HIPAA Myths and Misconceptions

If you ever want to see beads of sweat appear on the forehead of a colleague, just say “There’s a phone message from Health and Human Services for you… something about a HIPAA violation…”

The text of the Health Insurance Portability and Accountability Act (HIPAA) is so long (101,000 words, more than 500 pages) and written in such obscure legal language that few people are certain that they are completely in compliance with its mandates. Even fewer have actually read it.

These conditions are the perfect breeding ground for rumors, myths, misinformation, and unjustified fear.

Here are just a few of the HIPAA misconceptions that many therapists hold:

Myth #1: HIPAA is a black-or-white law. By reading it thoroughly, you can be certain that you are in compliance.

Not really. Many federal laws are written rather vaguely. Written this way, they don’t need to be rewritten every few years to keep up with change, and they can cover an infinite variety of clinical situations.

One example is a key phrase that describes when it is OK to share client information with staff within an office. Such sharing is OK if it is “...essential to healthcare operations…”, but the law never defines what that phrase means. This is purposeful vagueness that allows HHS some leeway in legal interpretation to decide whether you have been naughty or nice.

Myth #2: Most of HIPAA is about preserving client privacy.

Nope. HIPAA contains five sections, and only one of them is concerned with the privacy of clinical records. The others define data exchange standards, create a system for identifying healthcare providers (the NPI), provide some (rather ineffective) assurance that your healthcare coverage will continue if you lose your job, and define security standards for the protection of healthcare records. HIPAA also sets guidelines for pre-tax medical spending accounts, group health plans, and company-owned life insurance policies.

We focus on the “privacy” part because it concerns us as therapists the most often. But we should be just as concerned about the “security” part of HIPAA. More on this below.

Myth #3: The most common way that electronic healthcare records are stolen is by “hackers” who break into your computer or your online records.

Maybe on TV, but not in real life.

The most common way such records are leaked is by losing a laptop computer or storage device, often in a restaurant or airport. If you were to be “hacked” despite maintaining careful data security standards, you would not be in violation of HIPAA – the hacker would.

But therapists are famous for poor security practices, such as loaning passwords to admins, creating easily-guessed passwords, failing to delete account access when employees leave, leaving their computers logged in during lunch breaks, and failing to encrypt local files like Word documents that contain PHI. If client data is leaked because you were sloppy with security, the hammer WILL fall.

Also remember that credit card numbers should never be stored on your local machine. Hackers are much hungrier for credit card numbers than for juicy clinical information: if you don’t store something worth stealing, they won’t put effort into breaking into your machine.

Myth #4: If you share the cost of a front office admin with a group of other therapists, it’s OK for that admin to know who your clients are and have access to their records for scheduling and billing.

Yes and no.

If your group is incorporated (for example, as an LLC or S-Corp) and your group provides annual HIPAA training to the front office workers, you don’t need to have a BAA (Business Associate Agreement) in place with that admin.

But if your group is really an affiliation of independent therapists sharing space and not a formal legal entity, then you MUST have a signed BAA in place with them, and they must take on the responsibility of training themselves in HIPAA.

An informal group also can’t share client records without the client’s written consent, but an incorporated group can legally do so.

HHS is likely to be a bit more lenient about the written consent if sharing records with independent colleagues is “essential to healthcare operations” as in an emergency situation or vacation coverage consented to by the client.

Myth #5: It is a HIPAA violation to send an appointment reminder to a client, since this is the sort of electronic transaction governed by HIPAA and it betrays the fact that they are in therapy with you.

Curiously, no.

In a rare show of flexibility and clarity, HHS issued a special memo giving leeway to appointment reminders in particular, even though technically they could leak information about a person’s status as a client. They didn’t want people missing appointments; the leeway was the “lesser of two evils.”

They give similar leeway to credit card transactions: you don’t have to have a BAA in place with MasterCard to use their services.

But such leeway is not a blank check. In the case of reminders, you are still supposed to disclose as little as possible about the appointment. “Mary has an appointment with John Doe at 9:00 on Thursday” is MUCH preferable to “Mary Jones has a psychotherapy appointment with Dr. John Doe at the Depression Treatment Center at 9:00 on Wednesday.” Ideally, the reminder could be interpreted as anything from a haircut appointment to a meeting with an accountant.

Also, your client must be given the option to “opt out” of any appointment reminders – they might need this if their email account is shared with their spouse, who doesn’t need to know that your client is in treatment with you.
