How the HIPAA Privacy Rule Will Affect Practitioners
Even though psychologists have always placed a high priority on safeguarding patient confidentiality, the privacy rule will increase privacy protection for all health information. The privacy rule resulting from HIPAA will affect psychologists’ practices in many ways.
In general, the rule will require psychologists to
- Provide information to patients about their privacy rights and about how their health information may be used and disclosed
- Adopt clear privacy procedures for their practices
- Train employees so that they understand the privacy procedures
- Designate an individual to be responsible for seeing that privacy procedures are adopted and followed, i.e., a privacy officer
- Secure patient records
The privacy rule was developed with the understanding that there are many different types of health care providers who must comply, ranging from large multi-hospital systems to individual solo practitioners. Therefore, the administrative and procedural requirements are designed around the notion of “scalable compliance.”
The administrative requirements of the privacy rule are “scalable,” meaning that a covered entity takes “reasonable” steps to meet the requirements according to its size and type of activities. In other words, the administrative burden on a psychologist who is a solo practitioner will be far less than that imposed on a hospital. For example, a hospital may be required to create a full-time staff position for a privacy officer, while a psychologist may identify herself as the “privacy officer” in her solo practice.
What Needs to Be Done
Following is an overview of the types of administrative processes and other tasks that practicing psychologists will need to handle in order to meet the requirements of the HIPAA privacy rule.
Learning the Terms
Psychologists must learn the legal meaning of terms such as “use,” “disclosure,” “consent” and “authorization” as well as the various types of information that may be kept in health records. A new category of information, “psychotherapy notes,” is also part of the regulation and must be understood.
Policies and Procedures
New office policies and procedures must be implemented with respect to protected health information (PHI) to comply with the requirements of the privacy rule. These policies and procedures must be “promptly” changed, as necessary and appropriate, to comply with any changes in the law that might occur in the future.
Administrative and Physical Safeguards
Appropriate administrative, technical and physical safeguards must be in place to protect the privacy of PHI. For example, a psychologist should be ready to demonstrate that the computer on which patient records are kept can be accessed only by him or her (for instance, through a password-protected account that no one else uses), that any backup files are likewise accessible only to him or her, and that hard copies of such records are locked in a file cabinet. There will likely be some additional requirements when the final Security Rule is promulgated. The APA Practice Organization and the APA Insurance Trust will incorporate that information into the HIPAA compliance materials that the two entities are developing collaboratively as soon as it becomes available.
Government Enforcement and Penalties
Formal compliance with the HIPAA requirements is necessary because there are real and significant penalties for non-compliance. If a health care provider refuses to become informed or deliberately fails to take appropriate action, the consequences of failing to comply with HIPAA include (from the least to the most severe):
- Administrative action taken by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights
- Civil penalties of not more than $100 for each violation, with the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year not to exceed $25,000
- Criminal fines of up to $250,000, imprisonment for up to 10 years, or both, for the offense of knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA (“wrongful disclosure of individually identifiable health information”); the statute sets lower maximums for basic violations and reserves the top tier for offenses committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm
A primary initial aim of the HHS Office for Civil Rights is to work with the health care community to help health care providers understand and implement HIPAA.
Training
All members of a psychologist’s workforce must be trained as necessary and appropriate to carry out their functions under the privacy rule. Training must be documented in accordance with the rule’s documentation requirements.
Sanctions
A psychologist must have and apply appropriate sanctions against members of his or her workforce who fail to comply with the privacy policies and procedures or requirements of the privacy rule. Sanctions must be documented in accordance with the privacy rule’s documentation requirement.
Complaint Process
A patient complaint process regarding compliance with the privacy rule or policies and procedures related to the rule must be in place. This may be as simple as receiving complaints and keeping a file of such complaints.
Documentation of Compliance Procedures
Policies and procedures must be maintained in either electronic or written form. Various types of HIPAA documentation must be retained for six years from the date of creation or the date when it was last in effect, whichever is later.
Duty to Mitigate
A psychologist must mitigate, to the extent practicable, any harmful effect that he or she knows of resulting from a use or disclosure of PHI by his or her employee(s) or a business associate in violation of the practice’s policies and procedures or the requirements of the privacy rule. For example, if the receptionist in a small psychology group practice inadvertently sends the wrong patient’s records to an insurer for reimbursement, the psychologist might be required to request the records back and inform the affected patient of the error.
Adapted from: “Getting Ready for HIPAA: What You Need to Know Now,” from the APA Practice Organization and the APA Insurance Trust. Additional information, including definitions of terms, is found in this publication, which was mailed in March 2002 to all APA members who pay the APA Practice Organization special assessment.