When are mental health professionals not covered entities under HIPAA?

Mental health professionals are not covered entities under HIPAA if they operate exclusively on a cash-only basis without engaging in electronic transactions or maintaining electronic records or only paper records and do not transmit patient information electronically. Additionally, specific practice settings where services do not involve HIPAA covered transactions may exempt them from being considered covered entities. However, they must still comply with relevant state privacy laws and maintain patient confidentiality.

Definition of covered entities

HIPAA defines covered entities as organizations or individuals that transmit health information electronically in connection with certain transactions. These covered entities include healthcare providers, health plans, and healthcare clearinghouses. Whether mental health professionals can be considered covered entities depends on whether their practice involves electronic transactions or the maintenance of electronic health records (EHRs).

Related: How to know if you’re a covered entity

General criteria for HIPAA coverage

• Treatment of patients: Providing healthcare services, including mental health treatment to individuals.
• Electronic transactions: Engaging in electronic transactions such as submitting claims to insurance companies or maintaining EHRs. 

Exceptions to HIPAA coverage

Cash-only practices

Mental health professionals who operate on a cash-only basis, without engaging in electronic transactions or maintaining electronic records, may not be subject to HIPAA regulations. In these practices, all transactions are conducted in cash, and patient records are kept on paper. While HIPAA might not apply, these professionals must still maintain patient confidentiality and comply with relevant state laws regarding patient privacy.

No electronic transactions

Practices that exclusively use paper records and do not transmit patient information electronically are typically not covered by HIPAA. That includes not submitting electronic insurance claims or communicating with other healthcare providers about patient care electronically. These practices must assess their activities carefully to ensure they do not inadvertently engage in electronic transactions that would trigger HIPAA coverage.

Specific practice settings

Some mental health services may not involve HIPAA covered transactions. For example, certain counseling services that do not bill insurance electronically or provide healthcare services that do not require the electronic transmission of protected health information (PHI) might not be covered entities. Mental health professionals in these settings must evaluate their practice scope and consult with legal advisors to determine their HIPAA obligations.

State laws and ethical considerations

Even if a mental health professional is not covered under HIPAA, they must still comply with state-specific privacy laws. For instance, some states have laws that mandate the protection of patient information similar to HIPAA, regardless of electronic transactions. Mental health professionals must stay informed about their state regulations and ensure they meet all applicable requirements.

While HIPAA sets federal standards for patient privacy, mental health professionals have ethical obligations to maintain confidentiality and protect patient information. Professional organizations, such as the American Psychological Association (APA), provide guidelines and ethical standards for patient confidentiality. They state that "Ethics Code Standard 4.05(b) allows disclosure of confidential information without patient consent “where permitted by law for a valid purpose such as to… protect the client/ patient, psychologist, or others from harm.”

Practical tips for mental health professionals

• Assess practice activities: Regularly review your activities to determine if HIPAA applies. If unsure, consult with legal advisors or compliance experts.
• State laws compliance: Familiarize yourself with state privacy laws and ensure compliance even if HIPAA does not apply.
• Implement best practices: Adopt best practices for patient privacy, including secure record-keeping, whether on paper or electronically.

FAQs

Are mental health professionals covered entities if they use email to communicate with patients?

Yes, using email to communicate with patients typically involves electronic transmission of PHI, making them a covered entity under HIPAA. That means they must ensure HIPAA compliant email communication practices. 

Must mental health professionals comply with HIPAA if they only provide services through in-person sessions?

If their practice includes electronic transactions or maintains electronic records, they must comply with HIPAA, even if services are only provided in person.

Can a mental health professional be partially covered by HIPAA for some services and not others?

Yes, if they engage in electronic transactions for some services but not others, HIPAA regulations would apply to the services involving electronic PHI transmission.