Is Your Organization HIPAA Compliant?

The Details Behind HIPAA

Healthcare regulations are continually evolving. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections in regard to their personal health information. Since President Bill Clinton signed HIPAA into law in 1996, it has been continually updated to keep up with changes in data exchange, including electronic health information.

HIPAA establishes “national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically” (

The Act makes sense. Guaranteeing consumer privacy protections results in individuals trusting their health care providers and cultivates a willingness to seek needed services. These protections are especially important in the world of behavioral health where stigma associated with seeking services is pronounced. Furthermore, HIPAA outlines when health providers may or must disclose information such as for the health and safety of the patient or others.

However, at a time when healthcare is depending on the unrestricted flow of data to transform how care is delivered and paid for, HIPAA and its regulations have been viewed with frustration.

The apparent crackdown of HIPAA audits, and the substantial fines issued when violations are found, have led to a great deal of anxiety among healthcare providers. This is especially the case for small entities, such as mental health agencies, that don’t have the staff or technology to keep up with an ever-changing world of electronic health information and security. Failure to comply with HIPAA can result in not only the fines mentioned above but also criminal charges and civil action lawsuits, as well as providers losing their credentials or licensure.

So, does HIPAA compliance in mental health differ compared to HIPAA compliance in other areas of healthcare?

Privacy rights and protection of health information take on distinct meaning in mental health care. This is because of the stigma associated with mental health conditions, sensitive issues of family dynamics, and/or a slew of other factors.

One exception to the Privacy Rule is psychotherapy notes. These types of notes receive special protections under HIPAA. The following was found on

The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.

Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes.

However, HIPAA treats the disclosure of mental health information to family members the same as with general health information. Unless authorized by the patient, a health care provider may only share or discuss information to the extent that family members need to know to assist in the patient’s care or payment of care.

Can Brown Consulting Ltd. help my organization ensure HIPAA compliance?

Yes! This specific consultation service includes conducting a full HIPAA Compliance Analysis. Our analysis involves reviewing and providing concrete examples of HIPAA Compliant:

  • Plans
  • Policies & Procedures
  • Forms
  • Contracts
  • Notices
  • Position Descriptions

Services provided also include:

  • Interactive work-groups with staff
  • Further education/training

Making sure your business is compliant with HIPAA regulations can be stressful. Let us at Brown Consulting Ltd. help you guarantee HIPAA compliance!

-Megan Phillips, M.A.