Entities impacted by HIPAA are widespread, so even if a practitioner, such as an Industrial-Organizational (I-O) Psychologist, is not directly affected by HIPAA, it is advantageous for them to be aware of HIPAA laws, as they may consult with a business that is covered by HIPAA. Flynn (2003) relates that if a company has at least 50 employees and offers health benefits to them, that company is required to comply with HIPAA. The goal of the administrative simplification section of HIPAA is to simplify the process by which health-care providers and health-care payers communicate with each other. Part of the administrative simplification rules deals with protective measures that health-care providers and payers have to take in order to protect the privacy and security of this individually identifiable health information.
“Firewalls, computer passwords, security measures, policies, procedures, and trainings for people who handle protected health information, to ensure that HIPAA requirements are understood and followed” (Flynn, 2003).
The Administrative Simplification Requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will have a major impact on health care providers who do business electronically as well as many of their health care business partners. Many changes involve complex computer system modifications. Providers need to know how to make their practices compliant with HIPAA. The Administrative Simplification Requirements of HIPAA consist of four parts: 1) Electronic transactions and code sets; 2) Security; 3) Unique identifiers; and 4) Privacy (CMS, 2003).
The security component of HIPAA will not be in effect for two years after it is released. Physically limiting who has access to that information by use of passwords or by establishing that only certain computers allow access to this information.
Small group health plans (i.e., those plans with less than five million dollars per year in either total health care premiums or benefits paid out) have an additional year to comply with the privacy rule, so they have until April 2004. Most group health plans require some form of co-assistance from lawyers, consultants, or others to ensure they're compliant by April 2003 (Flynn, 2003).
Schmitt, Chair of the Committee on Professional Practice, theorizes that the HIPAA Privacy Rules will not affect most I-O psychologists. Unless I-O psychologists' executive assessments include health care related diagnostics, I-O practitioners should not be covered providers. Those working in Employee Assistance Programs (EAPs) will certainly be covered.
Also, any I-O psychologist or other psychologist performing services for an employer for which insurance reimbursement is sought, or which the employer (acting as a self-insurer) pays for, would have to make sure that the employer is complying with the Privacy Rules (Schmitt, 2003; Ohio Psychological Association, n.d.).
HIPAA does not apply in educational settings where the Federal Education Rights and Privacy Act (FERPA) applies, or to some forensic psychologists and Industrial-Organizational psychologists engaged in non-health care services (American Psychological Association Practice Organization, n.d.). An I-O psychologist simply performing executive assessments for an employer for an employer's use typically would not need to comply with the Privacy Rules. Whether or not an employer contracts a third-party biller or clearinghouse to conduct any of these business transactions electronically, such as “claims or equivalent encounter information, payment and remittance advice, claim status inquiry/response, eligibility inquiry/response, and referral authorization inquiry/response” (CMS, 2003), it is up to the employer or possibly the I-O practitioner as the health care provider to see to it that transactions are being conducted in compliance with HIPAA.
The Ohio Psychological Association (n.d.) counsels its members that the Privacy Rule does not require psychotherapy notes, but does require that psychologists have a “business associate contract” with any business associates, such as billing services, accountants, and attorneys, with whom they share privileged/protected health information as the business associates and other individuals provide service to, or on behalf of, the psychologist. “This contract assures that the business associate (who is not directly regulated by the Privacy Rule) will safeguard privacy” (Ohio Psychological Association, n.d.). Contingent upon the clinical depth of an I-O psychologist's work reimbursal systems, such as third-party payers via health insurance, some aspects of HIPAA compliance will be irrelevant. However, working in managed care milieus, the insurance industry, or entities covered by or collaborating with HIPAA in any fashion may create an impetus for some level of insight into HIPAA regulations. Schmitt (2003) suggests consulting the Society for Human Resource Management (SHRM) website, as it serves as a good online toolkit promulgating HIPAA compliance.
HIPAA Compliance
The criminal penalties under the HIPAA Privacy Rule for use of a patient's protected health information for personal gain can range up to 10 years in prison and a fine of up to $250,000. The federal government obtained its first privacy conviction against a former employee of a Seattle, Washington health care entity in August 2004. To deal with the breadth and depth in complexity and size, HIPAA developed the concept of what is coined as scalable compliance, meaning that a covered entity takes reasonable steps to meet the requirements according to its dimension and activity types (Ohio Psychological Association, n.d.). Consequences are primarily intended for those who would misuse privileged patient information for their own personal gain. If an infraction has transpired, the HHS Office for Civil Rights may pursue action deemed mild in consequence severity.