Everything You Wanted to Know About HIPAA (But Were Afraid to Ask)

What You Need to Know About HIPAA

Are you confused about HIPAA and how it affects your private practice? You’re not alone. HIPAA can be hard to navigate when you’re working for yourself and by yourself in private practice. If you have a ton of questions about HIPAA, this article is a great place to start.

Below, we’ll tackle the most commonly asked (and confusing) questions about HIPAA.

What is HIPAA, Anyway?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

HIPAA requires that any information about your clients be kept confidential in accordance with the Act. Whether the information is delivered through electronic devices, on paper, or orally, it must be protected from any unauthorized entity.

Although this post concentrates on only one part of the Act, HIPAA comprises five titles. They are:

  • Title I, which regulates access and availability to health care plans. It also covers portability and renewability of coverage. For example, this title regulates how group insurance plans can handle new enrollees with preexisting conditions.
  • Title II, which is the focus of this post. It includes the Privacy Rule and regulates how you may share Protected Health Information (PHI) with covered entities, such as insurers or health care clearinghouses.
  • Title III, which tackles medical savings accounts (MSA) and standardizes how much an individual can save for such accounts.
  • Title IV, which focuses on how group health plans can be applied and enforced.
  • Title V, which regulates tax deductions for employers related to life insurance premiums.

What is PHI?

PHI stands for Protected Health Information. It refers to 18 specific HIPAA identifiers that can be traced back to your client. PHI includes the following identifiers:

  • Name
  • Location
  • Dates directly related to the client, other than the year (birth date, date of death, discharge date)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record number
  • Health insurance plan beneficiary number
  • Account numbers
  • License or certificate numbers
  • Vehicle numbers (license plate number)
  • Device numbers
  • Web URL
  • Internet Protocol (IP) address
  • Biometric identifiers (fingerprint, voice, retinal scans)
  • Photograph (not limited to face)
  • Any other distinct identifying characteristic, number, or code

Am I Required to Keep a Record of PHI Disclosures?

Yes. You must keep on file any signed PHI disclosures.

Create a standard privacy policy for your office that reflects the HIPAA Privacy Rule and share this policy with your clients before meeting with them. Your clients should be aware of how you handle their Protected Health Information. If you anticipate sharing their Protected Health Information with a third party (such as a healthcare payer), you must ask for your client’s permission to do so. This permission must be granted in writing (through the client’s signature). Keep this signature for your records.

In addition to your intake forms, boldly display the notice of your privacy practices in your office too.

There are various ways you can comply with this HIPAA requirement. Many offices choose a highly visible area, such as the reception desk or a focal wall, to display the notice of privacy practices. You may also print out the notice of privacy practices in booklet form and have these forms easily accessible on a desk, coffee table, or side table in your reception area.

What Should My Notice of Privacy Practices Include?

Fortunately, you don’t have to create your own unless you’re so inclined. HHS provides editable PDF templates of the notice of privacy practices in three formats: booklet, layered notice, and full page.

You can insert your practice’s information (name, address, phone number, etc.) and print out the notice in full color. Or, if you prefer, you can opt for an all text, black and white version of the notice of privacy practices. This editable template is available as a .doc file, and is also provided on the HHS.gov site.

Here’s the direct link to each editable template:

If My Client Asks, Am I Required to Give Them a Copy of Their Health Information?

Yes. If your client asks for a paper or electronic copy of their medical record, you are required to comply. However, there are two notable exceptions.

You may use your professional judgment to deny health information access. If you believe that access to these health records would be harmful to the client or another person, you can refuse access.

You are also not obligated to provide your personal psychotherapy notes. These notes should be filed separately from the rest of the client’s record.

Am I Allowed to Discuss My Client’s Treatment With Others?

As a standard practice, you may only discuss your client’s diagnosis and treatment plans with others if you have the client’s permission. There are exceptions to this rule, which we’ll highlight below.

If I’m Worried About My Client, Can I Reach Out to Family Members?

If you believe, in your professional judgment, that your client is in imminent danger or poses a threat to self or others, you may act in good faith and contact law enforcement and/or family members. The Privacy Rule allows you to share only what’s necessary to protect your client from harm or from harming others.

Can I Contact the Police if I’m Worried About My Client?

Yes, same as above. You may act in good faith and contact law enforcement for or about your client.

Can Minors Make Their Own Decisions About Mental Health Treatment?

The answer to this question varies by state. Most states consider any individual under the age of 18 to be a minor and therefore unable to consent to treatment. However, some states allow minors as young as 12 to consent to treatment.

Check with your state laws to find out if minors in your state are able to make their own decisions regarding mental health.

Do I Need to Share My Minor Client’s Health Records With Their Parents?

The answer depends on your state laws, specifically whether or not minors in your state are able to give consent to treatment and if parents/guardians may act as a minor’s personal representative.

In most states, the parent or guardian will have either complete or limited access to the minor’s records. If you request it, the parent or guardian may also agree to respect the confidentiality between you and your client, their minor child.

Even if parents or guardians are not granted access to a minor’s records by law, you may choose to share your minor client’s protected health information with them if you believe it can prevent harm to your client or others.

Neither minor clients nor their parents or guardians have the right to access your psychotherapy notes. These notes should be kept separately from the client’s protected health information records.

Minor clients and, in certain states or circumstances, parents and guardians can receive information such as symptoms, diagnosis, and treatment plans.

Can Concerned Family and Friends Share Information With Me?

Yes, if your client’s family or friends are concerned, they are able to come to you and share information. This information should be kept in confidence. It is not necessary for you to disclose this information to your client.

How Does HIPAA Define Business Associates?

Under the Privacy Rule, a business associate is any business or individual that may have access to your clients’ protected health information. Business associates may include attorneys, accountants, and services such as TheraNest.
