HIPAA-Compliant TeleMental Health

HIPAA and TeleMental Health: Get Compliant!

Is your telemental health practice HIPAA compliant? It’s a question that can cause a knot in the stomach of even the most experienced telemental health professionals. For those just starting out in telehealth, it may even cause a bout of panic. Exactly how does HIPAA impact counselors who are using telehealth? Are the rules different than the rules for in-person therapy?

Even if you’ve taken a continuing education class covering HIPAA, it may not have covered telemental health and you may have questions. 

Let’s start with some basics: 

What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). It was signed into law by Pres. Bill Clinton on Aug. 21, 1996.

It wasn’t actually intended to make healthcare providers panic. Instead, it was primarily meant to “improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

HIPAA also includes the Privacy Rule and the Security Rule to set limits on who can access protected health information (PHI) and electronically protected health information (e-PHI). If you want to add to your angst, you can read all HIPAA regulatory standards in one document. There also are rules regarding technology in the HITECH Act of 2009.

It’s all of these rules and more that cause feelings of dread and anxiety for counselors and other healthcare professionals who fear accidentally disclosing PHI through a hack or lost laptop. 

I want to protect my clients’ privacy. How do I make sure I’m complying with the law? 

First, determine if the law applies to you. Generally, you are a “HIPAA-covered entity” if you transmit protected health information (PHI) in electronic form. For example, if you submit an electronic claim to an insurance company, then you are a HIPAA-covered entity. Here’s a tool to determine if you’re a covered entity. 

OK, I’m a covered entity. What should I do next?

Even if you are an accomplished do-it-yourselfer, HIPAA is not an area where you want to go it alone or wing it. 

We have a free one hour HIPAA compliance review video and HIPAA compliance checklist provided by Compliancy Group that’s worth reviewing. This will help you identify the main areas where you need to improve your security.

HIPAA compliance classes are available and they typically count toward your required continuing education credits. Look for classes specifically for telemental health providers. 

The people who brought you HIPAA also offer you free resources, tools, and education at HealthIT.gov. Be forewarned that these resources are generic and are not tailored to counselors practicing telemental health. That said, there is a lot of information about HIPAA and it’s free. 

If you are completely overwhelmed by HIPAA, you can hire a consultant. This could get pricey, but some companies may adjust their rates depending on the size of your practice. 

What are some specific HIPAA rules for telehealth providers?

Remember, as a telehealth provider, you not only have to comply with the general HIPAA rules, you have to adhere to additional rules involving telehealth technology. For example, telemental health providers must make sure clients are in a secure, private location so that their private health care information is not disclosed. If you are using video conferencing for your telehealth sessions, you have to be careful which platform you use. HIPAA requires you receive a HIPAA Business Associate Agreement from the technology vendor and that you obtain satisfactory assurances that the vendor will appropriately safeguard all PHI.

What happens if I have a PHI breach? 

The HIPAA Breach Notification Rule requires you to notify your clients when there is a breach involving their PHI. You also have to notify HHS and the media will be alerted to breaches involving large numbers of clients. You also could face a fine.

The bottom line

The bottom line is that HIPAA is complicated. Being a telehealth provider adds to the complexity because of the technology involved. To be HIPAA compliant means dedicating yourself to ensuring privacy for your clients. This likely means pursuing ongoing training and consultation with colleagues. 

 

By Amanda Barnett, LPC, NCC, EdS

 

Key Resources

Centers for Medicare: Covered Entity Guidance Tool

HealthIT.gov: Privacy and Security Resources for Providers

Health Insurance Portability and Accountability Act of 1996

HHS’s HIPAA for Professionals

HHS.gov Telehealth

Telehealth Discretion During Coronavirus

Keep up with HIPAA Privacy & Security Rules

 

Media

hipaa-compliant-telemental-health

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.