HIPAA and Behavioral Health: What You Need to Know
You probably already know that you need to meet specific HIPAA standards to be compliant. That’s why you’re reading this in the first place. But what are those standards, and do you ensure that you meet them all? HIPAA behavioral health requirements are generally the same as other medical specialties, with some minor exceptions.
Use and Disclosure of PHI
A significant component of HIPAA regulates the proper use and disclosure of protected health information (PHI). Generally, use and disclosure of PHI is allowed for treatment, payment, and healthcare operations. This means that PHI can only be shared for these purposes unless the patient provides written authorization for another use or disclosure.
To be HIPAA compliant, behavioral health professionals must provide patients with a Notice of Privacy Practices upon intake that outlines how the practice will use and disclose their PHI.
HIPAA also allows behavioral health professionals to discuss information relevant to a person’s care with other members of their healthcare team. HIPAA permits the sharing of factual information, such as names of medications, symptoms, appointment start and end times, and diagnosis.Â
Under HIPAA, behavioral health professionals may share pertinent information (information directly related to treatment) with people involved in a person’s care if the person in treatment:
- Has agreed
- Has been given an opportunity to object and has not objected
- Has indicated they want the other person’s involvement, by, for example, bringing the other person to treatment, or having the other person help schedule sessions and pick up prescriptions
- Is incapable of making decisions as a result of being unconscious, delirious, or otherwise unable to object or agree
HIPAA Release Forms
If your practice requires a disclosure of PHI not covered by payment, treatment, or healthcare operations, then you must ensure that you obtain a HIPAA release form BEFORE any PHI can be disclosed. This is essential to both maintaining the privacy of your patients and protecting your practice from potential HIPAA violations and fines.
Some instances when a HIPAA waiver form is required include for:
- Disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations
- PHI used in marketing or fundraising efforts
- PHI shared for research purposes
- Disclosure of any psychotherapy notes
- PHI disclosed or shared for monetary compensation
Psychotherapy Notes Under HIPAAÂ
Psychotherapy notes under HIPAA are subject to slightly different rules. Psychotherapy notes contain particularly sensitive information. These notes constitute the provider’s personal notes – notes that usually are not required or useful for treatment, payment, or healthcare operations purposes (other than by the mental health professional who created the notes).
HIPAA Psychotherapy Notes Release Form
HIPAA psychotherapy notes release forms are generally required to be signed by patients for any reason, including disclosure for treatment purposes to a healthcare provider other than the originator of the notes.Â
However, a provider does not need authorization to use or disclose psychotherapy notes:
- For its own trainingÂ
- To defend itself in legal proceedings brought by the individual
- For HHS to investigate or determine the covered entity’s compliance with the Privacy Rule
- To avert a serious and imminent threat to public health or safety
- To a health oversight agency for lawful oversight of the originator of the psychotherapy notes
- For the legal activities of a coroner or medical examiner
HIPAA Right of Access
The HIPAA Right of Access requires behavioral health professionals to provide patients with copies of their medical records upon request. To follow the right of access standard, requested records must be provided within 30 days of request, in the format the patient requests them in. Behavioral health professionals are also limited to charging a reasonable cost-based fee to supply the records (i.e., you may charge a patient for the cost of a CD but not for the time it took your staff to gather the records).Â
Psychotherapy notes are expressly excluded from the right of access.
HIPAA and Behavioral Health: Effective Compliance
HIPAA compliance also requires you to implement an effective HIPAA compliance program that follows HIPAA Privacy, Security, and Breach Notification Rule standards.
Elements of an effective HIPAA compliance program can be found below.
Security Risk Assessments, Gap Identification, and Remediation
HIPAA requires behavioral health professionals to conduct security risk assessments to uncover weaknesses and vulnerabilities in security practices. After you complete your assessments, HIPAA requires you to create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.
Compliancy Group provides clients with all required risk assessments, with support from Compliance Coaches to instruct you on completing them. Once the assessments are completed and added to our software, gaps in compliance are automatically identified. To close these gaps, the software creates remediation plans specific to your practice, which, once implemented, allow you to meet HIPAA safeguard requirements.
HIPAA Policies and Procedures
To meet HIPAA Privacy, Security, and Breach Notification requirements, your practice must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how it operates. Any changes in your business practices must be included in your policies and procedures where appropriate.
Compliancy Group provides clients with policies and procedures specific to your practice. Each policy also includes a summary section to simplify procedures into language that all employees can easily understand.
HIPAA Training for Behavioral Health
Any employee that has the potential to access PHI must receive annual HIPAA training. Employees must legally attest that they understand and agree to adhere to the training material. HIPAA training for behavioral health is no different from training for other medical specialties.
Compliancy Group’s HIPAA training consists of a series of short educational videos to keep your employees engaged. Administrators can quickly check individual employee training progress and attestations through the software platform.
Business Associate Agreements
You likely work with business associates to run your practice. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers.Â
Business associate agreements must be signed with each of your business associate vendors.Â
Compliancy Group allows practices to send each of their business associates BAAs easily. It also assigns them a vendor questionnaire, similar to your self-audits, to assess their compliance. Once vendors have completed both, their responses are recorded, and agreements are stored in the software platform.
Incident Management and Audit Support
The HIPAA Breach Notification Rule requires practices to have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and know what to do if they suspect a breach has occurred. Healthcare organizations that suffer a breach and cannot prove their HIPAA compliance are often audited and fined.Â
Compliancy Group’s software makes it easy for employees to report suspected incidents anonymously. Clients that suffer a breach are provided with breach support from our on-staff regulatory attorneys. We also offer audit support to clients, providing all of the documentation required by the Office for Civil Rights (OCR) to prove their “good faith effort” towards HIPAA compliance. No client that has completed our process has ever failed an audit!