How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes
1 CE Credit Hour. Legal-Ethical. Continuing Education Session Replay
Developed by: Roy Huggins, LPC NCC
Presented By: Roy Huggins, LPC NCC; Liath Dalton
HIPAA is all about the privacy and security of our clients’ sensitive information. Even without HIPAA and other similar laws, mental health professionals have ethical duties to keep client information private and secure. Are HIPAA’s rules for maintaining privacy the same as our professional ethics codes? In many ways they are, and in some important ways they are not.
When a client first reaches out to make an appointment, is the information they send you protected under HIPAA? If you use clients’ initials instead of their names in your contact book, is that information still protected under HIPAA? If the answer to either question is yes, what does HIPAA require you to do? We will answer these questions and more in this CE for OH session.
This introductory-level course for counselors, clinical social workers, marriage and family therapists, and clinical and counseling psychologists helps learners make sense of when HIPAA applies and when it doesn’t in the many contexts where mental health clinicians use client information.
- Determine when information is personally identifying using HIPAA’s list of 18 identifiers
- Determine when PHI is the responsibility of the learner’s practice under HIPAA
- Identify when services and software tools may be handling HIPAA protected health information
- What, precisely stated, is “Protected Health Information?”
- PHI as defined under HIPAA
- Examples of “health information.”
- “PHI,” the HIPAA concept vs. “Confidential information,” the professional ethical concept
- Precision in definition
- Boundaries of scope
- PHI as defined under HIPAA
- How does HIPAA determine what is “personally identifying” and what is not?
- HIPAA’s 18 identifiers
- Applying the identifiers to information typically found in mental health practices
- When does “personally identifying health information” become my practice’s PHI, and by extension my/our responsibility under HIPAA?
- “Scope” in security and privacy regulations
- The scope of HIPAA’s various rules
- Concrete examples of the likely edges of HIPAA PHI in mental health practices
- How do I know when PHI is being handled by my devices, service professionals, and cloud services?
- Following information flow
- Which identifiers to look for based on where you’re looking
- Identifiers on smartphones
- Identifiers on cloud services in general
- Identifiers on email and texting services
- Identifiers and service professionals
- US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification . Washington, DC: Author.
- US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule . Washington, DC: Author.
Roy Huggins, LPC NCC, is a counselor in private practice who also directs Person-Centered Tech. Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions.
Roy is an adjunct instructor at the Portland State University Counseling program where he teaches Ethics, and is a member of the Zur Institute advisory board. He has acted as a subject matter expert on HIPAA, security and clinical use of technology for Counseling licensure boards and both state and national mental health professional organizations. He has co-authored or authored 2 book chapters, and he routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice. He served for 5 years on the board of the Oregon Mental Health Counselors Association and then the Oregon Counseling Association as the Technology Committee Chair.
He really likes this stuff.
Liath Dalton is a Ph.D candidate in Religious Studies. She began her academic career at Reed College and continued her graduate work at the University of Cape Town.
Liath is the Deputy Director for Person Centered Tech and runs our HIPAApropriateness review program. Through her combination of experience evaluating products for their utility and security in regards to how they can meet risk management needs and providing guidance to members around what product options will best meet their specific practice needs, Liath has an intimate knowledge of both what the practice tech needs are for mental health professionals and what it takes for a product to meet those needs.
Accuracy, Utility, and Risks Statement: The contents of this program are based on publications and reports from the federal Department of Health and Human Services; consultation with experts on HIPAA Security standards and their implementation; and personal study from the program developers. Some interpretation and analysis presented is made by the presenter, in consultation with knowledgeable colleagues and expert consultants. Statements about applications to technology are according to presenter’s understanding of the technology at the time of the program. The presenter may not know how to apply all principles discussed to every technology type or product. This program discusses strategies for complying with HIPAA and covered ethics codes. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in security problems, data breaches, or non-compliance with applicable laws or ethics codes.
Conflicts of Interest: None.
Commercial Support: None.