Compliant EHR Software for Behavioral & Mental Health Practices

Improve Compliance 
Reduce Documentation Time

Achieving and maintaining compliance with various state and federal regulations is something that every behavioral health practice must be able to do. In 2019, there are a number of organizations and regulations that govern compliance on a variety of levels.

Your electronic health records (EHR) system must be up to date with all applicable regulations if you want your practice to remain in the good graces of the many regulating bodies that demand compliance.

Becoming familiar with the entities that require and demand compliance is the first step to determining the suitability of your EHR for behavioral health services.

Laws, Regulations, and Organizations That Impact EHRs

The list of things that affect EHR compliance is long and complex. The following list of seven influential organizations and regulations will help you get a lay of the land and increase your awareness of the most important compliance components.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most well-known and extensive form of compliance behavioral health professionals have to worry about. HIPAA places strict guidelines on how clinicians and other care professionals can use and share protected health information (PHI).

The central mandates in HIPAA are the Privacy Rule, which governs how you must defend the privacy of PHI, and the Security Rule, which addresses the technological measures you must take to do so. HIPAA violations come with hefty civil penalties up to $1,500,000 annually, and can even lead to jail time if the person who committed the violation did so knowingly.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to encourage and broaden the use of technology in the field of health care, with the ultimate goal of getting every person an electronic health record. Notable requirements of the HITECH Act include:

  • Business associates must comply with HIPAA and covered entities have to exercise due diligence on said business associates.
  • Healthcare providers must conduct HIPAA risk assessments to receive incentive payments.
  • All parties must comply with the Breach Notification Rule, and financial penalties are incurred when there is a failure to report a PHI breach.

Medicare is the nation's federal health insurance program, administered by the Centers for Medicare and Medicaid Services (CMS). Clinicians who work with Medicare must meet stringent federal regulations if they want to receive a reimbursement and avoid fines. Compliance program guidelines are issued in the Medicare Prescription Drug Benefit Manual and the Medicare Managed Care Manual.

Meaningful Use

The Medicare EHR Incentive Program, also known as "meaningful use," was established in 2011. This program was meant to encourage clinicians, hospitals and other eligible entities to embrace technology in their practices and operations. To receive funding, candidates had to prove they were using EHRs in ways that promoted better, more efficient care for patients. Meaningful use had five core concepts at its heart:

  • Improving quality, safety, efficiency and reducing health disparities
  • Engaging patients and families in their health
  • Improving coordination of care
  • Improving public and population health
  • Ensuring privacy and security for PHI

In 2019, the meaningful use program pivoted to another title indicative of its new focus. The program is now referred to as Promoting Interoperability.

Medicaid is the state-level counterpart of Medicare, and compliance rules are similar to those of Medicare. The main aim of Medicaid compliance programs is to maintain program integrity by reducing fraud and overpayments to providers. The Affordable Care Act (ACA) has a provision that stipulates providers enrolling in Medicaid establish a compliance program that ensures the prevention, detection and correction of misbehavior leading to fraud.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) implemented MIPS after ending the Sustainable Growth Rate formula. For clinicians who are eligible to participate, this new Quality Payment Program grants you access to new resources and tools which help you provide the best possible care for your patients. MIPS determines how Medicare pays providers, based on four pillars:

  • Quality
  • Improvement activities
  • Advancing care information
  • Cost

MIPS is critical for the adoption of EHRs because the advancing care information incentive — which directly replaces meaningful use — requires them. Additionally, clinicians may be able to earn bonus points (on top of the performance score) in the quality category if using a certified EHR.

Why is Compliance So Important for EHR Systems?

There is very little standardization among EHR systems. HIPAA, for example, is the regulation with the most stipulations and the most significant fines for violations, yet there is no legitimate HIPAA certification available for systems. That means it is up to individual vendors to implement the features that will make their EHR compliant with as many applicable regulations as possible.

Despite not having an official "certification process" for HIPAA, Administrative Simplification Regulations have been established to ensure there are "electronic standards for administrative transactions" which help to streamline communication in the healthcare industry. It should also be noted that these regulations apply to all healthcare providers who accept electronic transactions, not just those who accept Medicare and Medicaid.

Failing to comply with regulations can result in your practice becoming ineligible for reimbursement for Medicare or Medicaid as well as being fined under the ADA or HIPAA. With a HIPAA violation, federal fines and prosecution may even be possible. An EHR must be operated by responsible, trained individuals, but one that keeps up with the latest regulations does give you a much stronger foundation for remaining compliant overall.

Who Sets Standards and Regulations in Health Care?

All these rules and regulations were developed and are currently overseen by a variety of organizations. The following are the five most critical organizations to be aware of in the world of health care regulatory compliance.

Centers for Medicare & Medicaid Services (CMS)

CMS provides subsidized medical coverage through Medicare, Medicaid, and the State Children's Health Insurance Program (SCHIP) and implements MACRA. CMS is responsible in part for ensuring payment and transaction compliance with HIPAA. They have a Division of National Standards which has recently launched a Compliance Review Program on behalf of the U.S. Department of Health and Human Services (HHS), which will audit for compliance among entities covered by HIPAA's Administrative Simplification rules for electronic healthcare transactions.

CMS also educates healthcare providers and other HIPAA-covered entities on how to be compliant, while solving complaints related to transaction violations.

The Office for Civil Rights (OCR)

The HHS Office for Civil Rights is the primary enforcer of HIPAA Rules. Whenever a data breach occurs that affects the PHI of more than 500 individuals, the OCR investigates and determines whether the breach was due to a HIPAA violation.

The OCR also directly takes action on violations and implements warnings or suggestions, civil monetary penalties and criminal penalties where appropriate. Recent updates to the interpretation of the HITECH Act have resulted in changes to the structure of fines for HIPAA violations, tying fines to levels of culpability and lowering the annual maximum penalties the OCR can levy in most cases.

The OCR also investigates reports of HIPAA violations received through the online complaint portal or through paper submissions.

The Office of the National Coordinator for Health Information Technology (ONC)

The ONC is responsible for facilitating the implementation and improvement of EHR and health information exchange (HIE). The goal of this organization is to help make every citizen's health records digitized and fully accessible by the patient. To achieve this goal, the ONC developed the Nationwide Interoperability Roadmap detailing a 10-year plan to bring every healthcare provider up to interoperability standards.

The ONC plays a large role in the development of EHRs, as they are responsible for health IT certification. The ONC Health IT Certification Program only approves technology that has the functionality required for clinicians to qualify for CMS incentive programs.

The ONC will also administer the new EHR Reporting Program that will provide the public with comparative information on various certified health IT products. Criteria for the program will fall into the categories of security, usability, interoperability, conformance to certification testing and other categories that are deemed appropriate.

The Department of Health and Human Services (HHS)

The HHS is the cabinet-level parent agency of the Office for Civil Rights. Its job is to protect and enhance the well-being of all citizens by improving health and human services. The Office of the Inspector General (OIG) within the HHS helps healthcare providers comply with applicable regulations by compiling a list of compliance resources.

The HHS developed both HIPAA and the HITECH Act and oversees the ONC in its audits and other compliance activities.

The Agency for Healthcare Research and Quality (AHRQ)

AHRQ's mission is to produce evidence to back policies that make health care safer, more accessible, more affordable, and higher quality. The agency works within the HHS and with other partners to build bridges between research and practice. AHRQ does not enforce compliance, but it does perform research that informs regulations around patient safety. One of the ways it has done this is by compiling a list of problems with EHR software that helps clinicians choose the best platforms based on safety risks and their potential outcomes.

Notable Health Care Compliance Accreditation Institutions for Behavioral Health

Unsurprisingly, the task of achieving compliance is difficult for providers to do, and patients need to know their provider is following all the rules. One of the ways providers establish their compliance with the many applicable regulations is to pursue accreditation from a recognized institution. These are five of the leading accreditation institutions behavioral health professionals should know about.

Council on Accreditation (COA)

The COA is an international organization started in 1977. It is an independent nonprofit focused on behavioral health for children and families. Every state recognizes and endorses accreditation from the COA, as do many service organizations on the national and international levels.

The Joint Commission (TJC)

TJC is one of the oldest accreditation bodies in the world, founded in 1951. Its original name was the Joint Commission on Accreditation of Hospitals (JCAH) and later changed to Joint Commission on Accreditation of Healthcare Organizations (JCAHO) before being shortened to TJC. In the past, TJC was focused exclusively on hospitals. Today, they offer behavioral health care accreditation with standards designed to improve patient care and outcomes.

Commission on Accreditation of Rehabilitation Facilities (CARF)

CARF has been accrediting rehabilitation facilities for substance abuse disorders since 1966, and the organization is considered the top accreditation institution for rehabs. Today their offerings have expanded to cover aging services, child and youth services, and behavioral health accreditation. CARF accreditation assures potential patients that the accredited organization is committed to continually improving the quality of care and programs.

National Committee for Quality Assurance (NCQA)

The NCQA is a nonprofit committed to improving the quality of health care by upholding evidence-based standards. The organization's focus is mainly medical, but they do offer accreditation for managed behavioral health care. NCQA accreditation is widely recognized, and thousands of providers participate in the Report Cards program.

Utilization Review Accreditation Commission (URAC)

URAC is another nonprofit that grants accreditation to many different types of healthcare organizations. URAC is unique in that the accreditation may span the whole organization or focus on a specific functional area of the organization. Some states allow URAC accreditation to be used to meet state regulatory requirements, instead of having to report separately to the state. Some companies in some states actually require URAC accreditation as a condition of operation.

ICANotes for Better Compliance

EHRs built to address the many facets of compliance don't always deliver the best experience for behavioral health professionals. Trying to use a platform designed for medical professionals requires significant adjustments to meet the needs of a mental health care setting, and can decrease the accuracy of your records and notes. ICANotes is the only EHR designed by behavioral health professionals to meet the specific needs of clinicians like you.

ICANotes knows the ins and outs of compliance in the mental health care field and strives to stay ahead of the frequent updates to regulations. Our software is ONC-certified and meets all service standards. With a lighter burden of compliance partially shouldered by your EHR, you can save time and money, create more comprehensive notes and protect yourself in the event of an insurance treatment review or other audits.

We work hard to make every aspect of our software compliant, and we're more than happy to work with you to add any additional integrations you need to use ICANotes to its full potential. Just contact our support team, and we'll see what we can do for you. If you're interested in the most robust behavioral health EHR, see its capabilities with a live demo or try it out for yourself by registering for a free trial.
