Demystifying HIPAA.
Subject: Privacy, Right of (Laws, regulations and rules)
Medical records (Laws, regulations and rules)
Authors: Hixson, Ron
Hunt-Unruh, Dana
Pub Date: 09/22/2008
Publication: Name: Annals of the American Psychotherapy Association Publisher: American Psychotherapy Association Audience: Academic; Professional Format: Magazine/Journal Subject: Psychology and mental health Copyright: COPYRIGHT 2008 American Psychotherapy Association ISSN: 1535-4075
Issue: Date: Fall, 2008 Source Volume: 11 Source Issue: 3
Topic: Event Code: 930 Government regulation; 940 Government regulation (cont); 980 Legal issues & crime Advertising Code: 94 Legal/Government Regulation Computer Subject: Government regulation
Geographic: Geographic Scope: United States Geographic Code: 1USA United States
Legal: Statute: Health Insurance Portability and Accountability Act of 1996
Accession Number: 187049613

Most of us would rather have a root canal procedure than read another article about HIPAA. However, avoidance can cause an infection in our practices that may require an even worse surgical procedure later. Chopping the information into short pieces that clarify and demystify the rules of HIPAA can keep us in compliance and out of trouble.

Privacy has become a valuable commodity among health-care vendors and their governmental counterparts. The privacy regulation industry grew out of the Internal Revenue Service Code of 1986, known as the Kennedy-Kassebaum Act and the Social Security Act in an effort to protect Americans with pre-existing conditions from losing their medical coverage and to unify the state of electronic exchange of protected health information (PHI) in the marketplace.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 also serves as a champion for increased confidentiality and a stronger barrier for security measures of health-care information. Health-care providers of all clinical disciplines tend to be leery of government regulations and enforcement techniques, because they see it as an intrusion between the provider and the patient as well as increasing their risks and liabilities. This article is written as a brief reminder of the need to keep aware of the impact of the expectation of the "HIPAA police" as well as other investigative agents on the practice of health care.

Who is Affected?

HIPAA compliance is required of health plans, health-care clearinghouses, and health-care providers who work with health information, regardless of whether they bill electronically, accept cash only, or operate as a one-person office or a large group medical or mental health practice. The U.S. Department of Health & Human Services develops policy, ensures that those within its jurisdiction comply with the laws, and enforces them. While support staff are not generally health-care providers, they are also affected, because providers are responsible for providing training, or the opportunity to be trained, in the rules and boundaries of HIPAA. Although much confusion and ambiguity remain within the law, most people expect these problems to be worked out by the judicial branch through the development of case law.

The second issue normally is what triggers HIPAA audits. They can be triggered by a complaint or by PHI being accidentally placed in the wrong hands. The third issue is the cost of the risks of non-compliance. Congress has stipulated that civil and criminal penalties for misuse of PHI can range from $100 per violation up to $25,000 per year for each requirement or prohibition violated and may include imprisonment of up to 10 years (HIPAA Primer, 2005).

Because many providers are solo practitioners, there is concern that those smaller practices may face the same obligations and consequences as larger organizations under the changes brought by the enactment of HIPAA. Scalable compliance means that larger organizations will bear more administrative and financial burdens, risks, and liabilities, while solo practitioners will have substantially less exposure.

Administrative Simplification

The HIPAA Administrative Simplification provision is divided into four parts:

1. Standards for electronic transactions

2. Unique identifiers standards

3. Security rule

4. Privacy rule

The goal is to reduce the administrative costs of health care by establishing standards for electronic transmission of all administrative, clinical, and financial information related to patients. The reduced costs are expected in more standardized forms as well as adequate protective measures that can reduce any fines and penalties for inappropriate exposure of health-care information.

There are nine transactions that are covered by HIPAA and will be required to be transmitted in a standard, HIPAA-approved format:

* First report of injury

* Eligibility for a health plan

* Health-care claim or encounter

* Health-care claim attachment

* Referral certification and authorization

* Enrollment or disenrollment in a health plan

* Health-care claim status

* Premium payments

* Claim payment and remittance advice (HIPAA Administrative Simplification, 2006, 45 C.F.R. 160.103)

If you or your organization file any of the above nine transactions electronically or store them in any format, you are required to comply with HIPAA. Today even sending protected health information (PHI) via fax makes you an entity that requires compliance. Health information includes any information that discusses or states a patient's past, present, or future physical or mental health condition(s), prognosis, or health-care recommendations, and information about the payment for the health care of a patient.

The Transactions and Code Sets Standards set the standards for how electronic transmissions can and cannot be made. The Code Sets refer to CPT codes and diagnostic codes, which, for mental health providers, come from the DSM-IV-TR. The Transaction Standards also standardize the forms used for medical billing ... for us, the CMS 1500 or HCFA form. The Security Rule sets the requirements to assure the security of client files and PHI in electronic form. There are three subparts. Each subpart has its own required specifications and addressable specifications. (HIPAA Administrative Simplification, 2006, Section 1177)

Covered entities (health-care providers) must have a compliance plan, and their employees must follow that plan in good faith. The provider must have a written policy and procedure manual that is available for anyone to view. There must be a designated officer who oversees the compliance and policies and procedures laid out in the written manual. In a one-person office, the therapist must be the Compliance Officer. The manual must be updated and revised as changes in the law take place. Under the mandates of the Administrative Procedures Act, changes can be made no more than once a year, and covered entities would be wise to track those changes, as they will be held accountable. Compliance records must be kept for a minimum of 6 years from the date of the last transaction concerning the client. The compliance policy must also do the following:

* Designate responsible parties. This includes all employees and contract workers.

* Train and educate employees. If the office is within the home, this may include family members.

* Adopt, implement, and publicize a process for the handling of complaints regarding privacy violations.

* Inform employees that they will be disciplined or sanctioned for privacy violations. This could include leaving written material or files face up on the desk while the employee is away from the desk. It also includes oral violations of client privacy rules.

* Provide notice to employees that they will not be retaliated against for making reports of privacy violations.

* Have a policy limiting wrongful or inappropriate disclosures. (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.316)

The Verification Requirement establishes that prior to disclosing protected health information, a covered entity must verify the identity and authority of the person seeking protected health information. The Minimum Necessary Standard sets the level of disclosure to fulfill the request for information from another provider, the patient, and disclosures required by law. There are, however, limitations to this standard:

* Disclosures to or by a health-care provider for treatment

* Disclosures made to the individual patient or client

* Disclosures made pursuant to an authorization requested by the individual but not including authorizations requested by the covered entity

* Disclosures made by the secretary of the HHS for compliance and enforcement of HIPAA's administrative simplification provisions

* Uses or disclosures required by law

* Uses or disclosures required for compliance with the privacy standards (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.502, b, 1-2)

Vendors are making new information technology (IT) hardware and software to handle the evolving mobility of health-care information security needs. For example, Global Platform (2007) has introduced mobile phones as a critical end-user information vehicle that requires both privacy and security.

Another example is the Double-Take Software. This software package has been created to assist health-care providers (doctors, hospitals, pharmacies, health insurers, clearinghouses, or any organization directly handling patients' health-care information) (Double-Take Software, 2008). The Portland, Oregon-based Kryptiq Corp. has integrated its Connect IQ technology with the HealthVault platform from Microsoft, which will enable consumers to view and save clinical information including problem and medication lists, lab and radiology reports, care plans, and home-monitored clinical data (Health Data Management, 2008).


The Security Rule

The Security Rule is embedded within the Privacy Rule and is process oriented. There are required elements and addressable elements within the three main parts of the rule. These subparts are the Administrative, Physical, and Technical Safeguards. The Security Rule specifically addresses the transactions that are electronic in nature and issues of storage (locked file cabinets, computers with regular changes of password codes, and reasonable efforts to safeguard operational and clinical information). (Bernstein & Hartsell, 2004; HIPAA Administrative Simplification, 2006, 45 C.F.R. 163.3069, d, ii, B, 2)

General Rule Provisions

* Ensure the confidentiality, integrity, and availability of all electronic PHI that the entity creates, receives, maintains, or transmits.

* Protect against any reasonably anticipated threats or hazards to the security and/or integrity of that information.

* Protect against any reasonably anticipated use or breach of such information that is not permitted by the Privacy Rule.

* Ensure compliance of the workforce and workplace. (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.306)

Administrative Standards

These standards encompass more than half of the Security Rule. There are four required specifications:

* Risk management

* Risk analysis

* Sanction policy

* Information system activity (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.308, a, 1, ii, A-D)

Each covered entity must designate one person to oversee and be responsible for compliance with and implementation of the Security Rule. That person will be responsible for the following:

* Supervision, clearance, and termination of personnel procedures

* Clarification of the standards by requiring information management controls

* Implementation of policies and procedures to protect electronic PHI (EPHI)

* Training all personnel regarding the Rule requirements

* Logging security incidents, reports, and response procedures

* Development and use of emergency contingency plan for protection of EPHI

* Periodic evaluation and documentation of all compliance issues

* Development and maintenance of business associate contract language that is compliant for EPHI (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.530)

To help you protect your laptops from hackers, there are the usual software packages such as Norton and McAfee security systems. But you might be wise to check out additional security in the event they are stolen. Absolute Software has been developed by a company that has created a better mouse trap as well as a recovery system. Absolute Software can be found at


The main concern of the Organizational Standards is the creation and use of business associate contracts. Business Associates (BA) are persons or organizations that assist the health-care provider and have access to PHI. Examples include those that provide answering services, bookkeeping, billing services, collection of bad debt, computer repair, paging services, shredding services, clearinghouse services, and transcription services. It also includes contract therapists who provide professional services for an organization on a contract basis rather than as employees. But it doesn't include those to whom you refer clients for health-care services. The BA relationship also does not include agents representing a Medicaid or Medicare review or audit of your practice, or law enforcement requests. Consult with your attorney on how to develop, implement, and administer these contracts of trust. These contracts create a chain of trust, which is established under the Privacy Rule. These contracts hold several requirements:

* Implement the Security Rule safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of clients' EPHI.

* Ensure that associates meet the same standards.

* Report to the covered entity all security breaches.

* Ensure termination of association if material item has been violated. (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.314)

Policies, Procedures and Documentation

This section requires covered entities to be fully compliant with all standards of the Security Rule and that the Policies and Procedures be kept in written form, which can be electronic in format.

* The records must be maintained for 6 years.

* Documentation must be made available to those responsible for implementing policies and procedures.

* Documentation must be reviewed and updated periodically in response to operational and environmental changes. (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.316, Standards 19-20)

The Privacy Rule

The Privacy Rule creates national standards to protect an individual's medical records and other PHI. This part of HIPAA addresses the clients' rights of privacy concerning their medical records:

* It gives clients more control over their health information.

* It sets boundaries for the use and release of records.

* It establishes safeguards that covered entities must achieve to protect PHI.

* It holds violators accountable with civil and criminal penalties.

* It strikes a balance when the public responsibility makes disclosures necessary. (Bernstein & Hartsell, 2004; HIPAA Administrative Simplification, 2006, 45 C.F.R. 160, 164)

For the patient or client, the Privacy Rule provides several rights:

* They are able to make informed decisions regarding their PHI.

* They are permitted to know how their PHI is being used.

* They are limited in the release of information to the minimum necessary to fulfill the request.

* Clients are given the right to a copy of their records.

* Clients are given a degree of control over disclosures of information in their PHI. (Bernstein & Hartsell, 2004)

For mental health providers, there are requirements in terms of what they must do and provide for their clients:

* They must notify patients and clients of their privacy rights.

* They must adopt and implement privacy procedures.

* They must train staff in those procedures.

* They must designate an individual to be the responsible party for implementation.

* They must secure files and records so that no unauthorized use or discovery occurs.

* They must keep an accounting of disclosures of a client's PHI. (Bernstein & Hartsell, 2004)

There is flexibility in that all the standards can be scaled to fit your particular practice. In the case of a sole proprietor, he or she is the one responsible. He or she must maintain a written copy of the policies and procedures for new people joining the staff and train them in all HIPAA compliance procedures. If you are a sole proprietor, how do you know if you must be compliant? How do you determine what is protected health information and how do you decide what is permitted use and disclosure of PHI?

* If you do anything regarding your clients electronically, you ARE a covered entity.

* The Privacy Rule defines PHI as "any information, written or oral, recorded in ANY media or format that:

** is created by health-care providers

** relates to the past, present, or future physical or mental health or condition of the patient; the provision of health care; or the past, present, or future payment for health care"

* Individually identifiable health information is information that is a subset of health information, including demographics, and

** is created by health-care providers

** relates to the past, present, or future physical or mental health or condition of the patient

** identifies the individual

** could reasonably be used to identify the client (HIPAA Administrative Simplification, 2006, 45 C.F.R. 160.103, 164.501)

A distinction is made by HIPAA between what psychotherapy notes are and are not. "Psychotherapy notes means notes recorded in any medium by a health-care provider documenting or analyzing the contents of conversations during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical records." (HIPAA Administrative Simplification, 2006, 45 C.F.R. 164.501)

"Psychotherapy notes EXCLUDE medication prescriptions and monitoring, counseling session start and stop time, the modalities and frequency of treatment, furnished results of clinical tests, and any summary of the following: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress notes to date" (45 C.F.R. 164.501). Anything, even a note, appointment schedules, or phone messages on a scrap of paper regarding a client, constitutes transmitted information and must be kept in the client's file. Any mental-health provider who uses, creates, or receives any of the following in any format MUST comply with the Privacy Rule:

* Health-care claims

* Health-care payment and remittance advice

* Coordination of benefits

* Health-care claim status, enrollment, or disenrollment

* Eligibility for a health plan

* Referral certification and authorization

* First report of injury

* Health-claim attachments

* Any other transactions that the Secretary of the U.S. Department of Health & Human Services may prescribe by regulation (HIPAA Administrative Simplification, 2006, 45 C.F.R. 160.103)

The Privacy Rule mandates that providers have a specific policy regarding faxes and e-mails and must have written procedures for training, monitoring, and auditing that policy. All transmissions must include a confidentiality clause such as the sample reproduced at the end of this article (Bernstein & Hartsell, 2004).

The wording is less important than the intent of the disclaimer. Every fax and e-mail must carry it in lettering large enough that the reader will not miss the intent of the statement. If your state law is more protective of a patient's or client's privacy rights, then the state law prevails. You are responsible for knowing your state laws pertaining to confidentiality and privacy. The rules of the licensing entity of your state should be consulted. When in doubt as to what you should do, consult an attorney and the Code of Ethics of a professional association such as the American Psychotherapy Association.

One interesting aspect of this Act is that managed care organizations do not have a right to review psychotherapy notes. It does not say that federal programs (Medicaid and Medicare) lack this right, only managed care organizations. It doesn't clarify whether this includes managed care organizations with contracts for Medicaid and Medicare services. In Texas, Medicaid's Integrity Department hunts out uncrossed "t's" and undotted "i's" and threatens people with fines exceeding $100,000 in some cases. So, we go back to the statement that encourages you to consult with an attorney for clarification and guidance on these issues.

The Privacy Rule addresses and sets the standards for health-care providers and their organizations that may have access to PHI, whereas the Security Rule sets the standards dictating that only those who should have access to PHI do, and those who should not, do not. The Privacy Rule requires covered entities to have administrative, physical, and technical safeguards and to implement them. There remains much ambiguity and uncertainty regarding the extent of HIPAA's presence in our offices and with our patients. When it comes to differences between state and federal laws, the position of both parties is that the one with the most restrictions overrides the other when it comes to privacy and security policies.

HIPAA Quick Facts

HIPAA Protects Workers and Their Families By

* Limiting exclusions for preexisting medical conditions (known as preexisting conditions)

* Providing credit against maximum preexisting condition exclusion periods for prior health coverage and a process for providing certificates showing periods of prior coverage to a new group health plan or health insurance issuer

* Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent

* Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors

* Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage for both small and large employers

* Preserving the states' role in regulating health insurance, including the states' authority to provide greater protections than those available under federal law

Discrimination Prohibitions

* Ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors

U.S. Department of Labor. The Health Insurance Portability and Accountability Act (HIPAA) Fact Sheet. Retrieved August 15, 2008, from http://


After studying this article, participants should be better able to do the following:

1. Describe the impact of HIPAA on the practice of health care.

2. Explain how to encourage compliance with the requirements of HIPAA and explain how to encourage acquisition of checklists and forms available for compliance.

3. Describe who is covered by HIPAA and demonstrate how to decrease the costs of the risks and liabilities from HIPAA for health-care providers.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 serves as a champion for increased confidentiality and a stronger barrier for security measures of health-care information. Health-care providers of all clinical disciplines tend to be leery of government regulations and enforcement techniques, because they see them as an intrusion between the provider and the patient as well as increasing their risks and liabilities. This article is written as a brief reminder of the need to keep aware of the impact of the expectation of the "HIPAA police" as well as other investigative agents on the practice of health care.

KEY WORDS: administration simplification, technical standards, privacy rule, security rule, HIPAA

TARGET AUDIENCE: mental health professionals, therapists, psychologists, counselors, social workers


DISCLOSURE: The authors have nothing to disclose.



1. True or false: Many professional associations recommend that even if health-care providers do not bill electronically, they should be HIPAA compliant.

a) True

b) False

2. True or false: HIPAA can never be triggered if you do not bill electronically.

a) True

b) False

3. True or false: HIPAA overrules state laws when there is a difference in similar legislation.

a) True

b) False

4. True or false: Scalable compliance means that solo practitioners have the same risks and liability under HIPAA as hospitals or large group practices.

a) True

b) False

5. True or false: HIPAA is the result of the 9/11 attack on New York City and the institution of Homeland Security.

a) True

b) False

6. True or false: Therapists can be their own privacy officer/compliance officer in their own practice.

a) True

b) False



Bernstein, B. E., & Hartsell, T. L. Jr. (2004). The portable lawyer for mental health professionals: An A-Z guide to protecting your clients, your practice and yourself. Hoboken, NJ: John Wiley and Sons, Inc.

Double-Take Software. (2008). Retrieved March 1, 2008, from

Global Platform. (2007). Why the mobile industry is evolving towards security. Retrieved March 1, 2008, from

Health Data Management. (2008). Kryptiq adds messaging to Health Vault. Retrieved March 1, 2008, from

HIPAA Administrative Simplification, Regulation Text. (2006). U.S. Dept. of Health and Human Services. Office for Civil Rights (to be codified at 45 C.F.R. pt. 160). Unofficial version as amended through February 16, 2006.

HIPAA Primer. (2005). Phoenix Health Systems. Retrieved from HIPAAprimer.htm

Mitchell, R. W. (2007). Documentation in counseling records: An overview of ethical, legal, and clinical issues. Alexandria, VA: American Counseling Association.

Wheeler, A. M., & Bertram, B. (2007). The counselor and the law (5th ed.). Alexandria, VA: American Counseling Association.

Wiger, D. (2005). The clinical documentation sourcebook. Hoboken, NJ: John Wiley and Sons, Inc.

Ronald Hixson, PhD, BCPC, has been a therapist for more than 25 years, and he currently serves as the Chair of the American Board of Professional Counselors. He has a Texas corporation private practice and has founded a non-profit group mental health organization where he serves as President/Executive Director. He has a PhD in Health Administration from Kennedy-Western University, an MBA from Webster University, and graduate degrees from the University of Northern Colorado and the University of California (Sacramento).

Dana Hunt-Unruh, MS, LCPC, FAPA, serves on the American Board of Professional Counselors. She is the Ethics Chair for the Idaho Mental Health Counselor's Association and has 22 years of experience as a counselor working with adults, couples, and victims of violent crime.

Quotation from Global Platform (2007), cited in the text above:

   A broad range of applications will only be deployed
   or enhanced if mobile phones fulfill market
   requirements for interoperability, flexibility,
   reactivity, and provability of the relevant security
   level. In this environment, contactless transport
   ticketing, mobile payment involving screen, keyboard
   and/or contactless communication, digital
   rights management (DRM) of high-value multimedia
   content and broadcast service protection
   with conditional access system (CAS) can all
   flourish. (Global Platform, 2007)

Sample confidentiality clause for faxes and e-mails, cited in the text above:

   The fax (or e-mail) and any files transmitted
   with it are confidential and intended
   solely for the use of the individual or entity
   to whom they are addressed. Nothing
   in this fax (or email) is intended to constitute
   a waiver of a privilege or the confidentiality
   of this message. Any dissemination,
   copying, or use of this information
   by anyone other than the designated and
   intended recipient(s) is prohibited. If you
   have received this fax (or e-mail) in error,
   please notify me immediately by reply
   and delete and destroy this message and
   information immediately. (Bernstein &
   Hartsell, 2004)

Gale Copyright: Copyright 2008 Gale, Cengage Learning. All rights reserved.