Hipaa Laws: Do Counselors Need To Comply?

does hipaa laws apply to counselors

The Health Insurance Portability and Accountability Act, or HIPAA, is a US law that protects the privacy of patients' medical records and health information. It applies to health plans, health care clearinghouses, and healthcare providers that transmit health information electronically in connection with certain administrative and financial transactions. So, do HIPAA laws apply to counselors? The answer is: it depends. If a counselor is considered a covered entity under HIPAA, they would need to comply with the law. A therapist or counselor can be a solo Covered Entity, a hybrid Covered Entity, part of an affiliated Covered Entity, part of an Organized Health Care Arrangement, a Business Associate to a Covered Entity, or an employee of any of the above. Even if they don't fall into any of these categories, they may still need to comply with similar state legislation. During the first visit, counselors provide patients with papers explaining that their sessions are private except in certain circumstances, such as when there is a serious threat to the patient or others, or when required by law.

Characteristics Values
Who does HIPAA apply to? All health care providers, including psychologists and therapists.
Does HIPAA apply to counselors? Yes, counselors are bound by HIPAA to ensure clients can talk freely.
Does HIPAA apply to schools? Generally, no. Schools are not HIPAA covered entities and are not subject to the HIPAA Privacy Rule.
Does HIPAA apply to psychotherapy notes? Yes, the Privacy Rule provides a higher level of protection for psychotherapy notes.
Does HIPAA apply to insurance companies? Yes, but patients can choose to pay for treatment themselves to avoid their insurance company receiving information about their treatment.

lawshun

HIPAA and therapists: solo, hybrid, affiliated, or business associates

The Health Insurance Portability and Accountability Act (HIPAA) applies to therapists, and a therapist can be a solo Covered Entity, a hybrid Covered Entity, part of an affiliated Covered Entity, part of an Organized Healthcare Arrangement, a Business Associate to a Covered Entity, or an employee of any of the above.

A therapist is a solo Covered Entity under HIPAA when they work independently of other healthcare providers and conduct transactions electronically. The Department of Health and Human Services (HHS) has issued standards for these transactions, which can be found in Part 162 of the Administrative Simplification Regulations. These standards relate to processes such as eligibility checks for treatment, authorizations for treatment, and billing for treatment when payment is made by a health plan. A therapist qualifies as a solo Covered Entity whether or not they conduct the transactions themselves or subcontract the processes to a third party. However, HHS does not consider certain transmissions to be electronic (e.g., telephone, paper-to-paper faxes, etc.) if the information being transmitted did not exist in electronic form before being sent. Therefore, if a therapist conducts “covered transactions” by fax, they do not qualify as a Covered Entity under HIPAA.

A hybrid Covered Entity is defined by HHS as “a single legal entity that performs both covered and non-covered functions”. In the context of therapists, an example would be a therapist who bills some clients directly for treatment and others via their health plan. In these circumstances, information relating to clients billed directly would have to be maintained separately from “Protected Health Information” subject to the Privacy, Security, and Breach Notification Rules.

Affiliated Covered Entities are legally separate Covered Entities under common ownership or control that designate themselves as a single Covered Entity for the purposes of complying with HIPAA. This arrangement makes it easier to share Protected Health Information between healthcare providers, but it means that if one healthcare provider violates HIPAA, all the healthcare providers in the affiliated group could share the liability and penalties.

By comparison, an Organized Health Care Arrangement is a system in which Covered Entities under different ownership or control operate as one entity for the purpose of complying with HIPAA. This type of arrangement makes it easier to comply with HIPAA because some requirements – such as Notices of Privacy Practices and facility access controls – can be shared. However, each Covered Entity within the group is individually liable for HIPAA violations.

Therapists who do not qualify as a solo, hybrid, or affiliated Covered Entity may still be subject to partial HIPAA compliance if they provide a service to or on behalf of a Covered Entity as a Business Associate. This scenario is likely when a therapist operates a non-qualifying practice and accepts clients referred by a Covered Entity on a direct-payment basis. The requirement to comply with HIPAA for therapists who are Business Associates is usually limited to Security Rule compliance and Breach Notification compliance. However, depending on the nature of the therapy, compliance with some Privacy Rule standards may also be necessary.

Therapists employed by a Covered Entity are required to comply with HIPAA to the extent that their employer is responsible for developing HIPAA-compliant policies and procedures, and therapists are required to comply with these policies and procedures. Covered employers are also responsible for training, monitoring compliance, and imposing sanctions if therapists violate HIPAA or any other organizational policy for which training has been provided.

lawshun

When does HIPAA apply to psychotherapy notes?

The Health Insurance Portability and Accountability Act (HIPAA) applies to counselors and other mental health professionals who transmit protected health information electronically in connection with certain administrative and financial transactions. This includes psychologists who send patient bills to insurance companies electronically.

HIPAA provides extra protections for mental health information compared with other health information. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional, documenting or analyzing the contents of a conversation during a counseling session. These notes must be kept separate from the rest of the patient's medical record and are typically not accessible to anyone other than the originator of the notes. Psychotherapy notes are given this special protection because they contain particularly sensitive information that is not required or useful for treatment, payment, or healthcare operations purposes.

The Privacy Rule requires a covered entity to obtain a patient's authorization prior to disclosing psychotherapy notes, including for treatment purposes to another healthcare provider. There are a few exceptions to this, including disclosures required by other laws, such as mandatory reporting of abuse, and "duty to warn" situations regarding threats of serious and imminent harm made by the patient.

In summary, HIPAA applies to psychotherapy notes when they are transmitted electronically in connection with certain administrative and financial transactions. Even then, these notes are given special protection, and disclosure typically requires the patient's authorization.

lawshun

What is the difference between 'consent' and 'informed consent' under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to counselors, as well as other healthcare providers, and outlines rules regarding the use and disclosure of protected health information (PHI). Under HIPAA, counselors must obtain consent or authorization from their clients for the use and disclosure of their PHI. This ensures that clients have control over who accesses their health information and for what purposes.

Now, let's discuss the difference between consent and informed consent under HIPAA:

Consent:

Consent, as defined by the HIPAA Privacy Rule, refers to advance permission from a client for the disclosure of their PHI to third parties. This typically occurs at the start of treatment and is required for routine disclosures, such as for treatment and payment purposes. However, after the August 2002 revisions, consent is not mandated by the Privacy Rule. Instead, many states have their own laws that require consent for these routine disclosures.

Informed Consent:

Informed consent, on the other hand, is not a concept specifically outlined in the HIPAA Privacy Rule. It is a broader principle that applies to the doctor-patient relationship and is governed by state laws and ethical codes. Informed consent refers to a client's decision to allow a counselor or healthcare provider to perform a particular treatment or intervention. To obtain informed consent, counselors must provide understandable information about the risks and benefits of the proposed treatment, ensuring clients can make knowledgeable, informed decisions. This information empowers clients with the autonomy to decide whether to proceed with the treatment, respecting their right to have control over their bodies.

In summary, consent under HIPAA pertains specifically to the disclosure of PHI to third parties, while informed consent focuses on obtaining a client's permission for a specific treatment after providing them with comprehensive information about the associated risks and benefits. Both concepts are essential for counselors to uphold ethical standards and respect clients' rights.

lawshun

When can a mental health professional share information without the patient's consent?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the Secretary of Health and Human Services to implement national standards to protect the privacy of individually identifiable health information that is transmitted electronically. The final HIPAA regulation was published in 2000 and has since been amended several times. Under the HIPAA Privacy Rule, "covered entities", including health care providers, can disclose protected health information for treatment purposes without patient consent. However, there are exceptions to this rule, such as in the case of "psychotherapy notes", which require authorization for disclosure.

According to the HIPAA Privacy Rule, health information can be disclosed without patient consent if:

  • The disclosure is reasonably necessary for the mental health provider to perform functions or exercise powers under the Act or any other Act.
  • The disclosure is permitted by certain Health Privacy Principles (HPP). For example, HPP 2.1 allows disclosure for the primary purpose for which the information was collected, while HPP 2.2 (a) permits disclosure for a secondary purpose if it is directly related to the primary purpose and the patient would reasonably expect the information to be disclosed.
  • The patient is suspected to be dead, missing, or involved in an accident or misadventure and is incapable of consenting to the disclosure. In this case, disclosure should only be to the extent necessary to identify the patient or locate their immediate family member or relative.
  • The disclosure is made in accordance with guidelines issued by the Health Complaints Commissioner under the Health Records Act and is reasonably necessary to prevent or lessen a serious threat to a person's life, health, safety, or welfare, or to public health, safety, or welfare.
  • The disclosure is reasonably required by another mental health or health service provider to provide health services to the patient.
  • The disclosure is permitted by an Act other than the Health Records Act.
  • The disclosure is made in general terms to the patient's family, carer, or supporter, and it is not contrary to the views and preferences expressed by the patient that the information must not be disclosed to these individuals. This disclosure is subject to certain limitations to protect the patient from family violence or other serious harm.
  • The disclosure is made to a psychiatrist giving a second psychiatric opinion, including providing access to the patient's clinical records or discussing their treatment.
  • The patient is a minor (under 16 years of age) and the disclosure is made to a parent or legal guardian.
  • The disclosure is made to a guardian of the patient and is reasonably required in connection with the performance of a duty or the exercise of a power by the guardian.
  • The disclosure is made to a support person (as defined by the Medical Treatment Planning and Decisions Act) of the patient.

In addition to these circumstances, information sharing without consent may also be permitted in specific situations, such as when sharing information with emergency service providers or when required by other legislation, such as laws related to family violence protection or risk assessment and management.

It is important to note that the HIPAA regulations only permit the sharing of treatment information without consent. The disclosure of "psychotherapy notes", which are a special form of treatment information, generally requires patient authorization. Psychotherapy notes are defined as notes recorded by a mental health professional documenting or analyzing the contents of a private counseling session and are kept separate from the individual's medical record.

State laws may also impose additional restrictions on the sharing of mental health information. Some states require patient consent for any disclosure of mental health records, while others permit disclosure for treatment purposes without consent only in specific situations, such as in an emergency or for continuity of care.

lawshun

What are the privacy rules for minors?

The HIPAA Privacy Rule generally regards a parent or guardian of a minor child as the child's "personal representative". A personal representative is authorised to exercise the HIPAA rights of the individual they represent, on that person's behalf. Therefore, a parent who is a personal representative can exercise a minor's HIPAA Privacy Rule rights with respect to protected health information (PHI), consistently with state law.

In addition, personal representatives have the right to exercise other HIPAA Privacy Rule rights, such as providing written authorisation for the disclosure of PHI. The HIPAA Privacy Rule also gives a personal representative the general right to make medical decisions on the minor's behalf.

However, there are three circumstances under which a parent is not the "personal representative" with respect to certain health information about their minor child. These exceptions generally follow the ability of certain minors to obtain specified health care without parental consent under state law, or standards of professional practice. In these situations, the parent does not control the minor's health care decisions and, therefore, does not control the PHI related to that care. The three circumstances are:

  • When state or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service.
  • When someone other than the parent is authorised by law to consent to the provision of a particular health service to a minor and provides such consent.
  • When a parent agrees to a confidential relationship between the minor and a health care provider.

The HIPAA Privacy Rule does not contravene state laws that expressly address the ability of parents to obtain health information about minors. For example, regardless of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child's PHI when and to the extent it is permitted or required by state law. If state law allows access, the HIPAA Privacy Rule does.

The privacy rule allows a health care provider or health plan not to treat a parent as a minor's personal representative, given a reasonable belief that the parent has subjected or may subject the minor to domestic violence, abuse or neglect, or that treating the parent as the personal representative could endanger the minor. The provider or plan must also decide that it is not in the minor's best interest to treat the parent as the personal representative.

Frequently asked questions

Generally, HIPAA does not apply to elementary and secondary schools. However, if a student's health records from outside the school setting are involved, then the notes kept by the school counselor may fall under HIPAA regulations.

Yes, HIPAA applies to all therapists and counselors, regardless of whether they are in large multihospital systems or are individual solo practitioners.

The primary purpose of HIPAA is to protect the privacy of people receiving health care services.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment