Perspective on Practice

If you electronically transfer protected health information — a broad category that covers a patient's contact information, clinical record or payment history — in connection with insurance claims or other third-party reimbursement, you've likely triggered the need to comply with the Health Information Portability and Accountability Act (HIPAA). If you haven't yet changed your compliance practices and documents to meet the Sept. 23 deadline for the HIPAA Final Rule, you need to act now.

More urgently, if you trigger HIPAA and haven't taken the basic steps to start complying with the HIPAA Privacy Rule and Security Rule, stricter enforcement and penalties under the Final Rule make this oversight risky.

Sept. 23 was the deadline for all providers covered by HIPAA, including psychologists, to comply with the HIPAA Final Rule, which was released in January 2013 by the U.S. Department of Health and Human Services (HHS). The Final Rule increases enforcement and penalties, especially for those who have not tried to comply, and includes penalties of up to $1.5 million per year, per HIPAA requirement violated.

Under the Final Rule, HHS will step up HIPAA audits. In addition, the "breach notice" provisions mean that if your laptop or smartphone is stolen and has unencrypted protected health information on it, you will probably have to notify HHS (and affected patients) of that breach. This could shine a spotlight on the state of your HIPAA compliance.

I know from personal experience that HIPAA compliance can be arduous. I was in private practice in 2005 when the Security Rule went into effect. The APA Practice Organization's (APAPO) "HIPAA Security Rule Online Compliance Workbook" translated the rule's legalese into the required risk assessment tailored for a psychological practice. Even so, I spent a significant amount of time getting into compliance. Despite the time commitment, I knew that I needed to be in compliance with the law, and more important, I wanted to be sure to protect my patients' information.

APAPO has prepared several resources to help practitioners understand the changes and come into compliance. Aside from enforcement and penalties, other important changes in the Final Rule that affect psychologists concern breach notification, notice of privacy practices and business associates. APAPO's The HIPAA Final Rule: What You Need to Do Now is available free for APAPO members and to past and future purchasers of the "HIPAA for Psychologists" compliance product from APAPO. The HIPAA Final Rule resource updates existing HIPAA Privacy Rule compliance information and includes updated language to insert into your HIPAA forms. It is available to APAPO members and can be found on APAPO's Practice Central website.

If you're new to HIPAA compliance and need basic compliance forms and information, consider starting with "HIPAA for Psychologists," a CE course and compliance product developed by APAPO and the APA Insurance Trust. 

The "Privacy Rule Primer," also from APAPO, has been updated to explain how Final Rule changes affect Privacy Rule compliance. The primer provides a refresher for those who started complying years ago and an introduction for new practitioners just starting with HIPAA. It covers HIPAA basics such as who needs to comply with the HIPAA Privacy Rule and the HIPAA Security Rule, and what types of information are protected.

HIPAA resources for you

APAPO has created resources and information to help psychologists comply with the HIPAA Final Rule, Privacy Rule and Security Rule. All resources are available in the HIPAA compliance section of APAPO's Practice Central website. These resources include:

  • "HIPAA for Psychologists," a CE course and online compliance product.
  • The HIPAA Final Rule: What You Need to Do Now.
  • The 2013 "Privacy Rule Primer."
  • "HIPPA Security Rule Online Compliance Workbook."