The HIPAA Privacy Rule: Frequently Asked Questions (FAQs)
by Legal and Regulatory Affairs Staff
The Practice Organization has received many questions about what psychologists need to do in light of the April 14, 2003 deadline for complying with the HIPAA Privacy Rule (Privacy Rule). Below are answers to some of the most common questions.
The most complete resource, however, is the HIPAA for Psychologists product that has been developed by the APA Practice Organization and APA Insurance Trust. You can learn more about the product and order it at APApractice.org.
Yes, because the Privacy Rule applies to any psychologist who transmits protected health information (see Question 5) in electronic form in connection with a health care claim or any other transaction for which HIPAA has adopted a standard (for example, an eligibility inquiry or a referral authorization).
Once the rule is triggered (for example by a single electronic transaction as described in the previous answer), the psychologist’s entire practice must come into compliance.
Because the Privacy Rule applies to the electronic transmission of health information, some psychologists who do not submit electronic claims or who don’t participate with third-party payment plans may not currently need to comply with the Privacy Rule. However, it is in your best interest to comply now, as any number of future actions may trigger the Privacy Rule (for example, participating in Medicare or another third-party payment plan in the increasingly electronic private market). Compliance may also be triggered by actions outside of your control, such as if you use a billing service that becomes entirely electronic. If one of these events suddenly triggers your Privacy Rule obligations after the April 2003 deadline, you will have no grace period for coming into compliance. Consequently, the APA Practice Organization and the APA Insurance Trust strongly recommend that you act now to get in compliance, so that you will be ready as the health care industry becomes increasingly dependent upon electronic transmissions.
Yes, the Privacy Rule applies to all covered health care providers — from those in large multihospital systems to individual solo practitioners. The administrative requirements of the Privacy Rule are “scalable,” meaning that a covered entity must take “reasonable” steps to meet the requirements according to its size and type of activities. In other words, the administrative burden on a psychologist who is a solo practitioner will be far less than that imposed on a hospital. For example, a hospital may be required to create a full-time staff position to serve as a privacy officer, while a psychologist in a solo practice may designate himself or herself as the “privacy officer.”
The Privacy Rule applies to, and provides specific protections for, protected health information (PHI). With certain exceptions, the Privacy Rule defines PHI as information that: (1) is created or used by health care professionals or entities; (2) is transmitted or maintained in any form or medium; (3) identifies or can be used to identify a particular patient; and (4) relates to one of the following: (a) the past, present, or future physical or mental health condition of a patient; (b) the provision of health care to a patient, or (c) the past, present, or future payment for providing health care to a patient.
“Consent,” as it was used in the Privacy Rule, refers to advance permission, typically given by the patient at the start of treatment, for various disclosures of patient information to third parties. Consent is no longer required by the Privacy Rule after the August 2002 revisions. However, in many states this type of consent will still be required for routine disclosures, such as for treatment and payment purposes (these more protective state laws are not preempted by the Privacy Rule).
“Informed consent to treatment” is not a concept found in the Privacy Rule. It refers to a client’s decision to allow a health care provider to perform a particular treatment or intervention. State laws and ethical codes on informed consent require that the psychologist provide understandable information about the risks and benefits so that a patient can make a knowledgeable, informed decision about treatment.
HIPAA defines psychotherapy notes as notes recorded in any medium by a health care provider who is a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. To meet the definition, these notes must also be kept separate from the rest of the individual’s medical record. The Privacy Rule specifically excludes from the definition information pertaining to counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, medication prescription and monitoring, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. (Psychotherapy notes are similar to, but generally not the same as, “personal notes” as defined by a few states.)
Yes, the Privacy Rule provides a higher level of protection for psychotherapy notes than for other types of patient information. For example, in most situations you cannot release psychotherapy notes without the patient signing a detailed authorization form specifically for the release of psychotherapy notes. By contrast, in most states you could release the patient’s other records for most treatment and payment purposes without consent, or with just the patient’s signature on a simpler general consent form.
An insurance company cannot obtain psychotherapy notes without the patient’s authorization, and it is not permitted to condition reimbursement on receipt of the patient’s authorization for disclosure of psychotherapy notes.
No, the Privacy Rule does not require that you keep psychotherapy notes. It simply specifies heightened protection for psychotherapy notes in the event that a psychologist maintains them. Because of that protection, however, it may be advisable to keep psychotherapy notes and use them to protect sensitive information that is not specifically excluded from the psychotherapy notes definition (see Question 8 above).
In certain circumstances, the Privacy Rule permits use and disclosure of protected health information without the patient’s permission. For example, the Privacy Rule permits consultations between psychologists and other health care professionals without permission, because such consultations fall under the Rule’s “treatment” exception. However, many states require that before releasing patient information for a consultation, a psychologist must have obtained the patient’s generalized consent at the start of treatment. (Such state laws are not preempted by the Privacy Rule because they are more protective of privacy.) How the Privacy Rule interacts with your state’s consent or authorization rules is an important issue covered in the HIPAA for Psychologists product.
For purposes of the Privacy Rule, business associates are organizations or persons, other than members of the psychologist’s own office staff, who receive protected health information (see Question 5 above) from the psychologist in order to provide a service to, or on behalf of, the psychologist. Examples of “business associates” are billing services, accountants, and attorneys. The Privacy Rule requires that psychologists have a “business associate contract” with any business associate with whom they share PHI. This contract ensures that the business associate (who is not directly regulated by the Privacy Rule) will safeguard the privacy of the information. HIPAA for Psychologists contains a model business associate contract that you can use in your practice.
An I/O psychologist simply performing assessment for an employer for an employer’s use typically would not need to comply with the Privacy Rule. However, an I/O psychologist or other psychologist performing services for an employer for which insurance reimbursement is sought, or which the employer (acting as a self-insurer) pays for, would have to make sure that the employer is complying with the Privacy Rule.
Military, veterans’ affairs and CHAMPUS programs all fall under the definition of “health plan” in the rule. Therefore, the rule applies to the health services provided by these programs. The Secretaries of Veterans’ Affairs and Defense are charged with working with the Department of Health and Human Services to apply the Privacy Rule requirements to their respective health programs. Psychologists in these programs should look to their central offices for guidance.
The Security Rule is one of three rules issued under HIPAA. The others are the Privacy Rule, which is the primary focus of these FAQs, and the Transaction Rule, which requires standardized formatting of all electronic health care transactions in the health care system. The Transaction Rule had an October 2002 compliance date, but psychologists who filed a timely extension form have until October 2003 to comply. The Security Rule focuses on the administrative, physical, and technical safeguards needed to protect the confidentiality, integrity, and availability of patient information that is stored or transmitted electronically, e.g., controlling who can access patient files on a computer, keeping computers and storage media physically secure, and using computer and Internet security measures. (Paper records are covered by the Privacy Rule’s own safeguard requirements, not by the Security Rule.) The final Security Rule has not yet been released. Information about the Security Rule and its status can be found on the HHS website.
Information about how the Privacy Rule applies to psychological practice, how the Privacy Rule preempts and interacts with your state’s privacy laws, and what you must do to prepare for the April 14, 2003 compliance deadline;
The necessary state-specific forms that comply with both the Privacy Rule and relevant state law;
Policies, procedures and other documents needed to comply with the Privacy Rule in your state;
Four hours of CE credit from an APA-approved CE Sponsor; and
A 5 percent premium discount for psychologists insured in the Trust-sponsored Professional Liability Insurance Program for taking the CE course.