Ducks in a Row Article on HIPAA & HB300 (TMPA) for Texas Social Workers

I wrote this article on HIPAA and Texas’ Medical Privacy Act in July of 2013 for the Texas NASW’s newsletter. It’s an easy-to-understand and thorough overview of how private practice therapists are affected, and how to get compliant!  The target audience was NASW members, but the information is 99% applicable to all therapist credentials.  (Just the NASW membership parts won’t apply.)  It’s not everything you need to know, but it’s definitely a great start.

Ducks in a Row: HIPAA & HB300 for Therapists

First:  the good news!  As a social worker following the NASW Code of Ethics, you already provide a similar or better level of privacy to your clients in most ways than what the new HIPAA guidelines require.  The other news?  There are some new technological and security requirements and a whole lot of paperwork requirements that you need to fulfill.  But don’t let it scare you.  The HIPAA & HB 300 regulations are complex and do require quite a bit of work to get compliant, but you can do it, and your practice can be the better for having done this work.  Really!

To summarize the 500+ page HIPAA requirements in a sentence or four (which can’t really be done, but I’ll try anyway), it would look something like this.

Think very hard and methodically about privacy and security in your practice.  Identify all places where privacy and security might be at risk.  Develop a plan to address those risks, and take action.  Now document everything, continually maintain & update those documents, and keep thinking, evaluating, training, learning, and documenting regularly.

That’s not too hard for a social worker, right!?  You can do this.  This article is intended to help a little by sharing with you what one private practice social worker from Austin has figured out so far by reading, researching and talking with others.  (Important note: this article is not a comprehensive explanation, nor is it legal advice.)

To begin, let me define some terms.  Start where the client is, right?

HIPAA: Health Insurance Portability and Accountability Act.  This is a federal law passed a decade ago that has been rolling out new requirements recently.  Earlier this year, the latest requirements—that I’ll cover some of below—became law.  We’ve been given a grace period, thank goodness, until September 23rd, 2013, to get fully compliant with the new requirements… but still, that’s just 2 months away!

HB300:  This is a Texas law passed last year.  It mandates a stricter definition of who has to follow HIPAA than HIPAA itself does.  HB300 pretty much says that anyone who has contact with any Protected Health Information has to follow HIPAA guidelines.  That’s you.  And your dog.

PHI:  stands for Protected Health Information.  This one is easy for social workers.  Your client’s name, contact information, diagnosis, treatment, progress, status, etc.  If it’s about your client, and it’s individually identifiable, it’s PHI.

NOPP/NPP: stands for Notice of Privacy Practices.  You probably already have your clients sign a version of this form.

As I mentioned, there are new HIPAA regulations now in effect.  But are you up to date on the existing regulations?   Here are a few highlights of what you should already have or do:

  • Have a “Notice of Privacy Practices” policy that you give/offer to clients and document having done so.
  • Have a designated “privacy officer” and “security officer” for your practice (even if there is only YOU in your practice, and you serve both roles).
  • Have a designated plan/person to handle PHI if you become sick or incapacitated, or die.
  • Have a disaster recovery plan & backup—so that natural or digital disasters don’t result in the loss of your clients’ important medical records.
  • Use strong passwords.
  • Use virus protection software and a firewall on your computer.
  • Don’t release PHI without signed consent.
  • Have a written policy that explains and documents that you’ve done everything listed above.
  • Know & follow your professional Code of Ethics.

If you don’t do or have all of those items, make yourself a note of what’s missing.  Compliance with HIPAA requires self-assessment, so let’s start there.

Self-Assessment.  Although doing a privacy/security self-assessment is an existing HIPAA requirement, very few therapists have actually done one.  Consider this a top-priority item.  Templates are available, but I just made my own by thinking very hard and methodically—about where in my practice PHI is kept.

  • STEP ONE: Identify every place/person/location/device/mode of transmission where PHI travels or is kept.  For example: your laptop, your cell phone, your biller, your email account, your paper files, your desk where you sometimes simply turn paperwork upside down in between clients, etc.  Last part of step one: document every bit of this.
  • STEP TWO: Think about what could possibly go wrong.  A little technological savvy is helpful here, but for those of us who don’t have it, just make yourself a note that anywhere you have PHI on a computer, or portable electronic device including phones, you’ll need outside help to identify potential problems & solutions.  In addition to what could go wrong, you also need to identify the likelihood of that problem happening, and the size of the mess it would cause.  An example of what could go wrong: your laptop can be stolen or lost.  Or, email can be hacked or sent to the wrong address.  Or, you leave a file upside down on your desk and a nosy client/cleaning person picks it up.  Last part of step two: document every bit of this.
  • STEP THREE: Make a plan to address the identified risks.  To address the risks of a stolen laptop, you might: encrypt your entire computer, use a highly secure password to secure your computer, lock your laptop in a locking drawer, or delete all PHI from your laptop.  I myself have chosen to move to a ‘cloud based’ practice management system (i.e., where all my client data, including appointments and billing, is done via the internet and stored on a HIPAA compliant computer system somewhere in the sky.  FYI, cloud-based storage or practice management systems have a lot of benefits, but that’s an article for another day.)  Last part of step three: document every bit of this.
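The three steps above are a risk assessment: inventory where PHI lives, rate what could go wrong by likelihood and impact, plan controls, and write it all down.  The following Python risk register is an added illustration of that workflow and is not part of the original article or any NASW template.  The 1–5 likelihood and impact scales, the scoring rule (likelihood × impact), the “residual likelihood after controls” idea, and every sample entry are constructed assumptions chosen to mirror the examples in the steps.

```python
"""Minimal PHI risk register illustrating the three self-assessment steps.

Added example, not from the article.  The 1-5 scales and the sample
entries are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Risk:
    location: str                    # STEP ONE: where PHI is kept or travels
    threat: str                      # STEP TWO: what could go wrong
    likelihood: int                  # 1 (rare) .. 5 (expected)   -- assumed scale
    impact: int                      # 1 (minor) .. 5 (severe)    -- assumed scale
    electronic: bool                 # computer/phone/account: flag for outside help
    controls: List[str] = field(default_factory=list)   # STEP THREE: planned mitigations
    residual_likelihood: Optional[int] = None           # likelihood once controls are in place

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the planned controls; falls back to inherent if none recorded."""
        lk = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        return lk * self.impact


def validate(risk: Risk) -> None:
    """Reject entries outside the scale so the register stays internally consistent."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    if risk.residual_likelihood is not None and not 1 <= risk.residual_likelihood <= risk.likelihood:
        raise ValueError("residual likelihood must be between 1 and the inherent likelihood")


def prioritise(register: List[Risk]) -> List[Risk]:
    """Return a new list ordered from highest to lowest inherent risk (stable for ties)."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: -r.inherent_score())


def needs_outside_help(register: List[Risk]) -> List[str]:
    """Locations the article says a non-technical therapist should get help assessing."""
    return [r.location for r in register if r.electronic]


def unmitigated(register: List[Risk], threshold: int = 10) -> List[str]:
    """Locations whose risk stays at or above the threshold even after planned controls."""
    return [r.location for r in register if r.residual_score() >= threshold]


def render(register: List[Risk]) -> str:
    """The 'document every bit of this' artefact: a plain-text table for the compliance file."""
    lines = [f"{'Location':32} {'Threat':42} {'Inh':>3} {'Res':>3}  Controls"]
    for r in prioritise(register):
        lines.append(f"{r.location:32} {r.threat:42} {r.inherent_score():>3} "
                     f"{r.residual_score():>3}  {'; '.join(r.controls) or '(none yet)'}")
    return "\n".join(lines)


# Constructed sample register mirroring the article's own examples.
SAMPLE_REGISTER = [
    Risk("Laptop with session notes", "stolen or lost", 3, 5, True,
         ["full-disk encryption", "strong login password", "locked drawer when not in use"], 1),
    Risk("Personal email account", "account compromised or message misaddressed", 3, 4, True,
         ["informed-consent notice about email risk"], 3),
    Risk("Paperwork face-down on desk", "read by a client or cleaning staff", 4, 3, False,
         ["locked file cabinet between sessions"], 1),
    Risk("Billing contractor", "PHI disclosed by the biller", 2, 4, False,
         ["signed Business Associate Agreement"], 2),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    print("Get outside help for:", needs_outside_help(SAMPLE_REGISTER))
    print("Still above threshold:", unmitigated(SAMPLE_REGISTER))
```

Running it prints the prioritised table and two follow-up lists.  Note how the email entry stays above the threshold even after its control: an informed-consent notice changes the client’s awareness but not the likelihood of a compromised or misaddressed message, which is exactly why that item gets its own special note later in the article.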

The self-assessment is a big and very important piece of work, but there are several other requirements that are part of the ‘new’ HIPAA guidelines.  Here are some highlights:

Get Trained.  You are required to get HIPAA training.  Take one right away if you haven’t recently—things have changed, the penalties for noncompliance are astronomical, and training is an important step.  If you have employees, they must be trained within their first 90 days.  The NASW has a HIPAA & HB300 training that is currently free to members; you can find it on the continuing education portion of the website.  It is recommended to update your training yearly at this time, due to quickly shifting interpretations of the law and changing technological risks.

Interestingly, although training is required by the guidelines, the specifics of the training (i.e., who/what/how long/etc.) are not spelled out.  Furthermore, there are no “HIPAA certified” training programs or companies (or products!).  This is a detail that we private practice therapists can appreciate—it means that our trainings can be done by someone who understands the needs of our situation, which might not be the same person who trains the new hires at the local major hospital.  Either way, document your training.

Update your HIPAA forms.  The NOPP you’ve been having clients sign is no longer acceptable.  Happily, the NASW has promised to provide updated ones soon.  Once they are ready, members will be able to download these from the website.  Once you get this form, you must also:

  • Post it on your website if you have one
  • Give a paper copy to your clients if you do not have a website
  • Document that you have done this.

Obtain Business Associate Agreements.  If you use a biller, transcriptionist, cloud-based storage or practice management system, or any kind of subcontractor or service that has access to PHI, you will need to have them sign a legal document that says, basically, that they are HIPAA compliant.  The NASW again, thankfully, has a sample BAA for you to download on their webpage.  Your medical biller is probably aware of this already and should be happy to sign, and obtaining a BAA with any other actual humans you work with should also be easy enough.  The challenge is that your email provider and your texting provider also have access to PHI, and they aren’t likely to agree to sign a BAA.

A Special Note about Email & Texting.  This dilemma is being discussed endlessly on HIPAA boards, and opinions vary.  It is clear that emailing and texting clients is not a secure practice.  PHI is transmitted when we use those services, and the information is available to the companies that we use to email/text.  Further, there are plenty of other risks, including the capacity for an email account to be hacked, for email/text messages to be misdelivered, or delivered appropriately but seen by the wrong person.  That said, there are also many possible solutions.  For example, I can stop emailing with clients (an unsatisfactory solution, but it’s an option).  I can use encrypted email or purchase a HIPAA compliant service that provides clients with a secure “portal” for emailing me (very secure options, but inconvenient).  I can also provide clients with information about the potential risks of emailing me, and then they can choose whether they would like to continue to email in spite of those risks (convenient, but still has risks).  Whatever you choose, make it an important part of your risk assessment, and document thoroughly.

Provide records electronically.  The wording is a little tricky, but basically, if a client asks for their medical records, you are required to provide them electronically within 15 days.  Yes, if the client agrees, you are still permitted to provide them on paper instead.  But take note: the brave new world of technology is coming for us, too: this is one of the ways (there are others) that HIPAA is nudging all of us towards keeping electronic records.

Breaches.  You need to know what constitutes a breach, and what the procedures are if you have one.  The procedures for handling a breach are too involved to go into here, but at least know that any unauthorized/inappropriate acquisition, access, use, or disclosure of PHI is a breach—even if the information cannot be connected to a particular person.  In other words, if you have client information that “gets out,” then you have a breach.

Create a compliance file.  Perhaps you noticed that I have used the phrase “document this” in nearly every paragraph.  The documentation piece of HIPAA compliance is huge.  You must have an ongoing updated “HIPAA Compliance” file that has copies of your NOPP, your Policy & Procedure manual, listings of who your privacy & security officers are, current risk assessment, your policies, your BAAs, your policy about what you’ll do if you have a breach, etc.  Document your trainings.  Document your evaluation process and decisions about email/texting.  Document everything else.  The spirit of the law is that we must think very hard about privacy and security, and make informed decisions to protect PHI based on our reasonable efforts to identify problems.  Your documentation is your first defense if you ever have a problem.  Document!

In conclusion, while this may seem overwhelming, I want to encourage you to “lean in.”  Social workers have traditionally placed a very high value on client privacy, and this legislation can be a chance for us to make sure that we continue to do so in a changing and technological world.  Furthermore, in my own experience, going through the risk assessment process has helped me to identify, and subsequently improve, quite a few places where my practice wasn’t up to the high professional standard that I generally aim for.  I actually feel more confident and proud of my ‘practice management’ now, and less worried about what might happen the next time someone asks to look at my files.

There is good in these new guidelines—both for you and for your clients—and you can handle this well.  I hope that this article will help you take the next right steps towards complying with HIPAA and HB300 in your practice.