This material is copyrighted. Except for your own private use, you may not copy or reproduce it in any way without express permission from Cascadia Training.
CD containing HIPAA & HITECH Policies, Procedures & Forms for Health Care Professionals
Presented and developed by Marvin Eidinger, Jr., PhD, JD and Robert Smith, Attorney-at-Law
On March 26, 2013 federal regulations related to the practice of mental health professionals changed. The regulations that enforce HIPAA (45 CFR Parts 160, 162 & 164) and HITECH (42 CFR Parts 412, 413, 422 & 495) were enhanced to tighten the responsibilities each of us has related to our clients' protected health information (PHI). Together, HIPAA & HITECH address PHI on paper and PHI stored and transmitted by computers.
Enforcement of the regulations for HIPAA & HITECH changed, too. The Office fo Civil Rights for the Department of Health and Human Services (OCR) must investigate credible accusations of violations of HIPAA and/or HITECH. Before, OCR was investigating large hospitals with thousands upon thousands of records; now, they are investigating the smallest agencies, clinics, companies and sole practitioners. The fines for violations have changed. Formerly the maximum fine was $25,000. The maximum fine for a HIPAA violation is now $150,000.
The Hospice of Northern Idaho agreed to pay a fine of $50,000 to settle a recent OCR investigation. Idaho State University agreed to pay $400,000 for violations within a clinic.
Common to those settlements were admissions or evidence related to the following violations:
- Failure to have written policies and procedures outlining protections for PHI in their possession;
- Failure to train workforce members on those policies and procedures; and
- Failure to secure computing systems and Internet transmissions that contained PHI.
A focused effort by Attorney Robert "Bob" E. Smith, a member of Advocates Law Group, PLLC, and Marvin W. Eidinger, Jr., PhD, JD, a psychologist and attorney, resulted in a CD containing a complete set of Policies and Procedures that satifsy the HIPAA and HITECH requirements. Additionally, the CD contains 20+ forms that meet new federal and state requirements.
Some of the forms are fixed in content and structure; e.g., the Notice of Privacy practices and Authorization for Release of Protected Health Information. Some of the forms are examples; e.g., disclosure form that the state requires each therapist provide clients prior to their first meeting and an example Business Associate Contract that satisfies the requirement for you to have a written contract with those who have access to your clients' PHI.
The cost of the CD is $310. The CD is designed for sole practitioners. The files are PDF files that work will with Apple and Microsoft operatiing systems. The copyright allows the purchaser to make as many copies of the files as necessary, both in print and electronic form, as well as store the files on more than one computer to support their own professional use. The original purchaser may not give the CD or any file contained on the CD in any form to another person or make the files available in any way without receiving a signed licensing agreement by the copyright holders.
Cascadia Training provides training related to the new regulations. The training provides leaders, therapists, attorneys, billing support organizations, and other health care providers an overview of what needs to be done to become HIPAA and HITECH compliant. There is a $25 discount on the CD if it is purchased before or on the day of attending the course.
The changes to the regulations require OCR to consider good faith efforts by the health care provider before they consider a fine. Use of these documents and attending training demonstrates a good faith effort to comply with the law.
Many of the regulations are new. They have not been elucidated by the court of law. The fines paid so far are not the result of trials; rather they were settlements to avoid trial and potentially much larger fines. Accepted interpretations of the regulations may evolve and change and, thus, the CD and the files it contains may need updating over the next several years.
Fully utilizing the CD as directed demonstrates good faith to adhere to the law.
Besides the Policies and Procedures, the forms contained on the CD are:
- Notice of Privacy Practices
- Acknowledgement of receiving Notice of Privacy and health care provider disclosure form
- Authorization for the use or disclosure of protected health care information
- Revocation of authorization for the use or disclosure of protected health information
- Response to request for restrictions on the use or disclosure of protected health information
- Request for confidential communications
- Termination of restrictions for the use or disclosure of protected health information
- Request for an accounting of disclosures of protected health information
- Information is needed to respond to request to change or amend protected health information
- Response to requested change or amendment to protected health information
- Risk Assessment & Audit Protocol
- Accounting of disclosure of protected health information
- Completion of the disclosure of protected health information
- Time needed to respond to request for access to inspect or copy health care record
- Reason for denial of access to inspect or copy health care record (potentially harmful to patient)
- Time needed to respond to request to change or amend health care record
- Risk Assessment Protocol for Business Associates
- Business Assocate Contract
- Request for access to inspect or copy health care record
- Response to request for access to inspect or copy health care record
- Reason for denial of access to inspect or copy health care record
- Request to change or amend protected health care information
Marvin W. Eidinger, Jr., PhD, JD
Marvin W. Eidinger, Jr. is a licensed psychologist and attorney. He completed his undergraduate work at the University of Washington and his doctorate in Counseling Psychology at Washington State University. His dissertation addressed the existence of the Criminal Personality. Dr. Eidinger has been a practicing psychologist since 1982 in clinics, hospitals and as a sole practitioner either full-time or part-time.
Dr. Eidinger wrote and produced the world's first scoring and analyses microcomputer program for the MMPI. The technology was utilized by the California Institute of Technology for more than a decade in their counseling center. He also worked for Rockwell International and The Boeing Company in fields of Human Resources, Ethics, Employee Surveys and Information Technology.
Dr. Eidinger completed his Juris Doctorate at Seattle University and became a member of the Washington State Bar in 2002. Since that time, he has practiced family law as well as advocated for professionals in the field of mental health. He is a certified mediator and collaborative attorney. His law firm, Marvin W. Eidinger, Jr., PLLC focuses on helping small agencies and individual practitioners address HIPAA requirements.
Robert E. Smith, Attorney-at-Law
Robert E. Smith is a Member of the law firm Advocates Law Group, PLLC. He received two degrees from the University of Washington, an undergraduate degree in Psychology and a graduate law degree. The entirety of this professional career has been spent in the greater Seattle area.
Mr. Smith began his career by representing a specialty hospital and its various programs. From that time to the present, he has gradually but continually expanded the legal services he provides to an increasing number of health care providers and agencies. Many of his health care clients are providers of behavioral health care services.
Mr. Smith is a presenter at seminars for continuing education credits for attorneys and for various groups of DOH licensed health care providers. His trainings frequently include the privacy and security issues of HIPAA, 42 DFR Part 2, and the Uniform Healthcare Information Act. He is available for in-house presentations to specific audiences.
His practice also includes general business law, estate administration and estate planning.