A moderate consequence may entail civil penalties of no more than $100 per infraction not to exceed $25,000. A severe consequence would entail imprisonment of up to 10 years, fines of up to $250,000 possibly both, for a “knowing wrongful disclosure of individually identifiable health information” (HIPAA for Psychologists, n.d.).
It may be advantageous for I-O Psychologists to be proficient in their knowledge of HIPAA compliance measures. From a less altruistic vantage point, it may make an I-O Psychologist more marketable in certain fields, as well. Wheeler (2004) edifies key aspects of HIPAA compliance as privacy policies and procedures should be documented and disseminated in the form of “Notice of Privacy Practices.” HIPAA and state law requirements should be addressed, such as Use and Disclosure of Information (including verification of identity and authorization to release information), Patient Rights (access, amendment and accounting), and the Compliant Process. There should be HIPAA amenable authorization preceding release of Protected Health Information (PHI).
Additionally, electronic or digital signatures may be used as a security measure by a covered entity that determines that such use is appropriate and reasonable (Wheeler, 2004). Wheeler (2004) further recommends covered entities take definitive measures that are comprehensive and replete throughout the organization, many of which address the practice of I-O psychology, such as:
Document requests and what action was taken; Statement of client's review rights and how to file a complaint; Document the designated the record sets that are subject to access and the titles of person(s) responsible for processing requests for access by individuals. Provide training to employees or other members of the workforce regarding the privacy policies and procedures. Document who was trained, the date, training occurred and what it entailed. HIPAA Training Log with information kept in each employees file. Periodic refresher training.
Document what was done in response to client complaint. This documentation is especially important if the client takes the complaint to the Office of Civil Rights under the United States Department of Health and Human Services. State law and ethical codes should be consulted to determine whether or not it is appropriate to release information to a friend or relative without the client's consent (Wheeler, 2004).
I-O Psychologists' Ethical and Legal Responsibilities to Privileged Information
Psychologists had until April 14, 2003 to adhere to the deadline for complying with the HIPAA Privacy Rule. Fortuitously, there are products, such as software developed by the APA Practice Organization and APA Insurance Trust for Psychologists to be prepared. “Although there have always been exceptions to confidentiality, the demand for client information inherent in managed care far exceeds traditional limitations to confidentiality” (Corey, Corey & Callanan, 2003, p. 378). This, too, is influenced in privacy practices.
The Privacy Rule applies to any psychologist who transmits protected health information in electronic form in connection with a health care claim. Once the rule is triggered, the psychologist's entire practice must come into compliance. Because the Privacy Rule applies to the electronic transmission of health information, some psychologists who do not submit electronic claims or who don't participate with third-party payment plans may not currently need to comply with the Privacy Rule. However, it is in your best interest to comply now, as any number of future actions may trigger the Privacy Rule (for example, participating in Medicare or another third-party payment plan in the increasingly electronic private market (Ohio Psychological Association, n.d.).
Compliance may also be triggered by actions outside of a practitioner's control, such as if utilizing a billing service that becomes entirely electronic. If one of these events suddenly triggers an entity's Privacy Rule obligations after the April 2003 deadline, there will not be a grace period for coming into compliance. Consequently, the APA Practice Organization and the APA Insurance Trust strongly recommend that actions be taken now to get in compliance, so that psychologists will be ready as the health care industry becomes increasingly dependent upon electronic transmission. HIPAA's Privacy Rule applies to all health care providers ranging from those in large multi-hospital systems to individual solo practitioners; hence I-O Psychologists should be privy to those regulations. The administrative requirements of the Privacy Rule are “scalable,” meaning that a covered entity must take “reasonable” steps to meet the requirements according to its size and type of activities.
The Privacy Rule applies to, and provides specific protections for, protected health information (PHI). With certain exceptions, the Privacy Rule defines PHI as information that: (1) is created or used by health care professionals or entities; (2) is transmitted or maintained in any form or medium; (3) identifies or can be used to identify a particular patient; and (4) relates to one of the following: (a) the past, present, or future physical or mental health condition of a patient; (b) the provision of health care to a patient, or (c) the past, present, or future payment for providing health care to a patient. The Privacy Rule does not require that you keep psychotherapy notes. It simply specifies heightened protection for psychotherapy notes in the event that a psychologist maintains them (Ohio Psychological Association, n.d.).
