OVERVIEW
All mental health practitioners are now required to be in
compliance with the federal Health Information Privacy and Portability Act (HIPAA). Willful noncompliance is punishable by fines
up to $250,000 and ten years imprisonment!
A widespread false rumor has it that if you are a solo practitioner
accepting only cash for services and not storing or transmitting client
information electronically that you do not have to comply with HIPAA. This is simply not true for reasons I will
explain—you must comply now or risk federal punishment as well as licensing
board discipline and/or malpractice charges for practicing below the standard
of care!
WHAT TO DO NOW:
1. Take some time to go over this document thoughtfully so you know what HIPAA is about and so that you are clear what
your basic obligations are. At this
point in time we are in a transition and compliance period and no one
understands all of the fine points or their implications for the future. Content yourself to have an overview and to
put basic procedures in place as soon as possible.
2. Begin two new file folders for yourself—one on HIPAA Compliance Information that
will include this document and any articles or other information you come
across to be saved for future reference.
The second folder will contain HIPAA
Compliance Documentation, various signed and dated
statements of policies and procedures you have adopted that document clearly
how you are in compliance with the new federal laws.
3. Develop the essential forms you will use for compliance. The forms you need to get started are on the
websites of all of our professional organizations. Start downloading forms and adapting them to
your practice. (For websites see
footnote below.)
4. Prepare your basic privacy policy statement and go over it personally
with each client, having them sign at the bottom indicating that they have (a) gone
over it with you; (b) asked whatever questions they have; (c) been
informed about who your Privacy Officer is for questions and requests (probably
yourself); and (d) been informed about their patient rights.
5. Good News! At long last federal
legislation recognizes the absolute privacy of our Psychotherapy
Notes—they are “for the exclusive use of the treating professional who
created them.” No one, including the
client, has a right to access them!
They are your notes, your personal property, created for your
exclusive use and protection and are not subject to release by subpoena or
any other form of coercion—with a few very rare and very extreme exceptions to
be explained later.[2]
You must create two separate file folders for each and every client
beginning the date of your compliance which should have been 2003—this is federal
law! All past storage folders should be
labeled “Non-HIPAA Compliant.”[3]
The first client file folder contains Protected Health Information
(PHI)—this is the basic client record as we have always
known it that can be released with the client’s permission and inspected by the
client. In the PHI folder you will have
the client face sheet, basic intake information, diagnosis and treatment plan,
informed consents, billing and insurance information, periodic case review
summaries, medication information, a basic release of treatment information
signed and dated, and, when the case closes, a dated termination summary on top
(that includes the client’s birth date) so it is easy to see when the
case was closed so that the file can be purged (sample provided later). [Case law holds that psychotherapy records
must be maintained ten years from the date of termination or from when the
client becomes an adult.]
The second client file folder must be clearly labeled “Psychotherapy
Notes” and must be kept in a separate locked file
cabinet accessible only by you—it’s the law! This folder will contain what we have always
called “process notes” of all client contacts along with other personal materials
provided by the client or generated by the therapist describing interactions
with the client as well as notes on case consultations.
I recommend putting all documents generated by third parties (e.g., test reports,
letters from other health care providers, and prior treatment records) in the
Psychotherapy Notes folder since by law you do not have the right to release
these documents to anyone. Putting them
here keeps them safe from accidental release.
If they are later required, you can consult an attorney on their
appropriate release.
The last three pages of this document contain 6-per-page labels which you can copy
or print onto Avery labels. Every
patient file folder should have a label on the front. One label is for storage files making clear that
they are not HIPAA compliant and giving instructions how to handle the
materials in the folder. Another label
is for the Client Record and another for Psychotherapy Notes—each with proper
instructions. These labels are devised
to keep you, and anyone else who ever has occasion to handle your files, straight
on how to manage each folder.
If you work in a clinic or agency the administration
may require—for its accreditation purposes—a note on every client contact other
than simply the financial information.
Your Psychotherapy Notes do not
belong in the Client Clinic Record because they are your property for your
exclusive use only! I recommend minimal
compliance with the agency’s administrative needs. For example, simply a log entry with
nondescript statements that contain little or no personal information or use of
some general form (two samples attached) that provide only mental status
information and/or assessments of legal concerns such as suicide, homicide,
and/or abuse but no other information regarding the personal content of the
session.
6. Put an “Account of Disclosures” form
in each and every folder (sample attached) on which you must record each and
every piece of information you ever release from the folder.
A new patient right under HIPAA is that the patient has the right to request a
copy of this disclosure sheet of released information at any time. Patients have the right to know what
PHI you have provided, to whom and when you provided it, and the
purpose for which it was provided.
This is because under HIPAA once they have signed a general release for
your files their PHI information can automatically be released whenever
appropriate to people involved in TPO—Treatment, Payment,
or health care Operations
until and unless the client revokes it.
Note: even though no one has the right to access
your Psychotherapy Note file folders, automatically put an Account of
Disclosures sheet in those folders anyway in case, with the special client Release
for Psychotherapy Notes form (attached), you should ever choose to release
any of it. A general release form is
insufficient; this is an entirely new form that specifies a number of new
details such as why the information is being released and when it will be
returned to you or shredded! As always, release of information that includes more than one person
requires each person’s signature.
HIPAA requires that when seeking consultation from another provider for treatment
purposes we may disclose PHI without additional
authorization, but that a special authorization is required for disclosure of
psychotherapy notes to a consultant.
However, HIPAA does not supersede ethical and legal standards that allow
us (in fact, mandate us) to use any information for consultation we need without
client permission so long as it is carefully disguised.
7. HIPAA requires that you must train each and
every employee and every other person who handles any of your patient business. You must go over your Privacy Policy
Statement with every such person, explaining that deliberate
or even accidental failure to comply may result in federal penalties and loss
of their job—that you and they could face a major lawsuit if any slips are
made. Impress upon them the importance
of taking HIPAA seriously. You might
give a copy of this document to your employees and others.
As a part of your training of staff and outside others who handle patient names
and data, prepare a brief form for them to sign certifying
(a) that on a certain date you conducted a personal training session with them
going over your policies, (b) that you gave them a copy of this (or some other)
document explaining what HIPAA is and how people must comply, and (c) that you
or someone you have appointed is the Privacy Officer who is available for
further information and questions, and that (d) in your training session any
questions they had were answered and discussed.
Do this when hiring new employees or contracting with outside
entities.
8. The Electronic Transaction and Security Rules
Congress has been concerned that uniform standards for transmission of electronic
health care information and that stringent security standards for the
maintenance and storage of electronic information be established nationwide and
that all health care providers be in compliance.
The Transaction Rule addresses the
technical aspects of electronic health care requiring the use of standardized
formats whenever information is sent or received. For example, each insurance company you
transact business with will provide you with appropriate software to maintain
these standards.
The Security Rule seeks to assure the
security of client information. For
example, each health care provider must address certain administrative,
physical and technical procedures such as access to files and computers and the
means by which electronic data is securely maintained and stored. You must systematically consider a
series of possibilities and how you intend to address them in your
practice. Further, you must make a
written record of the security considerations that affect your practice. How to go about assessing your security
issues, documenting your HIPAA compliance, and periodically reviewing and
updating your policies will be discussed later.
HIPAA COMPLIANCE IS NOT ONLY
MANDATED BY FEDERAL LAW, BUT, MORE IMPORTANTLY, AS A NATION WE NEED TO BE
ASSURED OF THE PRIVACY AND SECURITY OF OUR PERSONAL HEALTH CARE
INFORMATION. AS PRACTITIONERS, WE MUST
DO OUR PART IN ESTABLISHING PRIVACY AND SECURITY FOR OUR CLIENTS AND FOR
OURSELVES IN THIS ADVANCING TECHNOLOGICAL ERA.
YES, GETTING IN COMPLIANCE IS INITIALLY TEDIOUS, BUT IN THE LONG RUN IT
BECOMES A MUCH-NEEDED MATTER OF ROUTINE THAT IS IMPORTANT FOR US TO COMPLY
WITH!
The Big Picture: What HIPAA Is All About and Why We Need HIPAA[4]
1. The Health Insurance
Portability and Accountability Act (HIPAA) was
the result of a bill sponsored by Senators Nancy Kassebaum and Ted Kennedy,
which was signed into law in August 1996 demanding compliance by 2003.
2. The “portability” part of the act
was designed to protect Americans who were previously ill from losing their
health insurance when they changed jobs or residences.
3. The “privacy” intent of the
law was to streamline the national health care system through the adoption of
consistent standards for transmitting uniform electronic health care claims. In
order to make this work, it also became necessary to adopt standards for
securing the storage of that information and for protecting an individual's
privacy. When the rules are in place, it is believed that the health care
industry will have a standardized way of transmitting electronic claims with
increased privacy and security protection for the electronic dissemination of
health care information.
4. Do not think you can evade HIPAA
compliance because you only transmit information by fax or
phone or only receive cash payments.
Faxes sent to many private parties, insurance companies and most other
large agencies are received by computers (quite unbeknownst to you) and your
client’s private information becomes electronically stored—automatically making
you a “covered entity” even without your consent or knowledge. The same is true for voice mails you leave on
electronic systems which either have computerized voice recognition systems or
some form of data entry that immediately involves you. Even
receiving a third party check that has been computer generated immediately
makes you a covered entity. Even if you
only accept cash payments and do not fill out insurance forms, when your client
submits your bill for reimbursement, information generated by you will then be
transmitted and/or stored electronically.
One piece of information created by you, if electronically
transmitted or stored anywhere by anyone mandates HIPAA compliance for you—whether
you were responsible for that trigger or not!
5. Start collecting now
all articles and forms regarding HIPAA from your insurance company and
professional organization. New rules are
appearing daily and will continue to do so.
You must keep up to date! Put them
in a new “HIPAA Information” folder.
Formal compliance with the
HIPAA requirements is a necessity because there are real and
significant penalties for non-compliance.
If a health care provider refuses to become informed or deliberately
fails to take appropriate action, the consequences of failing to comply with
HIPAA include:
· Administrative action taken by
the HHS Office.
· Civil Penalties of not more
than $100 for each violation with the total amount during a calendar year not
to exceed $25,000.
· Fines of up to $250,000,
imprisonment for up to 10 years, or both for knowingly violating "wrongful
disclosure of individually identifiable health information."
1. The privacy rule
focuses on the application of effective policies, procedures and business
service agreements to control the access and use of patient information.
3. The security rule
addresses the provider/organization's physical infrastructure such as access to
offices, files and computers to assure secure and private communication and
maintenance of confidential patient information.
3. The transaction rule sets
up standard formatting for electronic transactions and at present requires the
use of ICD-9 and CPT-4 codes so DSM IV may become obsolete.[5] For those who transmit claims electronically,
practice management software or an outside party such as a health care
clearinghouse will be needed to handle the conversion of data to meet the
requirements.
1. THE PRIVACY RULE
What to Do In Order To Achieve
Compliance with HIPAA Now:
· To get started create two new
file folders, one on “HIPAA Compliance Information” and one on “HIPAA
Compliance Documentation.” In the
first, collect on an ongoing basis articles, web downloads, handouts, etc. that
will aid you in the event of questions—how to think, whom to contact, sources
of information. In the second—which you
might keep in your confidential patient file so no one has access to it but you—keep
copies of forms you use, signed employee training forms, any complaints,
restrictions, revisions—in short, all documentations that you are doing things
correctly if anyone should ever demand documentation of full compliance. Any person who suspects you may not be in
compliance (i.e., a disgruntled patient) can, in principle, have you
investigated by a HIPAA compliance officer.
Safeguard your HIPAA Compliance Documentation file so that only you have access to it!
· Begin a check list of
items to be considered periodically and keep it in your “HIPAA Compliance”
file. I suggest that all files be
labeled (attached samples) as either Patient Record or Psychotherapy Notes and
that all inactive files be put in storage clearly labeled as Non-HIPAA Compliant.
· Note: Patients do not have the right to review
their Psychotherapy Notes but they have the right to
authorize release of them and there are certain legal conditions in which your
confidential Psychotherapy Notes can be opened so be sure your patient will not
be surprised or enraged if she or he ever reads them. While
confidential Psychotherapy Notes now have an extra measure of federal
protection, always assume that they are not totally immune from disclosure.
· Note: There are special rules under which a therapist may provide a timely written denial of access to patient PHI
(HIPAA 30 days, California 5 working days) provided that the denial is open to
review by a third party mental health professional. Summaries of either PHI or Psychotherapy Notes
may be provided to patients upon the professional discretion of the
therapist. Be prepared to seek
consultation on such issues—usually they entail the potential risk of harm to
the patient.
· Note: Third parties do not have the
right to review your notes nor to coerce patients to sign authorizations for
the release of your notes. Psychotherapy
Notes may not be released to other treating professionals without an
authorization. Psychotherapy Notes
can be disclosed without the patient’s authorization when mandated by a court of
law; for training, research and supervision (de-identified); when needed for
oversight of the therapist who created them; when needed to avert imminent
serious threat to health or safety of person or public (only to persons who can
be expected to prevent or reduce that threat, including the person threatened);
and to medical examiners or coroners for identification.
· Note: Documents received from another therapist
should be kept in your confidential psychotherapy file and may not be
re-disclosed except by authorization of the person who created them AND the
client.
· New patient rights
are: (1) to receive notice of privacy
policies, (2) to request to restrict the use and disclosure of PHI, (3) to
access their own PHI, (4) to request amendments to PHI, (5) to obtain an Accounting
of Disclosures of their PHI.
· Note: Patients do not have the right to view
information compiled for a civil, criminal or administrative proceeding.
· Minors: HIPAA generally
recognizes parents or legal guardians as personal representatives of their
children for purposes of accessing PHI.
· You must post in a conspicuous
place in your office your privacy policies and procedures along with a statement of who the
Privacy Officer is who can answer questions and receive complaints and how this
person can be reached.
· You must train employees and
all other persons who handle client data so
that they understand the privacy procedures.
Have each employee sign and date a copy of the privacy procedures,
stating in their handwriting that she/he has received a copy and that you have
had a meeting with them to go over in detail the policies and procedures and to
discuss any questions they have.
· Document the training sessions
and file copies of signed
statements of current and all new employees in your secured “HIPAA Compliance
File.” Your training must include a
documented statement of sanctions, complaint processes and duty to mitigate
concerns and infractions of privacy policies.
Consider putting in writing how all employees must ensure that emails,
faxes, billing sheets, correspondence, and voice mails remain secured. Retrain
annually and document carefully.
Remember, full HIPAA compliance will become a national standard of care
and you may be required at any time by a federal officer or a court to document
your full compliance.
· Designate a Privacy Officer to be
responsible for seeing that privacy procedures are adopted and followed [in a
small private practice the therapist may appoint him/herself the Privacy Officer].
· Physically separate from the Patient
Record portions of the file and begin a new “Psychotherapy Notes” file on all
clients actively under your care. These
confidential psychotherapy files are by federal law being created exclusively
for the use of the treating professional.
They will include all notes on sessions and records of other contacts
such as emails, faxes, telephone messages, cards, etc.
· Note: The above considerations also apply to all
confidential psychotherapy materials that are computer stored. Only you can have access to the encryption
and file passwords for Psychotherapy Notes.
· If you deal with insurance companies or managed care companies they are required
to supply you with HIPAA compliant software and contracts. The same is true for contracts and
transaction software for use of outside contracted agencies such as billing
services, answering services and collection agencies. You must have in your “HIPAA Compliance”
file documentation that all companies and agencies that you deal with have
provided you with a HIPAA compliant contract.
To What Kind of Information does the Privacy Rule Apply?
In order to understand how the
privacy rule treats health information, it is important to briefly review four
definitions that are included in the rule:
1. Health Information: Any
information, whether oral or recorded in any form, created or used by health
care professionals or health care entities.
2. Individually Identifiable Health Information:
A subset of Health Information that either identifies the individual or
that can be used to identify the individual.
3. Protected Health Information (PHI):
Individually identifiable health information becomes Protected Health
Information (PHI) when it is transmitted or maintained in any form or medium. More specifically, PHI is information that
relates to the past, present or future physical or mental health condition of
an individual; the provision of health care to an individual; or the payment
for the provision of health care to an individual; and that identifies the
individual or could reasonably be used to identify the individual.
4. Psychotherapy Notes: HIPAA
standards are designed to echo the Jaffee vs.
The definition in the privacy rule specifically excludes
information pertaining to medication prescriptions and monitoring,
counseling session start and stop times, the modalities and frequencies of
treatment furnished, results of clinical tests and any summary of the following
items: diagnosis, functional status, the treatment plan, symptoms, prognosis
and progress to date. In the regulatory
definition, one of the requirements for notes to qualify as "Psychotherapy
Notes" is that they must be "separated from the rest of an
individual's medical record." Due
to the additional protection associated with Psychotherapy Notes, a conservative analysis is that psychotherapists
have to segregate this information into different labeled file folders and ensure
that increased procedural requirements for Psychotherapy Notes are met. The
labels I use are attached.
Once triggered (and you can’t
realistically avoid triggering), the privacy rule applies to a
psychotherapist's entire operation, not just to information in
electronic form. The privacy rule does
not allow for a psychotherapist to segregate that part of his or her practice
to which HIPAA standards apply.
Plaintiff attorneys clearly
intend to make full compliance into a national standard of care which will be
applied to you in the event of ethical or administrative complaint or
malpractice litigation. Don’t be a fool
and try to avoid HIPAA compliance.
Psychotherapists must obtain a patient's consent prior to
using PHI to carry out “treatment,” “payment,” and
“health care operations” (TPO). A generalized consent
form will be necessary when dealing with third parties and, as a practical
matter, should be secured at the outset of treatment rather than waiting until
the information is shared. This form differs from and is not a substitute
for the "informed consent" that is also typically obtained prior to
the initiation of treatment.
Providers can secure both
forms of consent at the same time; however, the generalized consent form
must be visually and organizationally separate from other legal permissions and
must be separately signed and dated. The consent form must indicate that
the individual has the right to revoke consent in writing. Any actions the
psychotherapist may have taken before receiving notice that the consent has
been revoked would not be covered by the revocation.
Special Authorization for
Release of Psychotherapy Notes
The Privacy Rule contains a
definition of Psychotherapy Notes similar to what we in the profession have
historically referred to as "process notes." Authorizations are forms that
psychotherapists typically refer to as releases, which meet certain
requirements specified by the privacy rule. Briefly stated, an authorization
for release of psychotherapy notes must contain the following:
· A specific definition of the
information to be used or disclosed
· To whom the information is
going to be disclosed
· The purpose of the disclosure
· An expiration date
· The right to revoke
· The right not to authorize the
disclosure
[Sample form attached]
The privacy rule states
that a general consent alone is insufficient when a third party requests
Psychotherapy Notes; it requires psychotherapists (and other
“covered entities”) to obtain specific patient authorization for the use
and disclosure of such notes.
Psychotherapists will have to ensure that any entity requesting
Psychotherapy Notes has provided a valid authorization before releasing those
notes. Or, alternatively, psychotherapists will have to secure authorization
from the patient before providing information contained within the
Psychotherapy Notes in response to requests. Additionally, when seeking
consultation from another provider for treatment purposes, patient
authorization must be obtained in order to disclose information in
Psychotherapy Notes. Simply because a
client requests release of Psychotherapy Notes does not mean the practitioner
must comply since the notes are “for the exclusive use of the therapist who
created them.”
Minimum Necessary Disclosure
When PHI is disclosed or used, the privacy rule requires
psychotherapists to share the minimum amount of information necessary to
conduct the activity.
The privacy rule also applies
to PHI available internally to employees so they can do their jobs (e.g., a
billing clerk may have access to the minimum amount of information needed to
perform the billing role that would not include clinical information).
In a treatment context, the
minimum necessary provision does not apply. Therefore, psychotherapists are
free, as permitted by state law, to share information they wish with another
provider for the purpose of providing treatment, as permitted by
authorization. Minimum necessary
disclosure does not apply to requests for information that require
authorization above and beyond the general consent, such as with Psychotherapy
Notes. This is because the information
to be disclosed is specifically described by the authorization itself.
There are a number of
circumstances in which the privacy rule permits psychotherapists to make
certain disclosures without consent or authorization. These may include
providing information to or related to:
· A public health authority
· A health oversight agency
· A coroner or medical examiner
· The military, Veterans Affairs
or another entity for national security purposes [E.g., per The Patriot Act?]
· A hospital or other type of
facility for its facility directory
· Workers' Compensation Laws
· Victims of abuse, neglect and
domestic violence
· Other situations as required
by law—consult your attorney!
Patients: Their Rights and Records
Under HIPAA, patients in many
states will now have greater access to their records and greater knowledge of
how their records will be used than ever before. They will also benefit from
the enhanced protection of Psychotherapy Notes.
Patients have the right to:
1. Consent to use and disclosure
of their PHI
2. Receive notice of use and
disclosure of their PHI
3. Access their PHI for
inspection and amendment
4. Request amendments to their
PHI
5. An accounting of how their PHI
was used and shared
Under the HIPAA privacy rule,
patients have the right of notice. This means the obligation is on the
psychotherapist to inform patients about potential uses and disclosures
of their PHI and their right to limit those uses and disclosures. Provision of health care services may
be conditioned on the patient's willingness to provide consent to disclose.
As part of the consent
process, psychotherapists must inform patients
that they have the right to request restrictions on the use and disclosure
of PHI for treatment, payment and health care operations (TPO) purposes.
The consent also must state that the
psychotherapist is not required to agree to an individual's request. However, the psychotherapist must agree
to "reasonable requests" for restrictions such as a request that
information not be sent to specific individuals or a request that information
be sent to a particular location. If the
psychotherapist does agree to a particular restriction, that agreement is
binding. As is currently the case,
psychotherapists are not required to accept disclosure restrictions that could
compromise their professional judgment or conclusions.
With limited exception, a
patient is allowed to inspect and obtain a copy of the PHI record. The privacy
rule defines a "designated record set" as the medical and billing
records maintained by the provider and used to make decisions about the patient. Psychotherapists can require that the request
be made in writing. The request must be
fulfilled within 30 days (5 days in
Patients do not have the right to:
· Inspect or obtain a copy of
Psychotherapy Notes
· Inspect information compiled
in "reasonable anticipation" of, or for use in, a civil, criminal or
administrative action
· Access information systems
that are used for quality control or peer-review analysis
Psychotherapists will be
required to have policies and procedures for assuring individuals' access to
their PHI. This will include putting a process in place to document the records
that are accessed and by whom.
It is important to note that in states that have laws guaranteeing
patient access to all the psychotherapist's records, including Psychotherapy
Notes, these laws will apply since they enhance a patient's right of access
to information.
"Right of amendment"
refers to patients' right to request a change in their PHI if they feel the PHI
is incorrect. A psychotherapist can deny requests for Record amendments if he
or she is not the originator of the information or if the information recorded is
accurate and complete.
"Right of Accounting"
refers to the individual's right to receive a listing of all disclosures of any
PHI for the previous six years in which the information has been maintained.
Tracking must begin on the
scheduled compliance date. It
will not be required for occurrences before that date. The accounting for each
disclosure must include the date, name and address of the entity receiving the
PHI, a brief description of what was disclosed and a brief statement of the
purpose of the disclosure or, in place of such a statement, a copy of the
patient's written authorization.
An accounting must be made
within 60 days of the request. Individuals have the right to receive one free
accounting per twelve-month period. For
each additional accounting, a psychotherapist may charge a reasonable cost-based
fee.
“Business Associate”—a new
category of person or agency (not defined by HIPAA as a covered health service
entity) created by HIPAA and defined as a person or organization other than a
member of the therapist’s work force who receives PHI from the therapist to
provide services to, or on behalf of, the therapist. Business associates include bookkeepers,
lawyers, collection agencies, clearinghouses, shredding services, computer
repair services, transcription agencies, accountants, off-site storage, paging
services, and voice mail services. PHI may
only be disclosed to business associates after the therapist has obtained a
written contract that the business associate will appropriately safeguard the
information in compliance with HIPAA.
Operationally, this should minimally include a compliance contract
with your Notice of Privacy Policy attached.
You might include a clause that you have personally reviewed your
policies and that your contractor has had an opportunity to ask questions and
discuss your policies with you. Also
include a clause that any subcontractors be held to the same policies and that
sanctions are provided for breaches.
Review periodically, and in case of breach document the steps you have
taken to repair the breach including canceling the contract if necessary. Professional websites have sample Business
Associate contracts. HIPAA allows
disclosure of PHI to your malpractice carrier for purposes of obtaining or
maintaining coverage, or for purposes of obtaining benefits or reporting claims
or threats of claims.
Overview: The security rule is about the protection of
confidential Protected Health Information (PHI) that is maintained,
transmitted, and/or stored electronically (EPHI). The security rule seeks to assure the confidentiality,
integrity, and availability of EPHI.
Since the security rule applies to entities as small as the solo
practitioner and also to large mega-corporations, each health provider is
required to address a series of security risks and then to document that
assessment and how those risks are being addressed and periodically
updated.
This means that you must
conduct and document a full risk analysis of potential security breaches in
your office, computers, and storage locations such as break-ins, computer
viruses, fires, floods, and internet hackers.
You must also document how you are addressing each security concern
and how you will periodically re-assess your security issues.[6] Keep your assessment and your security
plan in your new “HIPAA Compliance” file folder. What follows is a brief
overview of what you must do.
The three HIPAA Security Rule
standards: In conducting
and documenting your risk assessment there are three categories of Security
Rule standards that must be addressed as well as a series of “required” and “addressable”
Implementation Specifications (not optional) that accompany each set of three standards.[7]
1. Administrative Standards address the
implementation of office policies and procedures, staff training, and other
measures designed to carry out security requirements. The Administrative Standards are:
· Assigned Security Responsibility: You must appoint a HIPAA
Security Officer (yourself?) who is responsible for developing and implementing
security protocols and who can answer client questions.
· Security Management Process: The HIPAA Security Officer must
create and implement practices designed to prevent, detect, contain, and
correct HIPAA violations.
· Workforce Security: The Security Officer must create a system
that ensures and limits appropriate employee access to EPHI.
· Information Access Management: You must create a system of
passwords to guarantee that only authorized people have access to each type of
client information.
· Security Awareness and Training: You must implement and
document training of all people who have access to any EPHI.
· Security Incident Procedures: You must implement
procedures to detect, correct, and discipline any breaches in EPHI security.
· Contingency Plan: You must establish emergency procedures for responding
to threats to security such as vandalism, fire, system failures, and natural
disasters.
· Evaluation: You must document the ways you regularly
review and update your security standards.
· Business Associate Contracts: You must ensure that all
business associates (answering services, billing services, shredders, etc.) are
trained properly and in compliance with HIPAA security rules.
2. Physical Standards
relate to limiting access to the physical area in which electronic information
is housed.
· Facility Access Controls: You must control physical access to all
locations where EPHI is stored to assure only appropriate people have access to
or can remove EPHI.
· Workstation Use: You must assure that each workstation that
can access EPHI can only be used by authorized personnel.
· Workstation Security: All devices must be secure so they cannot be
moved or observed by non-authorized personnel.
· Device and Media Control: You must ensure that any devices or media
(discs, etc.) are secure when changing locations or discarding.
3. Technical Standards concern
authentication, transmission and other issues that may arise when authorized
personnel access EPHI via computer or any other electronic devices.
· Access Controls: You must ensure only appropriate access to
EPHI by authorized users.
· Audit Controls: You must create procedures that monitor for
EPHI security breaches.
· Integrity: You must create safeguards to protect from
improper alteration or destruction of EPHI.
· Person or Entity Authentication: You must implement procedures
that ensure that the person attempting to access EPHI is in fact that person.
· Transmission Security: You must implement procedures that guard
against unauthorized access to EPHI that is being transmitted over an
electronic transmissions network.
The transaction rule requires
standard formatting of electronic transactions and Electronic Data Interchange
standards including the internet, leased lines, dial-up lines, or the physical
movement of magnetic tapes, diskettes or compact discs to new locations. ICD-9-CM will be the code set for
diagnoses and CPT-4 and HCPCS codes for outpatient procedures. We have yet to hear a legal rejoinder
from the American Psychiatric Association on switching from DSM IV to ICD-9-CM,
so prudence says try to use both codes for the present. See earlier footnote on the DSM.
If
you plan to use a clearing house for transactions you must have a Business
Associates contract with them agreeing to HIPAA compliance.
MISCELLANEOUS ISSUES
Federal Substance Abuse
Confidentiality Requirement
The federal confidentiality of substance abuse patient
records statute establishes confidentiality requirements for patient records
that are maintained in connection with the performance of any federally assisted
specialized alcohol or drug abuse program. According to an analysis conducted
by HHS of the interaction of this law (and regulations) with HIPAA, in most
cases a conflict will not exist and health care professionals covered by both
will be able to comply with both sets of requirements.
Joint Consents may be obtained by a group of
providers who also provide a joint Notice
of Privacy Practices. All covered
individuals must be identified on both forms.
Note that if a client revokes a joint consent then the therapist is
under an obligation to inform in writing all individuals named on the joint
consent of the revocation.
Combined Consents: HIPAA allows you to combine a consent for disclosure of PHI with other informed consents so long as it is spatially and visually separate and separately signed and dated. However, authorizations for disclosure of Psychotherapy Notes must be a separate form.
HIPAA National Provider Identification Rule
By
BASIC
FORMS YOU
1. Notice of Privacy Practices
that explains to clients, employees, and contractors your HIPAA compliance
policies. Copies must be readily
available at the office or sent upon request.
YOUR NOTICE OF PRIVACY PRACTICES MUST BE POSTED IN A CONSPICUOUS PLACE
IN YOUR OFFICE WHERE PATIENTS CAN READ IT.
Should there be a phone intake or an emergency situation the NPP and
Informed Consent must be sent and/or provided for signature as soon as
possible. IF YOU HAVE A WEBSITE POST
BOTH ON IT FOR INFORMATION AS WELL AS DOWNLOADING.
2. Your Informed Consent for
Treatment that you have always used explaining therapy,
limits of confidentiality, cancellation policies, financial responsibility for
legal fees, etc. The consent for use of disguised client information for the
purposes of research, consultation, and training may be included here. Should you be using any of this information
for marketing products be certain to include that release as well. The
suggestion now is that you either fax or email the short Informed Consent for
Assessment Consultation or have it available in your waiting room prior to the
first personal contact (sample form on CD-Rom).
You could then easily accompany it with your Notice of Privacy Practices
and ask for both to be filled out and signed ahead of time—simply explain that
the federal government now requires it.
3. General Consent for Release of
Information to use or disclose information for TPO purposes
(Treatment, Payment, and health care Operations).
4. Authorization to Disclose Psychotherapy Notes including:
what you have provided, to whom and when you provided it,
and the purpose for which it was provided. This form may not be combined with any
other form. (Sample form attached.)
5. Request for Amendment of Personal Health Information
6. A HIPAA Compliance Checklist
signed, dated, and periodically updated to document your compliance.
7. Business Associate contracts.
TAKE HIPAA SERIOUSLY AS YOUR WAY OF CONTRIBUTING
TO PRIVACY IN A SOCIETY WHERE PERSONAL PRIVACY IS GRAVELY THREATENED. PUT SOME WORK INTO IT IN GOOD FAITH WITH THE
AWARENESS THAT WE MUST ALL DO OUR PART TO ENSURE OUR INDIVIDUAL PRIVACY!
Disclaimer:
Impact of HIPAA on the forms available with this book
Changes in the federal law
known as the Health Insurance Portability
and Accountability Act (HIPAA –
45 CFR 160 et seq.) have begun to
impact the ways in which health care information is obtained, stored, used and
disclosed. Due to HIPAA’s “preemption
clause,” which bars HIPAA from
preempting state laws that offer as much or more protection for patient privacy
than HIPAA itself, various state
offices have been set up to clarify practitioner obligations. The forms in this book may not be sufficient
for where you practice so check with your local professional organizations and
offices of state government.
How HIPAA applies to the forms with this
Updated Edition: The reader is
advised to make sure to provide copies of the Notice of Privacy Policies
(available for the professions at the society websites above) in conjunction
with use of the following documents provided with this updated Edition:
1. Informed Consent for Psychotherapy Assessment Consultation
2. Informed Consent for Dynamic Psychotherapy or Psychotherapeutic
Consultation (Individual, Couple, Group, and Family)
3. Informed Consent for Infant Relationship-Based Therapy
4. Informed Consent for Work with Children and Adolescents
In addition, the
reader is advised to provide the following information along with the Notice of
Privacy Policies:
“Federal
law requires me to provide you with the Notice of Privacy Policies for
safeguarding your personal and protected health information. However, because the federal law is not as
yet fully implemented in
Addendum to
Photograph Form
a. Should include both permission to make the photo/video,
but also to show it and should address the issue of right to withdraw consent
to show it and to destroy it.
b. Should also have a clause that holds the
therapist harmless from any damage resulting from showing it before the patient
says to stop.
c. Should also include clause that suggests that
patient consider it and discuss it with counsel or trusted advisor before
agreeing to it – like making
sure the patient has capacity to sign and doesn’t sign out
of undue influence.
SAMPLE FORMS FOLLOW
Release of
Information for Outpatient Psychotherapy Records
I, _______________________________________________________________
(Patient)
authorize _________________________________________________________
(Professional)
to release information as follows:
I. Specific information
requested and its intended use: (to whom, for what)_____
_______________________________________________________________________
_______________________________________________________________________
II. Length of time the
information will be kept before being destroyed or disposed of:
___________________________________________________________
(I understand that, in order to keep the information longer than the
time specified, I must be notified of the extension and the specific reason for
the extension, the intended use of the information during the extended time and
the expected date of the destruction of the information.)
III. I understand that the
information will not be used for any purpose other than its intended use.
IV. I understand that the
person/entity requesting the information will destroy it and all copies of it
in the person/entity’s control, will cause it to be destroyed or will return it
and all copies of it to me, before or immediately after the length of time
specified in item II (above) has expired.
V. I have received a copy
of this written request 30 days prior to sending the requested information, or
I have signed a written waiver in the form of a letter submitted to the
provider of healthcare (“Professional,” above) waiving notification.
VI. The professional (above)
is not authorized to disclose information to any other person/entity without my
consent.
Name (printed):
_____________________________________________________
Signature:
_____________________________________________________
Date: ______________________
Progress Note/Clinical Record
Patient
name:____________________________________________________________
Date of Service________________
Length of Session_______ Start______ Stop _____
CPT: 90806/90818/90847/90853/Other____________
Diagnoses:_________________
Symptoms:
____________________________________________________________
Axis IV Psychosocial
and Environmental problems addressed:
____Primary support group
problems ____Self-care problems
____Social environment problems
____Economic stressors
____Physical health problems ____Current victimization
____School/work problems ____Other psychosocial
stressors
____Housing problems
Current GAF___________________; Highest GAF this
year________________.
Current
Meds.__________________________________________________________.
Risk issues
assessed_____________________________________________________.
Consultations:___________________________________________________________.
Tx
Plan________________________________________________________________.
Informed consent issues discussed this
session:________________________________
______________________________________________________________________
______________________________________________________________________
_____________________________________________________________________
(Signature)____________________________________________________________
Psychotherapy Note
Patient Name
____________________________________________Date__________
Disclosures this
session__________________________________________________
_____________________________________________________________________
Interventions this session
________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Patient
Comments/Behaviors______________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Homework____________________________________________________________
Signature_____________________________________________________________
California Health
& Safety Code 123130 holds that a treatment summary may be prepared in lieu
of a patient record, within 10 working days of the request (if a record is
unduly long or a patient is recently discharged, 30 days are allowed, but the
patient must be notified in writing).
Summaries must include:
(1) Chief complaint or complaints including pertinent history.
(2) Findings from consultations and referrals to other health care
providers.
(3) Diagnosis, where determined.
(4) Treatment plan and regimen including
medications prescribed.
(5) Progress of the treatment.
(6) Prognosis including significant continuing problems or conditions.
(7) Pertinent reports of diagnostic procedures and tests and all
discharge summaries.
(8) Objective findings from the most recent physical examination, such as
blood pressure, weight, and actual values from routine laboratory tests.
Fees:
The
health care provider may charge no more than a reasonable fee based on actual
time and cost for the preparation of the summary. The cost shall be based on a
computation of the actual time spent preparing the summary for availability to
the patient or the patient's representative.
It is the intent of the Legislature that summaries of the records be
made available at the lowest possible cost to the patient.
Account of
Disclosures
Client Name:
___________________________________________________________
Date of Birth:
___________________________________________________________
| Disclosures to: (Name and address) | Purpose of Disclosure | Date |
|  |  |  |
|  |  |  |
NOTICE: This is the Client Record
WARNING! All materials
intended for exclusive use of therapist must be kept in a separate “Confidential Psychotherapy Notes” folder. The contents of this Record are ONLY to include: face sheet
information, informed consents, patient information, general
diagnosis, functional status, treatment plan progress, billing and insurance
information form, appointment information, length of session (starting and ending times),
medication and referral information, and a termination summary. A general release of information must be
signed and dated by client before information from this folder can be
released. With a signed release and/or
subpoena the
appropriate portions may be released.
The client (a) has a right to review this folder and to request a copy, and (b)
has a right to revoke consent.
Further, the client has a right to amend this record
(but legal consultation must be sought before amendment is included). All released information must be logged in this folder on
special log sheet: to whom, for what purpose, what was sent, date
released, signed and notarized (if there is any question of identity), client release
or government subpoena. Client
releases must accompany attorney’s subpoena. Seek legal consultation regarding
questions.
This Folder Contains Psychotherapy Notes WARNING! Criminal Penalties Federal HIPAA Legislation caused this CONFIDENTIAL PSYCHOTHERAPY file to be
created for the exclusive use of the treating therapist.
for release of any part of this file
for subpoenas of any kind!
(b) legal consultation. 5.
Any material released from this folder must be logged on the log sheet (to whom, for what purpose,
what was sent, what date, signed and notarized if
there is any question of identity release from client). |
NON-HIPAA COMPLIANT FILE WARNING: CRIMINAL
PENALTIES: Do Not Release any part of this folder without the therapist or
his/her legally designated representative reviewing and authorizing it. WARNING!
RELEASE OF PARTS OF THIS CONFIDENTIAL FOLDER WITHOUT PROPER AUTHORIZATION IS A FEDERAL CRIME
AND MAY RESULT IN IMPRISONMENT OR UP TO $250,000 FINES TO THE PERSON
RESPONSIBLE. LEGAL CONSULTATION MUST BE SOUGHT REGARDING ANY QUESTIONS OF RELEASE. Compliance with the Federal HIPAA Legislation was required in inactive prior to that time and so has not been reviewed to assure |
[1] The main sources of information consulted for this document are the American Psychological Association Insurance Trust [APAIT.org] , the California Association of Marriage and Family Therapists [camft.org], and the American Association of Marriage and Family Therapists [aamft.org]. Dr. Ofer Zur’s HIPAA Compliance Kit (http://www.drzur.com) and the American Psychological Association’s compliance kit were also consulted. Required forms and basic guidelines are on all of these websites.
[2] HIPAA was passed in 1996 guaranteeing the sanctity of our psychotherapy notes. The same year the Redmond Supreme Court Case (see main book text for summary) also guaranteed the absolute privacy of psychotherapy notes. At this point should you receive any type of demands whatsoever for your notes—from insurance companies, public agencies, attorneys, or private parties—explain that you cannot comply with the demand due to Federal HIPAA laws and the Redmond Supreme Court Decision. If pressed, ask to speak with their attorney so you can explain, or speak with your own attorney so that you do not respond inappropriately. Further, ot only does HIPAA prohibits any coercion of your clients for their psychotherapy records or notes, but even with the special HIPAA client Release of Psychotherapy Notes form (attached) the psychotherapy notes by law belong to you for your exclusive use so that you alone may choose to release only a summary, only selected portions, or nothing at all!.
[3] Because disability or death could happen to us at any time, or because we might leave the setting in which records were created, throughout this document I suggest that all folders have a clear label on front so that anyone, ourselves included, encountering the folder later can at a glance see its HIPAA status. Three pages of sample labels are provided at the end of this document to assist you. Each folder should have a dated termination summary (sample provided) in clear view for the same reason—i.e., so that we or a custodian of our records can later tell at a glance how long the record should be kept, and so that when the file folder is purged and shredded the termination summary can be easily removed for permanent storage as a record that we did see the client.
[5] It seems highly unlikely to me that the American Psychiatric Association will tolerate for long the federal government scrapping the DSM that it has spent decades and millions of dollars developing, but so far the rule is ICD-9 diagnoses. Most clinicians continue to use DSM until some clerical worker at an insurance company rejects the diagnosis. Try to educate the worker about the DSM and its importance. Then ask to speak with a supervisor and if the call for ICD-9 persists have them fax you a copy of the possible mental health diagnoses—there are only a few and they are badly developed. I would not recommend ordering the very expensive AMA code books; they include all medical diagnoses and only have a few pages for us. Make the insurance company send you the few pages or copy them from your doctor’s office if necessary.
[6] All of our national mental health associations maintain on their websites (see footnote, page 1) information on how to comply with the security rule. A particularly useful guide is “The HIPAA Security Rule Primer” available at www.apapractice.org. Also available at the same site is a workbook that can take you systematically through all of the relevant concerns and suggest ways of addressing them.
[7] The Implementation Specifications can also be found in the Security Rule itself located at: www.cms.hhs.gov/HIPAA/HIPAA2/regulations/security/default.asp.