certification – Do I need it?
HIPAA compliance certification – Do I need it?
Maintaining patients’ medical records in an electronic format, eases the record-keeping burden for healthcare providers, but serious security risks accompany this method of managing potentially sensitive information, and may serve as fodder for hackers with ill intent. It is this heightened risk for a potential breach in secure management of electronic health records–and consequently patients’ personally identifiable information– that has made it essential for a series of rules that comprise HIPAA to be incorporated. These are:
- The Privacy rule : – Enacted in the year 2000, sets the national standards for protecting PHI among organizations and businesses that conduct customary healthcare transactions electronically.
- The Security Rule: – Enacted in 2003, requires that the applicable healthcare entities ensure that they have physical and technical safeguards in place for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) of patients.
- Then later, the Enforcement rule (2009), the Omnibus Rule (2009) and the Breach Notification Rule (2010) were all added to strengthen the abovementioned privacy and security protections for patients’ health information.
Mental health professionals are included among the entities that must ensure that the systems and services they utilize are in compliance with HIPAA rules and regulations.
The HIPAA Privacy rule vs. “duty to warn” – are there limits to confidentiality?
To an extent, HIPAA rules can be adapted to accommodate for the extensive range in the types and sizes of entities that must comply with its regulations. For mental health professionals for example, while the therapeutic relationship depends on trust, and the guarantee that the client’s information is held in the strictest confidence, a balance must be struck between maintaining clients’ privacy, while simultaneously ensuring the safety and wellbeing of the public. It was this dilemma that formed the basis of the passing of laws and ethical guidelines known among therapists as “duty to warn”. So while standard practice demands that a client’s personal information is kept private, a therapist is obligated to share treatment related information under extenuating circumstances. Members of Law Enforcement, other authorized persons involved in the client’s care, or individuals at risk, may be notified of this type of information if a client poses a real and imminent threat to harm self or others, and/or if the client is incapable of making decisions on their own. To do this, however, the therapist must gain and document the client’s agreement (or that of an identified authority figure) for such potential disclosures, should they arise over the course of the therapeutic relationship, at the very beginning of the therapeutic process.
How can I be sure I am complying with HIPAA in my practice?
The layered components of the HIPPA guidelines can be complex to sort through; however, it is a federal requirement that covered entities, including mental health professionals, are compliant. In fact, non-compliance is a civil offence that carries a penalty of fines that range from US$100 to $50,000 per violation. Additionally, the unauthorized disclosure or misuse of PHI is a criminal offence, and attracts penalties in fines of up to US$250,000 and up to 10 years in prison. These penalties may apply to individuals as well as to an organization.
HIPAA training for therapist allows practitioners to decide when sharing information about a client is in that person’s best interest and helps with navigating legal and ethical dilemmas related to privacy and related disclosures.
Becoming HIPPA certified allows therapists to review the content of the HIPAA laws that are specifically related to their discipline and ensure that their practices are compliant. By doing this, therapists can protect themselves, as well as the business(es) with which they collaborate. Certification badges provided upon the completion of certain courses, when displayed on therapists’ profiles, subtly communicate an additional level of expertise in the field. It allows the therapist to show evidence that they have taken reasonable steps to ensure that they are familiar with, and have implemented measures to secure full compliance with federal laws that protect patients’ privacy.
How do I get HIPAA certified?
While there is no single standardized program that could appropriately train all covered entities on HIPAA laws, the Office of Civil Rights (OCR), under the auspices of the US Department of Health and Human Services (HHS) has launched a video training module on patients’ right of access, based on the HIPAA Privacy Rule. The training video includes a guide for health care providers to integrate this rule into their practices and CE credits are available upon the successful completion of the course. Find out more and see other related courses on the HSS website.
Other certification courses have been specifically curated for mental health professionals and are available for purchase online. They generally range in costs from $25 – $35 per course, and may include certification in HIPAA awareness, HIPAA security, or a combination of the two. These paid courses often include additional resources including manuals for conducting gap analyses, as well as forms and documents to address the identified gaps, create policies and procedures and implement contingencies for ongoing audits and remediation.
More resources and information about similar courses can be readily found from simple Internet searches. However, given that these courses are generally not commissioned nor certified by the HSS, be sure to check the sources and verify that they align with the most updated regulations outlined on the HHS site.
 PHI is defined as any individually identifiable health information related to the present, past and future health condition of the individual, regardless of form in which it is maintained.