HIPAA Compliance and Confidentiality Issues When Working with Clients Remotely
Written by guest blogger Midge Murphy, JD, PhD, LLC, Energy Medicine author of Practice Energy Healing in Integrity, The Joy of Offering Your Gifts Legally & Ethically
The purpose of this article is to provide energy healing practitioners with some basic information about Health Insurance Portability and Accountability Act (HIPAA) compliance and confidentiality issues when working with clients remotely. Because numerous energy healing modalities can be used via distance, many practitioners conduct client sessions by phone, Skype, Zoom or another electronic platform and may also communicate with clients through emails.
HIPAA is a Federal statute that was implemented by the U.S. Congress in 1996. It formalizes many of the pre-existing protections of medical information, which it refers to as Protected Health Information (PHI). This law addresses a variety of issues related to health care, specifically regarding the electronic exchange, privacy and security of health information. The HIPAA Privacy Rule sets standards with respect to the rights of individuals to their health information, procedures for exercising those rights and the authorized and required uses and disclosures of such information. The Privacy Rule defines what information needs to be protected, who is authorized to access the protected health information and delineates individuals’ rights to control and access their own protected information.
The security standards in HIPAA were developed for two primary purposes. First and foremost, the implementation of appropriate security safeguards protects certain electronic health information that may be at risk. Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the health care industry. HIPAA guarantees individuals the right to access and request amendment of their PHI and to request an accounting of disclosures of their PHI.
HIPAA applies to regulated health care professionals and health care corporations (covered entities). Under the law, covered entities are required to disclose to every client what can and cannot be done with PHI. We have all received a “Notice of Privacy Practices” from our doctors. Covered entities are also required under HIPAA to have in place a system of business policies that meet commonsense requirements about privacy protection both for paper records and for electronic records, such as a rule that files are to be kept in a secure location.
It is clear that when licensed health care providers work with patients within their scope of practice, they must comply with HIPAA because they are considered covered entities. Where things get murky is when a licensed health care provider works with clients via distance in a separate unregulated practice. Does HIPAA apply to the licensed health care provider who has a separate unregulated energy healing, wellness or coaching practice? For example, what if a chiropractor decides to offer EFT coaching sessions to clients via distance for stress management and life strategies? The chiropractor is not providing the EFT coaching sessions as part of his/her scope of practice as a chiropractor but only as an unregulated EFT practitioner and coach. Would the chiropractor need to use a HIPAA-compliant electronic platform for EFT coaching sessions? If you fit into this category, where the application of HIPAA is unclear, you have a couple of options. One is to choose to be HIPAA compliant in your unregulated practice. A second option is to seek professional advice from a HIPAA compliance specialist to determine if it is advisable to be HIPAA compliant or not.
Generally, unlicensed energy healing practitioners who are not also practicing some other regulated profession are not obligated to comply with HIPAA. However, the wording of HIPAA contains some ambiguity, which can create a problem for unlicensed energy healing practitioners. In those states with health care freedom laws, such as New Mexico, Minnesota and California, where unlicensed practitioners may offer their services as alternative healing arts practitioners, it is unclear whether they need to comply with HIPAA. Another example is the state of Colorado, where unlicensed practitioners can register with the state as an “unlicensed psychotherapist.” Do they need to comply with HIPAA? There is no authoritative answer and it is not clear what governmental body has the authority to provide an answer. If you are an unlicensed energy healing practitioner where the application of HIPAA is unclear, you must decide how you wish to proceed. If you are unclear or want to model your practice on that of licensed professionals, the safest counsel is to choose to comply with HIPAA on a voluntary basis. That means distance client sessions would need to be conducted on a secure, HIPAA-compliant electronic platform. With the uncertainty, it would be advisable to seek professional advice from a HIPAA compliance specialist.
In addition to HIPAA, energy healing practitioners need to be aware that they have a legal obligation to maintain the privacy and confidentiality of the information shared by their clients in sessions and to exercise due care. So, while unregulated practitioners may not be subject to HIPAA, they face a more significant legal risk if they fail to maintain the privacy and confidentiality of clients when conducting sessions remotely. An unlicensed practitioner could face a tort claim in civil court for breach of confidentiality, invasion of privacy or negligence. Because of the legal risks, the most prudent course of action would be to only use a secure electronic platform for distance client sessions. However, the costs of offering sessions on a secure electronic platform may be prohibitive for some energy healing practitioners. In such a case, there is a risk management strategy that can be implemented. When I draft a Client Agreement for an unlicensed practitioner, I always include in the confidentiality section of the Client Agreement that if any communication regarding the client’s session is conducted over the phone or via Zoom or another electronic platform, it is not possible to guarantee the confidentiality of the information. While that disclosure may or may not protect an unlicensed practitioner from a tort claim, it is an important risk management strategy to include in a Client Agreement.
Disclaimer: The information provided in this article is for educational purposes only and is not legal advice or opinion. Further, the information contained in the article is provided only as general information, which may or may not reflect the most current legal developments. The information provided in this article should not be used as a substitute for competent professional advice from a HIPAA specialist or from a licensed attorney in your state.
© 2018 Midge Murphy, all rights reserved. Any unauthorized use of this article is prohibited by federal law. No part of this document may be reproduced or transmitted in any form or by any means, including photocopying, for public and/or private use without permission in writing from Midge Murphy.