The New HIPAA-cratic Oath for Healthcare Professionals
by Patrick B. Kavanaugh, Ph.D.
(The American College of Physicians and Surgeons has published an analysis of HIPAA and its privacy provisions for public discussion and debate. This article relies on its analysis and background information and, additionally, the information presented at the Academy’s May 10th Board meeting. The following information may not be construed as legal advice. As with any legal issues, it would be wise to consult with an attorney who specializes in healthcare and HIPAA.)
Passed in Congress with broad bipartisan support, the privacy rules of the Health Insurance Portabiltity and Accountability Act of 1996 (HIPAA) went into effect this past April 14th for most covered entities. And the American Association of Physicians and Surgeons (AAPS), among other groups, went to court to protest HIPAA and the privacy provisions developed by the Department of Health and Human Services (HHS). In letters sent to the HHS secretary, the AAPS wrote on March 15th,
“In a nutshell, we object to the way the rule gives greater rights of access to the government than to the patient himself ... There is no justification for permitting public health surveillance and dissemination of personal medical records.”
and on March 26th, the AAPS warned the HHS secretary that the regulations,
“...would have unintended consequences: the worst would be to enable if not guarantee wholesale invasions of privacy. We fully support the effort in Congress to repeal this work of the previous administration.”
The American Association of Physician and Surgeons
Don’t the HIPAA privacy provisions protect patient privacy? In practice, the permitted uses and disclosures of patient information under HIPAA are anything the government authorizes ---without patient authorization . The Institute for Health Freedom, a nonpartisan think tank in Washington D.C. that analyzes health issues, has made known its grave concerns about the HIPAA privacy provisions. After studying the 1,200-page regulation, president Sue Blevins said,
“The rule does not provide true medical privacy. Rather it actually weakens individuals’ ability to restrict access to their medical records."
Since its inception, members of the Academy have shared the common goal of ensuring that the privacy and autonomy necessary for psychoanalytic practice are solidly protected. And with the new HIPAA requirements, it appears that they are not. The Academy’s Board is opposed to the new HIPAA-cratic oath that requires the entry of personal and private information into a nationwide computer data base where it can be accessed by dozens of government agencies, thousands of bureaucrats, pharmaceutical corporations, private insurance companies, police agencies, foreign government officials, and others....without the person’s consent. According to the AAPS’s analysis of HIPAA, this is what happens to information in the HIPAA system. Further, this sharing of records and information can take place for purposes that include: reporting abuse, health oversight activities, law enforcement, judicial and administrative proceedings, organ procurement, military and intelligence functions, workers compensation, healthcare research projects, marketing health-related products and services, and providing the data base for fund raising for health-related projects. There is something quite disturbing about this new HIPAA-cratic oath: with the enactment of HIPAA, there has been a radical and dramatic shift in the nature of the relationship between government, professional associations, and the citizenry.
HIPAA-crates: The Father of 21st Century Medicine
In many respects, our technocratic system has become the father of medicine in the 21st century. And HIPAA’s rules and regulations speak his technocratic rationality. The industrialization and de-professionalization of the health care professions continue as the healthcare reformation redefines our professional standards from within this rationality. In psychology, recent years have witnessed standards developed for: continuing education (mandatory CE), analytic education and training (national healthcare accreditation standards), and practice (HIPAA) and care (duties to report, warn, and medicate). More and more our professional associations turn to government to validate ourselves (licensing laws), our bodies of knowledge (national healthcare accreditation standards and licensing exams), and our scientific view of people (DSM-IV). Regulations regulate; standards standardize; and, institutions institutionalize. Apparently, it now takes a village of educrats, bureaucrats, governmental agencies, and professional associations to mandate and monitor matters of privacy and confidentiality.
During the past several years, HIPAA-related information and questions have been presented to the psychological community through the American Psychological Association’s (APA) Monitor, the American Professional Agency’s Insight, and through seminars and workshops by state psychological associations. For example: Are you aware of the requirements mental health professionals must meet to be HIPAA-compliant with the recent changes in privacy rules and patient consent? ... the new liability risks posed for psychologists by the HIPAA privacy regulations? ...what the state or federal penalties might be if the proper forms are not kept or the wrong information is released? Or, ... how forgiving the HHS might be if you are not HIPAA-compliant and violations inadvertently occur? Considerable time, money, and effort have been spent by our professional associations on the question of becoming HIPAA-compliant; it seems that very little of these resources has been spent on critically assessing HIPAA’s impact on the practice and profession of psychology. Is the state psychological association planning to survey the psychological community to determine its impact in Michigan? Is there any opposition to the HIPAA privacy rules by our national or state associations? Is the APA -or Division 39 - planning to file an amicus in support of the AAPS’s current legal challenge to HIPAA’s privacy provisions? It might make it easier for people to consider APA’s slogan to “Talk to Someone Who Cares” if their personal and private information stays in the consulting room unless (s)he specifically authorizes its release. Is it not HIPAA-critical to do otherwise?
HIPAA-cratic Language: Covered or Non-covered Entity
Is there a HIPAA-potamus in the middle of psychology’s living room that no one is talking about? The HIPAA is talked about in terms of how to be compliant as a covered entity...... but what about the potamus? ... the option of being a non-covered entity. Submerged in the murky waters of 1,200 pages of federal regulations is a river horse (HIPAA potamios) question that generates much confusion in the healthcare community: What is a covered v. non-covered entity in the HIPAA system? One of the observations made in the AAPS’s analysis of HIPAA is that most consultants, seminar producers, and lawyers are neglecting to advise physicians of the option of being a non-covered entity under HIPAA. And unfortunately, this seems to hold true in the psychological community as well.
Last month, the Academy’s Board invited Ms. Karen Grotberg, J.D. and Mr. Lawrence Jordan, J.D. to speak with us about HIPAA and its privacy provisions. Ms. Grotberg is quite knowledgeable about HIPAA’s rules and regulations as she specializes in employee benefits, including healthcare related plans. She represents clients before governmental agencies (such as the IRS and Department of Labor) and has counseled a wide variety of employers from Fortune 500 corporations to sole proprietors, not-for-profit organizations, and both public and private entities. Mr. Jordan specializes in intellectual property rights, e.g., the legal protection of creative ideas via copyright and trademarks. He represents artists, poets, musicians, authors, and inventors. He has been involved with the Academy since its early beginnings.
The morning was spent discussing the current legal challenges to HIPAA, HIPAA’s privacy provisions, and other practice-related issues. For the most part, however, our discussion centered on the question: Who is a covered v. non-covered entity ? HIPAA privacy rules apply only to covered entities; they do not apply to non-covered entities. According to the Administrative Simplification standards adopted by HHS under HIPAA, a covered entity is: 1) a healthcare provider that conducts certain transactions in electronic form, 2) a healthcare clearinghouse, or 3) a health plan. A psychologist is a covered entity only if (s)he electronically transmits protected health information on or after April 14, 2003. If the psychologist does not engage in the electronic transactions described in HIPAA’s privacy rules (and assuming that the psychologist does not also operate a clearinghouse enterprise), the psychologist is not a covered entity. This means that the psychologist has the ability to control her/his destiny under HIPAA. It should be noted, however, that a psychologist who is a member of a practice group rather than a sole practitioner could get drawn into HIPAA by virtue of the practice group’s billing or other practices involving electronic transmission of data. By engaging in electronic transmission of protected health information, a psychologist voluntarily relinquishes non-covered entity status and becomes a covered entity under HIPAA.
Thus, as a psychologist you are not a HIPAA covered entity if the following conditions are met: 1) no protected health information is transmitted electronically outside your office; 2) the records you maintain are all paper or you keep them in a computer (a word of caution: be aware that if you fax data outside your office via computer -- as opposed to faxing the traditional way with hard-copy paper -- you will be considered to have electronically transmitted data); and 3) you file no claims or do any billing via electronic transmittal, and you do engage a billing service or clearinghouse to file claims on your behalf - (including private and Medicare claims. Additionally, you should be aware that if you are or become a “business associate” of another party who is a covered entity, and protected health information is in any form is exchanged, you will be required to comply with certain of HIPAA’s privacy rules. There are no affirmative steps or declarations necessary for a non-covered entity to identify him-/herself as a non-covered entity. Those who are non-covered entities have the increasingly unique opportunity to inform people that you are an advocate for their privacy. As a non-covered entity, you are not required to make disclosures that HIPAA otherwise mandates. Personal information can remain private and confidential outside the HIPAA system (keep in mind that HIPAA not only permits certain disclosure of protected health information, it also requires disclosure in some circumstances).
There was a second closely related question considered at the Board meeting: If a provider steps into HIPAA by virtue of electronic billing, will (s)he always be a covered entity for HIPAA purposes even if he/she reverts back to paper billing? It is Ms. Grotberg’s opinion that the provider would cease to be a covered entity if (s)he reverts back to paper billing -- assuming the provider is not required to bill Medicare electronically and, of course, provided that there is no electronic transmission of protected health information for other purposes. However, Ms. Grotberg cautioned that the provider would likely remain subject to HIPAA’s privacy requirements with respect to protected health information acquired, created, used, or disclosed during the period when the provider was a HIPAA covered entity.
The Center for Medicare and Medicaid Services (CMS) confirms this conclusion: CMS indicates that health care providers who do not cease electronic transactions by April 14, 2003, are required to comply with HIPAA privacy rules but that such providers could revert to conducting solely paper transactions. Doing so, however, would delay receipt of Medicare payments for those providers who submit bills to Medicare. CMS goes on to say that unless such providers fall within the "small provider" exception or another exception to Medicare electronic billing rules, the providers will have to bill Medicare electronically no later than October 16th of this year and will thereby become a HIPAA covered entity. Effective October 16, 2003, Medicare’s electronic billing rules will generally require health care providers who have 10 or more employees and who bill Medicare to submit billing information electronically. Thus, a provider who bills Medicare and who employs at least 10 employees will not be able to avoid becoming a HIPAA covered entity.
Ms. Grotberg’s opinion is that the provider in question is not subject to HIPAA during the period of time when (s)he reverts to paper billing before having to resume electronic billing for Medicare compliance purposes. Any uses and disclosure of protected health information obtained or created during the period of time when the provider was a covered entity would continue to be subject to HIPAA's privacy rules. Thus, any protected health information gathered or created during a period when a provider is a covered entity should only be used or disclosed as permitted or required by the privacy rules. Government agency overseers will likely maintain that all applicable HIPAA privacy requirements must be met during any period of time when a provider is a covered entity. Ms. Grotberg’s additional research following the Board meeting confirmed the foregoing interpretation of covered entity status. The Board learned that the opportunity is still there for those who choose to practice outside of HIPAA-cratic parameters, which led to the last major topic considered at the Board meeting: the question of the Academy’s principles and guidelines for the practice of psychoanalytic psychology.
On the Question of Principles and Guidelines
Since its founding in 1995, members of the Academy have been involved in articulating those principles and guidelines that support psychoanalytic practices, theories, education, and ethics that are consistent with the study of the psychoanalytic arts. It is through the practice of the psychoanalytic arts that such study takes place and such understanding and knowing is achieved. From this study, certain principles or practice guidelines have been advanced that appreciate the uniqueness of the individual, celebrate the mystery of human being-ness, and respect the drama of the lived experiences of everyday life. Like-minded individuals derive support and legitimacy in the practice of psychoanalytic psychology by joining together, articulating their shared principles and practices, and advancing those guidelines in the professional community. And other groups are involved in a similar process. The Division of Humanistic Psychology (32), for example, formed a task force and developed Recommended Principles and Practices For The Provision of Humanistic Psychosocial Services: Alternative to Mandated Practice and Treatment Guidelines, an earlier version of which was published in The Humanistic Psychologist (vol. 24, Spring 1997, 64-107). Their document explicitly states the principles under which humanistic psychologists practice and offer psychological services. And, they explicitly speak to their own community of practice and distinctive views of human nature, science, research methodology, and psychotherapy. In the coming years, the Academy plans to continue its project of articulating the epistemology and the standards of practice, ethics, and education that are rooted in philosophy, the humanities, and the arts and are consistent with the study of the psychoanalytic arts. ........ Carpe Diem
(Dr. Kavanaugh is the current past president of the Academy. He is in private practice in Farmington Hills. Ms. Grotberg (Detroit) and Mr. Jordan (Ann Arbor) are with the law firm of Jaffe, Raitt, Heuer & Weiss, P.C.)
Dr. Kavanaugh received his doctorate in philosophy (psychology) from the University of Windsor in Ontario, Canada. Since the completion of his doctoral studies, he has been active in the academic, organizational, and practice areas of the psychoanalytic-psychological community. In the academic area, he has served as Director of Clinical Training and member of the core teaching and supervisory faculty in the doctoral program in psychoanalytic psychology at the University of Detroit; as a member of the teaching and supervisory faculty in the Program for Advanced Studies in Psychoanalysis in Wyandotte, Michigan, an interdisciplinary program for the study of the analytic discourse; and, as a member of the teaching and supervisory faculty in the pre-and post doctoral educational programs at the Detroit Psychiatric Institute, the Wyandotte General Hospital, and the V.A. Medical Center in Detroit. In the organizational area, he is the founding and current president of the Academy for the Study of the Psychoanalytic Arts; past president of the International Federation for Psychoanalytic Education; the Michigan Psychological Association, and the Michigan Society of Clinical Psychologists. In the practice area, many of his professional interests during the past 35 years are directly related to experiences in the discourses of various residential treatment facilities.
Dr. Kavanaugh is a recipient of The Distinguished Psychologist Award from the Michigan Psychological Association and the Master Lecturer Award from the doctoral students at the University of Detroit.
Currently Dr. Kavanaugh is in the private practice of psychoanalysis in Farmington Hills, Michigan:
Office: 31805 Middlebelt, Suite #305
Farmington Hills, Michigan, USA 48334
Phone: (248) 626-6460
Fax: (248) 626-4808