How to Make Your Mental Health Practice HIPAA Compliant?
As a mental health provider, you have to deal with lots of patients’ sensitive information on a daily basis. You can lock your cabinet, put the records in the safe box and switch on the alarm, but these security measures are only a part of what you should do to protect the data that is stored in your electronic system.
Each year we read about cases of compromised health records. When it turns out that the system used by a medical organization was not HIPAA-compliant, the penalties increase.
How do you stay on the safe side and protect your system according to HIPAA guidelines? We know how overwhelming it can be to read all the HIPAA rules, let alone implement them in practice and be sure that everything is correct. That’s why, together with our partner Greenice, we created this guide, which explains the main regulations and gives you a structured understanding of how to prevent a data breach.
Why Does Mental Health Practice Need to Comply with HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act, signed by President Bill Clinton in 1996. In brief, it is a set of rules that individuals and organizations must fulfil to protect patient information. The documents explain how medical organizations and individuals should treat patient information, what information should be protected, what the patient's rights are, when it is possible to disclose information, etc.
If you handle patient data and bill insurance, then most likely you need to be HIPAA-compliant. To be sure, however, do not hesitate to check using the official tool here.
The worst part is that the mere fact that your organization is not HIPAA-compliant can lead to a penalty. In case of government checks or investigations, a mere suspicion that data was left unprotected (like a laptop left open and unsupervised) can be regarded as a violation, even if no breach has happened yet.
By 2019, OCR audits had resolved over 27,015 cases and fined organizations a total of $102,681,582. To avoid fines, you need to study the HIPAA rules and implement them in your electronic records solution. The Act is large enough to discourage anyone from starting, so we have broken it down into step-by-step instructions that explain what to do to become HIPAA compliant. Let’s start with data collection.
How to Correctly Collect Mental Health Data
Note: “Protected Health Information (or PHI) is any information that is held by a covered entity or its business partners regarding health status, provision of health care, or health care payment that can be linked to any individual”.
What does this mean in terms of the data that needs to be protected? Here is an example list of what it can cover in a mental health practice:
- records of a person’s state, behavior, feelings, the progress of treatment and the like;
- information about the relationship between the psychotherapist and patient (appointment scheduling, list of services provided to the patient, records of online sessions);
- prescriptions of medications;
- email and other electronic communications;
- assessments and reports of the patient’s state and progress;
- psychotherapy notes;
- sums of payments for services and payment details, receipts and invoices; and
- back-up copies of all stored patient data.
Before setting up a practice, register for a National Provider Identifier (NPI) and an Employer Identification Number (EIN). These two identification numbers are obtained from the respective government agencies and are used in contracts and transactions with patients and employees respectively.
When collecting PHI, stick to the following basic rules:
- Do not ask for extra data. Follow the principle “less is better”. The less data you collect, the less data is lost in case of a breach. If you do not need some personal data to provide your services, for example, address details, avoid asking for it.
- Ask for the patient’s permission. If you are going to use patient data for purposes other than treatment (e.g., marketing), you should receive the patient’s written authorization for collecting and processing the data.
- Create a Privacy Notice. This document should explain to the patient all your conditions for collecting and using PHI. It should explain how you are going to collect, store, protect and use the data, what the patient’s rights are, in what cases the data can be disclosed, what your legal duties are, etc. Make this document short and intelligible, using clear and plain language, so that a patient can quickly read and understand it.
Security of Information
Now that the data is collected, you need to provide secure storage and transfer methods. Here HIPAA describes Administrative, Physical and Technical safeguards that should be fulfilled. Let’s review all of them.
Administrative Safeguards include:
- Risk assessment and mitigation. You need to identify all possible risks and prepare a risk management plan describing how you will mitigate the discovered risks. Create rules for employees that explain their responsibilities and the consequences in case of a data breach. Review compliance with the data security rules regularly.
- Security official and privacy officer. These team members are responsible for putting the HIPAA rules into practice. The roles can be fulfilled by one or several people and can either be assigned to your employees or delegated to specially hired people.
- Data access management. Make sure that only authorized people have access to electronic records. If necessary, separate the access roles to provide different levels of data access. Revoke access for employees whose contracts with your company have ended.
- Employee security. All employees should be instructed on how to apply the security measures, and should be regularly trained and reminded of them.
- Security incident procedures and contingency plan. You should create a step-by-step guide on what to do in case of an attempted or successful unauthorized access to data. Create a document with instructions on what to do in an emergency, such as a power outage. It should include data backup rules and a disaster recovery plan. The procedures should be tested and revised from time to time.
- Testing, reassessment, and evaluation. All the above-mentioned measures should be regularly reviewed for HIPAA compliance by the Security Officer.
Physical safeguards include:
- Facility Access Controls. Make sure that only authorized people have access to facilities and equipment: computers are kept in a locked location, all employees have personal IDs and do not share passwords, and the people responsible for disaster recovery have access to all necessary facilities.
- Workstation Use. By workstation, we mean any device, such as a PC, laptop or smartphone, used in your practice. All devices containing sensitive data should be securely protected and allow authorized access only.
- Device and Media Controls. There should be rules on how all hardware (hard drives, memory cards, CDs) that stores ePHI is managed and disposed of when it is no longer needed. Also, define the situations in which ePHI should be backed up.
Technical safeguards include:
- Access Control. In the technical sense, access control means providing such protection measures as assigning unique usernames and passwords, implementing automatic logoffs, and giving full access to the system to the person responsible for data recovery;
- Audit Controls. You should log all interactions within your systems and review these logs regularly, so that you can quickly notice suspicious behavior or prove that your employees were not at fault in case of a breach;
- Integrity. Protect the integrity of ePHI by putting in place measures that prevent unauthorized change or deletion of data, including firewalls, antivirus software and data encryption;
- Transmission Security. Transfer sensitive data using encryption and secure channels of transmission.
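To make the Access Control, Audit Controls and Integrity safeguards concrete, here is an added example in Python (not code from this article, Legal Nodes or Greenice): a toy in-memory ePHI store with unique user accounts and role permissions, an inactivity timeout standing in for automatic logoff, an audit log of every access attempt, a keyed hash that detects records altered outside the application, and a review function over the log. The usernames, roles, the 15-minute timeout, the key and the patient record are all constructed for illustration; Transmission Security is out of scope here because it belongs to the transport layer (TLS), not to the application.

```python
"""Minimal model of the HIPAA Technical Safeguards listed above.
Added example, not code from the article, Legal Nodes or Greenice.
All usernames, roles, records, the timeout and the key are constructed."""
import hashlib
import hmac
from collections import Counter

SESSION_TIMEOUT = 15 * 60                # assumed automatic-logoff window, in seconds
INTEGRITY_KEY = b"constructed-demo-key"  # in practice: loaded from a secrets store

# Role-based access to ePHI; the recovery officer gets full access, as the text requires
PERMISSIONS = {
    "therapist": {"read", "write"},
    "billing": {"read"},
    "recovery_officer": {"read", "write"},
}


class PHIStore:
    def __init__(self, users):
        self.users = users       # unique username -> role (Access Control)
        self.records = {}        # patient_id -> (note, integrity tag)
        self.sessions = {}       # username -> last activity time
        self.audit_log = []      # every attempt, allowed or denied (Audit Controls)

    def _tag(self, patient_id, note):
        # Integrity: keyed hash over the record so silent edits are detectable
        msg = f"{patient_id}:{note}".encode()
        return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()

    def _audit(self, user, action, patient_id, allowed, now, reason=None):
        self.audit_log.append({"ts": now, "user": user, "action": action,
                               "patient": patient_id, "allowed": allowed,
                               "reason": reason})

    def login(self, user, now):
        ok = user in self.users
        if ok:
            self.sessions[user] = now
        self._audit(user, "login", None, ok, now, None if ok else "unknown user")
        return ok

    def _authorize(self, user, action, patient_id, now):
        """Enforce automatic logoff and role permission; log the outcome either way."""
        last = self.sessions.get(user)
        if last is None or now - last > SESSION_TIMEOUT:
            self.sessions.pop(user, None)            # automatic logoff
            self._audit(user, action, patient_id, False, now, "no active session")
            return False
        self.sessions[user] = now                     # activity keeps the session alive
        allowed = action in PERMISSIONS.get(self.users[user], set())
        self._audit(user, action, patient_id, allowed, now,
                    None if allowed else "role not permitted")
        return allowed

    def write_note(self, user, patient_id, note, now):
        if not self._authorize(user, "write", patient_id, now):
            return False
        self.records[patient_id] = (note, self._tag(patient_id, note))
        return True

    def read_note(self, user, patient_id, now):
        if not self._authorize(user, "read", patient_id, now) or patient_id not in self.records:
            return None
        note, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(patient_id, note)):
            self._audit(user, "integrity_failure", patient_id, False, now, "tag mismatch")
            return None
        return note


def review_denials(audit_log, threshold=3):
    """Periodic log review: users with at least `threshold` denied attempts."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}


def demo():
    """Walk through the safeguards with constructed users and one constructed record."""
    store = PHIStore({"dr_lee": "therapist", "bill_1": "billing"})
    t0 = 1_700_000_000
    store.login("dr_lee", t0)
    store.login("bill_1", t0)
    store.write_note("dr_lee", "P001", "Session 1: intake", t0 + 10)
    ok_read = store.read_note("bill_1", "P001", t0 + 20)             # billing may read
    denied_write = store.write_note("bill_1", "P001", "x", t0 + 30)   # but not write
    expired = store.read_note("dr_lee", "P001", t0 + SESSION_TIMEOUT + 60)  # logged off
    # Simulate an edit that bypassed the application (e.g. direct database access)
    note, tag = store.records["P001"]
    store.records["P001"] = (note + " [altered]", tag)
    store.login("dr_lee", t0 + 2000)
    tampered = store.read_note("dr_lee", "P001", t0 + 2010)          # integrity check fails
    return ok_read, denied_write, expired, tampered, store.audit_log
```

Running `demo()` returns the intake note for the billing user, `False` for the billing user's write, `None` for the therapist's read after the timeout, and `None` again once the stored record has been altered behind the store's back; `review_denials(log, threshold=2)` then flags the user with two denied entries. The point a practitioner should take from it is that every one of those outcomes, allowed or denied, leaves a log entry, which is what lets you later show what happened and who was or was not at fault.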
When You Can Disclose the Data
Though HIPAA is about preventing data disclosure, in your practice you may face many situations when you have to disclose the data. For example, the family may require information on their relative’s state and treatment or governmental authorities may require disclosure.
How to do it without breaking the law? Here are the key aspects.
- In most cases, you need to obtain the patient’s permission for data disclosure, whether you provide data to their relatives or to third parties (e.g., other clinics);
- If a patient is unable to sign a permission, you may decide whether or not to disclose the information, taking into account whether it may cause harm to the patient;
- When disclosing your psychotherapy notes, you also have to obtain the patient’s consent. At the same time, the patient cannot make you disclose psychotherapy notes against your will or without your authorization;
- You do not need permission when you share information for payments, billing, or consultation with another professional regarding the patient’s treatment; and
- Group therapies do not require authorization to disclose PHI in front of other participants.
Business Associate Agreement
By using SaaS software such as a CRM, EHR or ERM, you give the vendor of the solution access to the data. You will need to sign a Business Associate Agreement with them to ensure non-disclosure of the PHI in your possession and compliance with HIPAA.
Remember, you are primarily responsible to the patients for the data you collected from them. Misbehavior on the part of your service providers without appropriate contractual safeguards will be your responsibility.
You have to disclose protected health information in the following cases:
- disclosure is required by a legal act;
- required by court order or official inquiries;
- in case of public health activities (domestic violence, child abuse); and
- for a patient’s workers’ compensation.
Should this happen, you can do it without obtaining additional authorizations from the patients.
How to report a data breach
If data was unlawfully disclosed or compromised, you have to report the breach to the following parties after discovering it:
- Affected patients – within 60 days;
- The U.S. Department of Health and Human Services (HHS) – on an annual basis here; and
- Local media outlets and publication on the HHS website – within 60 days, if a breach affects more than 1500 individuals from one State or jurisdiction.
How to Apply This to Your Practice
We understand that this topic is too large to explain in a few pages, and it is always better to investigate further through the official documents. At least now, the volume of text and the legal language of the Act should not intimidate you.
Many aspects of the legislation repeat, and the main points are to elaborate disclosure rules, security measures, and plans for emergencies and data breaches so that you are ready to quickly eliminate the negative consequences. To get a more profound understanding, good advice at the intersection of technology and law can help you out. This is why we partnered with Greenice to create end-to-end solutions where both technical and legal expertise are required.
Greenice is a web development team with substantial experience in developing custom medical software. They specialize in developing solutions that are secure and tailored to the exact needs of their clients.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, medical, or other advice.
Vlad Nekrutenko, Privacy Lawyer at Legal Nodes
Kateryna Reshetilo, Head of Marketing at Greenice.net