The HIPAA guidelines for mental health professionals are the same as the HIPAA guidelines for other types of healthcare professionals. However, due to the sensitive nature of health information collected, used, and disclosed in mental health environments, mental health professionals may need to better understand certain standards of the Privacy Rule relating to permissible uses and disclosures of Protected Health Information.
HIPAA Compliance Obligations for Mental Health Professionals
Before discussing the HIPAA guidelines for mental health professionals, it is important to note mental health professionals can have different HIPAA compliance obligations depending on whether they are a sole practitioner that qualifies as a covered entity under HIPAA or an employee of a healthcare organization that qualifies as a covered entity under HIPAA.
Additionally, if a sole practitioner or healthcare organization does not qualify as a covered entity under HIPAA, but provides services to or on behalf of a HIPAA covered entity as a business associate, different HIPAA guidelines for mental health professionals may apply.
If none of the above scenarios apply, mental health professionals still have to comply with ethics codes and state laws that protect the privacy of patients’ health information – which, in many cases, are similar to or the same as the HIPAA guidelines for mental health professionals.
Covered Entities and Business Associates Explained
HIPAA defines covered entities as health plans, health care clearinghouses, and healthcare providers (as defined by §1395x(u) of the Public Health and Welfare Code) that transmit health information in electronic form in connection with a transaction covered by Part 162 of the HIPAA Administrative Simplification Regulations.
Therefore, if a sole practitioner or healthcare organization (that meets the definition of a healthcare provider) transmits health information electronically for eligibility checks, treatment authorizations, and/or claims, they qualify as a covered entity and are required to comply with all applicable standards of the HIPAA Administrative Simplification Regulations.
If a sole practitioner or healthcare organization does not qualify as a covered entity, but provides services to or on behalf of a covered entity, they are defined as business associates. Business associates are required to comply with all applicable standards of the Security and Breach Notification Rules, plus any other standards stipulated by a Business Associate Agreement.
Examples of sole practitioners and healthcare organizations that might not qualify as covered entities, but that might qualify as business associates, include homeopaths, mental health professionals that bill patients directly, and sole practitioners/organizations that conduct Part 162 transactions by mail, PSTN telephone services, or paper-to-paper non-digital fax machines.
An Overview of the HIPAA Guidelines
The primary objectives of HIPAA for mental health professionals are to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI) while facilitating the flow of information for treatment, payment, and health care operations.
HIPAA attempts to achieve its primary objectives by stipulating which uses and disclosures of PHI are mandatory, permissible, or require consent/authorization from the subject of the PHI or their personal representative. HIPAA also stipulates the controls required when PHI is created, received, maintained, or transmitted electronically or shared with a business associate.
A further objective of HIPAA is to give patients control over how their PHI is used and disclosed. Patients have the right to inspect PHI maintained by a covered entity, request corrections when errors or omissions exist, and request an accounting of disclosures. Patients also have the right to complain to HHS’ Office for Civil Rights if their HIPAA rights are denied.
Because it is not always possible to protect the privacy of individually identifiable health information, covered entities must inform patients if PHI is disclosed impermissibly or if unsecured electronic PHI is exposed in a data breach or other security incident. Notifications must also be sent to HHS’ Office for Civil Rights, which may investigate if a breach is attributable to a HIPAA violation.
HIPAA Guidelines for Mental Health Professionals (Solo Practitioners)
The HIPAA guidelines for mental health professionals that operate as solo practitioners require them – even though they work alone – to develop policies and procedures that govern when and how PHI can be used and disclosed. They must also provide each patient with a Notice of Privacy Practices that is consistent with those policies and procedures.
To comply with their own policies, solo practitioners must understand what disclosures are permitted to other healthcare providers for treatment purposes (i.e., when a direct treatment relationship exists), and when an authorization is required from a patient to disclose PHI, substance use disorder “Part 2” records, and psychotherapy notes.
With regards to protecting the privacy of PHI, solo practitioners must implement appropriate safeguards as required by the Security Rule and enter into Business Associate Agreements with any third party service provider with whom PHI is shared – for example, cloud service providers, managed service providers, accountants, and attorneys.
The standards most important to understand are those relating to disclosures to family members and disclosures in group therapy sessions. Disclosures of these types are often covered by the “opportunity to object” provision of the Privacy Rule (§164.510), but some may require an authorization depending on the service being provided or the nature of PHI being disclosed.
HIPAA Guidelines for Mental Health Professionals (Employed)
The HIPAA guidelines for mental health professionals that are employed by a covered entity should be developed by the covered entity. Business associates may also develop HIPAA guidelines for mental health professionals depending on the nature of services being provided. However, mental health professionals should note §164.530(e) of the Privacy Rule states:
“A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule].”
This implies mental health professionals could be sanctioned by an employer for violating the Privacy or Breach Notification Rule – even if the training they received from their employer covered only specific standards. Consequently, mental health professionals may need to take responsibility for their own HIPAA knowledge as well as attending employer-provided training.
In theory, no such issues should apply to the Security Rule HIPAA guidelines for mental health professionals, as covered entities and business associates are required by §164.308(a) to provide an ongoing security awareness and training program. Nonetheless, it is advisable to be aware of the Security Rule standards to avoid inadvertent violations of the Security Rule.
HIPAA Training for Mental Health Professionals
According to §164.530(b) of the Privacy Rule, covered entities (and business associates where necessary) “must train all members of the workforce on the policies and procedures with respect to PHI required by [the Privacy Rule] and [the Breach Notification Rule] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
Therefore, HIPAA training for mental health professionals ought to include everything mental health professionals need to know to carry out their functions compliantly. This means employer-provided HIPAA training should include basic topics such as “what is PHI?” and “patients’ rights”, as well as more advanced topics such as when it is permissible to share PHI with social service agencies.
However, as employers could sanction members of the workforce for violating Privacy and Breach Notification policies that have not been taught during HIPAA training – which might be likely in the event of a patient complaint being investigated by HHS’ Office for Civil Rights – mental health professionals should attempt to gain a thorough understanding of all applicable HIPAA standards.
The best ways to gain a thorough knowledge of all applicable HIPAA standards are to take advantage of third party courses offering HIPAA training for mental health professionals, study the text of HIPAA, and review HHS publications that provide relevant advice. Effectively, all mental health professionals need to have the same level of knowledge regardless of whether they are sole practitioners or employees of a covered entity.
Although the HIPAA guidelines for mental health professionals are the same as they are for other healthcare professionals subject to HIPAA, mental health professionals are likely to encounter more situations in which decisions about uses and disclosures are based on their professional judgement rather than on Privacy Rule standards.
Therefore, it is important that mental health professionals have a thorough understanding of the standards relating to permissible uses and disclosures of PHI; and if this information is not provided by an employer, it may be necessary for employees to source their own HIPAA training for mental health professionals.