Compliant EHR Software for Behavioral & Mental Health Practices

The only behavioral health EMR improving
compliance while reducing documentation time.

Compliant EHR Software

Achieving and maintaining compliance with various state and federal regulations is something that every behavioral health practice must be able to do. In 2019, there are a number of organizations and regulations that govern compliance on a variety of levels. Your electronic health records (EHR) system must be up to date with all applicable regulations if you want your practice to remain in the good graces of the many regulating bodies that demand compliance.

Becoming familiar with the entities that require and demand compliance is the first step to determining the suitability of your EHR for behavioral health services.

Laws, Regulations and Organizations That Impact EHRs

The list of things that affect EHR compliance is long and complex. The following list of seven influential organizations and regulations will help you get a lay of the land and increase your awareness of the most important compliance components.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most well-known and extensive form of compliance behavioral health professionals have to worry about. HIPAA places strict guidelines on how clinicians and other care professionals can use and share protected health information (PHI).

The central mandates in HIPAA are the Privacy Rule, which governs how you must defend the privacy of PHI, and the Security Rule, which addresses the technological measures you must take to do so. HIPAA violations come with hefty civil penalties up to $1,500,000 annually, and can even lead to jail time if the person who committed the violation did so knowingly.


Medicare is the nation's federal health insurance program, administered by the Centers for Medicare and Medicaid Services (CMS). Clinicians who work with Medicare must meet stringent federal regulations if they want to receive reimbursement and avoid fines. Compliance program guidelines are issued in the Medicare Prescription Drug Benefit Manual and the Medicare Managed Care Manual.


Medicaid is the state-level counterpart of Medicare, and compliance rules are similar to those of Medicare. The main aim of Medicaid compliance programs is maintaining program integrity by reducing fraud and overpayments to providers. The Affordable Care Act (ACA) has a provision that stipulates providers enrolling in Medicaid establish a compliance program that ensures the prevention, detection and correction of misbehavior leading to fraud.


In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to encourage and broaden the use of technology in the field of health care, with the ultimate goal of getting every person an electronic health record. Notable requirements of the HITECH Act include:

  • Business associates must comply with HIPAA and covered entities have to exercise due diligence on said business associates.
  • Healthcare providers must conduct HIPAA risk assessments to receive incentive payments.
  • All parties must comply with the Breach Notification Rule, and financial penalties are incurred when there is a failure to report a PHI breach.

Meaningful Use

The Medicare EHR Incentive Program, also known as "meaningful use," was established in 2011. This program was meant to encourage clinicians, hospitals and other eligible entities to embrace technology in their practices and operations. To receive funding, candidates had to prove they were using EHRs in ways that promoted better, more efficient care for patients. Meaningful use had five core concepts at its heart:

  • Improving quality, safety, efficiency and reducing health disparities
  • Engaging patients and families in their health
  • Improving coordination of care
  • Improving public and population health
  • Ensuring privacy and security for PHI

In 2019, the meaningful use program took on a new title indicative of its new focus. It is now referred to as the Promoting Interoperability programs.

Merit-Based Incentive Payment System (MIPS)

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) implemented MIPS after ending the Sustainable Growth Rate formula. For clinicians who are eligible to participate, this new Quality Payment Program grants you access to new resources and tools which help you provide the best possible care for your patients. MIPS determines how Medicare pays providers, based on four pillars:

  • Quality
  • Improvement activities
  • Advancing care information
  • Cost

MIPS is critical for the adoption of EHRs, because the advancing care information incentive — which directly replaces meaningful use — requires them. Additionally, clinicians may be able to earn bonus points (on top of the performance score) in the quality category if using a certified EHR.

Why Is Compliance So Important for EHR Systems?

There is very little standardization among EHR systems. HIPAA, for example, is the regulation with the most stipulations and the most significant fines for violations, yet there is no legitimate HIPAA certification available for systems. That means it is up to individual vendors to implement the features that will make their EHR compliant with as many applicable regulations as possible. Despite not having an official "certification process" for HIPAA, Administrative Simplification Regulations have been established to ensure there are "electronic standards for administrative transactions" which help to streamline communication in the healthcare industry. It should also be noted that these regulations apply to all healthcare providers who accept electronic transactions, not just those who accept Medicare and Medicaid.

Failing to comply with regulations can result in your practice becoming ineligible for Medicare or Medicaid reimbursement, as well as being fined under the ADA or HIPAA. With a HIPAA violation, federal fines and prosecution may even be possible. An EHR must be operated by responsible, trained individuals, but one that keeps up with the latest regulations does give you a much stronger foundation for remaining compliant overall.

Who Sets Standards and Regulations in Health Care?

All these rules and regulations were developed and are currently overseen by a variety of organizations. The following are the five most critical organizations to be aware of in the world of health care regulatory compliance.

Centers for Medicare & Medicaid Services (CMS)

CMS provides subsidized medical coverage through Medicare, Medicaid and the State Children's Health Insurance Program (SCHIP) and implements MACRA. CMS is responsible in part for ensuring payment and transaction compliance with HIPAA. They have a Division of National Standards which has recently launched a Compliance Review Program on behalf of the U.S. Department of Health and Human Services (HHS), which will audit for compliance among entities covered by HIPAA's Administrative Simplification rules for electronic health care transactions.

CMS also educates health care providers and other HIPAA-covered entities on how to be compliant, while solving complaints related to transaction violations.

The Office for Civil Rights (OCR)

The HHS Office for Civil Rights is the primary enforcer of HIPAA Rules. Whenever a data breach occurs that affects the PHI of more than 500 individuals, the OCR investigates and determines whether the breach was due to a HIPAA violation.

The OCR also directly takes action on violations and implements warnings or suggestions, civil monetary penalties and criminal penalties where appropriate. Recent updates to the interpretation of the HITECH Act have resulted in changes to the structure of fines for HIPAA violations, tying fines to levels of culpability and lowering the annual maximum penalties the OCR can levy in most cases.

The OCR also investigates reports of HIPAA violations received through the online complaint portal or through paper submissions.

The Office of the National Coordinator for Health Information Technology (ONC)

The ONC is responsible for facilitating the implementation and improvement of EHR and health information exchange (HIE). The goal of this organization is to help make every citizen's health records digitized and fully accessible by the patient. To achieve this goal, the ONC developed the Nationwide Interoperability Roadmap detailing a 10-year plan to bring every health care provider up to interoperability standards.

The ONC plays a large role in the development of EHRs, as they are responsible for health IT certification. The ONC Health IT Certification Program only approves technology that has the functionality required for clinicians to qualify for CMS incentive programs.

The ONC will also administer the new EHR Reporting Program that will provide the public with comparative information on various certified health IT products. Criteria for the program will fall into the categories of security, usability, interoperability, conformance to certification testing and other categories that are deemed appropriate.

The Department of Health and Human Services (HHS)

The HHS is the cabinet-level parent agency of the Office for Civil Rights. Its job is to protect and enhance the well-being of all citizens by improving health and human services. The Office of the Inspector General (OIG) within the HHS helps health care providers comply with applicable regulations by compiling a list of compliance resources.

The HHS developed both HIPAA and the HITECH Act and oversees the ONC in its audits and other compliance activities.

The Agency for Healthcare Research and Quality (AHRQ)

AHRQ's mission is producing evidence to back policies that make health care safer, more accessible, more affordable and higher quality. The agency works within the HHS and with other partners to build bridges between research and practice. AHRQ does not enforce compliance, but they do perform the research that informs regulations around patient safety. One of the ways they have done this is by compiling a list of problems with EHR software that helps clinicians choose the best platforms based on safety risks and their potential outcomes.

Notable Health Care Compliance Accreditation Institutions for Behavioral Health

Unsurprisingly, achieving compliance is difficult for providers, and patients need to know their provider is following all the rules. One of the ways providers establish their compliance with the many applicable regulations is to pursue accreditation from a recognized institution. These are five of the leading accreditation institutions behavioral health professionals should know about.

Council on Accreditation (COA)

The COA is an international organization started in 1977. It is an independent nonprofit focused on behavioral health for children and families. Every state recognizes and endorses accreditation from the COA, as do many service organizations on the national and international level.

The Joint Commission (TJC)

TJC is one of the oldest accreditation bodies in the world, founded in 1951. Its original name was the Joint Commission on Accreditation of Hospitals (JCAH) and later changed to Joint Commission on Accreditation of Healthcare Organizations (JCAHO) before being shortened to TJC. In the past, TJC was focused exclusively on hospitals. Today, they offer behavioral health care accreditation with standards designed to improve patient care and outcomes.

Commission on Accreditation of Rehabilitation Facilities (CARF)

CARF has been accrediting rehabilitation facilities for substance abuse disorders since 1966, and the organization is considered the top accreditation institution for rehabs. Today their offerings have expanded to cover aging services, child and youth services and behavioral health accreditation. CARF accreditation assures potential patients that the accredited organization is committed to continually improving the quality of care and programs.

National Committee for Quality Assurance (NCQA)

The NCQA is a nonprofit committed to improving the quality of health care by upholding evidence-based standards. The organization's focus is mainly medical, but they do offer accreditation of managed behavioral health care. NCQA accreditation is widely recognized, and thousands of providers participate in the Report Cards program.

Utilization Review Accreditation Commission (URAC)

URAC is another nonprofit that grants accreditation to many different types of health care organizations. URAC is unique in that the accreditation may span the whole organization or focus on a specific functional area of the organization. Some states allow URAC accreditation to be used to meet state regulatory requirements, instead of having to report separately to the state. Some companies in some states actually require URAC accreditation as a condition of operation.

ICANotes for Better Compliance

EHRs built to address the many facets of compliance don't always deliver the best experience for behavioral health professionals. Trying to use a platform designed for medical professionals requires significant adjustments to meet the needs of a mental health care setting, and can decrease the accuracy of your records and notes. ICANotes is the only EHR designed by behavioral health professionals to meet the specific needs of clinicians like you.

ICANotes knows the ins and outs of compliance in the mental health care field and strives to stay ahead of the frequent updates to regulations. Our software is ONC-certified and meets all service standards. With a lighter burden of compliance partially shouldered by your EHR, you can save time and money, create more comprehensive notes and protect yourself in the event of an insurance treatment review or other audit.

We work hard to make every aspect of our software compliant, and we're more than happy to work with you to add any additional integrations you need to use ICANotes to its full potential. Just contact our support team, and we'll see what we can do for you. If you're interested in the most robust behavioral health EHR, see its capabilities with a live demo or try it out for yourself by registering for a free trial.
