LEGAL ISSUE: Review of the 2013 NASW Sample HIPAA Privacy Forms

By Sherri Morgan, Associate Counsel, LDF and Office of Ethics & Professional Review

Introduction

September 23, 2013 is the enforcement date for the 2013 changes to the HIPAA medical privacy regulations, issued by the U.S. Department of Health and Human Services in January (codified at 45 C.F.R. Part 160, Part 162, and Part 164). The amended regulations address many aspects of the HIPAA requirements, as discussed in the article, Social Workers and the 2013 Omnibus HIPAA Rule (Morgan, S., 2013). Known as the Omnibus Rule, the 2013 HIPAA regulatory amendments expand patient and client privacy protections and clarify elements of the medical privacy, security and breach notification standards. As a result, health care entities covered by the HIPAA rules, including clinical social workers, will need to update and revise many of their compliance documents. NASW’s Legal Defense Fund has provided a basic set of online HIPAA privacy forms and office policies for use by members in meeting their regulatory responsibilities and these have been updated to take into account the new requirements. This article will review the sample documents (available at https://www.socialworkers.org/hipaa/sample.asp) and highlight key issues in adapting them for a clinical social worker’s practice.

Forms and Policies Distinguished

Social workers should distinguish between the HIPAA forms and the HIPAA office policies. Both types of documents are needed for HIPAA compliance. For example, the Notice of Privacy Practices (NPP) is the form commonly distributed to clients that informs them of how their health information will be protected and the circumstances under which it will be disclosed. However, it is the Notice of Privacy Practices Policy that describes the day-to-day procedures followed by the social worker when handling the Notice of Privacy Practices. Specific sample documents will be discussed individually, below. All HIPAA compliance documents should be maintained for six years. The State mandated time period for retaining client records is not affected by the HIPAA requirement and is contained in state laws addressing health records (see Morgan, S., Khan, A. and Polowy, C., November 2010).

HIPAA Policies

HIPAA requires that covered entities have written office policies and while this may seem burdensome for a small or solo practitioner, it is a requirement for practitioners who are subject to HIPAA. To track adherence to the requirements, it is appropriate to place all of the revised HIPAA policies into a HIPAA compliance file or folder (which may be electronic or on paper), so that they are available for review when needed.

The sample policies offered by NASW should be personalized with the name of the social work practice, dated and signed, and then filed with other HIPAA compliance documents. The blanks at the top of the sample policies for “policy number” and “subject” are for the optional use by the social work practice. The sample policies include:

• Notice of Privacy Practices Policy
• Authorization/Consent Policy
• Breach Notification Policy
• Business Associates Policy
• Requests for Restrictions Policy
• Accounting of Disclosures Policy.

In the event that a social worker has a HIPAA question or is the subject of a HIPAA investigation, review of the HIPAA policy documents can be instructive. Health care entities are expected to comply with their own written policies. Health care entities, including solo practitioners, are required to receive training on the HIPAA policies and to provide training to any members of their workforce about the policies. The training should be documented and records of the training filed with other HIPAA compliance documents.

Sample Notice of Privacy Practices (NPP), State Law and the NASW Code of Ethics

The Notice of Privacy Practices (NPP) is the HIPAA form that is familiar to most clients and practitioners. Specific instructions for social workers are provided in a document titled, “Notice of Privacy Practices Instructions for Use” located in the “policy” section of the sample document Webpage.

• First, it is appropriate to simply remove the heading at the top that says that this is a “sample notice of privacy practices.”
• The language that should remain at the top of the NPP is mandatory wording required by the HIPAA regulations that reads, “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review this notice carefully.” Those are the required words on the header that are contained on HIPAA notices for any health care practice and any health plan. This is universal language identifying the document as the notice of privacy practices or what some practitioners call the “HIPAA form.”
• Fill out the section on Page 3, “Your Rights Regarding your PHI,” with the contact information of the health or mental health care entity’s privacy officer (solo practitioners act as their own privacy officer).
• The Privacy Officer information is also to be provided on Page 4 in the “Complaints” section.
• Review the NPP in its entirety and determine whether it accurately reflects how the social work practice uses confidential information, including any state law modifications.
• Modify the effective date of the policy to reflect the date that it is adopted.

Sample documents such as the NPP are meant to be modified for the specific practice setting and to take into account state privacy laws that are more protective of privacy than HIPAA. It is also permissible for the NPP to incorporate professional ethics standards that are more protective of privacy. Some of the modifications that would otherwise need to be made to meet state social worker confidentiality requirements may already be incorporated in the NASW sample because certain standards of the Code of Ethics have already been taken into consideration. For example, for payment purposes HIPAA allows release of information to the client’s insurance company without any consent or authorization from the parties. But the NASW Code of Ethics requires consent for the information to be released. That provision is referenced already in the sample notice in the section “For Payment.” It states that the social work practice would disclose information for payment based on client authorization.

Different categories of information are listed on the NPP about how health information might be used by the social work practice. The area requiring particular review is the section for disclosures of information “without authorization.” Page 2 and Page 3 of the sample NPP list instances where information might be released without the authorization of the client. Those are the areas where, again, the sample has been modified to be consistent with the Code of Ethics, but where a social worker would also want to review state law requirements.

One area that mental health practitioners may consider adding is for reporting elder or vulnerable adult abuse, which could very readily be added in a section following Child Abuse or Neglect. Federally-funded drug and alcohol abuse treatment providers have stricter privacy standards that may limit elder abuse reporting. Depending on a state’s reporting law a social worker may want to consider whether any additional detail about reporting child abuse would be appropriate. For example, some states require that child abuse be reported regardless of how much time has passed, so that if an adult patient reports that they were abused as a child a report must still be filed. In those states, it may be appropriate to add clarifying language, or to verbally review that provision with new clients.

Another example of how the sample NPP has been modified to meet the Code of Ethics is the section addressing disclosures for family involvement in care. HIPAA allows health care entities to notify family members who are involved in the patient’s care if they are closely involved in the treatment. The Code of Ethics does not permit this disclosure unless the client consents, although it does not specify that the consent be in writing.

State laws on client access to health records often differ from HIPAA regarding how soon a practitioner must respond to a client request for records. If state law requires access within less than 30 days, this should be followed when clients request their records. Otherwise, the HIPAA time period of 30 days applies. Social workers may review their state law provision in the legal article, Access to Records by Social Workers’ Clients (Morgan, S. and Khan, A., 2012).

Using the Finalized Notice of Privacy Practices

NASW’s sample forms include a one-page client “acknowledgment” form for clients to sign when they receive the NPP. It should be signed by the client or include a short explanation from the social worker as to why the acknowledgment was not signed. The client’s signature is not mandatory; however, the social worker’s attempt should be documented. The acknowledgment may be kept with the client’s chart rather than the entire NPP.

Information about how a health or mental health care practice will use the NPP is contained in the NPP Policy; however, for quick review, some pointers are offered here:

• Keep a copy of the finalized NPP in the HIPAA compliance file for the social work practice.
• Post the finalized NPP on the social work practice Website.
• Post the NPP in a common area of the office (e.g., waiting room).
• Provide individual copies of the NPP to all clients.
• Put the completed Acknowledgment of Receipt of NPP in each client’s file.

Authorizations to Release Information

Three sample documents are provided that facilitate client’s permission (authorization) to release their confidential records. These are:

• Authorization/Consent Policy
• Standard Authorization, Substance Abuse Treatment
• Standard Authorization, Mental Health Treatment.

Like all of the sample policy documents, the Authorization Policy needs to identify the name of the social work practice or agency at the top [in the brackets] and should be dated and signed or initialed by the social worker or other person with authority to adopt policies for the health care practice. The word “sample” should be removed from the authorization forms when they are being personalized for a specific social work practice setting. The “Standard Authorization, Mental Health Treatment” will be most commonly used by a clinical social worker in private practice when releasing client information to a third party. The type(s) of information to be disclosed should be indicated by checking off all appropriate options or by writing in specific categories of information, the names of the parties provided and the document signed and dated by the client or their authorized representative (e.g., parent, guardian, executor of estate).

The option for “psychotherapy notes” should be used only when the clinician keeps a second set of more detailed notes in addition to the primary client chart and when the client wants that information disclosed to a third party. An authorization for the release of separately-maintained psychotherapy notes should not be combined with an authorization to release any other type of information in the client’s record. At times, two signed authorizations may be needed: one to release the primary client record and a second to release the clinician’s detailed psychotherapy notes. If only one chart is maintained for each client, then the psychotherapy notes check-off would not be applicable. For more information on the HIPAA definition of psychotherapy notes, read Social Workers and Psychotherapy Notes (Morgan, S. and Polowy, C., 2006).

Federally-funded drug and alcohol abuse treatment centers must comply with an additional set of federal confidential rules that are more protective of privacy than HIPAA (see Morgan, S. and Polowy, C., 2011). If a social worker is working in this type of treatment setting, the Authorization to Release Substance Abuse Information should be used when releasing client records. This authorization includes a statement that the party receiving the information is prohibited from re-releasing it without the client’s consent. By contrast, the Authorization to Release Mental Health Information is required to include an opposite statement, indicating that the party receiving the information may re-disclose it.

Breach Notification

NASW offers five sample documents related to notification of privacy breaches:

• Breach Notification Policy (required): The Breach Notification Policy document should be personalized and adopted in a manner similar to the other policy documents and filed with the HIPAA compliance folder.
• Breach Incident Log: The Breach Incident Notification Log should be maintained with other HIPAA compliance documents and completed in the event of a breach or breaches. If the breaches during a year affect a small number of clients (less than 500 per incident), then the information in the log may be used to file an annual breach incident report with the U.S. Department of Health and Human Services. Larger breaches (affecting 500 or more clients) require reporting as soon as possible (within 60 days), as well as notification of the media.
• Breach Notification – Patient: Most privacy breaches, regardless of the number of affected individuals, require notice to the client(s) unless a risk assessment determines there is a “low probability that the PHI has been compromised.” The sample notification to patients provides a general outline for the type of content that should be covered in notices to clients in the event of a privacy breach affecting their individual health information.
• Breach Notification – HHS: Although a sample notification letter to HHS is provided for NASW members, reporting to HHS is most commonly conducted online at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
• Authorization to Notify Patient of Breach via Email/Phone (optional): The Authorization to Notify patient of Breach via Email/Phone is an optional form that may be used when discussing with clients how they would like to be notified in the event of a privacy breach. Unless there is a prior agreement, HIPAA requires that notification of a breach be made by U.S. Mail.

For more information about the four factors to be reviewed in a breach notification risk assessment, see Social Workers and the 2013 Omnibus HIPAA Rule (Morgan, S., 2013). For suggested steps to follow in responding to a privacy breach, see Preventing and Responding to Electronic Privacy Breaches (Morgan, S. and Polowy, C., September 2010).

Business Associates

Social workers or other health practitioners are expected to have signed agreements with third parties on whom they rely to perform business functions related to the health care practice when disclosures of confidential client information are needed to carry out the designated tasks. Such third parties are referred to in HIPAA as “business associates” (BA). NASW sample HIPAA documents include a Business Associates Policy and a Business Associate Agreement. In the BA agreement, the “covered entity” refers to the clinical social worker and the “business associate” refers to the third party who will perform contractual activities such as accounting, billing, legal services, cloud computing, practice management or other functions.

The BA Policy should be adopted in the same manner as other HIPAA office policies. Suggestions for use of the sample business associate agreement are offered as follows:

• Section 2.1 – Check the first box to specify the purpose for the business associate’s access to clients’ protected health information and enter the specific purpose in the blank space OR check the second box if a separate services agreement is attached which details the purpose of the business associates’ use of protected health information and enter the name of that document in the blank space.
• Section 2.2 – Check all options that apply.
• Provide the business associate with a copy of your Notice of Privacy Practices Policy.
• Have each party sign and date the agreement.
• Make a copy and store the agreement with HIPAA compliance documents.

Accounting of Disclosures

HIPAA created a right for clients to request a list of the instances where their confidential information has been disclosed by their health care providers (an “accounting of disclosures); however, it contains many exceptions. The 2013 Omnibus HIPAA Rule did not make changes to the Accounting of Disclosures requirements. Thus, there is no need to update the sample policy and accounting log provided for NASW members; however, one should continue complying with the Accounting of Disclosures requirements by tracking disclosures related to matters such as:

• Reporting abuse or neglect (Adult Services,; Child Protective Services, etc.)
• Health oversight activities (e.g., audits, inspections)
• Judicial or administrative proceedings (court orders, subpoenas)
• Public health activities (mostly applicable to health care settings)
• Reports to avert imminent harm (e.g., threats to health and safety)
• Unauthorized disclosures (e.g., privacy breaches, information sent to wrong person/place)
• Other disclosures made without authorization that are unrelated to treatment, payment and health care business operations.

The Accounting of Disclosures Policy should be personalized and filed with other HIPAA policy documents and the Accounting of Disclosures Log should be copied and kept in individual client files to track the type of disclosures listed above. If the log is not maintained regularly, a social worker will need to complete it based on the documented disclosures referenced in the client’s record in order to respond to a client request for an accounting.

Analysis and Conclusions

Compliance with HIPAA requires maintaining a current level of knowledge about the regulations. Clinical social workers who are subject to the regulations need to:

• Adopt a set of HIPAA policy documents
• Provide the Notice of Privacy Practice to clients and gain an acknowledgment signature
• Review with clients how they would like to be notified in the event of a breach (optional)
• Review relationships with business associates and update written agreements
• Use the Accounting of Disclosures form in each client file to track required disclosures of client information
• Use the appropriate authorization forms when disclosing client information based on written consent
• Perform a risk assessment of electronic systems and devices containing client information
• Develop a security plan for reducing the threats and vulnerabilities to electronic health information
• Obtain HIPAA training and provide training to any employees/volunteers (see www.medelearn.org/nasw)
• Follow notification and reporting requirements in the event of a privacy breach.

NASW will continue to update the HIPAA compliance resources available to social workers. For twice-weekly updates on legal and ethical issues, you may visit the Social Work Ethics and Law Institute (SWELI) Facebook page and click “Like” at www.facebook.com/socialworkethicslaw.

© September 2013. National Association of Social Workers. All rights reserved. Re-publication of this article or portions thereof is by permission only.

Additional Resources

NASW Sample HIPAA Privacy Forms and Policies, www.socialworkers.org/hipaa/sample.asp.

NASW Online HIPAA Training Program, www.medelearn.org/nasw.

NASW Legal Defense Fund, Legal Issue of the Month Archive, www.socialworkers.org/ldf/legal_issue.

Introducing NASW’s Sample HIPAA Privacy Forms and Policies, Free, one-hour Webinar available to members of NASW Specialty Practice Sections at www.socialworkers.org/sections/teleconferences/tcourses/Default.aspx?courseID=853d92e7-d553-4f19-8c47-55879651ef97&header=OFF.

U.S Dept. of Health and Human Services, Office of the National Coordinator for Health IT, Privacy and Security Resources for Professionals  www.healthit.gov/providers-professionals/ehr-privacy-security.

U.S. Dept. of Health and Human Services, Model Notice of Privacy Practices, www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.

U.S. Dept. of Health and Human Services, Sample Business Associate Agreement Provisions, www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

References

45 C.F.R. Part 160, Part 162, and Part 164 (March 26, 2013). HIPAA administrative simplification, regulation text (Unofficial version). Available at www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.

Morgan, S. (March 2013). Social workers and the 2013 omnibus HIPAA rule, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2013/mar2013.asp.

Morgan, S. and Khan, A. (October 2012). Access to records by social workers’ clients, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2012/Oct2012.asp.

Morgan, S., Khan, A. and Polowy, C. (November 2010). Social workers and record retention requirements, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2010/201011.asp.