Did you know that just because you practice health care in the United States, you’re not necessarily legally required to comply with HIPAA? The followup question, of course, is, “Does it really change anything if you’re not?”
For HIPAA, only those folks who qualify as “covered entities” are legally required to comply with the law. For health care providers, this is how the law defines a “covered entity”:
A health care provider that conducts certain transactions in electronic form.
“Certain transactions” — what a mysterious statement. Many have claimed that these transactions are things like sending emails or using Skype to speak with clients. In fact, those things are not true.
These “covered transactions” relate to billing insurance and making inquiries with insurance such as statements of benefits. Specifically, they are the transactions defined in HIPAA’s lesser-known Transaction Rule. You can see a list of those transactions in the Feds’ helpful document, “Are You a Covered Entity?“.
So if your practice has never billed insurance, it is probably not a HIPAA covered entity.
Yes, that sounds odd to me, too. HIPAA covers so much more than just insurance billing. Why would that be the sole rubric? It’s strange, but it is the rule. To be sure, please check out CMS’ “Are You a Covered Entity?” guide and consult with your attorney on making a decision about whether or not to consider your practice as a covered entity.
This definition did not change in the January, 2013 Omnibus Final Rule, by the way.
I don’t directly bill insurance at all. So I don’t have to comply with HIPAA?
Well, that’s not entirely the case.
Consider our professional ethics codes. All of these professional organizations’ ethics codes, at the very least, explicitly require that we take steps to maintain the confidentiality of client data, including in electronic media: ACA, APA, NASW, AAMFT, and NBCC.
Here are some ethics code examples:
Counselors take precautions to ensure the confidentiality of all information transmitted through the use of any medium.
ACA Code of Ethics, 2014, B.3.e emphasis mine
In addition, The ACA code has a whole section on the use of digital tech in counseling. That section (Section H) even defines a few ethical standards around security, but it does not encompass the whole practice and it does not define how to achieve security. So far, HIPAA is our only influencer that does that.
It is the therapist’s or supervisor’s responsibility to choose technological platforms that adhere to standards of best practices related to confidentiality and quality of services, and that meet applicable laws.
AAMFT Code of Ethics, 2015, 6.3
This Ethics Code applies to these activities across a variety of contexts, such as in person, postal, telephone, Internet, and other electronic transmissions.
Ethical Principles of Psychologists and Code of Conduct (“APA Code of Ethics”), Introduction and Applicability
The APA’s code makes a point of noting that the principles of the code extend to the digital realm. The ethical principles themselves also address the need for security in transmissions, but this statement from the Introduction says quite a bit by itself. Once again, however, we see only a partial address of the need for security and privacy in a psychologist’s practice.
Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.
NASW Code of Ethics, 1.07 (m)
…All electronic therapeutic communication methods shall use encryption and password security.
NBCC Code of Ethics, 54
So if someone is inquiring into the question of whether or not you are complying with these digital confidentiality mandates and taking proper steps to protect clients, what professional standard should they look to? Certainly in the United States, HIPAA is the most well-developed and authoritative set of rules defining standards for security and privacy in health care.
Does this mean you will be subject to all aspects of HIPAA, even if you’re not a covered entity? That’s harder to answer. For example, the Office of Civil Rights’ random audit program is defined as being random audits of covered entities. Non-covered entities cannot be audited (I question whether many mental health providers will be audited at all, but that’s just conjecture.) Complying with the essential standards around security and privacy seems like a no-brainer, however — we need to do it to keep up with standard of care.
So HIPAA defines standard of care around security and privacy?
Maybe. Sometimes. Not always.
For a long time, experts theorized that HIPAA could be invoked as standard of care in situations such as malpractice cases or licensing board actions. For the most part, this is still theory.
We do have a couple of cases now, though. There was a quite decisive decision (repetition intended) from the Ohio Second District Appeals Court in the case of Sheldon v. Kettering Health Network. The judge made a couple of points that are quite relevant to our interests here:
…the plaintiffs contend… that they were not seeking recovery under HIPAA and that they were relying on [HIPAA], at most, to establish a standard of care.
However, we further conclude that federal regulations [e.g. HIPAA]—as opposed to an Ohio statute that sets forth a positive and definite standard of care—cannot be used as a basis for negligence per se under Ohio law.
(all emphasis and items in brackets are my own additions)
In this case, the plaintiffs were suing Kettering Health Network because a doctor there had committed an egregious and nasty violation of the plaintiff’s medical privacy. They argue (quite correctly) that this violation only occurred because the clinic itself was not following its own security policies and thus had slipped out of compliance with HIPAA.
The questions was: can the plaintiffs sue the clinic for negligence? To do so, they have to prove the clinic was not meeting standard of care. The plaintiffs argued that the clinic’s lack of HIPAA compliance indicated they were not meeting that standard.
The judge disagreed that HIPAA — a “federal regulation” — can be used to define standard of care and therefore “cannot be used as a basis for negligence per se under Ohio law.” (emphasis mine.) The clinic is subject to HIPAA enforcement by HHS’s Office of Civil Rights and/or Ohio’s attorney general, of course. That won’t get the plaintiffs any money, though.
The judge did note something else, though:
Despite preemption and the lack of a private right of action, we are aware of three states that have expressed approval of the use of HIPAA regulations as a standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (2014), R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E. 2d 715 (W. Va. 2012), and Acosta v. Byrum, 180 N.C. App. 562, 568, 638 S.E.2d 246 (N.C. Ct. App. 2006). However, each is dependent on the nuances of applicable state law, the claims pursued, and the unique facts presented.
Amateur (or professional) law scholars among the readership can follow those links for further information. We can see from the quick view, however, that HIPAA as a standard of care is highly dependent on jurisdiction and circumstances. Furthermore, there are still hundreds of jurisdictions in which that question has not yet come up.
Back to the Insurance Thing: So if I stop billing insurance, I can stop being a covered entity?
This is not at all clear. The law seems to imply that once you “break the seal” and make one of those “covered transactions” electronically, you’re a covered entity forever and ever. One could envision a situation where a clinician argues that they are not currently acting as a covered entity as it is described and therefore shouldn’t be treated like one, but I’ve never heard of that argument being tested.
Remember that state laws vary widely on the issue of health care privacy. If you’re interested in “emancipating” from HIPAA, or in any way acting on the educational information in this article, I strongly advise you to consult an attorney. Even if you aren’t a covered entity, many states have laws that mimic HIPAA or are stricter than HIPAA.
HIPAA emancipation will not free any US health care provider from performing duties related to security and privacy in their practices. For many clinicians, HIPAA compliance is a useful approach to meeting their needs for security and privacy because there are so many resources available for achieving it.
In short: we recommend HIPAA compliance or at least something close to it.