The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA for Therapists

When discussing HIPAA for therapists, it is important to be aware that a therapist can be a solo Covered Entity, a hybrid Covered Entity, part of an affiliated Covered Entity, part of an Organized Health Care Arrangement, a Business Associate to a Covered Entity, or an employee of any of the above. Even when none of these options apply, therapists may still need to comply with HIPAA-style privacy, security, and breach notification requirements mandated by state legislation.

When is a Therapist a Solo Covered Entity?

A therapist is a solo Covered Entity under HIPAA when they work independently of other healthcare providers and conduct transactions electronically for which the Department of Health and Human Services (HHS) has issued standards. The standards can be found in Part 162 of the Administrative Simplification Regulations and relate to processes such as eligibility checks for treatment, authorizations for treatment, and billing for treatment when payment is made by a health plan.

A therapist qualifies as a solo Covered Entity whether they conduct the transactions themselves or subcontract the processes to a third party. However, HHS does not consider certain transmissions (i.e., telephone, paper-to-paper faxes, etc.) to be electronic if the information being transmitted did not exist in electronic form before being transmitted. Therefore, if a therapist conducts “covered transactions” only by fax, they do not qualify as a Covered Entity under HIPAA.

What is a Hybrid Covered Entity?

HHS defines a hybrid Covered Entity as “a single legal entity that performs both covered and non-covered functions”. In the context of HIPAA for therapists, an example of this definition would be a therapist who bills some clients directly for treatment, and others via their health plan. In these circumstances, information relating to clients billed directly would have to be maintained separately from “Protected Health Information” subject to the Privacy, Security, and Breach Notification Rules.

There is little benefit to maintaining information separately as a hybrid Covered Entity because state privacy and security laws will likely require safeguards similar to HIPAA. However, a therapist will qualify as a hybrid Covered Entity if they provide therapy services to a school as well as maintain a covered practice. This is because students' medical records are considered to be part of their education records under the Family Educational Rights and Privacy Act and are not subject to HIPAA.

Affiliated Entities and Organized Health Care Arrangements

Affiliated Covered Entities are legally separate Covered Entities under common ownership or control that designate themselves as a single Covered Entity for the purposes of complying with HIPAA. This arrangement makes it easier to share Protected Health Information between healthcare providers, but it does mean that if one healthcare provider violates HIPAA, all the healthcare providers in the affiliated group could share the liability – and the penalties for violating HIPAA.

By comparison, an Organized Health Care Arrangement is a system in which Covered Entities under different ownership or control operate as one entity for the purpose of complying with HIPAA. This type of arrangement makes it easier to comply with HIPAA for therapists because some requirements – such as Notices of Privacy Practices and facility access controls – can be shared. However, each Covered Entity within the group is individually liable for HIPAA violations.

HIPAA for Therapists Who Are Business Associates

Therapists who do not qualify as a solo, hybrid, or affiliated Covered Entity may still be subject to partial HIPAA compliance if they provide a service to or on behalf of a Covered Entity as a Business Associate. The most likely circumstance for this scenario is a therapist who operates a non-qualifying practice and accepts clients referred by a Covered Entity on a direct-payment basis, where the Covered Entity discloses Protected Health Information to the therapist to assist with the client's treatment.

The requirement to comply with HIPAA for therapists who are Business Associates is usually limited to Security Rule compliance and Breach Notification compliance. However, depending on the nature of the therapy being provided to the client, compliance with some Privacy Rule standards may also be necessary. In such cases, which standards the therapist is required to comply with should be written into the Business Associate Agreement between the therapist and the Covered Entity.

HIPAA for Therapists Employed by a Covered Entity

Therapists employed by a Covered Entity are required to comply with HIPAA indirectly: their employer is responsible for developing HIPAA-compliant policies and procedures, and the therapists are required to comply with those policies and procedures. Covered employers are also responsible for training therapists on the policies and procedures, monitoring compliance, and imposing sanctions if therapists violate HIPAA or any other organizational policy for which training has been provided.

It is rarely the case, but conceivable, that a therapist would be employed by a Business Associate (i.e., the business offers therapy services but does not qualify as a Covered Entity). In this scenario, the therapist's employer would be responsible for implementing Security Rule safeguards and having procedures in place to notify a Covered Entity of a security incident. Any other compliance requirements would be subject to the content of a Business Associate Agreement.

HIPAA Status Should Not be the Only Consideration

If a therapist does not fall into any of the categories above, they are not required to comply with HIPAA. However, many states have passed legislation with privacy, security, and breach notification provisions that individuals and organizations not qualifying as Covered Entities have to comply with. Most of these state laws impose HIPAA-style requirements, which is why Covered Entities and Business Associates are often exempted from them.

Therefore, unless you are employed by a Covered Entity with the responsibility for complying with HIPAA, you should protect the privacy of individually identifiable health information using measures similar to – if not more stringent than – those published in the HIPAA Privacy, Security, and Breach Notification Rules. For further information about these Rules, review our HIPAA compliance checklist, or seek advice from a HIPAA compliance professional.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com