Are mental health professionals covered entities under HIPAA?

Mental health professionals are generally considered covered entities under HIPAA if they treat patients and engage in electronic transactions involving protected health information (PHI), such as electronic billing or maintaining electronic health records.

However, they may not be classified as covered entities if they operate on a cash-only basis without electronic transactions or if their practice scope does not involve HIPAA covered activities. Mental health professionals must assess their specific practice activities to determine their HIPAA obligations and consult legal advice to ensure compliance.

Learn more: Paubox for mental health professionals

Understanding covered entities

HIPAA defines covered entities as organizations or individuals involved in transmitting health information electronically in connection with certain transactions. These include healthcare providers who conduct electronic transactions related to billing and payments, health plans, and healthcare clearinghouses. Mental health professionals should question whether their practice involves electronic transactions or the maintenance of electronic health records (EHRs).

Read more: How to know if you’re a covered entity

Mental health professionals as covered entities

In most cases, mental health professionals fall under the category of healthcare providers and are thus considered covered entities under HIPAA. That includes psychologists, psychiatrists, counselors, social workers, and therapists who treat patients and use electronic means for healthcare transactions, such as submitting insurance claims or maintaining EHRs.

Criteria for HIPAA coverage

To be classified as a covered entity under HIPAA, mental health professionals must meet two primary criteria:

1. Treatment of patients: Providing healthcare services to individuals falls under the definition of a healthcare provider covered by HIPAA. That includes diagnosis, counseling, therapy, and other forms of mental health treatment aimed at improving patients' psychological and emotional well-being.
2. Electronic transactions: Engaging in electronic transactions, such as submitting claims to insurance companies electronically or maintaining electronic patient records, means that HIPAA requirements apply. That ensures patient information is transmitted securely and with privacy protections in place.

Exceptions and specific scenarios

There are exceptions where mental health professionals may not be considered covered entities under HIPAA:

• Cash-only practices: If a mental health professional operates on a cash-only basis and does not engage in electronic transactions or maintain electronic records, they may not be subject to HIPAA regulations. However, even in cash-only practices, they must maintain patient confidentiality and comply with state laws regarding patient privacy.
• Limited scope: Practices that do not involve electronic transactions covered by HIPAA, such as certain counseling services that do not bill insurance electronically, might not meet the criteria for HIPAA coverage. 
  
  

Meeting HIPAA requirements for covered entities

According to the HHS, "Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.". 

• Privacy Rule: Protecting patients' PHI and ensuring that disclosures are made only with patient authorization or as permitted by law ensures compliance with the HIPAA Privacy Rule. That includes implementing policies and procedures to safeguard PHI from unauthorized access and disclosures.
• Security Rule: Implementing safeguards to protect electronic PHI from unauthorized access, use, or disclosure meets the HIPAA Security Rule requirements. That involves conducting regular risk assessments, implementing technical security measures (e.g., encryption, access controls), and training staff on security practices.
• Breach Notification Rule: Reporting breaches of unsecured PHI to affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media is a requirement of the Breach Notification Rule. Prompt notification helps mitigate potential patient harm and comply with legal requirements.

Practical considerations for compliance

• Treatment coordination: Mental health professionals can share PHI with other healthcare providers involved in a patient’s treatment without patient authorization, ensuring continuity of care and improving outcomes. The HHS states that "HIPAA permits health care providers to disclose to other health providers any protected health information (PHI) contained in the medical record about an individual for treatment, case management, and coordination of care and, with few exceptions, treats mental health information the same as other health information.". This collaboration effectively addresses complex mental health needs. 
• Patient rights: Patients have rights to access their PHI, request amendments, and receive an accounting of disclosures. Mental health professionals must educate patients about their privacy rights and facilitate their requests in compliance with HIPAA regulations.
  
  

FAQs

Do mental health professionals always need patient consent to share information with other healthcare providers for treatment?

No, HIPAA allows mental health professionals to share patient information for treatment purposes without needing patient consent, ensuring seamless care coordination.

Do HIPAA rules apply differently to telehealth services?

HIPAA rules apply equally to telehealth services. Mental health professionals must ensure patient information is protected when using electronic communication platforms for remote sessions.

Read more: How does HIPAA apply to telehealth?

Can professionals use mobile devices to communicate patient information securely under HIPAA?

You can use mobile devices to communicate patient information securely if appropriate safeguards are in place. That includes using encrypted email and HIPAA compliant text messaging applications to protect electronic PHI from unauthorized access or disclosure.