• What Does It Mean for a Therapist to Be HIPAA Compliant?


    Whether you’re currently a practitioner or you’re on your journey to opening a private practice, it’s essential to understand the basics of HIPAA to ensure you aren’t making any of the most common practitioner HIPAA-compliance mistakes.

    Sign up for a free 30 day trial of SimplePractice

    What Is HIPAA? 

    The Health Insurance Portability and Accountability Act, better known as HIPAA, was issued on August 21, 1996 by the Department of Health and Human Services (HHS) to establish a set of national standards for the privacy protection of certain health information. 

    It may be hard to believe that prior to HIPAA, there was no national privacy law when it came to an individual’s health and medical information.

    If one’s health information was released, they had to rely on state law—if and when it applied.

    After HIPAA became federal law in 1996, any information considered Protected Health Information (PHI) became protected.

    PHI addresses the use and disclosure of individuals’ health information.

    This means that under the HIPAA Privacy Rule, individuals have the right to control how and where their health information is used, including for any marketing, fundraising, research, or other purposes. 

    What Information Does HIPAA Protect?

    The HIPAA Privacy Rule protects all information that could identify an individual in any method or format. 

    Some identifiable information may include obvious identifiers such as date of birth, social security number, place of residence, and ethnicity. 

    There is some health information that isn’t considered PHI—as long as there’s no personal identifiable information attached.

    Some examples of non-PHI are the number of steps a person takes, or amount of calories burned in a day. On its own, this information isn’t protected under HIPAA. 

    One thing to note about HIPAA—in the case of a minor or a client who can’t make their own healthcare decisions, practitioners have the right to share information with the clients’ guardians or caregiver. This information may include specific treatment plans, progress, or symptoms the client is having. However, psychotherapy notes are not shareable and are protected under HIPAA.

    Another important thing to note is that HIPAA privacy only goes one way. This means that family members or loved ones can share information about an individual’s health or behavior with you, even though you can’t share with them.

    So, what happens if you have a patient who is expressing thoughts of self harm, or harming others? How does breaking confidentiality relate to HIPAA? 

    In the event that a therapist does need to break confidentiality, HIPAA protects and does not penalize the practitioner if they decide that sharing this information is in the person’s best interest. This could be by telling an immediate family member, a spouse, or calling 911. All of this can be done without the consent of the client, since the therapist or practitioner is acting in this person’s best interest. 

    Of course, HIPAA is not the only determinant of when otherwise-confidential information may be shared. It’s important to understand how privacy and confidentiality laws in your state also impact that decision-making process.


    What Does It Mean to Be a HIPAA-Compliant Practitioner? 

    There are three main rules when it comes to being HIPAA compliant:

    1. The first rule is the Privacy Rule. The Privacy Rule sets the baseline for HIPAA and outlines patients' rights to access their PHI.
    2. The second rule is the Security Rule. The Security Rule protects all information that could identify an individual, in any method or format. Safeguards for this rule are physical, technical, or administrative.
    3. The third rule is the Breach Notification Rule. Added in 2009, this rule states what needs to happen in the event that PHI is breached and gets into the hands of an unauthorized person or group. The rule requires that any breach must be reported to the Department of Health and Human Services Office for Civil Rights—no matter the size of the breach.

    By following these rules and continuously staying up-to-date on any changes as they happen, you can maintain HIPAA compliance.

    Why Is It Important to Comply with HIPAA?

    The overarching ethical answer here is that you should care about the privacy of your clients and the sensitive information they could be sharing with you.

    The other important answer is because it’s the law. If any healthcare provider or organization fails to comply with HIPAA, they could face some serious consequences, including heavy fines and the possibility of action against your license. 

    With HIPAA in place, clients can be more honest and open with you as their provider.

    With their information protected, they don’t need to worry that sensitive information could be shared with employers, peers, or even family members. Should they choose for their family or healthcare providers to share information, it’s all within the patient’s rights.

    If they do give permission for their providers and/or family members to share, it can have some positive impacts. It may improve treatment plans, or better help others understand what the patient is going through as well as identifying ways to help. 

    HIPAA also protects you if you suspect your client is going to harm themselves or others. This is important to have in place so you understand you won’t be penalized under HIPAA if it means protecting the life of a patient, or somebody else.


    How to Make Sure Your Records Are Secure

    Whether you’re using an EHR, or pen and paper, there are a lot of things to take into consideration when it comes to being HIPAA-compliant.

    Here are a few simple ways you can check to make sure your records are secure. Things like secure communication and a HIPAA-compliant EHR are essentials for any practitioner. 

    Even if you’re using secure software and communication platforms, how you use them can make a big difference.

    Are you linking to your Notice of Privacy Practices from your website’s homepage? 

    Are you informing your clients how they can exercise their rights?

    These are two important steps many practitioners forget about. 

    Staying up-to-date with HIPAA is an ongoing process throughout your career.

    To make sure you’re doing everything you can to protect your practice and your clients’ data, open a conversation up with your peers and mentors, and ask questions about what you don’t know.

    To gain a deeper understanding of how HIPAA works, it’s important to take in-depth continuing education courses on HIPAA, so you can be sure you’re maintaining compliance at all times. 


    Benefits of Using a HIPAA-Compliant EHR Like SimplePractice 

    If you’ve been considering trying out a fully integrated, HIPAA-compliant EHR, SimplePractice gives you everything you need. 

    Used by over 185,000 private practice clinicians nationwide, SimplePractice is the practice management software with HIPAA-compliant booking, billing, secure messaging, and telehealth for therapists, speech-language pathologists, occupational therapists, and other practitioners in the health and wellness industry.

    To try SimplePractice out, sign up for a free, 30-day trial. No credit card needed.
