Should HIPAA matter to clinicians who aren’t covered under HIPAA?

If you aren’t a “covered entity” (the term HIPAA uses to identify healthcare providers under its authority), do you need to care what HIPAA says? In these situations, is HIPAA irrelevant? The answer is both “yes” and “no.”

Strictly speaking, clinicians who aren’t covered entities don’t need to be concerned with HIPAA (or with all of the things they would need to do to become compliant). Over the last five years, the mad dash to become HIPAA compliant has resulted in hysteria about all that is required. There is some basis for anxiety, but the realities of HIPAA compliance and enforcement aren’t so bad.

As stated above, non-HIPAA clinicians don’t need to be HIPAA compliant. That said, it shouldn’t be entirely outside the sphere of awareness for these clinicians. The reason for this is that HIPAA may be shifting the standard of care. Because of this, clinicians shouldn’t be entirely ignorant of HIPAA requirements.

The “standard of care” is the standard by which licensed health professionals are measured under the law. Different disciplines have different standards. Thus, there are somewhat different (though similar) standards of care for psychologists, social workers, psychiatrists, LPCs, and MFTs. Under the law, licensed clinicians have a duty to maintain the standard of care. In a nutshell, the standard of care is the set of responsibilities commonly exercised by similar professionals who are members in good standing of their profession. This is all a bit circular, but upon reflection it makes sense. Put another way: the professional responsibilities of mental health professionals are to do pretty much what everyone else does. It is a bit like an “average” of what most clinicians do. You can do things better than everyone else, but you can’t run your practice much worse than most other people; don’t fall too far below “average.”

Problems with the standard of care play out differently in different arenas. In a malpractice case, for example, a plaintiff must establish four central elements: (1) that there was a duty; (2) that the duty was breached; (3) that there were damages; and (4) that the breach of the duty caused the damages.

In a licensure action, however, a board only needs to show that the standard of care (a duty) was breached. A board does not need to show damages, only that there was a departure from the standard of care.

What does this have to do with HIPAA? Well, if most practitioners maintain a level of security for their patients’ confidential information that is at least as stringent as HIPAA, the standard of care shifts; the “average” creeps toward HIPAA. In this way HIPAA affects all practitioners because it influences the standard of care.

It is certainly true that HIPAA is not the most stringent of standards when it comes to protecting patient confidentiality. In fact, in many ways California law protects patient privacy more than HIPAA. In these situations California law trumps HIPAA. Nevertheless, the gravitational pull of thousands of clinicians abiding by the amalgam of HIPAA and California law shouldn’t be ignored.

The moral of the story is to make sure that you are aware of how most other clinicians in your discipline keep records; if you fall below the “average,” you should consider taking additional steps.

So maybe HIPAA isn’t so irrelevant after all?

IMPORTANT: This website is for basic information only. Nothing in this website should be construed to be formal legal advice, nor does it create an attorney-client relationship. Please see the “Important Information” page at the top of the screen.


