
Taking the Necessary Steps
An Interview with a HIPAA-Compliant Practitioner

Dr. Charlie Cooper of Chapel Hill, NC, heads up a multidisciplinary group practice consisting of 28 providers in two cities. His practice is compliant with both the Privacy and Security regulations of the Health Insurance Portability and Accountability Act (HIPAA). Because the process he went through can work for psychologists in a wide range of practices, Good Practice (GP) asked him about what it takes—and why it’s important—to become HIPAA compliant.

Privacy Rule Compliance

GP: What steps have you taken to become compliant with the HIPAA Privacy Rule?

Dr. Cooper: So much of HIPAA compliance depends on context. How one implements the Privacy Rule is conditioned on the size and complexity of one’s practice or institution. Here are some of the steps we took in our practice:

1. We appointed a Privacy Officer (me).

2. We studied the Privacy Rule to understand what we needed to do to become compliant.

3. We prepared Policy and Procedures for the practice.

4. We created a Notice of Privacy Practices to distribute to our patients.

5. We trained clinical and support staff in our policies and procedures.

6. We had contractors who work with our practice sign Business Associate Agreements.

GP: Where did you find the resources you needed?

Dr. Cooper: We looked around for resources and selected the Privacy Rule product that was created by the APA Practice Organization. It provided state-specific templates for all the essential documents we used to articulate policies, inform patients, set up contracts with business associates and record the relevant data that must be maintained in order to demonstrate compliance. The four hours of continuing education credit were an added bonus.

GP: How long did it take to put your Privacy Rule process in place?

Dr. Cooper: In our practice, the process required between 15 and 25 hours of my time as the privacy officer, including

(continued on page 2)

Putting HIPAA into Practice

IN THIS ISSUE
Six Reasons Why HIPAA Matters 4
What Triggers the Need to Comply? 6
Psychotherapy Notes and HIPAA 8
Comparing Privacy and Security Rules 10
National Provider Identifier (NPI) 14
Final Enforcement Rule Takes Effect 16

GOOD PRACTICE TOPICAL EDITION PUTTING HIPAA INTO PRACTICE WINTER 2007

Taking the Necessary Steps (continued from page 1)

staff training. However, in a typical small practice of two to four clinicians with one support staff, I would estimate a much smaller amount of time would initially be required; perhaps eight to 12 hours. For a solo practitioner it would be even less.

Security Rule

GP: What steps did you take to become compliant with the HIPAA Security Rule?

Dr. Cooper: Our efforts toward Security Rule compliance included the following:

1. We designated a Security Officer (again, that honor fell to me).

2. We conducted a risk analysis, identifying risks we needed to abate through administrative, physical and technical measures.

3. Following the risk analysis, we prepared the required documentation of our compliance policies and procedures.

GP: What resources helped you create the documentation necessary for compliance?

Dr. Cooper: We utilized the online compliance workbook from the APA Practice Organization. As with the Privacy Rule resource, the workbook provided templates that simultaneously walked us through a risk analysis and, for each standard and implementation specification, suggested language we could use—and action steps we could take—to address potential risks.

GP: How long did it take you to complete both the risk assessment of your practice and the compliance documentation?

Dr. Cooper: It took 10 to 12 hours. However, I would estimate for a solo or a two- to four-person practice, the time requirement would be far shorter because the compliance process would be less complex due to things such as fewer employees and practice locations.

GP: Which actual Security Rule compliance activities did you implement in your practice?

Dr. Cooper: Interestingly, we found that most implementation standards were already being met within our practice. For example, we had already installed computers with password-protected access controls and thorough backup procedures. We had firewalls and anti-virus protection. We had taken physical measures to assure that protected health information was secured in locked areas. And we already had begun to outline disaster-recovery procedures.

So in our case, the bulk of activities necessary for compliance were focused on documentation and training. As a result, for our practice, becoming compliant involved conducting a formal risk assessment, documenting our solutions to identified risks, creating all necessary policies and procedures and, finally, giving an orientation and training for staff. We had a computer consultant on retainer, so we had him sign a Business Associate Agreement.

After studying the Security Rule, our computer consultant told us, “The good news is that HIPAA’s requirements are largely measures that any business should take to protect data in the first place.”

GP: Do you have any recommendations for psychologists who feel they may need assistance understanding the technical issues involved in the Security Rule?

Dr. Cooper: My nearly blanket recommendation for anyone attempting to comply with the Security Rule is to form a reliable relationship with an information technology expert who can provide assistance in an emergency and is willing to sign the Business Associate Agreement so he or she can work on your computers, PDAs, etc., as needed.

Compliance Issues

GP: What were your biggest challenges in becoming HIPAA compliant, and how did you address them?

Dr. Cooper: The biggest challenge was drafting, updating and maintaining the documentation required by each rule. We dealt with the initial documentation process almost exclusively by using the templates included in the APA Practice Organization’s online products. The long-term challenge will be to update our documents, especially those pertaining to the Security Rule. Because while the Privacy Rule compliance steps remain largely unchanged, Security Rule implementation is continually subject to change as technology renders past solutions obsolete. It has proved difficult, even in a large practice like ours, to exert the oversight and discipline to document all the evolutionary changes that occur—usually technology-driven—such as when we acquire and install new software.

GP: Is it really that important to be HIPAA compliant?

Dr. Cooper: Yes, and there are many reasons for investing in HIPAA compliance. Perhaps most important, in an increasingly technologically sophisticated era, HIPAA rules can be highly protective of our clients. I can give you one example: I had a palm device that contained a small amount of unencoded, client-specific information on it. Neglectfully, I left it behind in a store where I was shopping. While I discovered the loss within five minutes and recovered the PDA immediately, the lesson was pounded in and has stuck indelibly. Now my PDA has automatic data encoding and fingerprint recognition as a password.

Additional reasons for compliance include the fact that many privacy and security decisions often surface suddenly, as when sensitive records are requested or when there is a security breach. To attempt compliance after the horse has jumped the fence could jeopardize not only patients but also one’s practice standing with licensing authorities or in litigation. HIPAA is getting so well-known that it surely will be the basis for legal actions in the future. In my view, it’s important to be HIPAA compliant even for practices that do not transmit electronically, and

(continued on page 7)

Dr. Charlie Cooper

Introducing a New Resource: A Focus on HIPAA Compliance

Dear Practitioner:

This newsletter is the first in a planned series of topical editions of Good Practice from the APA Practice Organization that supplement our annual magazine. This issue focuses on HIPAA compliance and contains information of particular interest to our members.

The federal Health Insurance Portability and Accountability Act (HIPAA) is intended as a major step toward making our health care system more efficient through the use of information technology. But the voluminous rules resulting from this act—the Privacy and Security Rules in particular—have added to the complexity of practice.

Both of these rules are equally important for practitioners, and each requires a separate set of compliance activities. Practitioners have turned to us for guidance to help ensure that they implement HIPAA fully and appropriately.

In this issue, one of our peers describes the steps he took to make his practice compliant with the HIPAA Privacy and Security Rules. You’ll also learn how these two HIPAA rules differ, how psychotherapy notes are afforded heightened privacy protection under HIPAA, how to apply for your National Provider Identifier (NPI), potential penalties for non-compliance with HIPAA, and more.

We at the Practice Organization remain committed to serving you in numerous ways through this and other resources. We hope you’ll keep this newsletter handy and share it with colleagues.

The APA Practice Organization is constantly seeking ways to help members with the challenges and opportunities of practice in the current health care delivery system. As always, we invite your comments and suggestions. Please feel free to call us toll-free at 800-374-2723 or send your email to [email protected].

Sincerely,

Russ Newman, PhD, JD
Executive Director for Professional Practice

P.S. Look for the next issue of Good Practice magazine in the spring of 2007.

QUESTIONS ABOUT HIPAA?

Staff for the APA Practice Organization are available to help members with questions about HIPAA. Contact us toll-free at 800-374-2723 or send an email to [email protected].

This newsletter contains information about HIPAA compliance of particular interest to practicing psychologists. Learn more at APApractice.org.


Six Reasons Why HIPAA Matters

Have you ever wondered if HIPAA compliance is really vital to you as a practicing psychologist? If there’s ever been a doubt in your mind, the following considerations may help you reconsider the matter.

1. Compliance is a matter of law.

The most obvious consideration is that if you as a health care practitioner take actions that trigger HIPAA, you must comply fully with the HIPAA rules. This includes all health care professionals who electronically transmit health information in connection with standard transactions designated under HIPAA. (See “What Triggers the Need to Comply?” on page 6 for a list of the standard transactions that trigger HIPAA.) There are potentially substantial penalties associated with failure to comply with HIPAA. (See the article “Final HIPAA Enforcement Rule Takes Effect,” page 16.)

The following considerations apply even if a psychologist does not technically trigger HIPAA.

2. The health services delivery industry is fast moving toward electronic transactions.

Increasingly, participation in health insurance programs requires electronic claims submission and other electronic transactions that trigger the need for HIPAA compliance. Payers are creating incentives for such participation, for example, by reimbursing more quickly for claims submitted electronically than for paper claims. Even health professionals who do not yet engage in electronic transactions can ensure that their future actions do not put them in violation of HIPAA by complying now. For example, should they decide at some point to employ an electronic billing service or to take a client whose health insurance plan requires electronic billing, these practitioners will have no “grace period” for meeting HIPAA requirements. Full compliance will be required beginning at the moment electronic billing is initiated.

3. HIPAA helps protect your patients.

The Privacy and Security Rules entail requirements that help protect the integrity and confidentiality of the therapist-client relationship. These should be matters of central concern to mental health professionals. Following the Privacy and Security Rules—for example, by keeping HIPAA-compliant psychotherapy notes (see “Practitioners: Take Note,” page 8) and by using safe email practices—can protect client confidences from insurance companies as well as computer hackers.

4. HIPAA requirements constitute sound business practice.

Consider the example of “contingency planning” as required by the HIPAA Security Rule. Taking steps to ensure that electronic protected health information (EPHI) can be recovered and restored in the event of an emergency can lessen interruptions to your practice.

For example, there were practitioners affected by Hurricane Katrina who needed to recover lost electronic patient data. Those who had backed up and stored their patient records in a location safe from flooding, consistent with the HIPAA Security Rule, were prepared to recover what they needed. Taking this important step in advance helped minimize disruptions to continuity of patient care. Others who lacked backup files were not as fortunate.

5. Following HIPAA specifications can help you avoid potential risks.

As one example, the Security Rule requires practitioners to implement policies and procedures to address the final destruction and/or disposal of EPHI and computers or other devices in which EPHI is stored. Disposing of a computer without using software that completely removes patient records is contrary to HIPAA requirements.

There are reports of computer programs being used to recreate patient files that a psychologist thought he or she had “deleted.” Ordinary deletion removes only the file system’s entry for the file; the data itself stays on the disk until something happens to overwrite it, and that is what such recovery programs exploit. The use of such programs may jeopardize confidential patient health information and increase the psychologist’s risk of liability.

6. The Privacy and Security Rules are likely to be invoked as setting the standard of care in the health care industry.

Many health care analysts have advanced this argument. HIPAA requirements could be brought to bear in legal and professional disciplinary deliberations, even in situations where HIPAA compliance technically has not been triggered.

Consider a scenario where a practitioner faces disciplinary action for failing to take reasonable steps to protect patient confidentiality after improperly throwing out his practice computer and then having his patient records retrieved. The attorney for the complaining patient might assert that the practitioner was actually violating the “customary standard of care,” and therefore the psychologist was negligent, by not adhering to HIPAA’s standards for disposing of computer equipment.
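The point behind reasons 5 and 6 (a “deleted” record is still on the disk, and a recovery program simply reads the disk without consulting the file system) can be seen in a small simulation. What follows is an added example written for this edition; it is not code from the APA Practice Organization or from any real disk utility. It models a disk as a flat byte array with a separate directory, the way a file system keeps file contents apart from the names that point at them, and compares an ordinary delete with an overwrite-before-delete. The patient record, the block size and the file name are all constructed for the demonstration.

```python
"""Toy block device: why 'deleted' patient files can be recovered and why
overwrite-before-delete prevents it.  Constructed teaching example; the
file system here is a deliberately naive simulation, not a real one."""
import os
import re

BLOCK_SIZE = 64      # bytes per block (assumed; small so the demo is readable)
NUM_BLOCKS = 32      # total capacity: 2 KiB


class ToyDisk:
    """A flat byte array split into fixed-size blocks.

    File names live in a separate directory (name -> list of block numbers),
    much as a real file system keeps directory entries and inodes apart from
    the data blocks.  That separation is the whole story: removing the name
    does nothing to the bytes."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}                   # filename -> [block numbers]
        self.free = list(range(NUM_BLOCKS))   # free-block list, in order

    def _span(self, block):
        start = block * BLOCK_SIZE
        return start, start + BLOCK_SIZE

    def write_file(self, name, data):
        needed = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start, _ = self._span(b)
            self.blocks[start:start + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: forget the name and return the blocks to the free
        list.  The bytes are untouched, so any tool that ignores the
        directory and reads the raw blocks can still find them."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, passes=3):
        """Overwrite every block of the file before releasing it: random data
        for the requested number of passes, then zeros, so the freed space
        carries no trace of the record."""
        for _ in range(passes):
            for b in self.directory[name]:
                start, end = self._span(b)
                self.blocks[start:end] = os.urandom(BLOCK_SIZE)
        for b in self.directory[name]:
            start, end = self._span(b)
            self.blocks[start:end] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve(disk, needle):
    """What an undelete tool does: skip the directory entirely and scan the
    raw blocks for a known pattern.  Returns the byte offsets found."""
    return [m.start() for m in re.finditer(re.escape(needle), bytes(disk.blocks))]


# Constructed sample record; no real patient data.
RECORD = (b"PATIENT: J. Doe  DOB: 1970-01-01  DX: F41.1\n"
          b"Session 12: reports reduced panic frequency, sleep improved.\n")
NEEDLE = b"PATIENT: J. Doe"


def recoverable_after(method):
    """Write the sample record, remove it with `method` ('delete' or
    'secure_delete') and report how many copies a raw scan still finds."""
    disk = ToyDisk()
    disk.write_file("doe.txt", RECORD)
    getattr(disk, method)("doe.txt")
    return len(carve(disk, NEEDLE))


if __name__ == "__main__":
    print("copies recoverable after ordinary delete:", recoverable_after("delete"))
    print("copies recoverable after secure delete:  ", recoverable_after("secure_delete"))
```

On a real machine the directory is the file system’s metadata and `carve` is the recovery tool; the simulation leaves out caches, journals, swap and slack space, all of which also hold copies. Two caveats before relying on file-by-file overwriting: on flash storage (SSDs, USB sticks, a PDA) the controller remaps writes for wear levelling, so overwriting a file does not reliably reach the cells that held it, and the defensible options are whole-disk encryption from the first day (disposal then means destroying the key), the drive’s own secure-erase command, or physical destruction. And for a computer leaving the practice, the Security Rule’s disposal standard concerns the whole device, so the procedure to document is wiping the entire disk, not deleting individual files. NIST SP 800-88 (Guidelines for Media Sanitization) is the standard reference for choosing between clearing, purging and destroying media.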

What Triggers the Need to Comply?

Both the HIPAA Privacy and Security Rules are triggered when a psychologist, or an entity such as a billing service acting on behalf of the psychologist, transmits information in electronic form in connection with any designated standard transactions (items 1 through 10 below).

Transmission in “electronic form” includes transmission via the Internet, extranets (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, computer-generated faxes (not traditional paper-to-paper faxes), private networks and electronic protected health information (EPHI—see footnote 2 below) that is physically moved from one location to another using magnetic tape, disk or compact-disk media.

Following are the standard transactions. For psychologists, the transactions most likely to trigger HIPAA are communications from the practitioner related to insurance claims or eligibility (items 1, 3, 4, 5, 6 and 8). The definitions that appear below are summaries of the definitions provided by the U.S. Department of Health and Human Services in 45 C.F.R. Sections 162.1101-162.1802.

1. Health Care Claims
Requests to obtain payment and the necessary accompanying information from a health care provider to a health plan, for health care services rendered.

2. Health Care Payment and Remittance Advice
Payment information about the transfer of funds or payment processing information from a health plan to a health care provider’s financial institution; or either the explanation of benefits or remittance advice from a health plan to a health care provider.

3. Coordination of Benefits
Inquiries from any entity to a health plan for the purpose of determining the relative payment responsibilities of the health plan regarding either claims or payment information (e.g., whether payment should be made instead by another insurer, Medicaid, etc.).

4. Enrollment or Disenrollment in a Health Plan
Inquiries regarding subscriber enrollment information provided to a health plan to establish or terminate insurance coverage.

5. Health Care Claim Status
Inquiries used to determine the status of a health care claim or a response about the status of a health care claim.

6. Eligibility for a Health Plan
Either: (1) an inquiry from a health care provider to a health plan or from one health plan to another health plan to obtain information about a benefit plan for an enrollee regarding eligibility to receive health care under the plan, coverage of health care under the plan, or benefits associated with the plan; or (2) a response from a health plan to the provider or other health plan regarding the same.

7. Health Plan Premium Payments
The communication of either payment, information about the transfer of funds, detailed remittance information about individuals for whom premium payments are being paid, or payment processing information such as payroll deductions, associated group premium payment information or other group premium payments.

8. Referral Certification and Authorization
Communications including: a request for the review of health care to obtain an authorization for the health care, a request to obtain authorization for referring an individual to another health care provider, or a response to one of these requests.

The following two transactions have yet to be formally defined by the Department of Health and Human Services, so we have provided a basic definition below.

9. First Report of Injury
Communication where an injury is reported to the workers’ compensation carrier for any potential workers’ compensation claim.

10. Health Claims Attachments
An extraction of relevant information from the medical record to demonstrate the reason for the service provided and the subsequent health care claim.

Once a psychologist—or an entity such as a billing service acting on behalf of the psychologist—triggers HIPAA, the Privacy Rule applies to all protected health information¹ in the psychologist’s practice. Once HIPAA is triggered, the Security Rule applies to all electronic protected health information² in a practice.

¹ Under HIPAA, “protected health information,” or PHI, is information that: is transmitted or maintained in any form or medium; relates to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or payment for providing health care to an individual; and identifies the individual or could reasonably be used to identify the individual. For psychologists, this generally means information about a specific patient, client or person you are evaluating.

² Electronic protected health information, or EPHI, is PHI that is transmitted or stored in electronic form.

Taking the Necessary Steps (continued from page 3)

thus have not “triggered” HIPAA. This is because compliance with the Privacy Rule assures sound treatment of confidential information and clear communication with clients regarding that information. Compliance with the Security Rule is consistent with good business-information practices. And it is increasingly easy to trigger that rule inadvertently through an emergency action such as transmission of an email or computer-based fax.

GP: What are the biggest misconceptions practitioners may have about HIPAA compliance?

Dr. Cooper: From my experience fielding calls regarding HIPAA issues as Director of Professional Affairs in the North Carolina Psychological Association, the biggest misconception among practitioners may be that HIPAA is largely irrelevant to practice. It often may seem true—until the moment it becomes not only relevant but indispensable in resolving some unforeseen privacy or security issue.

Another common misconception is that many practitioners think if they’re compliant with the Privacy Rule they’ve satisfied all of their HIPAA obligations, which is absolutely not true.

GP: Is it important to comply with both the Privacy and Security Rules?

Dr. Cooper: Yes, because they’re synergistic: you can’t fully implement one without the other. Without the Privacy Rule, you don’t know what to protect. Without the Security Rule, you don’t know if you have “holes” in the protective shield.

GP: What advice would you give to other practitioners about becoming HIPAA compliant?

Dr. Cooper: Obtain the tools for each rule, designate several blocks of time and persevere. With the confidence the Practice Organization’s tools provide, the process is not only achievable, it can actually become interesting.

Once you’re compliant, it’s also important to be aware that if aspects of your practice change, such as hiring a new staff person, you may need to revisit and update your policies and procedures to ensure ongoing compliance.

GP: Is there any other advice you can give to practitioners who have not yet taken steps to become HIPAA compliant?

Dr. Cooper: If you did not meet the deadline for HIPAA compliance, you still should implement. It’s an important aspect of risk management for your practice, and compliance can definitely be accomplished in small steps.

The HIPAA compliance information and resources mentioned in this article can be found on APApractice.org.

See page 20 for a list of additional resources for help with HIPAA.

GOOD PRACTICE TOPICAL EDITION PUTTING HIPAA INTO PRACTICE WINTER 2007 9

over psychotherapy notes during an audit of your patient records. Even so,insurers can refuse to pay for services if medical necessity is not sufficientlydocumented in the clinical record. So itadvisable for the clinical record to provideadequate rationale for medical necessity.

Patient access to information in the client record

The HIPAA Privacy Rule also generallyprotects psychotherapy notes from beingviewed by the patient. However, becausethis federal regulation does not preemptstate laws that give patients greater accessto their records than HIPAA does, patientaccess to psychotherapy notes varies fromstate to state.

In some states, the Privacy Rule prevailsand the patient has no right to accesspsychotherapy notes. In other states, thepsychologist has greater discretion towithhold psychotherapy notes than towithhold the clinical record. In a thirdgroup of states, psychotherapy notes haveno greater protection from patient accessthan the clinical record.1

Keeping “separate” psychotherapy notes

The HIPAA definition of “psychotherapynotes” explicitly states that these notesmust be kept “separate” from the rest of

the patient record, but does not specifywhat “separate” means. It seems clear,however, that if the psychologistmaintains the notes in a general chartalong with other clinical information, thenotes would not qualify for the heightenedprivacy protection that HIPAA providesfor psychotherapy notes.

In light of the HIPAA rule wording,practitioners should consider whethersomeone else would be able to readily“distinguish” their psychotherapy notesfrom the rest of the record. If anotherperson could do so, the psychotherapynotes likely would be considered asseparate from the clinical record. As oneapproach, psychologists separate theirpsychotherapy notes by keeping them onone side of the patient’s file folder, whileputting the clinical record on other side.

When keeping separate recordselectronically, the psychotherapy notesshould be located in a separate electronicfile, or separate part of the electronic file,and preferably labeled as “confidential”and/or “psychotherapy notes.” Inaddition, they should have a higher levelof security, such that only the therapistwho created them has access (unless thepatient has authorized broader access).Keep in mind that maintenance of electronicrecords also raises important issues relatedto HIPAA Security Rule compliance.

Why “psychotherapy notes” are offered special privacy protection

During the rule-making process, APAsuccessfully advocated to the U.S.Department of Health and HumanServices (HHS) that the final Privacy Rule should provide heightened protection forpsychotherapy notes. In doing so, thePrivacy Rule recognizes that the kinds ofinformation contained in psychotherapynotes need a higher level of privacy pro-tection than other types of informationkept in patient records.

HHS accepted APA’s arguments that psy-chotherapy notes reflect communicationswhose confidentiality is essential tosuccessful psychotherapy and that thesenotes serve as the therapist’s private notesfor his or her own use. As such, they arenot needed by or to be shared with othersin the health care delivery system such asthird party payers and other health careprofessionals.

8 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION

Practitioners: Take Note HIPAA provides extra privacy protection for psychotherapy notes

P ractitioners face a number ofissues in considering how to createand maintain their client records.

When the focus is on psychotherapy notes as defined by the Health InsurancePortability and Accountability Act (HIPAA),several questions typically come to mind:Should I create psychotherapy notes? If Ido so, what information should I include?Where should I keep the notes? Whathappens if I don’t create separatepsychotherapy notes?

The HIPAA Privacy Rule does notmandate what health care professionalsmust put in their patient records. But itdoes confer special privacy protectionswhen mental health professionals keeppsychotherapy notes that are separatefrom the clinical record.

The following issues and considerationsfor practitioners pertain to psychotherapynotes and HIPAA:

How HIPAA defines “psychotherapy notes”

According to the text of the HIPAA PrivacyRule, “psychotherapy notes” means:

... notes recorded (in any medium) by a health care provider, who is a mental healthprofessional documenting or analyzing thecontents of conversation during a privatecounseling session or a group, joint, orfamily counseling session and that areseparated from the rest of the individual’smedical record.

The HIPAA rule also stipulates whatpsychotherapy notes exclude:

... medication prescription and monitoring,counseling session start and stop times, themodalities and frequencies of treatmentfurnished, results of clinical tests and anysummary of the following items: diagnosis,functional status, the treatment plan, symptoms, prognosis, and progress to date.

Typically, these “excluded” items comprisethe other part of the patient record (oftenreferred to as the clinical record) that isseparate from psychotherapy notes.

Patient authorization required to release psychotherapy notes

The Privacy Rule requires psychologistsand other entities covered under HIPAA to obtain specific patient authorizationfor the disclosure and use of “psycho-therapy notes.” Under HIPAA, disclosingpsychotherapy notes to others calls formore than just notice or general consent.Explicit patient authorization—writtenpermission from the client that meetsspecific Privacy Rule requirements—isneeded to release psychotherapy notes to,or let them be viewed by, anyone otherthan the therapist who created them.1

This authorization requirement applies to records requests from managed careand other health plans. It even protectsclients from having other mental healthprofessionals in the same group practiceview the psychotherapy notes unless theclient has authorized it.

Insurance companies barred from access to psychotherapy notes

Before the HIPAA Privacy Rule tookeffect, insurance companies sometimesrequested entire patient records, includingwhat are now called psychotherapy notes,in making “medical necessity” decisions.Patients could decline to have this type ofinformation released, but the insurancecompany might deny coverage for relatedservices.

Now health plans cannot refuse to pro-vide or authorize reimbursement to thepatient or psychologist if a patient doesnot agree to release psychotherapy notes.The HIPAA Privacy Rule forbids suchrefusal to pay. Further, managed carecompanies may not require you to turn

The HIPAA Privacy Rule does not mandate what health care professionals must put in their patient records. But it does confer special privacy protections when mental health professionals keep psychotherapy notes that are separate from the rest of the clinical record.

(continued on page 12)

[1] State-specific patient authorization forms as well as state-by-state information about patient access to psychotherapy notes are part of HIPAA for Psychologists, the online Privacy Rule compliance tool from the APA Practice Organization designed for practicing psychologists. Visit the “HIPAA Compliance” and “APApractice.org Store” sections of APApractice.org for details and ordering information.

10 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION GOOD PRACTICE TOPICAL EDITION PUTTING HIPAA INTO PRACTICE WINTER 2007 11

The HIPAA Privacy and Security Rules: A Side-by-Side Comparison

Sorting through the complexities of the various HIPAA rules is no simple matter. The federal regulations related to these rules are voluminous.

Some health care professionals have mistakenly believed that, by complying with the requirements of the HIPAA Privacy Rule, they have met most or all of their obligations under HIPAA. Although there is a bit of overlap between the HIPAA Privacy and Security Rules, each rule is distinct and requires its own compliance process.

A fundamental distinction is that the Privacy Rule focuses on intentional releases of protected health information, while the Security Rule focuses on safeguarding your practice against unintentional disclosures. Another difference is that the Privacy Rule calls for a thorough comparison of the rule with your state laws related to confidentiality of patient records; the Security Rule does not require such a comparison.

The table below highlights several of the major differences and similarities in the HIPAA Privacy and Security Rules.

HIPAA PRIVACY RULE and HIPAA SECURITY RULE, side by side

Focus

  Privacy Rule: Applying policies and procedures to control when, under what circumstances and to whom to release protected health information, or PHI [1]. The Privacy Rule focuses on intentional releases of PHI.

  Security Rule: Protecting “electronic protected health information,” or EPHI [2], from unintended disclosure through breaches of security and from unintended loss, for example, through fire or flood.

What triggers the rule [3]

  Privacy Rule: The Privacy Rule is triggered when a psychologist transmits PHI in electronic form in connection with any of the following types of transactions:

    • Health care claims
    • Health care payment and remittance advice
    • Coordination of benefits
    • Health care claim status
    • Enrollment or disenrollment in a health plan
    • Eligibility for a health plan
    • Health plan premium payments
    • Referral certification and authorization
    • First report of injury
    • Health claims attachments

  Further, the Privacy Rule is triggered when an entity acting on behalf of the psychologist, such as a billing service, transmits PHI in electronic form.

  Security Rule: The same transactions as listed for the Privacy Rule.

What the rule applies to

  Privacy Rule: Once a psychologist triggers HIPAA, the Privacy Rule applies to all PHI in the psychologist’s practice.

  Security Rule: Once a psychologist triggers HIPAA, the Security Rule applies to all EPHI in a psychologist’s practice.

Major steps toward compliance [4]

  Privacy Rule:

    • Determine what state laws related to privacy are more stringent than the Privacy Rule.
    • Develop a notice of privacy practices and authorization form (shaped by the interaction of state privacy laws and the Privacy Rule), as well as a Business Associates Contract and other forms you may need for compliance.
    • Designate a “Privacy Officer” responsible for ensuring that appropriate privacy procedures are adopted and followed (also see the row below on “Scalability”).
    • Document and implement policies and procedures in light of the rule’s requirements, for example, a patient complaint process.
    • Train employees to carry out their functions under the Privacy Rule.

  Security Rule:

    • Conduct a formal risk analysis of your practice. The risk analysis is a thorough assessment of the practice’s potential security risks and vulnerabilities related to EPHI.
    • Designate a “Security Officer” responsible for ensuring that appropriate privacy procedures are adopted and followed. In a solo practice, this will be the individual psychologist. In a small or large group practice, one of the psychologists or office staff can be designated as the Security Officer.
    • Implement safeguards to minimize any risks you have identified.
    • Develop security policies and procedures in light of your risk analysis and the safeguards you have chosen.
    • Document measures that the practice has taken to comply with the Security Rule.

Scalability

  Privacy Rule: The administrative requirements of the Privacy Rule are “scalable,” meaning that a health professional covered by HIPAA must take “reasonable” steps to meet the requirements according to the size of practice and type of activities. A key example: while a hospital might be required to create a full-time staff position to serve as a “Privacy Officer,” a psychologist in solo practice may identify himself or herself as the Privacy Officer.

  Security Rule: Many provisions of the Security Rule explicitly allow the compliance process to be tailored to the size and complexity of one’s practice. As with the Privacy Rule, requirements for solo or small practices are generally far less extensive and complicated than for a large health care facility. Nonetheless, even if your practice is small, you must document your rationale for any tailoring you do as allowed by the rule.

Interaction with state law

  Privacy Rule: The HIPAA Privacy Rule establishes a minimum set of requirements for protection of PHI. The federal rule does not preempt, or override, state laws that are stricter in safeguarding an individual’s PHI or that give the patient greater access to his/her PHI. Practitioners need to determine for their particular state whether HIPAA preempts state law, or whether stricter state law applies.

  Security Rule: Not applicable to the Security Rule. Compliance with the rule does not vary because of state law.

Responsibility for violations by business associates

  Privacy Rule: HIPAA requires health professionals to enter into contracts with business associates [4] (such as accountants, lawyers or a billing service) with whom they share PHI as defined under HIPAA. In essence, the psychologist needs to contractually obligate the business associate to follow all HIPAA compliance requirements that the psychologist must follow. Having an appropriate business associates contract protects the psychologist from liability if the business associates violate HIPAA obligations.

  Security Rule: Same as for the Privacy Rule.

Notes to the table:

[1] Under HIPAA, “protected health information,” or PHI, is information that: is transmitted or maintained in any form or medium; relates to the past, present or future: physical or mental health condition of an individual; the provision of health care to an individual; or payment for providing health care to an individual; and identifies the individual or could reasonably be used to identify the individual. For psychologists, this generally means information about a specific patient, client or person you are evaluating.

[2] Electronic protected health information, or EPHI, is PHI that is transmitted or stored in electronic form.

[3] For additional information, see “What Triggers the Need to Comply?” on page 6.

[4] Step-by-step guidance is provided in two online products from the APA Practice Organization: HIPAA for Psychologists Online Privacy Rule Compliance Course, developed in collaboration with the APA Insurance Trust, and the HIPAA Security Rule Online Compliance Workbook. These products also include a business associates contract tailored to psychologists that may be customized. Visit the APApractice.org Store online at APApractice.org for additional information.

12 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION

Practitioners: Take Note HIPAA provides extra privacy protection for psychotherapy notes (continued from page 9)

Kinds of information included in psychotherapy notes in line with HIPAA

Psychotherapy notes are designed to protect information whose sanctity is important to maintaining the therapeutic relationship. Some practitioners reflect in these notes the patient’s intimate confidences and sensitive information about persons other than the patient, along with the psychologist’s speculations and unformed opinions.

Guidance for deciding what to keep, and what not to include, in psychotherapy notes may be found in the rationale embraced by HHS in finalizing the Privacy Rule—namely, that psychotherapy notes are the therapist’s private notes that are not typically used by or shared with other professionals or with third party payers.

If the information should be shared with other health professionals involved with the patient’s care, this constitutes a reason to put it in the clinical record. For example, a notation that the patient reported feeling irritable after taking psychotropic medication would fall into this category. And if the information is among the “exclusions” to the HIPAA definition of psychotherapy notes, that information should be included in the clinical record.

Sometimes the decision about what to record where is a matter of detail, as the psychologist keeps in mind who might ultimately have access to the information. For example, a practitioner might note in the clinical record the symptom that the patient is having night terrors. But the details of those nightmares and the psychologist’s initial musings about their significance, which are less important to other health care professionals, would go in the psychotherapy notes.

Although placing information in the psychotherapy notes always protects information from health insurers and may bar patient access, keep in mind that there are a variety of situations where outside parties may have access to psychotherapy notes. For example, a client might have to authorize their release for a military or government job application, or a court may order the disclosure of records. Accordingly, the psychologist should consider such potential disclosures when making psychotherapy note entries.

What if a practitioner does not keep separate psychotherapy notes?

Practitioners subject to HIPAA need to consider the practical effect if they choose not to keep separate psychotherapy notes. In contrast to the clear protections for psychotherapy notes, psychologists who keep their records combined have only the Privacy Rule’s vague “minimum necessary disclosure” standard to rely on when arguing that insurers and others should not see the entire record.

When “protected health information” is disclosed or used, the Privacy Rule requires psychologists to share the minimum amount of information necessary to conduct the activity. The requesting party will often argue that the entire record is the “minimum” that they need, while the psychologist counters that a much narrower set of records is appropriate to release. It is conceivable that the final arbiter of what is “minimum necessary disclosure” in a case such as this could be a court of law in the event that a legal dispute ensued.

Additional Considerations

Also be mindful of the following additional considerations related to keeping psychotherapy notes and other elements of patient records:

• Insurance company employees may not understand that HIPAA precludes them from looking at psychotherapy notes. Some practitioners report having interactions with managed care company representatives who are seemingly unaware of the HIPAA privacy protections that apply to psychotherapy notes.

• A number of other important considerations have a bearing on record keeping, including: applicable state law; APA’s Record Keeping Guidelines (which are being revised); APA’s ethical principles; and institutional policies governing record keeping (for example, policies that apply to psychologists employed in a health care facility).

FIND OUT MORE

To learn more about the HIPAA rules and how to comply, visit the “HIPAA Compliance” section of APApractice.org.


As of May 23, 2007, all health care professionals will be required to have a National Provider Identifier (NPI) to use when billing electronically any government or private health insurer. The creation and use of the NPI raise a number of questions for practicing psychologists. This question-and-answer article addresses several common inquiries.

Q. What is the NPI?

A. The NPI is a unique 10-digit number assigned to every health care provider or entity that applies for it. This number will replace other provider identification numbers, such as Medicare’s Unique Physician Identifier Number (UPIN), that have been assigned to health care professionals by government and private insurers for use in billing. Once a health professional receives an NPI, that number is assigned to that health professional for his or her entire career, regardless of whether the health professional relocates, changes employers or even changes health professions.

Q. How is the NPI used?

A. The NPI is intended for use in identifying practitioners when they transmit health information electronically—for example, in submitting claims for payment and referral authorizations.

Q. Who must apply for an NPI?

A. All “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA), which includes all health care professionals who are required to comply with this federal law, must obtain an NPI no later than the May 23, 2007 deadline. In essence, the need to comply with the Privacy Rule is triggered when a practitioner transmits protected health information in electronic form in connection with health care claims and other transactions as specified in the rule.

The “HIPAA Compliance” section of APApractice.org contains further information about what constitutes a “covered entity” under HIPAA. In addition, the Centers for Medicare and Medicaid Services Web site includes “tools” for determining if you’re a covered entity. The relevant Web site is http://www.cms.hhs.gov/apps/hipaa2decisionsupport/default.asp.

Applying for Your National Provider Identifier: A Q&A for Psychologists

Any private health insurer can require that health professionals who bill the insurer use an NPI, even if the billing is done by mail rather than electronically. This means that even psychologists who are not considered “covered entities” under HIPAA likely will be required to get an NPI.

Therefore, the APA Practice Organization encourages all psychologists who bill private and/or public health insurance plans, including federal and state programs, to obtain an NPI.

Q. If I am not currently covered under HIPAA and I apply for an NPI, will I automatically be required to comply with HIPAA?

A. No. Applying for an NPI does not “trigger” your having to comply with HIPAA.

Q. Do I apply for an NPI as an individual or organization?

A. Every individual and organization covered under HIPAA must obtain an NPI. The overarching rule is that if you have an organization that your state views as separate from the individual, the organization should obtain its own NPI. Sole proprietorships, which are unincorporated businesses, generally are not considered separate and distinct from the individual owner. For that reason, sole proprietorships should apply as individuals, using a social security number, not their employer identification number (EIN). On the other hand, corporations are usually seen as separate and distinct, so they should apply for a separate NPI apart from the individual health care professionals who work for the corporation.

A group practice (that is not a sole proprietorship) should obtain its own NPI, and all the psychologists who work in that group should get their own unique NPIs. The group practice’s NPI and the individual psychologists’ NPIs are not linked in any way. This allows the individual psychologists to bill for services rendered at other places such as in a hospital or in another group practice—for example, if they work part-time in more than one setting. Further, it allows individuals to leave one group practice and join another without having to worry about changing their NPI.

Q. What will health insurers and others know about my practice based on the NPI assigned to me?

A. Unlike identifiers used by the government and health insurers in the past, the NPI is a random number. The 10-digit number does not reveal any information about the health professional, such as geographic location or type of practice. Yet, while no such information can be gleaned from the NPI itself, insurers may have access to certain information included in your NPI application, such as your choice of taxonomy code (discussed further in this article).

Q. What steps do I take to apply?

A. The steps you take depend on whether you file electronically or submit paperwork to obtain an NPI.

Electronic Application Process

Psychologists may complete and submit the NPI application form online by accessing https://nppes.cms.hhs.gov. You will be able to complete the application quickly, so long as you have all the required information ready before you begin. The list of information needed for individuals applying for an NPI includes:

• Health practitioner name
• Health practitioner date of birth
• Country of birth
• State of birth (if birth was in the United States)
• Health practitioner gender
• Social Security Number or other proof of identity
• Mailing address
• Practice location and phone number
• Taxonomy (see the question-and-answer section on pages 18 and 19)
• State license information (required for certain taxonomies only)
• Contact person name
• Contact person phone number and email

The Web site listed above will walk you through the steps involved in completing the application. The Centers for Medicare and Medicaid Services (CMS) advises that electronic submission is the fastest way to obtain your NPI.

Paper Application Process

For any health care professional who wishes to complete a hard copy version of the application form and send it via regular mail, the application can be downloaded from www.cms.hhs.gov/cmsforms. When you access the site, click on “CMS Forms.” Doing so will take you to a list of forms that includes the NPI application—CMS Form #10114. The application form is three pages long followed by instructions for completing the form. Individuals who render health care services are asked to complete Sections 2A, 3, 4A and 5.

Application Form Submitted by an Employer

In some cases, a psychologist who is employed by a health care entity may find that the entity is willing to submit the NPI application on his or her behalf. For example, a hospital may do so for its


(continued on page 18)


Final HIPAA Enforcement Rule Takes Effect

If you thought that the federal Health Insurance Portability and Accountability Act (HIPAA) lacked the “teeth” of enforcement, think again. The federal government has issued regulations that establish how the U.S. Department of Health and Human Services (HHS) will determine liability and calculate fines for health care professionals who violate any of the HIPAA Rules.

The HIPAA Enforcement Rule took effect in March 2006. The rule makes enforcement regulations applicable to all of the major HIPAA rules, including the Privacy and Security rules.

The HIPAA regulations pertain to covered entities including health care professionals whose activities “trigger” HIPAA. This happens, for example, when a psychologist transmits protected health information in submitting health care claims electronically. (See the article “What Triggers the Need to Comply?” on page 6 for additional information about actions that trigger HIPAA.)

This article highlights aspects of the new Enforcement Rule that are important to psychologists: the general enforcement approach, liability for the acts of agents, fines and defenses available to a covered entity that is facing a penalty.

General Enforcement Approach

In deciding where to direct its enforcement efforts, HHS will rely primarily on complaints brought to the agency’s attention. However, HHS can conduct compliance reviews on its own if there has been no complaint. When acting on complaints, HHS is not limited to complaints by patients. For example, HHS can act on complaints from other covered entities.

Enforcement actions will remain private until a final penalty is imposed. So the fact that you may not have heard about HHS conducting investigations does not mean they are not taking place.

The Enforcement Rule generally favors a voluntary approach to HIPAA compliance whereby HHS would work with a psychologist at issue to make sure that the practitioner understands and corrects the violation. However, if such voluntary efforts fail, the rule calls for the agency to resort to investigations, hearings and fines.

Liability for Actions of Your Agent

The Enforcement Rule explains the circumstances under which you could be held liable for HIPAA violations of your agent—that is, someone acting on your behalf and at your direction. You can be subject to this type of “agency liability” if a member of your “workforce” commits HIPAA violations. The rule defines “workforce members” as including not only your paid employees, but also trainees and volunteers who are under your direct control.

You can also be held liable for violations by your agents who are not under your direct control but who are still carrying out HIPAA-related functions on your behalf. This kind of agent is generally considered a “business associate” under HIPAA, a person or company with whom you share protected health information as part of running your business. Examples include a billing service or accountant.

There is an important exception to HIPAA liability provided by the Enforcement Rule. You generally are not liable for the HIPAA violations of your business associate if you are in compliance with the business associate provisions of the Privacy and Security Rules as they apply to your practice. Essentially, this means that you have in place “business associate contracts” that comply with those rules. Importantly, however, this exception will not protect psychologists who are aware that their business associates are violating the privacy or security obligations under their contracts and fail to take reasonable steps to remedy the problem.

One place to find a business associate contract that satisfies both the Privacy Rule and Security Rule is in the HIPAA Security Rule Online Compliance Workbook available online at APApractice.org.

Fines

The new Enforcement Rule allows HHS to impose fines of up to $100 per violation, to a maximum of $25,000 for violations of an identical requirement during one calendar year. A continuing violation is deemed a separate violation for each day it occurs. Thus, a continuing violation found to have lasted most of the year (at least 250 days) would reach the $25,000 limit for that one violation. In calculating the number of violations, HHS can rely on statistically valid sampling. However, the rule gives the accused entity a procedure for challenging those statistics.

HHS indicates that one act could give rise to several violations. The agency gives the example that the single act of disposing of a computer without first “scrubbing” the hard drive to remove electronic protected health information would violate several different HIPAA provisions.

In considering the amount of the fine, HHS will consider the nature and circumstances of the violation, the health professional’s history of prior compliance and his/her financial condition. More detailed considerations under the last category include the size of the covered entity and whether the fine would put the entity out of business.

When a proposed penalty becomes final, the enforcement process finally becomes public. HHS must notify the public of the fine imposed and the reason for imposing the penalty. HHS will also give notice to various other entities, including the appropriate state or local licensing agency and “the appropriate state or local medical or professional association.”

Available Defenses

The Rule provides several defenses that are available to someone facing a fine. If these defenses are established to HHS’ satisfaction, the agency will not impose a fine. The two most significant defenses for psychologists relate to not knowing about the violation and being unable to comply. The first of these defenses applies when covered entities who would be liable for penalty did not know that they were in violation, and by exercising reasonable diligence would not have known of the violation. The rule defines reasonable diligence as “the business care and prudence expected from a person seeking to satisfy a legal requirement” under similar circumstances. Obviously, practitioners could not reasonably rely on this defense if they failed to take steps to comply simply because they thought the federal government would not enforce the HIPAA rules.

The second defense applies when circumstances make it temporarily unreasonable for the entity to comply with the HIPAA requirement at issue, despite the exercise of ordinary business care and prudence. Under this defense, the entity knows they are violating a HIPAA rule and must normally correct the violation within 30 days of knowing about it.

For example, a devastating tornado destroys a psychologist’s practice, including paper and electronic copies of the privacy notice required by the HIPAA Privacy Rule. The psychologist sees new clients in the aftermath of the natural disaster but is unable to give them a copy of her privacy notice. She is able to correct the situation within 30 days by recreating the notice and distributing it to her new clients. If she were subject to an enforcement action, she could argue that she was temporarily unable to comply with this HIPAA requirement, despite the exercise of ordinary business care and prudence.

The entire text of the enforcement rule is available at http://www.hhs.gov/ocr/hipaa/FinalEnforcementRule06.pdf.

PLEASE NOTE: The information in this article does not constitute legal advice and should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding your individual circumstances.


Applying for Your National Provider Identifier (continued from page 15)

employed providers. However, the health care entity is required to obtain your permission before filing an NPI application for you. If applicable, you could check with your billing or human resources department to find out whether your organization is planning to submit NPI applications for its employees.

Q. What is a “taxonomy code”?

A. As part of the application process, the Centers for Medicare and Medicaid Services (CMS) requires that all types of health professionals list a “taxonomy code” or codes. A taxonomy code is a 10-digit alphanumeric identifier separate from the NPI used to describe your health care practice and the professional services you provide. According to CMS representatives, the purpose of including the taxonomy code as part of the application process is to help distinguish among health professionals—for example, where multiple providers have the same name. APA was not included in the process of developing the psychology-related codes for the taxonomy code list and believes that these codes do not accurately portray the practice of psychology.

Q. Where do I find the taxonomy code list?

A. The electronic version of the application lists the available taxonomy codes. First you will be asked to choose among general categories of health care professionals. The applicable category for psychologists is “Behavioral Health and Social Service Providers.” Then you will be asked to choose among more specific categories. Two of the categories are “Psychologist” and “Neuropsychologist.” The remaining categories include 19 specialties listed under “Psychologist.”

The paper version of the application form does not list the taxonomy codes. To obtain the list of available codes, the application instructs you to go to the following Web site: http://www.wpc-edi.com/taxonomy.

At the main page for this Web site address, you need to click on “Individual or Groups,” then click on “Behavioral Health and Social Service Providers.” That will take you to two codes applying to psychology—“psychologist” and “neuropsychologist.” If you click on the term “psychologist,” you will see the list of specialty codes that have been assigned to psychology.

Q. What guidance does the APA Practice Organization provide about choosing a taxonomy code?

A. Practitioners who apply for their NPI need to decide which and how many taxonomy codes to choose. As previously noted, as of October 2006, there are two “general codes” included in the taxonomy code list—“psychologist” and “neuropsychologist”—as well as 19 “specialty” codes associated with the general code “psychologist.”

Unfortunately, there is no published guidance from CMS regarding how to choose a code. Should practitioners choose a general code only, or one or more of the specialty codes? How do practitioners decide whether they “specialize” in an area of practice enough to identify themselves by one of the specialty codes?

Adding further confusion to this issue is that a practitioner’s choice of taxonomy code may carry reimbursement or credentialing implications. This is the case even though the Centers for Medicare and Medicaid Services (CMS) included the taxonomy codes in the NPI process to help distinguish among health professionals, not for use by insurers in governing reimbursement. Officials with CMS have assured us that the agency does not intend for the Medicare or Medicaid programs to use the taxonomy codes to restrict the kinds of services that a health professional may bill and be reimbursed for providing.

Even so, it is likely that CMS will share your taxonomy code information with private health insurers and/or that these insurers will ask you for your taxonomy code(s). Because these codes have not routinely been used by private insurers for psychology, it is difficult to predict the impact of these codes on reimbursement. We do not yet know of any specific situations where insurers are using the taxonomy codes in connection with reimbursement.

The APA Practice Organization remains wary that third party payers may limit or deny reimbursement based on a psychologist’s choice of taxonomy codes (see sidebar, page 20). For example, an insurer might deny payment for services that a psychologist provides to children if that practitioner has not chosen the specialty code for “child, youth, and family” from the taxonomy code list. Alternatively, insurers could decide not to pay for services that they believe are represented by certain specialties. For example, an insurer may not cover counseling and decide that all of the services furnished by psychologists who chose “counseling” as one of their taxonomy codes represent uncovered counseling services.

The APA Practice Organization is actively monitoring the potential for misuse of taxonomy code information and intends to take necessary actions to address any unintended uses of the taxonomy codes. But the fact of the matter is that, at the present time, we just do not know how payers may use this information.

With this as background, the APA Practice Organization evaluated the issue of choosing taxonomy codes and has identified at least three strategies.

Choosing Your Strategy

One strategy would be to choose all the taxonomy codes that represent any area in which you practice. (You may opt to pick only the specialty codes and not a general taxonomy code.) This might have the advantage of protecting psychologists from being denied reimbursement or admission to a panel on the grounds that they did not choose a specific specialty. However, if an insurer sees any of the taxonomy code areas as representing services that the insurer does not cover, there is the risk that the company would argue that all of your services relate to that taxonomy code and deny payment for the services. In addition, if a psychologist selects a long list of specialty taxonomy codes, insurers might consider the practice so broad that they would question the practitioner’s expertise in any one of the specialty areas chosen.

A second strategy would be to list only the general “psychologist” or “neuropsychologist” code. This may protect you against being pigeonholed into a particular specialty area. However, there could be a risk of payment denials if an insurer decided to only pay for services in a particular practice area when the services were furnished by psychologists who identify themselves as specializing in that area—such as only paying for services to children when a practitioner chose the “child, youth and family” taxonomy code.

A third strategy would be to choose the code or codes that most accurately reflect your practice in its entirety, that is, the services you spend the majority of your time providing. For example, licensed psychologists with a broad-based practice might elect to choose just the “psychologist” code. On the other hand, psychologists who focus in specific practice areas may want to choose a specialty code or codes in addition to a general code. For example, a neuropsychologist who focuses on providing services to geriatric clients may wish to choose the general “neuropsychologist” code as well as the specialty code, “adult development and aging.” If that neuropsychologist also furnishes services such as psychotherapy, feedback and/or cognitive rehabilitation, he or she may also want to choose the “clinical psychologist” code.

The APA Practice Organization generally advises practitioners to take the third approach. Though no strategy is risk-free, this option represents a balance of the

first two strategies and may minimize the risk of negative reimbursement con-sequences until we have a better sense of how insurers will use these codes.

Guidance from the APA Practice Organiza-

tion may change when it becomes clearerhow insurers will handle the codes. TheNPI process permits practitioners to addor delete codes at any time.

The APA Practice Organization hasexpressed our concern to the organizationsinvolved that the taxonomy code list in itspresent form is inconsistent with the waythat psychology is practiced. We are continuing to communicate with thesegroups in seeking appropriate revisions tothe code list. We will apprise our membersof future changes. We also stand ready to respond to any instances in whichinsurers use the taxonomy codes in inap-propriate ways, so please notify the PracticeDirectorate if you encounter this situation.

Q. May I change my choice of taxonomy code?A. Yes. Psychologists who have an NPI can change their taxonomy codedesignation at any time. The APA PracticeOrganization will update members if thereare changes in taxonomy codes and/orour guidance for practitioners aboutselecting a code.

Do you have a question about the NPIthat is not answered in this article? If so,contact legal and regulatory affairs stafffor the APA Practice Organization bysending an email to [email protected] or calling 1-800-374-2723, ext. 5886.Further, please let us know if you becomeaware of situations where health care payers use the taxonomy codes to makereimbursement decisions.


750 First Street, N.E. • Washington, D.C. 20002-4242 • 800-374-2723 • APApractice.org

The APA Practice Organization is wary that third-party payers could use taxonomy code information to limit or deny payment for services. We need your help as we work to mitigate the risk that the codes might be used adversely by insurers. Please let us know if you learn that your insurer is using your taxonomy code for any purpose, such as for making reimbursement decisions or credentialing. Call us toll-free at 1-800-374-2723 x5886, or send an email to [email protected].

Practice Working for You


Online Resources for More Help with HIPAA

APApractice.org, the APA Practice Organization's site, has a section with information and resources devoted to HIPAA compliance. In addition to the HIPAA Privacy and Security Rules, this section of APApractice.org includes information about a third rule that applies to practitioners: the HIPAA Transaction Rule. Click the button for the APApractice.org Store to access the following step-by-step compliance products developed specifically for practicing psychologists: the HIPAA for Psychologists Online Privacy Rule Compliance Course (developed in collaboration with the APA Insurance Trust) and the HIPAA Security Rule Online Compliance Workbook.

The U.S. Department of Health and Human Services has a Web page located at http://www.hhs.gov/ocr/hipaa with answers to frequently asked questions about HIPAA privacy and other educational materials.

The U.S. Centers for Medicare and Medicaid Services devotes a portion of its Web site to HIPAA. Begin your search for general information at the following link: http://www.cms.hhs.gov/HIPAAGenInfo. For particular help determining whether you are a "covered entity," type in the following address once you open your Web browser: http://www.cms.hhs.gov/apps/hipaa2decisionsupport/default.asp.

The following online resources are useful for practitioners in applying for a National Provider Identifier (NPI; see "Applying for Your National Provider Identifier," page 14). Psychologists may complete and submit the NPI application form online at https://nppes.cms.hhs.gov. For those who wish to complete a hard-copy version of the application form and send it via regular mail, the application can be downloaded from www.cms.hhs.gov/cmsforms.