HIPAA and Behavioral Health: What You Need to Know

You probably already know that you need to meet specific HIPAA standards to be compliant. That’s why you’re reading this in the first place. But what are those standards, and do you ensure that you meet them all? HIPAA behavioral health requirements are generally the same as other medical specialties, with some minor exceptions.

Use and Disclosure of PHI

A significant component of HIPAA regulates the proper use and disclosure of protected health information (PHI). Generally, use and disclosure of PHI is allowed for treatment, payment, and healthcare operations. This means that PHI can only be shared for these purposes unless the patient provides written authorization for another use or disclosure.

To be HIPAA compliant, behavioral health professionals must provide patients with a Notice of Privacy Practices upon intake that outlines how the practice will use and disclose their PHI.

HIPAA also allows behavioral health professionals to discuss information relevant to a person’s care with other members of their healthcare team. HIPAA permits the sharing of factual information, such as names of medications, symptoms, appointment start and end times, and diagnosis. 

Under HIPAA, behavioral health professionals may share pertinent information (information directly related to treatment) with people involved in a person’s care if the person in treatment:

  • Has agreed
  • Has been given an opportunity to object and has not objected
  • Has indicated they want the other person’s involvement, by, for example, bringing the other person to treatment, or having the other person help schedule sessions and pick up prescriptions
  • Is incapable of making decisions as a result of being unconscious, delirious, or otherwise unable to object or agree

HIPAA Release Forms

If your practice requires a disclosure of PHI not covered by payment, treatment, or healthcare operations, then you must ensure that you obtain a HIPAA release form BEFORE any PHI can be disclosed. This is essential to both maintaining the privacy of your patients and protecting your practice from potential HIPAA violations and fines.

Some instances when a HIPAA waiver form is required include for:

  • Disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations
  • PHI used in marketing or fundraising efforts
  • PHI shared for research purposes
  • Disclosure of any psychotherapy notes
  • PHI disclosed or shared for monetary compensation

They Trust Us, So Can You

Compliancy Group simplifies compliance for behavioral health providers.

Find out why the APA, NAATP, BHCOE, and others chose us for their members!

Psychotherapy Notes Under HIPAA 

Psychotherapy notes under HIPAA are subject to slightly different rules. Psychotherapy notes contain particularly sensitive information. These notes constitute the provider’s personal notes – notes that usually are not required or useful for treatment, payment, or healthcare operations purposes (other than by the mental health professional who created the notes).

HIPAA Psychotherapy Notes Release Form

HIPAA psychotherapy notes release forms are generally required to be signed by patients for any reason, including disclosure for treatment purposes to a healthcare provider other than the originator of the notes. 

However, a provider does not need authorization to use or disclose psychotherapy notes:

  • For its own training 
  • To defend itself in legal proceedings brought by the individual
  • For HHS to investigate or determine the covered entity’s compliance with the Privacy Rule
  • To avert a serious and imminent threat to public health or safety
  • To a health oversight agency for lawful oversight of the originator of the psychotherapy notes
  • For the legal activities of a coroner or medical examiner

HIPAA Right of Access

The HIPAA Right of Access requires behavioral health professionals to provide patients with copies of their medical records upon request. To follow the right of access standard, requested records must be provided within 30 days of request, in the format the patient requests them in. Behavioral health professionals are also limited to charging a reasonable cost-based fee to supply the records (i.e., you may charge a patient for the cost of a CD but not for the time it took your staff to gather the records). 

Psychotherapy notes are expressly excluded from the right of access.

HIPAA and Behavioral Health: Effective Compliance

HIPAA compliance also requires you to implement an effective HIPAA compliance program that follows HIPAA Privacy, Security, and Breach Notification Rule standards.

Elements of an effective HIPAA compliance program can be found below.

Security Risk Assessments, Gap Identification, and Remediation

HIPAA requires behavioral health professionals to conduct security risk assessments to uncover weaknesses and vulnerabilities in security practices. After you complete your assessments, HIPAA requires you to create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

Compliancy Group provides clients with all required risk assessments, with support from Compliance Coaches to instruct you on completing them. Once the assessments are completed and added to our software, gaps in compliance are automatically identified. To close these gaps, the software creates remediation plans specific to your practice, which, once implemented, allow you to meet HIPAA safeguard requirements.

HIPAA Policies and Procedures

To meet HIPAA Privacy, Security, and Breach Notification requirements, your practice must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how it operates. Any changes in your business practices must be included in your policies and procedures where appropriate.

Compliancy Group provides clients with policies and procedures specific to your practice. Each policy also includes a summary section to simplify procedures into language that all employees can easily understand.

HIPAA Training for Behavioral Health

Any employee that has the potential to access PHI must receive annual HIPAA training. Employees must legally attest that they understand and agree to adhere to the training material. HIPAA training for behavioral health is no different from training for other medical specialties.

Compliancy Group’s HIPAA training consists of a series of short educational videos to keep your employees engaged. Administrators can quickly check individual employee training progress and attestations through the software platform.

Business Associate