HIPAA-Compliant EHR Solutions for Your Practice
HIPAA compliance is an essential standard for all behavioral and mental health professionals to uphold. Though it's a complex topic, adherence to HIPAA will save you and your practice from costly fines that can shut your doors for good. This guide to HIPAA for behavioral health professionals will help you stay within the guidelines and avoid HIPAA violations.
HIPAA Quick Stats
Here's a quick run-down of the basics about HIPAA:
Official Title: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Year Enacted: 1996
Aliases: Kassebaum-Kennedy Act, Kennedy-Kassebaum Act
Jurisdiction: Federal — applies to all U.S. states and territories
Most Recent Update to HIPAA: April 2019, modification of fines for HIPAA violations
HIPAA Compliance and Enforcement: U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
What Is HIPAA?
The Health Insurance Portability and Accountability Act was the first law establishing a nationwide set of standards designed to safeguard certain types of health information. HIPAA was one of the first laws to anticipate the growing use of electronic health records (EHR) and electronic medical records (EMR) and to protect that data.
The law applies to health plans, clearinghouses, business associates and any health care provider that transmits patient health information electronically. Given that the use of digitized health records is almost universal today, HIPAA applies to everyone who comes in contact with patient information.
What Patient Information Is Protected Under HIPAA?
HIPAA safeguards protected health information (PHI). PHI is defined as any "individually identifiable" health information, which includes any data relating to:
- A patient's past, present or future mental or physical condition or health
- The provision of health care to a patient
- The past, present or future payment for the provision of health care
PHI also encompasses any data that identifies a patient or that someone could reasonably believe one could use to identify the individual. Anything containing a name, address, birth date or a Social Security number is considered protected health information. Other examples of PHI include:
- Dates more specific than a year that are directly related to a patient
- Email addresses
- Fax numbers
- Medical record numbers
- Account numbers
- Insurance beneficiary numbers
- Certificate or license numbers
- Vehicle identifiers including license plate numbers and serial numbers
- Web URLs
- Device serial numbers and identifiers
- IP addresses
- Biometric information
- Full-face photographs or images
Essentially, any piece of information that could be matched to an individual patient is protected. Professionals should note that if all identifiers are removed from a piece of data, it is no longer PHI under HIPAA.
The Most Common HIPAA Violations
HIPAA requires that all covered entities protect PHI against security threats by implementing safeguards against "reasonably anticipated threats." These safeguards must protect the integrity and confidentiality of PHI as well as its availability. Failing to do so will result in a violation. Take a look at these seven common HIPAA violations that can spell disaster for behavioral health practices.
Lost or Stolen Devices
Losing a laptop, smartphone, tablet or other device is always stressful, but the stakes are significantly higher when the lost or stolen device provides a gateway to PHI. The most common and dangerous element of lost or stolen devices is a lack of password protection or encryption. One notable example occurred in 2017 under the watch of the company Lifespan.
One of its employees had left a laptop in a vehicle, which was promptly stolen. Upon investigation, it was discovered that there wasn't so much as a password, let alone the recommended encryption on the device. Electronic PHI was sitting in the employee's email account, just waiting to be stolen. All the data the device contained could have been accessed by anyone, although there was no evidence it was actually misused. Even so, the information of more than 20,000 patients was exposed.
Even with a HIPAA-compliant EHR system, it's up to practices to ensure all employees are thoroughly trained on the rules of HIPAA and how to handle patient records. An employee who isn't aware of proper protocol in patient privacy can easily slip up and cause a violation. Thorough training on data breaches isn't just a recommendation — it's actually a stipulation of the law. Additionally, employees must receive training on the policies and procedures in place at the practice level.
Employees gossip. In the behavioral health care field, this unfortunate tendency can sometimes slip over from harmless topics to PHI. It's important to emphasize that PHI should always be off-limits as a topic unless the employees in question are directly discussing care. When PHI is acceptable to discuss among appropriate staff members, employees should always do so in private areas and pay attention to who may be listening.
The transmission of PHI must be done through secure channels to be HIPAA-compliant. That means any form of unencrypted transmission is considered a violation. One major culprit of HIPAA violations is texting. A clinician or staff member might think it's okay to send something like a patient name and age over text, for example. Even if the information is going to a staff member with authorized access, this form of communication still constitutes a violation.
Communication involving PHI must be conducted through appropriate channels, such as an EHR that encrypts all data. Encryption with a 128-bit key is more than sufficient to meet HIPAA standards.
Transmission of PHI is only acceptable when both parties are directly involved in the patient's care. This means that one clinician shouldn't view case notes on another clinician's cases and that an administrative assistant should not be nosing around in a patient's records. Nonetheless, unauthorized access can and does happen, and it is a major HIPAA violation.
Not all HIPAA violations stem from misconduct within a practice. Oftentimes, the exposure of patient information is the result of malicious outside actors hacking into networks or devices. There are multiple ways a data breach could lead to a violation. When more than 500 individuals have been impacted by a data breach, the HHS Office for Civil Rights investigates the situation to determine if the breach was due to a violation.
HIPAA also contains a Breach Notification Rule, which requires covered entities to report a breach of PHI to the affected individuals and the OCR Secretary. In some cases, even the media must be notified. The absolute maximum length of time to report a breach is 60 days, but the law requires notification "without unreasonable delay."
Some clinicians like to review session notes or patient records after hours on their personal laptop, home computer or other device. This is a twofold threat. One risk is that if a screen is left on, a family member or friend may inadvertently see PHI, which in itself constitutes a violation. Another risk is the security of the network. If a breach occurs due to hacking of the home network, an investigation could reveal unsecured network use that results in a violation.
What Are the Fines for HIPAA Violations?
The consequences of violating HIPAA are financially dire. In the past, the maximum annual limit for violations of all types was $1,500,000 — more than enough to drive a behavioral health provider or practice out of business. In April 2019, the HHS decided to lower the annual limit on penalties for three out of the four tiers of violation culpability. The four tiers of culpability are:
- No knowledge. The person responsible for the violation didn't know about it and couldn't have known about it even if they exercised reasonable diligence.
- Reasonable cause. The individual's violation had a reasonable cause as opposed to willful neglect.
- Willful neglect, corrected. The violation was caused by willful neglect but was corrected promptly.
- Willful neglect, not corrected. The violation was caused by willful neglect which was not corrected promptly.
The fines for each type of violation are as follows:
|Culpability||Annual Penalty Limit|
|Willful Neglect - Corrected||$10,000||$50,000||$250,000|
|Willful Neglect - Not Corrected||$50,000||$50,000||$1,500,000|
HIPAA violations also carry the possibility of criminal penalties. The possible penalties are also categorized into tiers, as follows:
|Unknowingly or With Reasonable Cause||One Year|
|Under False Pretenses||Five Years|
|For Personal Gain or Malicious Reasons||Ten Years|
The new rules tying civil monetary penalties to culpability have eased some of the anxiety clinicians feel over the possibility of an accidental violation. Providers acting in good faith now have less to fear. Nevertheless, HIPAA compliance is still one of the core responsibilities of operating a behavioral health practice and should never be taken lightly.
The complexity of HIPAA means that even professionals have questions about it. Here are five of the most frequently asked questions about HIPAA:
HIPAA is a real regulation, and HIPPA is simply a typo. There is no such act or organization as HIPPA — it's just a common misspelling.
HIPAA Compliance and EHRs
Your EHR is the front line of HIPAA compliance. You store every piece of relevant information there and use it to transmit critical PHI. There are hundreds of vendors out there claiming to offer HIPAA-compliant EHRs, but unfortunately, a good portion of them either focus only on one aspect of the law or are overstating their capabilities. In your search for new software, these EHR security features are essential in maintaining regulatory compliance.
It should be noted that even EHRs with all the compliance features listed above do not completely eliminate the potential for HIPAA violation. If someone wants to steal information, they can still do so if they are an administrator and have the ability to change passwords.
Features like access controls do make it much harder for malicious actors to get away with violations and make it easier for hardworking clinicians to do their jobs without fear of accidentally accessing something they aren't authorized to see. A top-tier EHR will provide you with all the tools you need to make compliance less of a burden for the professionals in your practice.
ICANotes: The Premier Behavioral Health EHR
ICANotes is a comprehensive EHR designed by behavioral health professionals to suit the needs of mental health practices of all sizes. Customizable narrative templates make creating session notes as simple as clicking your mouse. With ICANotes, it's possible to draw up complete psychotherapy notes on a session in just minutes, saving you time that you can spend providing quality care to your patients.
In terms of HIPAA compliance, ICANotes is dedicated to staying ahead of strict and changing regulations. The platform's robust data security features encompass every technology mentioned above and more, giving you greater peace of mind when it comes to remaining compliant. If you're interested in learning more about our award-winning EHR software, we invite you to register for a live demo or try it out for yourself by taking advantage of a free trial. Better compliance and better behavioral health outcomes are in reach when you partner with ICANotes.