Episode 417: What You Should Know About HIPAA Covered Entity Status Transcript

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records. Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 417: What You Should Know About HIPAA Covered Entity Status.

 

Liath Dalton 

Ah yes, the question as old as time, or rather as old as since HIPAA was enacted, as a federal regulation has been the question of “Am I a HIPAA covered entity?” Or “Is my organization my institution, a HIPAA covered entity? What does it matter if I am or I am not?”

 

Liath Dalton 

And there’s a lot to unpack here. That is, while not the sexiest of topics really important to understand, because the implications for your your practice are significant. And there are some really key pieces to be aware of. So let’s dive right in.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So to begin with, what we want to look at is what actually makes someone a covered entity?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And that part is a little complex, because it’s based on what is defined as a covered transaction.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And a covered transaction, the easiest way to distill it down, is an electronic communication with insurance.

 

Evan Dumas 

Yup, yeah.

 

Liath Dalton 

That’s the simplest way to put it. And so from that, a lot of providers will make a determination “Oh, I’m not an insurance based practice. So I’m not having direct communications with insurance. So therefore, I’m not a HIPAA covered entity. And HIPAA doesn’t apply, and I don’t need to worry about it.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But unfortunately, there are still things that can qualify as a covered transaction. One area where we’ve seen this come up is with practices that contract with EAPs, because the amount of information that needs to be provided for those claims to get processed, is still something that qualifies as a covered transaction.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So it is not a de facto case that you are not a HIPAA covered entity if you don’t currently take insurance.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

The other piece related to this is that if you have been a covered entity at any point, we mean you’ve performed covered transactions, so electronic communications with payers, even if it’s a out of network benefits verification for a client, that has conferred HIPAA covered entity status, and once that status is conferred, it is in place forever and ever.

 

Liath Dalton 

It is not something that stops when you, for example, switch from being an insurance based practice to a private pay only practice. So that’s really important to to note, and it’s an area where we’ve seen some some confusion amongst folks and understandably so. Because if performing a covered transaction makes you a HIPAA covered entity, it would seem that there should be a way to then elect not to be a HIPAA covered entity if you cease performing covered transactions, but that’s getting into the weeds a little bit, because really what we want to talk about is how it matters to follow HIPAA, regardless of whether or not you are, in fact, a HIPAA covered entity, for a multitude of reasons and, and benefits.

 

Liath Dalton 

So, one component there is that HIPAA is an incredibly useful framework for meeting the ethical requirements of each of the therapy professions.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Each of the ethics standards specify, to a certain extent, how client information and electronic client information needs to be protected and safeguarded, but does not provide the level of specificity or flexibility that HIPAA does.

 

Evan Dumas 

No.

 

Liath Dalton 

And it is much easier when you’re evaluating a service provider, to be looking at whether or not they understand HIPAA, and are prepared to execute a HIPAA Business Associate Agreement with you, then it is to approach a service provider and say, I am a clinical social worker, and I have these ethical responsibilities that I have to uphold and have to make sure the safeguards are in place. So can you give me assurances that you will do that?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

That’s not something that is realistically feasible. But thankfully, the concept of HIPAA Business Associates and it being a federal regulation makes it much easier in terms of being a known quantity amongst service providers that serve the healthcare profession.

 

Evan Dumas 

Yeah. Yeah.

 

Liath Dalton 

Evan, you also had a really excellent point about the components for Safe Harbor that ties into this useful framework.

 

Evan Dumas 

Yeah, so there’s this wonderful topic or thing called Safe Harbor. Now, it’s used in lots of different industries. Basically, it’s a term saying when your, whatever, generally devices meet the standards, they are considered safe, you don’t have to go above and beyond it. If it’s lost or stolen, it’s not, it’s you know, it’s not it’s a considered a brick.

 

Evan Dumas 

So Safe Harbor’s lovely, because you’re like, oh, sweet, I only have to do these things, I’ll get them checked off. Now, I don’t know of any trainings or any information out there that’s like, and here’s how you comply with your state’s data privacy laws for your device needs. Because all of this stuff is buried pretty deep in the legislation, and regulations.

 

Evan Dumas 

But for HIPAA Safe Harbor, that stuff’s totally published. And we have trainings on it, other people do, too.

 

Liath Dalton 

Mhm.

 

Evan Dumas 

So introduces you to the concept of Safe Harbor, lets you be like breathe at night, knowing Hey, oh, I won’t have to worry if it’s lost or stolen. I don’t have to I don’t have to file a breach. And so it says, Hey, do these things. It just so happens that the Safe Harbor standards that HIPAA proposes covers you for your state based regulations you need to comply with. So it’s really taking care of a lot of things at once by by doing the HIPAA route.

 

Liath Dalton 

Exactly.

 

Liath Dalton 

So if you have devices that are used for any practice work secured according to the standards for Safe Harbor under HIPAA, then that means that you are also covered in terms of state data breach laws, which apply whether or not you are a HIPAA covered entity. They actually apply regardless of whether you’re a healthcare provider or not, though there are kind of a higher level of requirements for health care data. So that is something that applies across the board regardless of covered HIPAA covered entity status. But if you’re covering yourself under HIPAA, you’re covered under state as well. And so it’s a nice two birds one feeder solution there.

 

Liath Dalton 

And kind of following from  that is another area where we’ve seen folks who really haven’t performed a covered transaction, still conferring HIPAA covered entities status on themselves by virtue of giving a HIPAA Notice of Privacy Practices form to clients. And it’s understandable how this happens as well, right? You get your sort of practice paperwork startup set, either from an attorney or from colleagues, or maybe you’ve compiled it based on some of the templates that were used at previous places of employment. And this is something, the HIPAA Notice of Privacy Practices that is just sort of standard and feels default.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So it can easily in those sorts of circumstances be something that you have adopted in your paperwork, even if you have not performed covered transactions and do not, in fact, have HIPAA covered entity status.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So once a once you have told clients that they have rights under HIPAA, you you have to uphold those rights and you are subjected to those those requirements and responsibilities and liabilities. So, and I can’t tell you actually how many practices we’ve done consults with where they have said, we’re we are all private pay, so we’re not a HIPAA covered entity. We still follow some basic principles like getting BAAs with service providers, but we’re not a covered entity, so do we need to worry about the formal HIPAA risk analysis or policies and procedures and those sorts of things?

 

Liath Dalton 

And our guidance is always if you are going to operate as though you are not a HIPAA covered entity, you must ensure that you are in fact truly not a HIPAA covered entity and do so in a way that is going to be protective and defensible for you. That determination should be made on an evaluation by a HIPAA attorney specifically.

 

Liath Dalton 

And so when I’ve been doing these consults, and gotten into a conversation around it, there have been so many times when we’ve discovered that it’s a moot point to do that consult with an attorney, because they have the Notice of Privacy Practices, also referred to as the HIPAA form as part of what they’re providing to clients.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that’s kind of, you know, another good point for the whole consideration of it, whether or not you are HIPAA covered entity, there are so many benefits and compelling reasons to still follow all of the standards that it includes and to only make informed decisions about not following those, if you truly and verifiably are not a HIPAA covered entity.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

That going through some of the sort of processes and hoops to obtain that status or verify that you have that status and then ensure that you never do anything that is a covered transaction and confers covered entity status is a lot of rigamarole to to manage.

 

Liath Dalton 

So going back to one of PCT’s very first articles, which was “Am I HIPAA covered entity and how much does it matter if I am or not?” Our position on that has not changed. But the reasons why we we still make the argument that we do have only sort of been bolstered by further learning as HIPAA has been around longer, as there’s been more case law. Increasingly we also see some licensing boards rules and regulations explicitly mention HIPAA compliance in terms of requirements for safeguarding client information.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So it is not something that I think we want to try to avoid just out of the box because of a sense that if HIPAA doesn’t apply that things are going to be easier. Rather we’d make the case that acting as though HIPAA applies is the easiest and most straightforward way to have both specificity and flexibility in terms of guidance and mechanisms available to you to safeguard client information, cover yourself in terms of ethical requirements, and your state data privacy laws and rules. So it’s a win win win on on each of those fronts. And I hope that we can all kind of reframe a little bit how we think of HIPAA, in in that way, right?

 

Liath Dalton 

Looking at it, leaning into it being a useful tool that really is supportive of a healthy practice, and healthy in a in a holistic sense, rather than this restrictive imposition, that makes things harder for our practice.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that’s the kind of takeaway reframe, for how I would love to see us engaging with with HIPAA as a regulatory framework and something that applies in our practice settings.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Any other pieces, you would add to that, Evan?

 

Evan Dumas 

Well, it’s just nice, because like, sort of speaking to the training piece, there’s trainings out there on how to follow HIPAA and what to do about HIPAA and whatnot. And, you know, it’s it’s big, scary monster if you don’t know what to do. But a lot of folks don’t know that there’s already things you have to comply with. State based regulations, regulations from your license code of ethics, that type of thing, that HIPAA sort of covers.

 

Evan Dumas 

And so, it would be much harder to hunt down, oh, what is my local state’s trainings on data safety, or, like security practices for communication? When you could just take a HIPAA training and just be like, you know. It’s of the two choice, if you think, Hey, am I a HIPAA covered entity? Well, I might as well act as though I am, so I can do all these safety things. And then you’re fine. And maybe find out down the road, you’re not, but I mean, I mean, you are because you put the NPP in.

 

Evan Dumas 

But the other side of the coin is, if you’re someone who says, you know, I’m just gonna think that I’m not a HIPAA covered entity, but then later down the road, you find out you are and you haven’t been doing it and bad things happen, like, err on the side of caution. Here, look, look at all these wonderful, helpful tips that this agency is giving you on how to do these things and be cautious. Like they’ve done the research. So might as well just follow what’s out there and know that it’s all written down, and you can just follow the steps rather than having to hunt down your your local regulations yourself.

 

Liath Dalton 

Exactly. And want to also emphasize this this last point, because it’s something that came up in discussion of this exact question in last week’s Group Practice Office Hours, which was the Eric Day session of the month, when we have it co facilitated by Eric Strom, who’s a HIPAA and teletherapy attorney as well as a clinician, and Eric was highlighting the fact that in these sorts of reviews that he has done for his mental health care clients, that it is exceedingly rare that he has ever found someone to truly not be a covered entity, and to ever obtain that status.

 

Liath Dalton 

So that just kind of emphasizes that it’s, it’s pretty challenging to actually be a healthcare provider, have worked in different settings as well, prior to launching your current practice, and to have done so without having obtained covered entity status in one of those prior therapy work settings. Right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So, hopefully, this is is helpful in terms of clarifying some of the pieces around HIPAA covered entity status and in an even broader and maybe more useful sense as well, just looking at how we can lean into an embrace it being a helpful tool.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

We’ll talk to you next time.

 

Evan Dumas 

Yeah, talk to you next time everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at PersonCenteredTech.com For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.