Mental health professionals are not covered entities under HIPAA if they operate exclusively on a cash-only basis without engaging in electronic transactions or maintaining electronic records or only paper records and do not transmit patient information electronically. Additionally, specific practice settings where services do not involve HIPAA covered transactions may exempt them from being considered covered entities. However, they must still comply with relevant state privacy laws and maintain patient confidentiality.
HIPAA defines covered entities as organizations or individuals that transmit health information electronically in connection with certain transactions. These covered entities include healthcare providers, health plans, and healthcare clearinghouses. Whether mental health professionals can be considered covered entities depends on whether their practice involves electronic transactions or the maintenance of electronic health records (EHRs).
Related: How to know if you’re a covered entity
Mental health professionals who operate on a cash-only basis, without engaging in electronic transactions or maintaining electronic records, may not be subject to HIPAA regulations. In these practices, all transactions are conducted in cash, and patient records are kept on paper. While HIPAA might not apply, these professionals must still maintain patient confidentiality and comply with relevant state laws regarding patient privacy.
Practices that exclusively use paper records and do not transmit patient information electronically are typically not covered by HIPAA. That includes not submitting electronic insurance claims or communicating with other healthcare providers about patient care electronically. These practices must assess their activities carefully to ensure they do not inadvertently engage in electronic transactions that would trigger HIPAA coverage.
Some mental health services may not involve HIPAA covered transactions. For example, certain counseling services that do not bill insurance electronically or provide healthcare services that do not require the electronic transmission of protected health information (PHI) might not be covered entities. Mental health professionals in these settings must evaluate their practice scope and consult with legal advisors to determine their HIPAA obligations.
Even if a mental health professional is not covered under HIPAA, they must still comply with state-specific privacy laws. For instance, some states have laws that mandate the protection of patient information similar to HIPAA, regardless of electronic transactions. Mental health professionals must stay informed about their state regulations and ensure they meet all applicable requirements.
While HIPAA sets federal standards for patient privacy, mental health professionals have ethical obligations to maintain confidentiality and protect patient information. Professional organizations, such as the American Psychological Association (APA), provide guidelines and ethical standards for patient confidentiality. They state that "Ethics Code Standard 4.05(b) allows disclosure of confidential information without patient consent “where permitted by law for a valid purpose such as to… protect the client/ patient, psychologist, or others from harm.”
Yes, using email to communicate with patients typically involves electronic transmission of PHI, making them a covered entity under HIPAA. That means they must ensure HIPAA compliant email communication practices.
If their practice includes electronic transactions or maintains electronic records, they must comply with HIPAA, even if services are only provided in person.
Can a mental health professional be partially covered by HIPAA for some services and not others?
Yes, if they engage in electronic transactions for some services but not others, HIPAA regulations would apply to the services involving electronic PHI transmission.