While counseling and coaching services may seem to fall outside of the realm of traditional healthcare, they often fall squarely in the realm of mental health and are therefore subject to HIPAA requirements. Knowing whether these services fall under HIPAA regulations can be tricky, and it’s important to understand your responsibilities in protecting patient health information (PHI).
Below, we explore HIPAA compliance requirements for mental health services, such as coaching and counseling, and how you can ensure compliance.
Coaching vs. counseling, and your legal HIPAA rights
One thing that is important to note about healthcare law related to mental health is the strong distinction between counseling and coaching. The life coach industry first became popular within business, noted David J. Ley, PhD, in Psychology Today. Dr. Ley definitely is both concerned and unimpressed with the coaching business, but does identify some important points in the difference, ethically and legally, between these two similar types of service.
Ethics – While counseling establishes very clear boundaries, through licensure and regulation, these boundaries do not exist in a standardized way within coaching. There are associations of coaches that have developed strong ethical guidelines, but any given coach does not have to become a member of that association.
Abandonment – A licensed counselor is not allowed to abandon a patient, regardless if they have not been keeping pace financially. A mental health counselor must be certain that the patient is provided high-quality care or that they are referred to another facility that can offer them what they need.
Privacy & Security – If coaching is not delivered within a formal healthcare setting, it is not covered by the Health Insurance Portability and Accountability Act, explained Dr. Fey. That means you do not have the same confidentiality protections – the Privacy Rule that gives you rights and the Security Rule that enacts proper protections within digital relationships and settings. HIPAA may be annoying to healthcare organizations and IT specialists at times, but to us as patients, it does serve a function. Since coaches often do not have training related to healthcare privacy or healthcare law, said Dr. Fey, “they may not even be aware of the subtle forms of disclosure which might be damaging to their clients.”
How HIPAA is different for mental health
Mental health practices are likelier to adopt consumer cloud solutions than large health facilities such as hospitals are.
There are many technologies that are specifically built to target healthcare clients, such as telemedicine video conferencing, secure clinician-to-clinician texting, email systems encrypted to safeguard ePHI, etc. Large medical clinics take much greater advantage of those specialized solutions than mental health practices do, according to licensed professional counselor (LPC) / national certified counselor (NCC) Roy Huggins in Person-Centered Tech.
Huggins noted that mental health practices are likelier to use a consumer tool such as Gmail or PayPal. Risk management becomes difficult when you are trying to embrace products that were built for consumers, but that those solutions are essential within mental health, suggested Huggins. He criticized the Office for Civil Rights (OCR), the branch of the HHS that oversees the development and enforcement of HIPAA regulations, for not understanding how important these consumer tools are within mental health.
According to Huggins, there are shortcomings of these technologies – especially since they were developed without the specific requirements of HIPAA in mind (since, after all, not all technologies were built for highly sensitive personal health data).
It is not a good idea to use customer invoicing within a standard cloud tool – but that typically you will be able to take credit card payments in that manner, stated Huggins. It really is all about the proper safeguards being in place for the data, so if a certain cloud tool has payment processing encryption (but not for other components of their ecosystem), you could use the one but not the other.
Mental health providers spend quite a bit of time with patients in comparison to most other healthcare providers.
In general, a mental health practitioner will spend a full hour in therapy with a patient immediately, with large chunks of time continuing as they go.
It is rare within healthcare to have that amount of direct interaction and collaborative tone to facilitate such a strong direct and customized relationship.
By having a sense of collaboration and a client-centered perspective at the forefront of the arrangement, and with the amount of time that mental health providers have with patients, there is ample opportunity for more clinician-client collaboration (CCC).
The Security Rule has somewhat broad language, as Huggins indicated. For instance, there is no explicit rule that all email must be encrypted.
He is right about that. The summary of the Security Rule from the HHS states that it is built to be scalable and flexible enough to allow for analysis that is appropriate to different types of settings. “What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources,” said the HHS.
Rather than listing specifics for what you necessarily need to do, the HIPAA guidelines dictate the need to develop documentation of your procedures and policies that are used to safeguard health data. The procedures and policies that are stated within those documents are the details for how you actually comply with the law on a daily basis.
In order to follow best practices within the industry and as general safeguarding of data, it will typically make sense to put a password rotation system in place, along with email encryption and other strategies.
Your policies may be different, though, depending on what is best for security – and the security scenario for mental health professionals has its own expectations and needs.
Mental health professionals have greater leeway to use their understanding of client requirements to determine what they do in terms of security – since the needs of the client are used so substantially to arrive at better clinical outcomes.
Focusing on the client in such a specific and direct way, and customizing to meet their needs, can be completely compliant with HIPAA and improve client relationships, Huggins advised, adding that “we have more space and deeper skills to enact it than most other health care professions.”
What sort of risks do mental health services organizations face when it comes to HIPAA?
In April 2017, a report was released by Databreaches.net that discussed 3000 healthcare records having been compromised. The records were offered for sale on a darknet. The data included the histories of patients – both health and mental health – along with notes from therapy appointments.
There were over 45,000 patient files that had been stolen by the cyberattacker, but only 3000 to 3500 were unique patients. Data included full names, phone numbers, addresses, social security numbers, dates of birth, names of doctors, and employers.
Along with the above elements, the records additionally included full family histories for patients, as well as any histories of substance abuse.
The descriptive advertisement for the records was especially disturbing, as indicated by HIPAA Journal: “‘Everything confessed/discussed in complete privacy is in here for thousands of patients,’” said the darkweb post.
The minimum price listed for the data was $10,000. It was reportedly sold to a single individual.
The hacker who was selling the records said that the network security of the healthcare firm was “not-so-great.”
Databreaches.net investigated and noted that the data was from a practice in Bangor, Maine: Behavioral Health Center. The practice was notified by the security researchers and immediately began an investigation.
This incident highlights the importance of HIPAA compliance for mental health providers.
Your HIPAA compliant mental health hosting
Mental health IT takes a somewhat different approach related to HIPAA, as noted above. Counselors must maintain HIPAA compliance. Coaches can choose HIPAA-compliant infrastructure as a way to demonstrate their dedication to HIT security.
Are you in need of a HIPAA compliant setup for your mental health infrastructure? HIPAA Compliant Hosting by Atlantic.Net™ is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records.
Learn more about our HIPAA compliant web hosting and HIPAA cloud hosting solutions.