New guidance about communicating with a patient’s family, friends or caretakers was released by the U.S. Department of Health and Human Services, Office of Civil Rights. This is the office entrusted with education about and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. They have created two documents which lay out details about sharing information about a patient, one for providers of care and one for patients or consumers of care.
As I read these two documents, I found myself recalling my internship training in a Community Mental Health Center. We were clearly instructed that we were not even to acknowledge that a person was a client of the Center if someone telephoned about them. Family or friends accompanying them to their visit were not invited into the session unless the patient asked that they be included. Even minor adolescents and children were granted the privacy of the therapy session unless a clear agreement including parents or caretakers was reached. Obviously, the therapeutic relationship in the behavioral health field is a more sensitive matter than in many physical health settings. My experience is that mental health providers have always been more concerned and responsible about securing a patient/client/consumer’s privacy than anyone providing physical health care I have ever met.
In this electronic world in which we live, I have seen some of that care diminished; and we have begun to bump into this matter in technical support at SOS. HIPAA provides that a Covered Entity (a health care provider who electronically transmits certain transactions including electronic claims) must assure the security and privacy of their patient information. It also requires that Covered Entities educate people and organizations who provide services to them about the necessity of protecting the health information of their patients. In fact, it requires that Covered Entities maintain a Business Associate Agreement (BAA) with each person or organization with whom they do business who might in the course of doing business be exposed to the Protected Health Information (PHI) of their clients. If you have any doubt about whether you are, or are not, a Covered Entity, it would seem prudent to assume that you are and to execute a BAA with anyone to whom you reveal PHI.
When implementation of the Privacy Rule was first mandated in April 2003, we were asked to execute BAA’s by a very small proportion of our customers. During the five years since then, we have almost never been asked to sign such a document. Since service to our customers is a big part of who we are, we have made available a BAA that makes it very easy for a Covered Entity to assure that SOS is handling their data in an appropriate fashion if we ever have access to it (http://www.sosoft.com/fod/doc105-sosbaa.pdf ). Even given the ease of accomplishing this agreement, we still have difficulty getting provider organizations to do so.
What is your take on the HIPAA Privacy Rule and how it is implemented in your organization? Were you on top of this in 2003 and 2004 but not as likely to educate staff and your computer and software vendors in 2008? Do you see a difference between how psychology, psychiatry and other behavioral health organizations handle the Privacy Rule and how physical health providers do so? Has the rule kept you from filing your claims electronically so you would not become a Covered Entity?