Does HIPAA Apply to Therapists?

HIPAA applies to therapists if they qualify as a HIPAA covered entity or if they work for a practice or healthcare organization that qualifies as a HIPAA covered entity. How HIPAA applies to therapists varies depending on the therapist’s HIPAA status and any state privacy regulations that preempt HIPAA.

There is no “yes” or “no” answer to whether HIPAA applies to therapists because there are many different types of therapists. Some therapists may not qualify as a HIPAA healthcare provider due to the nature of the services they provide, some may not qualify as a HIPAA covered entity because of the way in which their services are provided, and others are exempted.

When is a Therapist a HIPAA Covered Therapist?

A therapist is a HIPAA covered therapist when they own, work for, or are contracted to a practice or healthcare organization that meets the definition of a HIPAA healthcare provider, that conducts (or subcontracts) HIPAA covered transactions electronically, and that is not exempted from being a HIPAA covered entity due to an exception in the HIPAA Regulations.

For example, a licensed psychology practice that accepts members of the public covered by health insurance as patients, and that processes insurance transactions electronically, qualifies as a HIPAA covered entity. In this scenario, HIPAA applies to all members of the practice’s workforce including non-medical staff such as receptionists and cleaners.

However, if the practice only accepts cash clients, doesn’t conduct HIPAA covered transactions, or doesn’t conduct them electronically, HIPAA does not apply. In this scenario, state privacy regulations and the practice’s licensing requirements will most likely determine which standards apply to the privacy of individually identifiable health information.

Therapists that do not meet the definition of a HIPAA healthcare provider (e.g., unlicensed life coaches) and therapists that work exclusively in publicly funded schools are exempted from HIPAA. In the first instance, state privacy regulations will most likely apply, while in the second instance, students’ medical records are protected by the Family Educational Rights and Privacy Act (FERPA).

How Does HIPAA Apply to Therapists?

When a practice or healthcare organization qualifies as a HIPAA covered entity, how HIPAA applies to therapists is determined by the therapist’s role in the practice or organization. If a therapist is a sole practitioner, they are responsible for complying with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations.

In such circumstances, the sole practitioner is responsible for identifying which standards apply to the practice, implementing safeguards to ensure the privacy and confidentiality of Protected Health Information (PHI), developing HIPAA policies and procedures, and managing Business Associate Agreements with business partners to whom PHI is disclosed.

HIPAA applies to therapists that work for the practice or organization – either as an employed or contracted member of the workforce – depending on the HIPAA policies and practices developed by the organization’s HIPAA Privacy and Security Officers. Workforce members are also required to comply with the HIPAA Privacy Rule by default (see §164.530(e)).

If an independent therapist that does not qualify as a HIPAA covered entity provides a therapy service on behalf of the covered practice as a business associate, they are required to comply with the HIPAA Security and Breach Notification Rules on their premises, as well as all applicable Privacy Rule standards stipulated in the Business Associate Agreement.

Other Regulations Therapists Must be Aware Of

In addition to understanding when HIPAA applies to therapists, therapists also need to be aware of other regulations that might apply to their activities. These include the regulations relating to the confidentiality of SUD patient records (42 CFR Part 2), the Americans with Disabilities Act (ADA), and the Mental Health Parity and Addiction Equity Act (MHPAEA).

Many states also have healthcare privacy regulations. Some, but not all, exempt HIPAA covered entities, while others (e.g., Texas and New York) have more stringent privacy protections than HIPAA. Most states also have breach notification requirements that do not exempt HIPAA covered entities, while forty-six states have mandatory child abuse reporting requirements.

Therapists requiring further information about when HIPAA applies to therapists and how HIPAA applies to therapists in different roles are advised to speak with their state licensing authority. Members of the public and therapy students requiring further information are advised to review the resources published by the Department of Health and Human Services.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter (https://x.com/JamesKeoghHIPAA) and contact James on LinkedIn (https://www.linkedin.com/in/james-keogh-89023681).