HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Behavioral Health Practices

One of the challenges of HIPAA compliance for behavioral health practices is that the HIPAA Privacy Rule only provides a “federal floor” of privacy protections. Other federal laws (for example, 42 CFR Part 2 for substance use disorder records) and many state laws impose more stringent privacy protections or security requirements, and HIPAA does not preempt a state law that is more protective of the individual. The practical challenge is knowing when HIPAA alone applies, when a stricter law applies on top of it, and when HIPAA does not apply at all.

Most behavioral health professionals are subject to the HIPAA Privacy, Security, and Breach Notification Rules, either because they are solo practitioners who qualify as a HIPAA Covered Entity in their own right, or because they work for a behavioral health practice that is a Covered Entity and has implemented policies and procedures to comply with the HIPAA Rules.

In terms of HIPAA compliance for behavioral health practices, a solo practitioner who qualifies as a Covered Entity is personally responsible for implementing measures that protect the privacy of individually identifiable health information and that ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

In multi-practitioner behavioral health practices, these responsibilities are delegated to a Privacy Officer and a Security Officer (the two roles may be held by the same person), who is either an existing member of the workforce (usually a non-clinical employee) or appointed specifically to fulfil the role(s). Alternatively, the challenge of HIPAA compliance for behavioral health practices is contracted out to a specialist compliance organization.

In each of these scenarios, employed or sub-contracted practitioners, assistants, support staff, and administrative staff are required to comply with the policies and procedures put in place by the responsible person. In some cases, those policies go well beyond the minimum requirements of the HIPAA Privacy, Security, and Breach Notification Rules, and that is permitted: the Rules set a floor, not a ceiling.

Privacy Rule HIPAA Compliance for Behavioral Health Practitioners

Privacy Rule HIPAA compliance for behavioral health practitioners is the same as for any other HIPAA Covered Entity: all members of the workforce must understand what individually identifiable health information is, know when it can permissibly be used or disclosed, and be aware of patients’ rights to access their PHI and to request an accounting of disclosures.

However, because of the nature of behavioral health, there can be many elements of a practitioner’s work that are square pegs in HIPAA’s round holes. For example, career counselling, mediation services, and life coaching are not included in HIPAA’s definition of health care. So, should records of these activities be kept out of the designated record set altogether, included in it and protected as health information, or kept separately with protections comparable to those for psychotherapy notes?

The answer to this question can vary depending on the location of the practice (i.e., which state laws apply), the nature of the practice’s activities (e.g., whether it provides services for substance use disorder patients, bringing 42 CFR Part 2 into play), and the practice’s risk tolerance. With regards to risk, all Covered Entities are required to conduct a HIPAA risk analysis, but what is done with the results must be “reasonable and appropriate” to the Covered Entity’s circumstances, which leaves the response open to interpretation. Whatever the practice decides, the decision and its rationale should be written down.

Security Rule HIPAA Compliance for Behavioral Health Practices

In theory, Security Rule HIPAA compliance for behavioral health practices should also be the same as for any other Covered Entity. In practice, it is often much harder to comply with the Technical Safeguards of the Security Rule because behavioral health practitioners (most often at the request of clients) tend to favor consumer-facing services such as Gmail, Square, and PayPal. This was especially true during the height of the COVID-19 pandemic with regards to remote consultations.

Consumer-facing services rarely provide the technical capabilities the Security Rule calls for (e.g., automatic log-off, audit controls and event monitoring, access controls that can be administered per user), so they cannot be used in a compliant way for ePHI. Additionally, consumer-facing services store copies of communications indefinitely on their servers, where the provider (and anyone who compromises the account) can read them, because the content is not encrypted end to end; and the free consumer tiers of most such services will not sign a Business Associate Agreement, whereas the paid business tiers of some providers will. Effectively, there is a lot to overcome.

Consequently, behavioral health practitioners have to be very careful about how they use technology. The Security Rule has a “flexible approach” clause (see 45 CFR § 164.306(b)) that lets a practice choose security measures that fit its size and resources, but it does not excuse using an unsecured channel for ePHI. Where communications have to pass through such a channel, practitioners should follow policies that limit the PHI transmitted to the minimum needed, even when communicating with the client, and should document the client’s informed choice of that channel. Naturally, it is important that compliance with those policies is monitored wherever possible.

The Breach Notification Rule and Notification Timeframes

The Breach Notification Rule stipulates when and how clients should be notified of an impermissible use or disclosure of unsecured Protected Health Information and what information should be included in the notification letter. The Rule also mandates timeframes within which HHS’ Office for Civil Rights has to be notified and, in some cases, the media.

Generally, individuals must be notified without unreasonable delay and in no case later than 60 days after the breach is discovered. Breaches affecting fewer than 500 individuals are logged and reported to HHS’ Office for Civil Rights within 60 days of the end of the calendar year in which they were discovered; breaches affecting 500 or more individuals must be reported to OCR within the same 60-day window as the individual notices, and if 500 or more residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Further information on the notification requirements can be found in this article.

Although it is not difficult to comply with this Rule, it is important to be aware that most states have breach notification laws with much shorter timeframes, and that the shorter deadline governs. It is also important to be aware that some state laws extend beyond state borders and apply to data breaches affecting any resident of the state, for example the requirements that apply alongside Texas’ Medical Records Privacy Act.

Seek Compliance Advice, Understand, and Document!

In conclusion, it can be hard for a busy practitioner to do their best for clients while struggling with HIPAA compliance for behavioral health practices, especially given the volume of federal and state laws with more stringent privacy protections or security requirements. The best solution for balancing work and compliance is to seek professional compliance advice, understand which laws apply in which situations, and develop policies and procedures accordingly.

In all cases, document risk analyses, risk management decisions, and decisions relating to the HIPAA standards, explaining why, where applicable, an addressable implementation specification has not been implemented and what alternative measure was adopted instead. Policies, procedures, and the records of these decisions must be retained for a minimum of six years from the date of creation or the date the document was last in effect, whichever is later, in case of an audit, review, or investigation. Finally, remember that ignorance of the HIPAA compliance requirements is not an acceptable defense in the event of a data breach.

HIPAA Compliance for Behavioral Health Practices: FAQs

Why are “most”, and not “all” behavioral health practitioners subject to HIPAA?

Some health care professionals, including some behavioral health practitioners, are not subject to HIPAA because either they do not provide qualifying services or they do not transmit individually identifiable health information electronically in a transaction for which the Department of Health and Human Services has adopted standards, such as electronic claims or eligibility checks (see CMS’ Transactions Overview for more information). A practitioner who only accepts self-pay clients and never submits electronic claims may therefore fall outside HIPAA, although state privacy laws will still apply.

Alternatively, a practitioner may practice in an environment in which HIPAA does not apply. For example, if a behavioral health practitioner provides services to students at a school or university, the students’ health records are generally classified as part of their education records (or as “treatment records”) under the Family Educational Rights and Privacy Act (FERPA), so HIPAA does not apply to those records and FERPA governs instead.

If a behavioral health practitioner does not qualify as a Covered Entity, but provides a service on behalf a practitioner who is a Covered Entity, what happens then?

In this case, the practitioner who is not a Covered Entity (Practitioner A) provides the service as a Business Associate of the practitioner who is a Covered Entity (Practitioner B). As a Business Associate, Practitioner A is directly subject to the Security Rule and the Breach Notification Rule, may only use or disclose PHI as the Business Associate Agreement with Practitioner B permits, and is liable for impermissible uses and disclosures. The Business Associate Agreement should set out these obligations, including how quickly Practitioner A must report a breach to Practitioner B.

How does my state´s “duty to warn” requirement align with HIPAA?

If a behavioral health practitioner believes in good faith that there is a serious and imminent threat of a client harming themselves or others, HIPAA generally permits the practitioner to disclose PHI to a person reasonably able to prevent or lessen the threat (45 CFR § 164.512(j)). However, there are limits on this permissible disclosure (see 45 CFR § 164.512(j)(2)), and it is important to understand how those limits interact with a state’s duty-to-warn law, since a state may require a disclosure that HIPAA merely permits, or set different conditions for it.

What Privacy Rule protections do psychotherapy notes have?

Under the Privacy Rule, psychotherapy notes receive stronger protection than other PHI: even though they can contain information relevant to a client’s past, present, or future condition, they cannot be used or disclosed without written authorization from the client except in a small number of cases (such as use by the originator for treatment), and only if they are maintained separately from the rest of the client’s medical record. However, in some states (e.g., Vermont), psychotherapy notes must be kept with other health information, in which case the special protections do not apply and the notes are protected only as ordinary PHI.

How might the Texas Medical Records Privacy Act affect a behavioral health practice in Oklahoma?

If a behavioral health practice in Oklahoma provides services to a client from Dallas, the Texas law can follow that client’s records: there are fewer permissible uses and disclosures of the client’s individually identifiable health information than HIPAA allows, client requests for access to their electronic health information must be fulfilled within a shorter timeframe than HIPAA’s, and all members of the workforce who handle that information have to undergo refresher training at the intervals the Texas law requires. The practice should confirm with compliance counsel which out-of-state clients trigger which state laws.