Clinical Social Work Association

The National Voice of Clinical Social Work 


The Fundamentals of HIPAA

Privacy, Security and Electronic Data Transfer in Clinical Settings: What We Need to Know

It has been twelve years since the Federal Government enacted the Health Insurance Portability and Accountability Act of 1996's privacy regulations. When the privacy regulations first went into effect, the Clinical Social Work Association conducted a series of regional trainings across the country to help practitioners understand what the regulations were and how they affected practice in each state. In the five years since these regulations were enacted, many practitioners have joined the field and have little or no awareness of how HIPAA may or may not affect their practice. This article covers the basics of the HIPAA Privacy rules; a later article will cover the more recently enacted Security rules.

Title I of HIPAA provides continuation and portability of health insurance coverage. This allows employees the ability to continue their health care benefits when they are no longer employed. This part of HIPAA was enacted soon after it was passed in the mid-1990s and continues today. Title II, the "Administrative Simplification" provisions of HIPAA, mandates a federal regulatory scheme governing the privacy, security, and electronic transfer of health care information. It is Title II that we are concerned with in this article.

In December 2000 the Department of Health and Human Services (HHS) issued the Privacy Standards establishing federally mandated policies regarding how health information can be used and disclosed, new individual rights, and new administrative requirements. The Privacy Standards were revised and amended by HHS in May and August 2002 and became effective April 14, 2003. A complete copy of the final regulation text is available at The Security Standards went into effect April 20, 2005.

Although this overview will focus on the Privacy Standards, it is important to have a basic understanding of the other two major components of HIPAA's Administrative Simplification provisions, the Transaction and Code Set Standards.

Transaction and Code Set Standards

The HIPAA Transaction Standards are rules that standardize the electronic exchange of health care information. They are based on electronic data interchange ("EDI") standards, which allow electronic exchange of information from computer to computer without human involvement.

The Code Set Standards standardize which types of codes health care practitioners use when communicating with insurance companies. What is important for mental health practitioners to know is that HIPAA set the Current Procedural Terminology (CPT) as the standard for procedure codes and the International Classification of Diseases (ICD) as the standard for diagnoses. The ICD was chosen over the Diagnostic and Statistical Manual (DSM), as it includes both medical and mental health diagnoses. The DSM IV TR has been changed to mirror the diagnostic codes in the ICD-9.

The Difference Between Privacy and Security Standards

There is confusion about the difference between privacy standards and security standards as described by HIPAA. Privacy standards are about who has the right to disclose and use protected health information and when they can do so. This standard applies to all protected health information (PHI) whether expressed orally, in writing on paper, or electronically transmitted. Furthermore, "reasonable steps" must be taken to protect the security of PHI according to the HIPAA privacy standards.

Security standards apply only to the protection of electronically stored or transmitted information: from corruption by viruses, from theft by 'hackers', and from transmission of PHI over unsecured channels. The security standards are not intended to address how paper information is stored. The Security Standards mandate safeguards for physical storage and maintenance, protection, and access to individual health information.

How HIPAA standards have changed mental health privacy and security practices

I have talked to several clinicians lately who are still not familiar with the HIPAA standards that went into effect in April, 2003. Clinicians who do not use insurance or send information electronically to billing services feel the standards do not apply to them. However, these standards are likely to become the de facto standard for all mental health clinicians, whether they are 'covered entities' or not. Below are listed the areas of HIPAA standards that differ from standard practice that all mental health clinicians may want to consider:

  1. Electronic Transmission of Patient Information – clinicians must be HIPAA-compliant BEFORE any patient information is sent electronically (by computer, computer fax, or telephone key pad). This means that clinicians must have: 1) created their own privacy Policies and Procedures; 2) created their Notice of Privacy Practices; 3) created their Business Associate Agreement and designated a Privacy Officer; 4) kept all records, paper and electronic, secured, i.e., locked file cabinets and password-protected and/or encrypted computers; 5) developed Authorization and Revocation of Authorization Forms to allow release of protected health information.
  2. Disclosure Statements (NPP - Notice of Privacy Practices) – while a handful of states already require a Disclosure Statement which details the clinician’s privacy practices, the NPP makes this a requirement that includes specific information about when a clinician will or will not release patient information.
  3. Contracts with Business Associates (BAA - Business Associate Agreement) – while some prudent clinicians may already have contracts with non-clinicians who have access to patient material (PHI), the majority of clinicians do not.  HIPAA standards will require all non-clinicians – “Business Associates” – who have access to PHI to have a contract with the clinician on how and when they can release the PHI.
  4. Psychotherapy Notes Protection – if a clinician wishes to have the protections the “Psychotherapy Notes” section of HIPAA standards offers, a separate record will have to be maintained from the record that contains TPO (treatment, payment and health care operations) information.
  5. Secure Faxes – to assure faxed material is going to a fax machine where privacy can be maintained, a clinician should ask the recipient if the receiving fax is a “secure” or “protected” fax machine.
  6. Privacy GAP Analysis – for clinicians who wish to be HIPAA compliant (and all prudent clinicians should work toward this goal), a Privacy GAP analysis of current privacy practices should be done to assure all areas of compliance are being addressed. 
  7. Security Risk Assessment – for clinicians who wish to be HIPAA compliant (and all prudent clinicians should work toward this goal), a Security GAP analysis of current security practices should be done to assure all areas of compliance are being addressed.
  8. Risk Management Plan – development of a Security plan to make sure all HIPAA Security Standards are in place.
  9. Back up Mechanisms – all ePHI must be ‘backed up’ on a disc or CD.
  10. Regular Changes to Passwords – computer passwords must be changed regularly to comply with HIPAA Security Standards.

 © 2009, Laura W. Groshong, L.I.C.S.W.  --  Material not to be used without permission of author.

Who is required to be covered by HIPAA?

The definition of who is covered by HIPAA is a bit circular. If you engage in "covered transactions" you must conform to HIPAA regulations. Individuals and organizations like health care practitioners, hospitals and insurance companies who engage in covered transactions are known as "covered entities."

HIPAA regulations directly affect only those who meet the definition of a covered entity. In general, clinicians or organizations who engage in electronic billing or who check eligibility for insurance coverage using a computer and web-based system will fall within the scope of the HIPAA standards. If you do not bill electronically or otherwise transmit health information in connection with one of the defined "covered transactions" under HIPAA, you are not covered by the regulations.

Covered Transactions

A covered transaction is any computer-to-computer transmission of healthcare claims, payment and remittance, benefit information, or health plan eligibility information. As a health care provider, if we submit any bills (even for a single client) electronically to insurers, or any other party directly or through a billing service, we are a covered entity. There are other electronic transactions besides billing and checking eligibility information online (eight in total) that initiate covered entity status. Most of these are not common to individual practitioners.

Protected Health Information (PHI)

In order to fully understand the Privacy Standards, we need to start with an understanding of protected health information, or PHI, as it is defined in the regulations. Generally stated, PHI is health information that is identifiable to a specific individual and that is maintained or transmitted by a covered entity in any form, whether oral, paper, or electronic. A chart, a bill for services, or even a hallway conversation between two clinicians about an individual's care all involve PHI.

Information is considered to be individually identifiable if it identifies the individual or if there is a reasonable basis to believe that the information can be used to identify the individual. Thus, PHI includes demographic information such as name, address, and age.

Treatment Payment and Health Care Operations (TPO)

The Privacy Standards generally prohibit the use and disclosure of PHI without an individual's prior written authorization. The most significant exception to this general rule is that a covered entity may use and disclose PHI, without prior authorization, for purposes of treatment, payment, and health care operations once a client has received notification of the practitioner's privacy practices (Notice of Privacy Practices).

Treatment involves being able to speak with supervisors, consultants or anyone else associated with a person's treatment team and allows those involved in the treatment to converse without authorization. Payment means that the covered entity does not need an authorization to bill a third party on behalf of the client. Health care operations means that you can use a client's medical information for quality assurance or to improve the effectiveness or efficiency of a facility or practice. The practical implication of this exception is that for most purposes, an individual and especially an organization will not need to obtain a client's written approval in order to deliver treatment, facilitate payment, and otherwise operate a facility. Any other reason for disclosure of information (excluding certain disclosures permitted or required by law, such as disclosures to child protection agencies) requires a separate authorization signed by the patient.

Notice of Privacy Practices (NPP)

To ensure that clients know their privacy rights, HIPAA requires practitioners to provide clients a Notice of Privacy Practices (NPP) at the time of the first session. The NPP should detail how the practitioner will treat the client's PHI and under what conditions that information will or will not be disclosed. A practitioner must maintain documentation that the client received the NPP. If, for some reason, a practitioner is unable to obtain a client's signature, (s)he must document attempts to do so and the reasons why a signature was not obtained. The only time a practitioner is not required to make a good faith effort to obtain receipt of the NPP is in emergency treatment situations.

Uses and Disclosures of Protected Health Information (PHI)

According to HIPAA standards, once a patient has acknowledged receipt of the Notice of Privacy Practices, there is no need to have the patient sign a separate form for the disclosure of information for TPO purposes. HIPAA standards require that an authorization only be signed for the disclosure of psychotherapy notes (see below). However, since HIPAA defines minimum standards for treatment of PHI, any practitioner or organization can set standards that provide greater protection or allow the client greater access to their own record. For example, an organization may require a release of information to use information for TPO if they so choose as long as no other law is violated.

A covered entity under HIPAA must allow clients to request that it restrict the use and disclosure of PHI. However, HIPAA regulations say that a practitioner is not necessarily required to agree to the restriction. Under HIPAA, clients cannot restrict disclosure for treatment, payment and health care operations (TPO). Furthermore, disclosures are permitted for involvement in the individual's care and for notification purposes. For example, while a client may ask you not to talk with the physician who is prescribing psychotropic medication for them, you are not required to adhere to this restriction. This is one of the requirements in HIPAA that generally goes against good psychotherapy practice. The ability to release information without client consent goes against codes of ethics in virtually all mental health fields. However, remember that HIPAA standards define the floor, and practitioners can set policies that are more "stringent" than the HIPAA standards.

Another area where the HIPAA "floor" for privacy standards differs significantly from best psychotherapy practices is that PHI may be disclosed to family members or for public health activities. Generally, it is best to only release information without a written authorization if the client represents a danger to him/herself or others.

Patient Rights

The HIPAA Privacy Standards grant new federal rights to patients with respect to health information about them. These include the right to receive a health care provider's Notice of Privacy Practices, and the opportunity to object or opt-out of certain types of communications including disclosures for marketing or fundraising purposes. The Privacy Standards also provide individuals the right to access PHI, and the right to request amendments to PHI. One of the things HIPAA attempts to do is make it easier for individuals to access their PHI. As such, clients have the right to inspect and copy their PHI, in whole or in part, for as long as the covered entity maintains the information.

Clients also have the right to amend their record for as long as the record is kept. A covered entity must accommodate reasonable requests by clients to receive information about their PHI by alternative means or at alternative locations. This means that a practitioner cannot require the client to come to their office to pick up the record. If they request that the record be mailed or faxed, the practitioner cannot refuse to do so as long as it is "reasonable."

A client has the right to receive an accounting of disclosures a covered entity or its business associates (see below) make of PHI in the six-year period preceding the date on which the accounting is requested. This begins on April 14, 2003, and is not retroactive before that date. Accounting of disclosures must be kept for all disclosures that are not authorized by the client and that do not involve disclosures for TPO.

Finally it is important to note that under HIPAA, a client has the right to request that a clinician agree to additional restrictions on uses and disclosures of information that go beyond what the Standards require. Although a clinician is not required to agree to such restrictions, if a clinician does agree, he/she must document and comply with that agreement.

Psychotherapy Notes

Psychotherapy Notes are a specific category in the HIPAA rule. Psychotherapy notes are what most clinicians call "process notes" or the actual verbal and non-verbal record of what takes place in the therapy session. The HIPAA description of psychotherapy notes is "raw data." Psychotherapy notes are specifically protected in the HIPAA rule and belong to the clinician. The general rule is that a clinician may not use or disclose psychotherapy notes for any purpose, including most treatment, payment and healthcare operations, unless the client's authorization is obtained. Specific exceptions where an authorization is not required include use by the originator of the notes for supervision and training purposes; and uses for defense in a legal action. While the clinician is not required to show the patient their Psychotherapy notes, there is nothing in the rule that prohibits such a practice.

In order to have the protection afforded Psychotherapy notes, notes must be kept "physically separate" from the rest of the client's record. The term "physically separate" is not defined in the HIPAA rules, so it is not clear if this means in a separate file, a separate file cabinet or simply in a separate part of the same file as the rest of the record. It is probably safer to at least keep the information in a separate file folder.

It is clear that a covered entity enjoys the protections that the psychotherapy notes rule provides. However, the question as to whether a non-covered entity could claim those protections is an interesting one. A legal opinion obtained for this article states that unless there is a state law that extends the psychotherapy notes rule to practitioners in that state, a non-covered entity cannot claim protection for their process notes under the psychotherapy notes rule.

"Minimum Necessary" Information

The concept of "minimum necessary" is an important one in HIPAA standards. Minimum necessary means that when a covered entity discloses information without authorization to do so, they must disclose only the "minimum necessary" information to accomplish the purpose of the disclosure. This means that the practitioner must be careful to understand the nature of the disclosure and to provide only that information necessary to fulfill the intent of the disclosure. This rule does not apply for disclosures with an authorization (although practitioners may want to adhere to this principle anyway). For example, a report to Child Protective Services (which can be done without authorization) requires a practitioner to disclose why they think a child is in danger, which can be done without disclosing an extensive history of the suspected abuser.

Business Associates

Individuals, and especially organizations, often have other entities who have access to their clients' PHI. Auditors, attorneys, funding organizations and even computer repair people could have access to the PHI a practitioner holds. Since these individuals and organizations are not themselves covered entities, HIPAA says that you must enter into a "business associate agreement" (BAA) with them. This agreement extends the protections provided by HIPAA to these other entities, effectively making them "covered entities."

The definition of business associate excludes employees, volunteers and other members of a workforce. The Privacy Standards also specifically exclude from the business associate standards the disclosure of PHI from a covered entity to a health care provider when the purpose of the disclosure is the treatment of an individual.

HIPAA requires you to take remedial action or terminate the BAA with any business associate that violates the agreement.

Preemption of State Law

HIPAA regulations apply in every state. There are situations throughout the country where HIPAA conflicts with certain aspects of state law. In those circumstances, state laws that are more stringent than HIPAA regulations take precedence. A more stringent law is one that allows a client greater access to their own record or that more strictly restricts access by a third party.

General Security Standards

The privacy standards provide some guidelines for overall security standards. It is important for practitioners to have appropriate safeguards to protect PHI and reasonably guard it from any intentional or unintentional disclosure or other use. Such practices as placing PHI in locking file cabinets, limiting conversations to private locations, establishing security policies, and being aware of how we answer the phone, handle and transport files, fax, and talk on cell phones are all things practitioners must do to limit the unintentional disclosure of PHI. Furthermore, practitioners should ensure that computers containing PHI require logins and passwords to gain access to them.

Administrative Requirements - Privacy Official, Complaints and Grievances

All covered entities must designate a privacy official who is responsible for the development and implementation of HIPAA policies and procedures as well as a contact person to receive complaints and provide further information about the covered entity's privacy practices. For solo practitioners, the practitioner themselves is the privacy official.


Any person who believes a practitioner or organization is not complying with HIPAA requirements may file a complaint with the Secretary of the Federal Department of Health and Human Services (HHS). HIPAA requires practitioners to have policies in place that detail sanctions for those who do not comply with privacy policies and procedures. Furthermore, HIPAA requires that one must establish a process for both clients and employees (if any) to make complaints regarding policies and procedures. One may not intimidate, threaten, coerce, discriminate or retaliate against any client or employee making a complaint.

All complaints must be filed in writing, either on paper or electronically; must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation; and must be filed within 180 days of when the client knew or should have known about the violation. However, the Secretary of HHS may, for good cause, waive the timeline.

While HHS receives the complaint, the Office of Civil Rights (OCR) is the agency (which is under HHS) that investigates the complaint. This task was likely to have been assigned to OCR because they already had an investigative function and staff.

Compliance and Enforcement

If a complaint is filed, a practitioner is required to cooperate with the investigation and in the review of their policies and procedures. The practitioner must permit access by HHS during regular business hours to:

  • Facilities
  • Books
  • Records
  • Accounts and other sources of information, and
  • PHI

This access is to determine whether the covered entity is in compliance with HIPAA regulations. If HHS determines that the practitioner is hiding or destroying information, the practitioner must permit access at any time without notice. HHS is much more interested in compliance than punishment and will attempt to correct a practitioner's policies and procedures before looking to punish. However, if a practitioner is willfully and maliciously violating HIPAA regulations, or refusing to cooperate with an investigation, punishment can be fines up to $250,000 and/or five years in jail.


The Privacy Standards:

  • Limit the non-consensual use and release of private health information;
  • Give federally mandated patient rights including the right to access medical records and to know who else has accessed them;
  • Restrict disclosures of health information to the minimum needed for the intended purpose;
  • Impose criminal and civil sanctions for improper use or disclosure;
  • Provide notice of how PHI is protected;
  • Require the development of Business Associate Agreements;
  • Devise reasonable ways of protecting information in written, oral or electronic form; and
  • Provide a higher level of protection for psychotherapy notes.


{Article written by R. Keith Myers, LICSW, for Access, Summer 2008} ©CSWA2008
