HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing Protected Health Information based on their professional judgement.
Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the workforce on the policies and procedures with respect to Protected Health Information required by [the Privacy Rule] and [the Breach Notification Rule] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.
However, the provision of training on policies and procedures with respect to Protected Health Information (PHI) may not be sufficient for mental health professionals to carry out their functions compliantly. Depending on the services provided – and how they are provided – mental health professionals may need to know the answers to questions not normally asked of other healthcare professionals. For example:
- May mental health professionals provide therapy to patients in a group setting where other patients and family members are present?
- Can a mental health professional refer a homeless patient to a social services agency when doing so may reveal that the basis for eligibility is related to mental health?
- When does HIPAA allow a mental health professional to notify an individual’s family that a patient has overdosed, e.g., because of opioid abuse?
- When does HIPAA allow a mental health professional to notify an individual’s family that a patient has been admitted for an involuntary psychiatric hold?
- How does HIPAA interact with the Part 2 rules for disclosing information about substance use disorder treatment in an emergency?
The answers to all these questions are “circumstance-specific” inasmuch as a patient may consent to PHI being disclosed if they are able to, or the decision to disclose – or withhold – PHI could be made by a personal representative or a mental health professional. It is for this reason that HIPAA training should be more thorough for mental health professionals than for other health care professionals.
What Should HIPAA Training for Mental Health Professionals Consist Of?
All healthcare professionals should receive basic HIPAA training on topics such as what PHI is, when it can be used or disclosed in compliance with HIPAA, and when the minimum necessary standard applies. Basic HIPAA training of this nature will help workforce members better understand “policy and procedure” training and better connect HIPAA compliance with security awareness training.
With regard to policy and procedure HIPAA training for mental health professionals, there is no one-size-fits-all model. This is because mental health professionals may work in diagnosis, therapy, treatment, research, or other roles in the field. However, it may be important for mental health professionals to be trained on the difference between consent, implied consent, attestation, and authorization.
There is also no one-size-fits-all model for security awareness HIPAA training for mental health professionals because security awareness training must be provided in accordance with the HIPAA Security Rule’s General Requirements (§164.306). These require security awareness training to be designed to protect against uses and disclosures of PHI not permitted or required by the HIPAA Privacy Rule.
Is the Provision of Basic HIPAA Training Really Necessary?
Although the provision of basic HIPAA training is not a requirement of HIPAA, by ensuring all members of the workforce have a minimum level of HIPAA knowledge, HIPAA covered entities and business associates can focus on policy and procedure training and security awareness training without having to ensure that the terminologies and expressions used in the training are understood.
In addition, basic HIPAA training often covers subjects such as why healthcare data is targeted by cybercriminals, how stolen healthcare data is monetized, and the consequences of HIPAA violations and data breaches (i.e., operational disruptions, medical identity theft, etc.). Including these subjects in HIPAA training can make workforce members take more care when using or disclosing PHI.
To reduce the burden of providing more than the minimum required HIPAA training for mental health professionals, HIPAA covered entities can subscribe workforce members to online HIPAA training courses. Online HIPAA training courses can be completed remotely as time allows and often award a certificate of completion when a workforce member passes an end-of-course test.
Mental health professionals can also subscribe to an online HIPAA training course independently if they feel their HIPAA knowledge is weak. Ideally, the course should be sufficiently comprehensive to align with the individual’s role, be accredited by a recognized training assessor, and award Continuing Education Units (CEUs) that are recognized by the individual’s licensing body.