Does HIPAA Apply to Therapists?
HIPAA applies to therapists who own, who work for, or who are contracted to a healthcare organization or practice that qualifies as a HIPAA covered entity. Therapists who are not covered by HIPAA may be subject to equally as stringent privacy regulations depending on their location, state licensing laws, and board certification requirements.
Because there are many types of therapists, there is no one-size-fits-all answer to does HIPAA apply to therapists. The job title “therapist” can be used to describe occupations as diverse as psychiatrists and marriage counsellors, and even when a healthcare professional describes themself as a “therapist” and works in a healthcare environment, HIPAA may not apply to the healthcare environment. In this case, HIPAA would also not apply to the healthcare professional/therapist.
When Does HIPAA Apply to Therapists?
HIPAA applies to healthcare providers (as that term is defined in Chapter 7 §1395x of the Public Health and Welfare Code) who conduct – or subcontract – electronic healthcare transactions for which the Secretary of Health and Human Services (HHS) has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations.
Not all therapists meet the definition of a healthcare provider. Of those that do, only practices that conduct or subcontract transactions such as eligibility checks, treatment authorization requests, and claims for payment to health plans and public health programs qualify as HIPAA covered entities – provided the transactions are conducted electronically.
Consequently, HIPAA does not apply to career counsellors, mediation services, most sports teams, or life coaches. Nor does it apply to therapists’ practices who bill patients directly, or who conduct HIPAA-covered transactions in non-electronic formats (i.e., via USPS, paper-to-paper fax, or a PSTN telephone service).
HIPAA also does not apply to school therapists who work in public schools, as student health records are considered part of their education records under the Family Educational Rights and Privacy Act (FERPA). Therefore, even when a therapist describes themselves as having a specific occupation (i.e., psychologist), there is no guarantee HIPAA applies to the therapist.
How Does HIPAA Apply by Status?
When HIPAA does apply to therapists, how HIPAA applies is determined by the therapist’s “HIPAA status”. For example, a therapist who owns a qualifying practice and who operates the practice as a sole practitioner is responsible for complying with all applicable standards of the HIPAA Administrative Simplification Regulations.
This means the therapist is responsible for determining which HIPAA standards apply, developing policies and procedures to comply with the standards, implementing safeguards to ensure the confidentiality of Protected Health Information, and monitoring compliance by members of the workforce and business associates.
A therapist who is employed by a therapist’s practice – or a healthcare organization that qualifies as a HIPAA covered entity – only has to comply with the HIPAA policies and procedures implemented by the practice/organization that apply to their function(s). The policies and procedures should be explained to workforce members during HIPAA training.
How does HIPAA apply to therapists who are contracted to a practice depends on their workforce status. If the therapist is a self-employed member of the workforce, their compliance obligations are the same as an employed member of the workforce. If they are contracted as a business associate, their compliance obligations depend on the content of the Business Associate Agreement.
Other Regulations That Can Apply to Therapists
There are many other regulations that can apply to therapists – whether they are covered by HIPAA or not. These most commonly include Part 2 regulations relating to the confidentiality of substance use disorder patient records, the Americans with Disabilities Act (ADA), and the Mental Health Parity and Addiction Equity Act (MHPARA).
Privacy regulations in several states apply HIPAA-esque privacy protections to healthcare records when a therapist does not qualify as a HIPAA covered entity (for example, Texas’ Medical Records Privacy Act), while most states have mandatory reporting requirements when a child demonstrates signs of abuse or neglect.
State licensing laws and board certification requirements may also include privacy regulations that apply to therapists that are as – or more – stringent than HIPAA. For example, the California Board of Behavioral Sciences requires licensed marriage and family therapists to understand clients’ privacy rights in situations requiring involuntary hospitalization.
Healthcare professionals unsure about when does HIPAA apply to therapists are advised to seek professional compliance advice. Sole proprietor therapists and therapists that qualify as business associates should speak with their licensing board, while employed and contracted members of a therapist’s workforce should speak with the practice’s compliance officer.
