BAAs with your products. Those are very important.)
There are also other things that could have triggered HIPAA for you. Here are some links to the actual codes if you’d like to dig a little deeper:
- § 162.1101 Health care claims or equivalent encounter information transaction.

Additional things that can trigger HIPAA:
- § 162.1201 Eligibility for a health plan transaction.
- § 162.1301 Referral certification and authorization transaction.
- § 162.1401 Health care claim status transaction.
- § 162.1801 Coordination of benefits transaction.
At this point in time, rather than try to figure out how to avoid HIPAA, it’s probably best to just jump in and become compliant. Before I tell you what it takes to become compliant, let me tell you what DOESN’T make you compliant:
- Using “HIPAA-compliant software”
- Putting a disclaimer at the bottom of all email you send saying that it’s not encrypted (or anything else you might think to put there)
- Getting BAAs (Business Associate Agreements) with vendors of all software you use in your practice
None of these things is bad. In fact, some of them are quite good or at least heading in the right direction. The problem is that there are so many products that put the word “HIPAA” on them (often at least partially for marketing purposes), that therapists tend to get lulled into thinking if they have those products, they’re compliant with HIPAA. This is a bit like going to your local farmer’s market to buy the best, freshest ingredients for a wonderful meal, but then taking it all home and leaving it in your fridge – never actually preparing the meal.
- Create a Compliance Repository
- Implement Privacy Policies and Procedures
- Appoint a Privacy Officer
- Provide a Notice of Privacy Practices
- Train Your Workforce
- Implement a Compliant Process
- Document Compliance Procedures
- Possess and Apply Sanctions
A to-do list for creating your Security Policy might look like this:¹
- Perform a Risk Assessment
- Create a PHI map for your office
- Inventory Your Equipment
- Develop a Plan to Secure Each Piece of Equipment
- Develop a Plan to Secure any Paper Records You May Have
- Implement Your Plans
- Make Sure You Have Backups
- Develop a Contingency Plan for Emergencies
Following these lists can help ensure that if you ever have to face a HIPAA audit, you’ll come out just fine. The lists may look intimidating but they don’t have to be. One strategy would be to Google each list item, read enough articles about it so you feel you understand it, and then implement it. Or, if you want a simpler solution, these to-do lists are taken from “TELEHEALTH for the Mental Health Professions: Constructive and Evidence-Based Tips for Practicing Safely, Efficiently, and Legally.” The book is comprehensive in that it covers all aspects of telehealth, not just HIPAA. However, the parts that cover HIPAA go through all items on both lists one at a time, making specific suggestions about how to implement each. Although there is no one way to implement HIPAA, the suggestions in the book provide concrete examples of plans you can use for your practice that should stand you in good stead if you’re ever audited.
Reviews and more info about “Telehealth for the Mental Health Professions”
¹ Litton, S. (2021). Telehealth for the Mental Health Professions: Constructive and Evidence-Based Tips for Practicing Safely, Efficiently, and Legally. Professional Resource Press.