Transcript
Episode 417: What You Should Know About HIPAA Covered Entity Status Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas.
Liath Dalton
And I’m Liath Dalton and we are Person Centered tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records. Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 417: What You Should Know About HIPAA Covered Entity Status.
Liath Dalton
Ah yes, the question as old as time, or rather as old as HIPAA itself, since it was enacted as a federal regulation, has been the question of “Am I a HIPAA covered entity?” Or “Is my organization, my institution, a HIPAA covered entity? What does it matter if I am or I am not?”
Liath Dalton
And there’s a lot to unpack here. That is, while not the sexiest of topics, it is really important to understand, because the implications for your practice are significant. And there are some really key pieces to be aware of. So let’s dive right in.
Evan Dumas
Yeah.
Liath Dalton
So to begin with, what we want to look at is what actually makes someone a covered entity?
Evan Dumas
Mhm.
Liath Dalton
And that part is a little complex, because it’s based on what is defined as a covered transaction.
Evan Dumas
Mhm.
Liath Dalton
And a covered transaction, the easiest way to distill it down, is an electronic communication with insurance.
Evan Dumas
Yup, yeah.
Liath Dalton
That’s the simplest way to put it. And so from that, a lot of providers will make a determination: “Oh, I’m not an insurance based practice. So I’m not having direct communications with insurance. So therefore, I’m not a HIPAA covered entity. And HIPAA doesn’t apply, and I don’t need to worry about it.”
Evan Dumas
Yeah.
Liath Dalton
But unfortunately, there are still things that can qualify as a covered transaction. One area where we’ve seen this come up is with practices that contract with EAPs, because the amount of information that needs to be provided for those claims to get processed, is still something that qualifies as a covered transaction.
Evan Dumas
Yeah.
Liath Dalton
So it is not a de facto case that you are not a HIPAA covered entity if you don’t currently take insurance.
Evan Dumas
Mhm.
Liath Dalton
The other piece related to this is that if you have been a covered entity at any point, and by that we mean you’ve performed covered transactions, so electronic communications with payers, even if it’s an out-of-network benefits verification for a client, that has conferred HIPAA covered entity status, and once that status is conferred, it is in place forever and ever.
Liath Dalton
It is not something that stops when you, for example, switch from being an insurance based practice to a private pay only practice. So that’s really important to note, and it’s an area where we’ve seen some confusion amongst folks, and understandably so. Because if performing a covered transaction makes you a HIPAA covered entity, it would seem that there should be a way to then elect not to be a HIPAA covered entity if you cease performing covered transactions. But that’s getting into the weeds a little bit, because really what we want to talk about is how it matters to follow HIPAA, regardless of whether or not you are, in fact, a HIPAA covered entity, for a multitude of reasons and benefits.
Liath Dalton
So, one component there is that HIPAA is an incredibly useful framework for meeting the ethical requirements of each of the therapy professions.
Evan Dumas
Yeah.
Liath Dalton
Each of the ethics standards specify, to a certain extent, how client information and electronic client information needs to be protected and safeguarded, but does not provide the level of specificity or flexibility that HIPAA does.
Evan Dumas
No.
Liath Dalton
And it is much easier when you’re evaluating a service provider to be looking at whether or not they understand HIPAA, and are prepared to execute a HIPAA Business Associate Agreement with you, than it is to approach a service provider and say, “I am a clinical social worker, and I have these ethical responsibilities that I have to uphold and have to make sure the safeguards are in place. So can you give me assurances that you will do that?”
Evan Dumas
Mhm.
Liath Dalton
That’s not something that is realistically feasible. But thankfully, the concept of HIPAA Business Associates, and it being a federal regulation, makes it much easier in terms of being a known quantity amongst service providers that serve the healthcare profession.
Evan Dumas
Yeah. Yeah.
Liath Dalton
Evan, you also had a really excellent point about the components for Safe Harbor that ties into this useful framework.
Evan Dumas
Yeah, so there’s this wonderful topic or thing called Safe Harbor. Now, it’s used in lots of different industries. Basically, it’s a term saying that when your, whatever, generally devices meet the standards, they are considered safe, and you don’t have to go above and beyond it. If it’s lost or stolen, it’s, you know, considered a brick.
Evan Dumas
So Safe Harbor’s lovely, because you’re like, “Oh, sweet, I only have to do these things, I’ll get them checked off.” Now, I don’t know of any trainings or any information out there that’s like, “And here’s how you comply with your state’s data privacy laws for your device needs,” because all of this stuff is buried pretty deep in the legislation and regulations.
Evan Dumas
But for HIPAA Safe Harbor, that stuff’s totally published. And we have trainings on it, other people do, too.
Liath Dalton
Mhm.
Evan Dumas
So it introduces you to the concept of Safe Harbor, lets you breathe at night, knowing, “Hey, I won’t have to worry if it’s lost or stolen. I don’t have to file a breach.” And so it says, “Hey, do these things.” It just so happens that the Safe Harbor standards that HIPAA proposes cover you for your state based regulations you need to comply with. So it’s really taking care of a lot of things at once by doing the HIPAA route.
Liath Dalton
Exactly.
Liath Dalton
So if you have devices that are used for any practice work secured according to the standards for Safe Harbor under HIPAA, then that means that you are also covered in terms of state data breach laws, which apply whether or not you are a HIPAA covered entity. They actually apply regardless of whether you’re a healthcare provider or not, though there is kind of a higher level of requirements for health care data. So that is something that applies across the board regardless of HIPAA covered entity status. But if you’re covering yourself under HIPAA, you’re covered under state as well. And so it’s a nice two birds, one feeder solution there.
Liath Dalton
And kind of following from that is another area where we’ve seen folks who really haven’t performed a covered transaction still conferring HIPAA covered entity status on themselves by virtue of giving a HIPAA Notice of Privacy Practices form to clients. And it’s understandable how this happens as well, right? You get your sort of practice paperwork startup set, either from an attorney or from colleagues, or maybe you’ve compiled it based on some of the templates that were used at previous places of employment. And this is something, the HIPAA Notice of Privacy Practices, that is just sort of standard and feels default.
Evan Dumas
Mhm.
Liath Dalton
So it can easily in those sorts of circumstances be something that you have adopted in your paperwork, even if you have not performed covered transactions and do not, in fact, have HIPAA covered entity status.
Evan Dumas
Mhm.
Liath Dalton
So once you have told clients that they have rights under HIPAA, you have to uphold those rights, and you are subjected to those requirements and responsibilities and liabilities. And I can’t tell you actually how many practices we’ve done consults with where they have said, “We are all private pay, so we’re not a HIPAA covered entity. We still follow some basic principles like getting BAAs with service providers, but we’re not a covered entity, so do we need to worry about the formal HIPAA risk analysis or policies and procedures and those sorts of things?”
Liath Dalton
And our guidance is always if you are going to operate as though you are not a HIPAA covered entity, you must ensure that you are in fact truly not a HIPAA covered entity and do so in a way that is going to be protective and defensible for you. That determination should be made on an evaluation by a HIPAA attorney specifically.
Liath Dalton
And so when I’ve been doing these consults, and gotten into a conversation around it, there have been so many times when we’ve discovered that it’s a moot point to do that consult with an attorney, because they have the Notice of Privacy Practices, also referred to as the HIPAA form as part of what they’re providing to clients.
Evan Dumas
Yeah.
Liath Dalton
So that’s kind of, you know, another good point for the whole consideration of it: whether or not you are a HIPAA covered entity, there are so many benefits and compelling reasons to still follow all of the standards that it includes, and to only make informed decisions about not following those if you truly and verifiably are not a HIPAA covered entity.
Evan Dumas
Yeah.
Liath Dalton
Going through some of the sort of processes and hoops to obtain that status or verify that you have that status, and then ensure that you never do anything that is a covered transaction and confers covered entity status, is a lot of rigamarole to manage.
Liath Dalton
So going back to one of PCT’s very first articles, which was “Am I a HIPAA Covered Entity and How Much Does It Matter If I Am or Not?” Our position on that has not changed. But the reasons why we still make the argument that we do have only sort of been bolstered by further learning as HIPAA has been around longer, as there’s been more case law. Increasingly we also see some licensing boards’ rules and regulations explicitly mention HIPAA compliance in terms of requirements for safeguarding client information.
Evan Dumas
Mhm.
Liath Dalton
So it is not something that I think we want to try to avoid just out of the box because of a sense that if HIPAA doesn’t apply, things are going to be easier. Rather, we’d make the case that acting as though HIPAA applies is the easiest and most straightforward way to have both specificity and flexibility in terms of guidance and mechanisms available to you to safeguard client information, cover yourself in terms of ethical requirements, and your state data privacy laws and rules. So it’s a win win win on each of those fronts. And I hope that we can all kind of reframe a little bit how we think of HIPAA, in that way, right?
Liath Dalton
Looking at it, leaning into it being a useful tool that really is supportive of a healthy practice, and healthy in a holistic sense, rather than this restrictive imposition that makes things harder for our practice.
Evan Dumas
Yeah.
Liath Dalton
So that’s the kind of takeaway reframe for how I would love to see us engaging with HIPAA as a regulatory framework and something that applies in our practice settings.
Evan Dumas
Yeah.
Liath Dalton
Any other pieces, you would add to that, Evan?
Evan Dumas
Well, it’s just nice, because, sort of speaking to the training piece, there’s trainings out there on how to follow HIPAA and what to do about HIPAA and whatnot. And, you know, it’s a big, scary monster if you don’t know what to do. But a lot of folks don’t know that there’s already things you have to comply with, state based regulations, regulations from your license’s code of ethics, that type of thing, that HIPAA sort of covers.
Evan Dumas
And so, it would be much harder to hunt down, “Oh, what is my local state’s trainings on data safety, or, like, security practices for communication?” when you could just take a HIPAA training. Of the two choices, if you think, “Hey, am I a HIPAA covered entity?” Well, I might as well act as though I am, so I can do all these safety things. And then you’re fine. And maybe you find out down the road you’re not, but, I mean, you are, because you put the NPP in.
Evan Dumas
But the other side of the coin is, if you’re someone who says, “You know, I’m just gonna think that I’m not a HIPAA covered entity,” but then later down the road you find out you are and you haven’t been doing it and bad things happen. Like, err on the side of caution. Here, look at all these wonderful, helpful tips that this agency is giving you on how to do these things and be cautious. Like, they’ve done the research. So might as well just follow what’s out there and know that it’s all written down, and you can just follow the steps rather than having to hunt down your local regulations yourself.
Liath Dalton
Exactly. And I want to also emphasize this last point, because it’s something that came up in discussion of this exact question in last week’s Group Practice Office Hours, which was the Eric Day session of the month, when we have it co-facilitated by Eric Strom, who’s a HIPAA and teletherapy attorney as well as a clinician. And Eric was highlighting the fact that in these sorts of reviews that he has done for his mental health care clients, it is exceedingly rare that he has ever found someone to truly not be a covered entity, and to ever obtain that status.
Liath Dalton
So that just kind of emphasizes that it’s pretty challenging to actually be a healthcare provider, have worked in different settings as well prior to launching your current practice, and to have done so without having obtained covered entity status in one of those prior therapy work settings. Right?
Evan Dumas
Mhm.
Liath Dalton
So, hopefully, this is helpful in terms of clarifying some of the pieces around HIPAA covered entity status, and in an even broader and maybe more useful sense as well, just looking at how we can lean into and embrace it being a helpful tool.
Evan Dumas
Mhm.
Liath Dalton
We’ll talk to you next time.
Evan Dumas
Yeah, talk to you next time everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click Podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we explain the ins and outs of who is considered a covered entity in a group practice context.
We discuss covered transactions; common reasons why practice owners believe they’re not a covered entity; how long covered entity status lasts; why it matters to follow HIPAA, regardless of covered entity status; Safe Harbor; and a reframe for thinking about HIPAA in group practice.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- From our article archives: Am I a HIPAA Covered Entity? (How Much Does it Matter If I Am Not)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.