**An update to this article was posted in 2024. Please also enjoy Understanding HIPAA Covered Entity Status: What You Need to Know**
Did you know that just because you practice health care in the United States, you’re not necessarily legally required to comply with HIPAA? The followup question, of course, is, “Does it really change anything if you’re not?”
For HIPAA, only those folks who qualify as “covered entities” are legally required to comply with the law. For health care providers, this is how the law defines a “covered entity”:
A health care provider that conducts certain transactions in electronic form.
“Certain transactions” — what a mysterious statement. Many have claimed that these transactions are things like sending emails or using Skype to speak with clients. In fact, that is not the case: those activities are not covered transactions.
These “covered transactions” relate to billing insurance and making inquiries with insurance such as statements of benefits. Specifically, they are the transactions defined in HIPAA’s lesser-known Transaction Rule. You can see a list of those transactions in the Feds’ helpful document, “Are You a Covered Entity?”.
So if your practice has never billed insurance, it is probably not a HIPAA covered entity.
Yes, that sounds odd to me, too. HIPAA covers so much more than just insurance billing. Why would that be the sole rubric? It’s strange, but it is the rule. To be sure, please check out CMS’ “Are You a Covered Entity?” guide and consult with your attorney on making a decision about whether or not to consider your practice as a covered entity.
This definition did not change in the January, 2013 Omnibus Final Rule, by the way.
I don’t directly bill insurance at all. So I don’t have to comply with HIPAA?
Well, that’s not entirely the case.
Consider our professional ethics codes. All of these professional organizations’ ethics codes, at the very least, explicitly require that we take steps to maintain the confidentiality of client data, including in electronic media: ACA, APA, NASW, AAMFT, and NBCC.
Here are some ethics code examples:
Counselors take precautions to ensure the confidentiality of all information transmitted through the use of any medium.
ACA Code of Ethics, 2014, B.3.e emphasis mine
In addition, the ACA code has a whole section on the use of digital tech in counseling. That section (Section H) even defines a few ethical standards around security, but it does not encompass the whole practice and it does not define how to achieve security. So far, HIPAA is our only influencer that does that.
It is the therapist’s or supervisor’s responsibility to choose technological platforms that adhere to standards of best practices related to confidentiality and quality of services, and that meet applicable laws.
AAMFT Code of Ethics, 2015, 6.3
This Ethics Code applies to these activities across a variety of contexts, such as in person, postal, telephone, Internet, and other electronic transmissions.
Ethical Principles of Psychologists and Code of Conduct (“APA Code of Ethics”), Introduction and Applicability
The APA’s code makes a point of noting that the principles of the code extend to the digital realm. The ethical principles themselves also address the need for security in transmissions, but this statement from the Introduction says quite a bit by itself. Once again, however, we see only a partial address of the need for security and privacy in a psychologist’s practice.
Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.
NASW Code of Ethics, 1.07 (m)
…All electronic therapeutic communication methods shall use encryption and password security.
NBCC Code of Ethics, 54
So if someone is inquiring into the question of whether or not you are complying with these digital confidentiality mandates and taking proper steps to protect clients, what professional standard should they look to? Certainly in the United States, HIPAA is the most well-developed and authoritative set of rules defining standards for security and privacy in health care.
Does this mean you will be subject to all aspects of HIPAA, even if you’re not a covered entity? That’s harder to answer. For example, the Office of Civil Rights’ random audit program is defined as being random audits of covered entities. Non-covered entities cannot be audited. (I question whether many mental health providers will be audited at all, but that’s just conjecture.) Complying with the essential standards around security and privacy seems like a no-brainer, however — we need to do it to keep up with standard of care.
So HIPAA defines standard of care around security and privacy?
Maybe. Sometimes. Not always.
For a long time, experts theorized that HIPAA could be invoked as standard of care in situations such as malpractice cases or licensing board actions. For the most part, this is still theory.
We do have a couple of cases now, though. There was a quite decisive decision (repetition intended) from the Ohio Second District Appeals Court in the case of Sheldon v. Kettering Health Network. The judge made a couple of points that are quite relevant to our interests here:
…the plaintiffs contend… that they were not seeking recovery under HIPAA and that they were relying on [HIPAA], at most, to establish a standard of care.
…
However, we further conclude that federal regulations [e.g. HIPAA]—as opposed to an Ohio statute that sets forth a positive and definite standard of care—cannot be used as a basis for negligence per se under Ohio law.
(all emphasis and items in brackets are my own additions)
In this case, the plaintiffs were suing Kettering Health Network because a doctor there had committed an egregious and nasty violation of the plaintiff’s medical privacy. They argued (quite correctly) that this violation only occurred because the clinic itself was not following its own security policies and thus had slipped out of compliance with HIPAA.
The question was: can the plaintiffs sue the clinic for negligence? To do so, they have to prove the clinic was not meeting standard of care. The plaintiffs argued that the clinic’s lack of HIPAA compliance indicated they were not meeting that standard.
The judge disagreed that HIPAA — a “federal regulation” — can be used to define standard of care and therefore “cannot be used as a basis for negligence per se under Ohio law.” (emphasis mine.) The clinic is subject to HIPAA enforcement by HHS’s Office of Civil Rights and/or Ohio’s attorney general, of course. That won’t get the plaintiffs any money, though.
The judge did note something else, though:
Despite preemption and the lack of a private right of action, we are aware of three states that have expressed approval of the use of HIPAA regulations as a standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (2014), R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E. 2d 715 (W. Va. 2012), and Acosta v. Byrum, 180 N.C. App. 562, 568, 638 S.E.2d 246 (N.C. Ct. App. 2006). However, each is dependent on the nuances of applicable state law, the claims pursued, and the unique facts presented.
Amateur (or professional) law scholars among the readership can follow those links for further information. We can see from the quick view, however, that HIPAA as a standard of care is highly dependent on jurisdiction and circumstances. Furthermore, there are still hundreds of jurisdictions in which that question has not yet come up.
Back to the Insurance Thing: So if I stop billing insurance, I can stop being a covered entity?
This is not at all clear. The law seems to imply that once you “break the seal” and make one of those “covered transactions” electronically, you’re a covered entity forever and ever. One could envision a situation where a clinician argues that they are not currently acting as a covered entity as it is described and therefore shouldn’t be treated like one, but I’ve never heard of that argument being tested.
Remember that state laws vary widely on the issue of health care privacy. If you’re interested in “emancipating” from HIPAA, or in any way acting on the educational information in this article, I strongly advise you to consult an attorney. Even if you aren’t a covered entity, many states have laws that mimic HIPAA or are stricter than HIPAA.
HIPAA emancipation will not free any US health care provider from performing duties related to security and privacy in their practices. For many clinicians, HIPAA compliance is a useful approach to meeting their needs for security and privacy because there are so many resources available for achieving it.
In short: we recommend HIPAA compliance or at least something close to it.
Great summary, Roy! I want to emphasize and underline your last statement. Some states have laws that are even more stringent than HIPAA (I believe Texas is one), so it’s very important that people know ALL the laws that impact them where they practice.
As to the part about becoming a “non-Covered Entity”, my feedback from OCR on this is that you can do it. As with so many things involving HIPAA, it requires that you document the rationale and decision to cease covered transactions and declare yourself no longer a Covered Entity. Of course, as with so many things with HIPAA, this isn’t documented anywhere. Just the feedback I received from their representative. And it still wouldn’t necessarily release you from any of the state laws and ethical codes that might apply.
Rob, I think that interview you managed to get with the OCR rep has made you one of the most well-informed professionals on HIPAA in the United States. :) That is really useful information about “renouncing” covered entity status. Thanks for sharing it here.
Nice approach, Roy, with the backward questions to HIPAA CE. We seem to state only the “have tos” to clients, so this approach is refreshing. I agree that at this stage in the game it is very important to seek legal advice. Even our holistic providers in Florida are accepting that HIPAA is part of their practice and are adopting the procedures.
Next, you can write a set of questions from the Business Associate perspective. That will be interesting as well. We all have to do our due diligence.
Warmly,
Rebecca
Hi Rebecca,
Thanks much. :) So far my audience is just clinicians, so I likely won’t write anything aimed at Business Associates. I imagine that would be a more complicated article.
I have found your website and articles extremely informational and helpful! If a counselor is not a covered entity because they do not submit to insurance, is there any harm to being cautious and still having clients fill out a HIPAA form? And if they do, are there classes, etc. that the counselor has to take in order to do that?
Hi Chantal,
If you are not legally required to distribute a Notice of Privacy Practices (often called the “HIPAA form”) by any regulating body (e.g. the feds, your state or your licensing board), then remember that by distributing one anyway you are promising clients that you will abide by the policies contained in the form. You can decide if that’s a good or bad thing for you. :)
That makes sense. So if a counselor is not a covered entity under HIPAA and is using a cloud based system for records, client billing, etc. (I’m currently looking into Counsol.com) does the counselor still need a BAA with them?
That is a grey area. I don’t know if any court, licensing board, etc has acted as if the Business Associate rule is also part of the standard of care defined by HIPAA. Some experts think it’s part of the standard of care, others do not. You’ll want to make your own decision. Remember that you have a mandate to maintain confidentiality and vet your service providers no matter what. Simply following rules is not the same as acting ethically, right? ;)
Thoughtful article. I loved the specifics. Does someone know if I could locate a sample Employee Warning Notice form to complete?
Thanks for the positive feedback, we’re glad you found the article useful! We don’t, at this time, have a sample Employee Warning Notice form. Best of luck!
Hi Shalon, my assistant found a template Employee Warning Notice example at this place https://goo.gl/3cC7q2.
Thanks, Toshiko. That’s a great share!
Your article is quite illuminating. As a client I recently learned that my therapist was not a covered entity under HIPAA. For me, struggling with depression and anxiety, filling out a simple electronic form with the Office of Civil Rights was an easy and limited-stress way of reporting privacy violations (sending unencrypted videos of our sessions by email, sharing email addresses/names in a group email to all members of a group therapy class, texting over iMessage on my mental health issues and with family members, and more). I appreciate the protection of the HIPAA violation penalty. Yes, there are ethical and licensing issues, but it is far more challenging for a client to make professional ethics complaints. We need an easier mechanism from which to share our legitimate privacy concerns.
Thank you for sharing here, Marie. This is useful feedback for all of us.
This feedback, and the article along with resources, are pure gold! You guys have done it again ;)
Thanks, Maelisa!
Roy, this article was absolutely terrific! Practical nuts and bolts without the jargon. Well done.
Scott, so glad you found it useful!