When starting a group practice, one of the biggest questions is whether to bring on clinicians as independent contractors or employees. Group practice coaches talk about the ups and downs of each choice quite a bit, but we don’t often see discussion of how this choice impacts compliance with the HIPAA Security Rule.
Getting an early understanding of HIPAA’s role in this choice may be more important than you think, even if you don’t intend to tackle HIPAA Security compliance until you’re further down the practice development road.
We’ve seen quite a few groups that were chugging along for years, finally decided to get compliant, and then discovered that their business structure was going to make the compliance process a small nightmare. Not only did they need to restructure, but they also had to convince all their clinicians to change the way they’ve been doing things for years. And we know how clinicians (because clinicians = us) can be plenty ornery when it comes to changing their work processes while handling a full caseload!
HIPAA Security in a Nutshell
If you’ve read our article series on HIPAA compliance for mental health pros, then you know that complying with the HIPAA Security Rule requires periodic risk analysis, some risk management/mitigation planning, and making policies and procedures.
For a group practice, allow me to super-extra emphasize that last bit: policies and procedures.
Every clinician who must comply with HIPAA needs security policies and procedures — and Person Centered Tech offers a full set of HIPAA Security policy templates to our members — but they are especially important for groups.
Why? Well, if it’s just you in the practice, then it’s just you that needs to be looked after. So when you learn something important about security or general HIPAA compliance, you can depend on yourself to act on your learning (or at least you only have yourself to blame if you don’t.)
In a group, HIPAA Security p&ps (people in the know say “p&p” instead of “policies and procedures”) are essential to ensuring that everyone keeps up the security and compliance behaviors that the practice needs for its survival and for the well-being of its clients. If, heaven forbid, the practice were audited for compliance, then the auditors will expect to see p&ps that cover all of HIPAA’s Security standards. They are unlikely to be understanding if such policies are missing or, at the very least, not under active development.
That brings us to an important point: what are the HIPAA Security standards and how do they impact the way in which you write and enforce your security p&ps?
HIPAA Security standards that directly impact a practice’s working members include such gems as sanctions for workforce members who violate policies, procedures for giving someone access to the practice’s information when they start at the practice, procedures for taking it away when they leave, and a few more detailed items.
HIPAA’s standards are written on the assumption that a practice is able to enforce its policies, and that it’s possible to require various kinds of remediation from members of the practice who violate them. That brings us to the next point.
State Employment Laws and Independent Contractors
To be sure: employment status has essentially nothing to do with any of HIPAA’s rules or standards. For example, someone does not have to be a practice’s employee to be a member of its “workforce” under HIPAA. Employment laws can impact your ability to enforce policies and procedures, however. And that’s where the big problems can start.
Every state has its own way of defining when someone who works for you must be considered an employee and when it’s acceptable to hire them as an independent contractor. Although each state is different, the general thrust of these rules is that the more you require someone to do things your way, the less likely it is that you can legally hire them as a contractor.
As described above, you need to have security policies and procedures that get followed and that can be enforced in order to comply with HIPAA. It’s easiest to do that when everyone working in the practice is an employee. Some states, however, have relatively lax rules regarding contractors. We’ve talked to group practice owners before who are confident, based on consultation with their attorneys, that contractor status doesn’t prevent them from being able to enforce their security p&ps. For them, hiring contractors seems to be compatible with HIPAA Security. Group practice owners in other states, however, have sometimes had to completely change their structure in order to make their HIPAA Security compliance processes work.
For practices who much prefer to bring on clinicians as independent sub-business, but may not legally be able to enforce policies in such a structure, there are HIPAA compliance models that can potentially work with your business model. Ask us about a group membership consult and we’ll be happy to discuss the different models during the initial consultation.
When deciding on contractors vs. employees, be sure to think about HIPAA Security p&ps — as well as employee policies and procedures in general! Know how your state’s employment laws impact your ability to write and enforce policies.
And remember that policies are a good thing! Many of us quite rightly chafe at bureaucracy, but a lack of structure can be even worse. Good policies are a real boon, but bad policies are terrible. So make your business structure decisions intentionally and with a mind towards good policies, including the ones you need for HIPAA compliance.
And if you need help with that, our group membership program includes HIPAA Security compliance tools, a full set of template security p&ps, and personal support packages that will make the process much easier on you. Check it out here.
For more education on this topic, see our self-study CE Webinar: