Help with HIPAA: Timely Q & As

by Legal and Regulatory Affairs Staff

February 12, 2004 — The APA Practice Organization has produced a series of informational materials and continues to help practicing psychologists understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Given the law’s complexity, the Practice Organization continues to receive numerous inquiries about HIPAA and how it applies to practitioners.

Several of the most common APA member questions and answers about HIPAA follow.

These questions pertain to specific aspects of the three HIPAA rules that affect many practicing psychologists.

The HIPAA Privacy Rule involves policies, procedures and business service agreements governing access to and use of patient information. The Transaction Rule requires standard formatting of electronic transactions for certain designated financial and administrative purposes. The Security Rule, which will not take effect until 2005, addresses the health professional’s physical infrastructure and is discussed in a later question below.

Q: Am I responsible for HIPAA violations by business associates such as an outside billing service?

A: Yes, unless you are protected by having an appropriate contract with your business associates. HIPAA requires “covered entities,” including individual health professionals who have triggered HIPAA requirements, to enter into contracts with business associates with whom they share “protected health information” (PHI) as defined under HIPAA. Psychologists need to be assured through the contract that a business associate will appropriately safeguard PHI.

A business associate contract must clearly establish what is permitted and required regarding the use and disclosure of records. In effect, the psychologist needs to contractually obligate the business associate to follow all HIPAA compliance requirements that the psychologist must follow.

Q: Am I required to do anything if a business associate violates the HIPAA rules?

A: A psychologist must take action if he or she becomes aware of a pattern of activity that breaches or violates the contract, for example, when the business associate releases PHI to unauthorized parties. In such cases, a psychologist covered by HIPAA must take reasonable steps to cure the breach.

If the breach cannot be cured, the psychologist should terminate his or her contract with the business associate. A report of the breach must be made to the U.S. Department of Health and Human Services if it is not feasible to terminate the contract.

Q: What is the “minimum necessary” standard and when does it apply?

A: When protected health information (PHI) is used or disclosed, the HIPAA Privacy Rule requires psychologists to provide the minimum amount of information necessary to conduct the activity or to respond to an appropriate request for information. The “minimum necessary” standard also applies in making a request for PHI from another covered entity.

Covered entities are given the flexibility to address their unique circumstances. In answering the question of how covered entities are expected to determine the minimum necessary information to use, disclose or request, the U.S. Department of Health and Human Services’ website indicates that, “(the HIPAA Privacy Rule) requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly.” (See the final question in this article for additional information about the HHS website.)

The “minimum necessary” standard does not apply to all disclosures of information. When a patient provides an authorization to release information, for example, the authorization itself should give a specific description of the information to be released.

Q: What is the HIPAA Security Rule and when does it take effect?

A: The Security Rule addresses health professionals’ and organizations’ physical infrastructure — such as access to offices, files and computers — to assure secure and private communication and maintenance of confidential patient information. The Security Rule is unique among the HIPAA rules. It applies only to “protected health information” in electronic form, whereas the Privacy Rule applies to PHI in any format — electronic or otherwise.

Compliance is scheduled for April 21, 2005. Legal and regulatory affairs staff for the APA Practice Organization are evaluating the Security Rule. APA members will receive additional information in the coming months.

Q: Are there websites that I can consult for information about the HIPAA rules?

A: The U.S. Department of Health and Human Services and the Centers for Medicare and Medicaid Services websites provide detailed information about HIPAA. Both websites contain a comprehensive list of questions and answers about the Transaction and Privacy Rules and offer detailed overviews of the Privacy Rule.

Visit the HHS site. This web page includes a link to “Your Frequently Asked Questions on Privacy” and other educational materials. On the CMS site, click on the link “HIPAA Administrative Simplification.” The HIPAA Compliance Center offers a variety of information and tools to aid practitioners with HIPAA compliance. Visit the HIPAA Compliance Center.