Introduction
September 23, 2013 is the enforcement date for the 2013 changes to the HIPAA medical privacy regulations, issued by the U.S. Department of Health and Human Services in January (codified at 45 C.F.R. Part 160, Part 162, and Part 164). The amended regulations address many aspects of the HIPAA requirements, as discussed in the article, Social Workers and the 2013 Omnibus HIPAA Rule (Morgan, S., 2013). Known as the Omnibus Rule, the 2013 HIPAA regulatory amendments expand patient and client privacy protections and clarify elements of the medical privacy, security and breach notification standards. As a result, health care entities covered by the HIPAA rules, including clinical social workers, will need to update and revise many of their compliance documents. NASW’s Legal Defense Fund has provided a basic set of online HIPAA privacy forms and office policies for use by members in meeting their regulatory responsibilities and these have been updated to take into account the new requirements. This article will review the sample documents (available at https://www.socialworkers.org/hipaa/sample.asp) and highlight key issues in adapting them for a clinical social worker’s practice.
Forms and Policies Distinguished
Social workers should distinguish between the HIPAA forms and the HIPAA office policies. Both types of documents are needed for HIPAA compliance. For example, the Notice of Privacy Practices (NPP) is the form commonly distributed to clients that informs them of how their health information will be protected and the circumstances under which it will be disclosed. However, it is the Notice of Privacy Practices Policy that describes the day-to-day procedures followed by the social worker when handling the Notice of Privacy Practices. Specific sample documents will be discussed individually, below. All HIPAA compliance documents should be maintained for six years. The State mandated time period for retaining client records is not affected by the HIPAA requirement and is contained in state laws addressing health records (see Morgan, S., Khan, A. and Polowy, C., November 2010).
HIPAA Policies
HIPAA requires that covered entities have written office policies and while this may seem burdensome for a small or solo practitioner, it is a requirement for practitioners who are subject to HIPAA. To track adherence to the requirements, it is appropriate to place all of the revised HIPAA policies into a HIPAA compliance file or folder (which may be electronic or on paper), so that they are available for review when needed.
The sample policies offered by NASW should be personalized with the name of the social work practice, dated and signed, and then filed with other HIPAA compliance documents. The blanks at the top of the sample policies for “policy number” and “subject” are for the optional use by the social work practice. The sample policies include:
In the event that a social worker has a HIPAA question or is the subject of a HIPAA investigation, review of the HIPAA policy documents can be instructive. Health care entities are expected to comply with their own written policies. Health care entities, including solo practitioners, are required to receive training on the HIPAA policies and to provide training to any members of their workforce about the policies. The training should be documented and records of the training filed with other HIPAA compliance documents.
Sample Notice of Privacy Practices (NPP), State Law and the NASW Code of Ethics
The Notice of Privacy Practices (NPP) is the HIPAA form that is familiar to most clients and practitioners. Specific instructions for social workers are provided in a document titled, “Notice of Privacy Practices Instructions for Use” located in the “policy” section of the sample document Webpage.
Sample documents such as the NPP are meant to be modified for the specific practice setting and to take into account state privacy laws that are more protective of privacy than HIPAA. It is also permissible for the NPP to incorporate professional ethics standards that are more protective of privacy. Some of the modifications that would otherwise need to be made to meet state social worker confidentiality requirements may already be incorporated in the NASW sample because certain standards of the Code of Ethics have already been taken into consideration. For example, for payment purposes HIPAA allows release of information to the client’s insurance company without any consent or authorization from the parties. But the NASW Code of Ethics requires consent for the information to be released. That provision is referenced already in the sample notice in the section “For Payment.” It states that the social work practice would disclose information for payment based on client authorization.
Different categories of information are listed on the NPP about how health information might be used by the social work practice. The area requiring particular review is the section for disclosures of information “without authorization.” Page 2 and Page 3 of the sample NPP list instances where information might be released without the authorization of the client. Those are the areas where, again, the sample has been modified to be consistent with the Code of Ethics, but where a social worker would also want to review state law requirements.
One area that mental health practitioners may consider adding is for reporting elder or vulnerable adult abuse, which could very readily be added in a section following Child Abuse or Neglect. Federally-funded drug and alcohol abuse treatment providers have stricter privacy standards that may limit elder abuse reporting. Depending on a state’s reporting law a social worker may want to consider whether any additional detail about reporting child abuse would be appropriate. For example, some states require that child abuse be reported regardless of how much time has passed, so that if an adult patient reports that they were abused as a child a report must still be filed. In those states, it may be appropriate to add clarifying language, or to verbally review that provision with new clients.
Another example of how the sample NPP has been modified to meet the Code of Ethics is the section addressing disclosures for family involvement in care. HIPAA allows health care entities to notify family members who are involved in the patient’s care if they are closely involved in the treatment. The Code of Ethics does not permit this disclosure unless the client consents, although it does not specify that the consent be in writing.
State laws on client access to health records often differ from HIPAA regarding how soon a practitioner must respond to a client request for records. If state law requires access within less than 30 days, this should be followed when clients request their records. Otherwise, the HIPAA time period of 30 days applies. Social workers may review their state law provision in the legal article, Access to Records by Social Workers’ Clients (Morgan, S. and Khan, A., 2012).
Using the Finalized Notice of Privacy Practices
NASW’s sample forms include a one-page client “acknowledgment” form for clients to sign when they receive the NPP. It should be signed by the client or include a short explanation from the social worker as to why the acknowledgment was not signed. The client’s signature is not mandatory; however, the social worker’s attempt should be documented. The acknowledgment may be kept with the client’s chart rather than the entire NPP.
Information about how a health or mental health care practice will use the NPP is contained in the NPP Policy; however, for quick review, some pointers are offered here:
Authorizations to Release Information
Three sample documents are provided that facilitate clients’ permission (authorization) to release their confidential records. These are:
Like all of the sample policy documents, the Authorization Policy needs to identify the name of the social work practice or agency at the top [in the brackets] and should be dated and signed or initialed by the social worker or other person with authority to adopt policies for the health care practice. The word “sample” should be removed from the authorization forms when they are being personalized for a specific social work practice setting. The “Standard Authorization, Mental Health Treatment” will be most commonly used by a clinical social worker in private practice when releasing client information to a third party. The type(s) of information to be disclosed should be indicated by checking off all appropriate options or by writing in specific categories of information, the names of the parties provided and the document signed and dated by the client or their authorized representative (e.g., parent, guardian, executor of estate).
The option for “psychotherapy notes” should be used only when the clinician keeps a second set of more detailed notes in addition to the primary client chart and when the client wants that information disclosed to a third party. An authorization for the release of separately-maintained psychotherapy notes should not be combined with an authorization to release any other type of information in the client’s record. At times, two signed authorizations may be needed: one to release the primary client record and a second to release the clinician’s detailed psychotherapy notes. If only one chart is maintained for each client, then the psychotherapy notes check-off would not be applicable. For more information on the HIPAA definition of psychotherapy notes, read Social Workers and Psychotherapy Notes (Morgan, S. and Polowy, C., 2006).
Federally-funded drug and alcohol abuse treatment centers must comply with an additional set of federal confidentiality rules that are more protective of privacy than HIPAA (see Morgan, S. and Polowy, C., 2011). If a social worker is working in this type of treatment setting, the Authorization to Release Substance Abuse Information should be used when releasing client records. This authorization includes a statement that the party receiving the information is prohibited from re-releasing it without the client’s consent. By contrast, the Authorization to Release Mental Health Information is required to include an opposite statement, indicating that the party receiving the information may re-disclose it.
Breach Notification
NASW offers five sample documents related to notification of privacy breaches:
For more information about the four factors to be reviewed in a breach notification risk assessment, see Social Workers and the 2013 Omnibus HIPAA Rule (Morgan, S., 2013). For suggested steps to follow in responding to a privacy breach, see Preventing and Responding to Electronic Privacy Breaches (Morgan, S. and Polowy, C., September 2010).
Business Associates
Social workers or other health practitioners are expected to have signed agreements with third parties on whom they rely to perform business functions related to the health care practice when disclosures of confidential client information are needed to carry out the designated tasks. Such third parties are referred to in HIPAA as “business associates” (BA). NASW sample HIPAA documents include a Business Associates Policy and a Business Associate Agreement. In the BA agreement, the “covered entity” refers to the clinical social worker and the “business associate” refers to the third party who will perform contractual activities such as accounting, billing, legal services, cloud computing, practice management or other functions.
The BA Policy should be adopted in the same manner as other HIPAA office policies. Suggestions for use of the sample business associate agreement are offered as follows:
Accounting of Disclosures
HIPAA created a right for clients to request a list of the instances where their confidential information has been disclosed by their health care providers (an “accounting of disclosures”); however, it contains many exceptions. The 2013 Omnibus HIPAA Rule did not make changes to the Accounting of Disclosures requirements. Thus, there is no need to update the sample policy and accounting log provided for NASW members; however, one should continue complying with the Accounting of Disclosures requirements by tracking disclosures related to matters such as:
The Accounting of Disclosures Policy should be personalized and filed with other HIPAA policy documents and the Accounting of Disclosures Log should be copied and kept in individual client files to track the type of disclosures listed above. If the log is not maintained regularly, a social worker will need to complete it based on the documented disclosures referenced in the client’s record in order to respond to a client request for an accounting.
Analysis and Conclusions
Compliance with HIPAA requires maintaining a current level of knowledge about the regulations. Clinical social workers who are subject to the regulations need to:
NASW will continue to update the HIPAA compliance resources available to social workers. For twice-weekly updates on legal and ethical issues, you may visit the Social Work Ethics and Law Institute (SWELI) Facebook page and click “Like” at www.facebook.com/socialworkethicslaw.
© September 2013. National Association of Social Workers. All rights reserved. Re-publication of this article or portions thereof is by permission only.
Additional Resources
NASW Sample HIPAA Privacy Forms and Policies, www.socialworkers.org/hipaa/sample.asp.
NASW Online HIPAA Training Program, www.medelearn.org/nasw.
NASW Legal Defense Fund, Legal Issue of the Month Archive, www.socialworkers.org/ldf/legal_issue.
Introducing NASW’s Sample HIPAA Privacy Forms and Policies, Free, one-hour Webinar available to members of NASW Specialty Practice Sections at www.socialworkers.org/sections/teleconferences/tcourses/Default.aspx?courseID=853d92e7-d553-4f19-8c47-55879651ef97&header=OFF.
U.S. Dept. of Health and Human Services, Office of the National Coordinator for Health IT, Privacy and Security Resources for Professionals, www.healthit.gov/providers-professionals/ehr-privacy-security.
U.S. Dept. of Health and Human Services, Model Notice of Privacy Practices, www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.
U.S. Dept. of Health and Human Services, Sample Business Associate Agreement Provisions, www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
References
45 C.F.R. Part 160, Part 162, and Part 164 (March 26, 2013). HIPAA administrative simplification, regulation text (Unofficial version). Available at www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.
Morgan, S. (March 2013). Social workers and the 2013 omnibus HIPAA rule, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2013/mar2013.asp.
Morgan, S. and Khan, A. (October 2012). Access to records by social workers’ clients, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2012/Oct2012.asp.
Morgan, S., Khan, A. and Polowy, C. (November 2010). Social workers and record retention requirements, NASW Legal Defense Fund, Legal Issue of the Month. Available at https://www.socialworkers.org/ldf/legal_issue/2010/201011.asp.