Advocates for ethical mental health care

Frequently Asked Questions: HIPAA Privacy Standards

November 2003
Prepared by Laura Groshong, WSCMHPC Lobbyist

Here are some of the most frequently asked questions about the new Federal HIPAA privacy standards affecting medical records and psychotherapy notes.

1. Generally what do the HIPAA Privacy Standards require clinicians to do?
Clinicians who meet the definition of a "covered entity" under the Privacy Standards (see below) must 1) Notify patients of their privacy rights with the Notice of Privacy Practices (NPP); 2) Develop privacy policies; 3) Designate a Privacy Officer; 4) Keep all records, paper and electronic, secured, i.e., locked file cabinets and password-protected and/or encrypted computers; 5) Develop Authorization Forms and Business Associate Agreements.

2. Which clinicians must become HIPAA compliant?
All clinicians who send health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA are “covered entities” (see below). If a clinician is not sending information electronically, he or she technically is not a covered entity under HIPAA. However, it is advisable for all clinicians to become familiar with the HIPAA Privacy Standards as they are likely to become the basis for standard practice in all areas of confidentiality in practice.

3. When do clinicians need to comply with the Privacy Standards?
The compliance deadline under the Privacy Standards for health care providers was April 14, 2003. The two other components of HIPAA, the Security Standards and the Transaction and Code Set Standards, have separate deadlines. For clinicians who filed for an extension under the Transaction and Code Set Standards, the deadline for compliance is October 16, 2003; otherwise, the deadline for compliance was October 16, 2002. The deadline for compliance with the recently finalized Security Standards is February of 2005.

4. What is a “covered entity”?
A covered entity is defined under the Privacy Standards as any health plan, health care clearinghouse, or health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. In practice, most clinicians who bill insurance electronically are covered entities. For help in determining whether you are a covered entity, see the decision tool at:

5. What is Protected Health Information (PHI)?
Protected Health Information (PHI) is health information that is identifiable to a specific individual and that is maintained or transmitted by a covered entity in any form, whether in oral, paper, or electronic form.

6. What are “covered transactions”?
A covered transaction is any computer-to-computer transmission of healthcare claims, payment and remittance, benefit information, or health plan eligibility information. The covered transactions most commonly used by clinicians include Health Care Claims (request for reimbursement by a provider to a health plan for health care services); Eligibility for Treatment (request for information by a provider to a health plan about eligibility, coverage limits, and/or benefits in a health plan for a client or potential client); Authorization for Treatment (request made to a health plan for authorization of mental health treatment by a mental health provider); and Health Care Claims Status (request by a mental health provider to a health care plan).

7. When may PHI be disclosed without an Authorization form signed by the patient?
PHI may be disclosed without a separate Authorization form being signed by the patient when the information being released has already been approved by the initial Authorization form signed by the patient. This generally includes information about treatment, payment, and health care operations (TPO).

8. What does “minimum necessary” mean in disclosing PHI?
“Minimum necessary” is a description of the principle behind all disclosures of PHI, except for those made between health care providers for treatment purposes. This means that the information disclosed is the “minimum necessary” for the specific disclosure, i.e., information being disclosed for payment purposes does not require information about the treatment progress. The major exception to the “minimum necessary” principle is when the treatment itself is being discussed, i.e., in supervision or consultation.

9. What is a “Business Associate”?
A Business Associate is a person or entity that performs certain functions or activities, on behalf of a covered entity, that involve the disclosure of PHI. Examples of Business Associates are a third-party administrator, an accountant, or a secretary who transcribes information for TPO purposes.

10. What is the “Notice of Privacy Practices” (NPP)?
The Notice of Privacy Practices informs a patient about the privacy practices of the clinician. The NPP must include information about how the clinician may disclose PHI about the patient; the rights of the patient to have access to the record; who is responsible for the development and implementation of the NPP; and the right of the patient to correct the record, among other information. The patient must sign the NPP at the first date of service except in emergency situations.


Washington State Coalition of Mental Health Professionals & Consumers
Mailing Address: P.O. Box 30087, Seattle, WA 98113    Phone: 206-444-4304