HIPAA for Psychologists

What is the purpose of the HIPAA Privacy Rule?

The HIPAA Privacy Rule, a regulation promulgated by the U.S. Department of Health and Human Services, establishes a minimum level of privacy protection for health care information. The Privacy Rule also establishes a patient's rights regarding the use and disclosure of their health care information. It focuses on the application of effective policies, procedures, and business service agreements to control the access to and use of patient information. The Privacy Rule applies to health care providers, health plans, and health care clearinghouses. 

Will the HIPAA Privacy Rule apply to my practice?

We believe that in the long term, all psychologists providing health care services will be subject to the Rule. Officially, HIPAA applies only to psychologists who have engaged in the electronic transmission of payment- and/or claims-related information at least once since 2003.  Go here to check whether you are currently a HIPAA ‘covered entity’ (i.e., subject to HIPAA regulation): https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf. Nevertheless, even if a psychologist is not yet subject to HIPAA, we believe that it is both wise and prudent to be HIPAA compliant for the following reasons: 

  • Insurance and managed care companies have largely moved from paper to electronic online transactions for payment and all health care operations. 
  • Circumstances could arise where the need for compliance is triggered by actions over which you will have no control (e.g., you may be required to submit electronic claims or payment related information).  If this occurs, your entire practice must become HIPAA compliant immediately. 
  • If you submit electronic claims to any third-party payors (e.g., HMO, PPO, Medicare), you will be required to immediately comply with all the HIPAA regulations. 
  • It is likely that most billing services will eventually move to electronic transactions to reduce the cost of manually processing claims. If you use a billing service that involves electronic transactions, you must also be compliant.  
  • The only possible exception to this advice would be the very few psychologists who operate on a total cash basis, have not, and will not in the future, submit any claims or payment-related information in electronic form to a payor. 

Am I exempt if I do not use electronic transmissions?

You may be exempt currently if you do not submit claims electronically or participate in any third-party payment plans. However, it is unlikely you will be able to avoid all electronic transactions in the future and remain exempt, especially if you or a business associate working on your behalf engages in any claims- or payment-related electronic transactions (e.g., billing or payment for services, authorization for treatment, utilization review, and electronic verification of coverage, etc.). That is why we recommend that psychologists who provide health care services become HIPAA compliant.

How does the HIPAA Privacy Rule impact current laws in my state?

This is one of the most important issues that must be addressed. The HIPAA Privacy Rule establishes minimum provisions for the use and disclosure of health care information. If your state law provides a patient with greater access to their healthcare information than does HIPAA, or if your state law provides greater protection from disclosure of a patient’s healthcare information, then your state law will take precedence over the HIPAA standard. Conversely, if your state law provides a patient with less access to their healthcare information than does HIPAA, or if your state law provides less protection from disclosure of a patient’s healthcare information than does HIPAA, then HIPAA standards will prevail. To comply with HIPAA, it is necessary to compare all laws related to health care privacy in your state with the HIPAA regulations. A decision must then be made regarding which regulation or statute provides the greatest level of access to and protection of health care information. Given that the HIPAA regulations are highly technical and voluminous, and that there are hundreds of health care provisions in each state, this will be a daunting task for psychologists.

Does each state require its own state-specific Notice of Privacy Practices Form?

No. HIPAA requires that each patient receive a copy of the practitioner’s Notice of Privacy Practices, which is a template form available for download from the federal Department of Health and Human Services, the entity that administers HIPAA (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html).  

Nevertheless, in addition to giving each patient a copy of the practitioner’s HIPAA Notice of Privacy Practices, each practitioner should also use an informed consent form that provides state-specific information about the limits of confidentiality, patient access, and related issues.  

Back to top

For more detailed answers, or if your question was not answered here, please call us at 1-800-477-1200.