S is for Sharing Mental Health Information


Today’s Letter is S, S is for Sharing Mental Health Information

Allowing Providers to Share

In certain circumstances HIPAA allows mental health providers to determine when to share mental health information based on professional judgment, when it is in the best interests of the patient, or to prevent or lessen a risk of harm.

If there is a risk of harm to themselves or others, or if the patient is exhibiting behavior that may threaten their health or safety, providers need to be able to use professional judgment to identify the potential or likely risk and determine who can help lessen it.

Ways to Share

There are several ways the provider may address the situation.

If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient’s personal representative (if applicable), or with family or friends involved in their care if the provider determines this is in the patient’s best interest.

A provider may contact anyone reasonably able to lessen the risk of harm when they believe that a patient presents a serious and imminent threat to the health or safety of themselves or another person.

OCR Won’t Second Guess

The Office for Civil Rights (OCR) states it won’t second guess a mental health provider’s judgment when a patient is a threat to himself or others.

For more detail see the OCR guidance on Sharing Mental Health Information.  Remember to check state law for any restrictions on sharing.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.


T is for Technical Safeguards

Technical safeguards are important due to technology advancements in the health care industry. Healthcare organizations are faced with the challenge of protecting electronic protected health information (EPHI), such as electronic health records, from various internal and external risks.

Covered Entity Must Comply

It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “The Security Rule”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  It is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified.

Implementing “The Rule”

The Rule allows a covered entity to use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications.  A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Read more about Technical Safeguards


P is for Penalties

Our HIPAA ABC is “P is for Penalties.”

The Department of Health and Human Services published a notice on April 30th stating that it is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum $1.5 million for each level of violation. This is a reduction in the maximum limit, scaled down based on the level of culpability. HHS will use the new penalty structure until further notice.

The Four Categories

The new limits are based on four categories of culpability:

  1. No knowledge: the minimum penalty is now $100, and the annual limit is $25,000, down from $1.5 million.
  2. Reasonable cause: $1,000 is the minimum, with a $100,000 annual limit, down from $1.5 million.
  3. Willful neglect with correction: $10,000 minimum, with a $250,000 annual limit.
  4. Willful neglect without correction (the highest category): $50,000 minimum, with an annual limit of $1,500,000.

To read this important Notice visit the Federal Register using the link below.

R is for Reasonable Safeguards

Protecting PHI

Reasonable Safeguards are precautions that a prudent person should take to prevent a disclosure of PHI. These must be applied to protect all forms of PHI: verbal, paper, and electronic.  They help prevent unauthorized uses or disclosures of PHI.

Verbal PHI

Reasonable Safeguards must be applied to all of your verbal disclosures of PHI. When you are working with a patient, first determine who is with the patient before discussing PHI.  Do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure, or ask the other persons to leave the room, giving the patient an opportunity to object.

Prevent Violations

The use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred which is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.

E is for Encryption

Computers & Data Breaches
Safeguarding ePHI

HIPAA Security Rule

The HIPAA Security Rule allows the transmission of electronic PHI (ePHI) as long as it is safeguarded. It is up to the healthcare provider to decide on the use of encryption based on the results of its risk assessment.

The encryption standard is confusing because it is defined as an addressable requirement, which should be implemented if it is a reasonable and appropriate safeguard for the protection of ePHI.

No Specific Requirements

When the Security Rule was enacted, it was recognized that, due to rapid advances in technology, it would be very difficult to maintain guidelines that would need to change regularly. For this reason, HHS chose not to require specific safeguards that could soon become outdated.

Alternative to Encryption

Based on its security risk assessment, a health care provider may determine that encryption isn’t reasonable and appropriate and implement an alternative measure to protect ePHI, or it may decide to do neither and determine that the standard is otherwise met.  In every case the provider should document its reasons for its decision.

D is for Disclosures


Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances PHI disclosure to law enforcement is permissible.

HIPAA permits disclosures to law enforcement in certain situations. It is always okay when there is a signed authorization from the patient or their legal representative.

When to Respond

Disclosures are permitted when required by law, for example to respond to subpoenas and court orders when specific requirements are met.  Disclosures are also permitted for the investigation of a crime, to locate a missing person, and to prevent serious threats to public health and safety.  State law may require reporting of child and adult abuse and neglect, and of certain injuries and diseases.

State Law

Besides considering the federal HIPAA law, review state law as well, because it may be more protective than HIPAA; in that case, state law is followed.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.  Follow us on Facebook and Twitter.


C is for Complaints

Mary Lopez presents HIPAA ABCs

Today’s letter is C, “C is for Complaints.”


A covered entity must have a procedure for individuals to file a complaint regarding its privacy practices or for an alleged violation of the Privacy Rule. The Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.

Privacy Officer

The privacy officer or designee investigates all complaints involving privacy of protected health information and should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.

On behalf of the covered entity, the Privacy Officer responds to inquiries initiated by the Office for Civil Rights as it investigates complaints.

No Retaliation

Under the HIPAA Rules there is to be no retaliation for making a privacy complaint.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic.  Follow us on Facebook and Twitter.



B is for Breaches

Today’s letter is B

B is for Breaches.  A breach is an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security.  An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate there is a low probability that the PHI has been compromised, based on a risk assessment of the following:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Paper Breaches

Examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person.

Electronic Breaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document sharing internet site.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if it is overheard when safeguards are not used.

For more information about breaches or about HIPAA please contact us.  Follow us on Facebook or Twitter.

S is for Social Media


Benefits of Social Media

Social media offers many benefits for health care organizations because it allows interaction with patients and others and offers education and services.  It is an essential communication and marketing tool and part of strategic marketing plans.  In their role as employer, organizations also turn to social media to communicate with their employees.

Authorization to use PHI

However, it is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly.  It is important for health care organizations to disclose protected health information (PHI) for interviews, photographs and marketing communications only with patient authorization.

The Risk of Social Media

Employee posts containing PHI violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts aren’t a permissible use or disclosure of PHI.   The ability to post simultaneously on several platforms increases the risk for an organization. Remember that in order to de-identify PHI, all 18 identifiers must be removed and there must be a low risk that the remaining information could be used to identify the patient. This includes removal of facial images and other identifiers such as tattoos.

Preventing Risk

To prevent this risk, employees should be trained on the dangers of using social media inappropriately from the very onset of their employment.  Many organizations deal with the issue through development of a social media use policy and monitoring of social media activity.

P is for Permitted Uses and Disclosures

HIPAA in the work place

Key Disclosures

A covered entity may use and disclose PHI for a number of different purposes while staying within HIPAA’s permitted uses and disclosures.  It is always permitted to use and disclose PHI for treatment, payment and health care operations.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI.  For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically and must be in a manner that is compliant with the Security Rule.

Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination.  This activity didn’t exist when HIPAA was written; it is now required by CMS and is part of a treatment plan.  A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.