HIPAA Compliance for Behavioral Health

The Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Rule are laws that protect patient privacy. Consumers of medical, dental, and mental health services are very familiar with the practice of signing HIPAA release forms. People sign these forms when they check in with a provider for the first visit, and then periodically after.

HIPAA compliance for behavioral health centers has been critical in giving patients the confidence to seek treatment. When signing a HIPAA release prior to rehab or mental health treatment, patients feel assured that their data is safe. This means that any lab results and therapist notes are kept secure and confidential.


HIPAA was passed in 1996 in order to establish national privacy standards for entities in the medical and related fields. The law added new rules in 2016 to further ensure that medical entities were complying with the law. Following the adoption of electronic health records (EHR), this amendment focused on protecting patients’ digital privacy.

HIPAA compliance is overseen by the Department of Health and Human Services. Its Office for Civil Rights (OCR) is responsible for enforcing privacy laws, and randomly selects providers to audit for compliance.

HIPAA compliance involves these three areas of focus:

  • The Privacy Rule. The Privacy Rule ensures the privacy of protected health information (PHI). This includes putting standards in place for protecting EHR.
  • The Security Rule. The security rule requires that administrative, technical, and physical safeguards be put in place to protect health information.
  • Notification in Event of Breach. The entity that experiences a HIPAA breach is required to notify various parties about the violation.

OCR established financial penalties in 2019 that apply to providers that fail to comply with HIPAA. Fines can become quite costly and are meant to deter providers from breaching HIPAA. These fines escalate as follows:

  • Tier 1: Minimum fine of $127 per violation up to $63,973 per year. The provider is unaware of the violation.
  • Tier 2: Minimum fine of $1,280 per violation up to $63,973 per year. The entity knew about or should have known about the violation.
  • Tier 3: Minimum fine of $12,794 per violation up to $63,973 per year. Willful neglect of rules with correction within 30 days.
  • Tier 4: Minimum fine of $63,973 per violation up to $1,919,173 per year. Willful neglect of rules and no attempt made to correct them.

Also, HIPAA-like state laws allow healthcare or mental healthcare entities to be sued for much larger sums.

About the Privacy Rule and Tele-Health

In 2020, an additional layer of patient protection, called the Privacy Rule, was added to HIPAA. This was needed due to the growth of telehealth and tele-mental health platforms that conducted sessions online. The Privacy Rule specifically addressed the need to keep PHI private.

The Privacy Rule set national standards for PHI for three types of healthcare entities. These are health plans, healthcare clearinghouses, and healthcare providers that conduct medical or mental health sessions electronically.

Why HIPAA Compliance Is Essential in Behavioral Health

Because of the stigma associated with mental health or addiction treatment, it is crucial that patients are assured confidentiality. HIPAA safeguards patient PHI from unauthorized access and disclosure. The PHI protected includes:

  • Patient data, such as name, Social Security number and contact information.
  • Patient medical records.
  • Patient treatment plan.
  • Patient billing records.

To motivate providers to comply with HIPAA laws, and deter violations, OCR has established penalties.

Someone seeking treatment for a mental health or substance use disorder needs to be fully transparent with the clinical team. This helps to ensure a proper diagnosis and the treatment plan that follows. HIPAA provides the assurance that the information a patient provides is held in the strictest confidence.

Who Monitors HIPAA Compliance at Behavioral Health Centers?

While the OCR enforces HIPAA compliance, that is not who oversees daily operations on site. Behavioral health entities should have someone in charge of monitoring HIPAA compliance.

This person may be an employee whose sole job is to ensure that all departments adhere to HIPAA rules. This person’s job title is Privacy and Security Officer. The person filling this role may be an employee of the practice or an outside sub-contractor.

A sub-contractor may be a consultant who is scheduled quarterly to come on-site and review all departments. They look for any signs of non-compliance and then file a report with the owner of the practice. This allows the provider to make timely corrections and provide updated training for employees.

Seek Assistance for HIPAA Compliance for Behavioral Health Centers

When a behavioral healthcare center violates HIPAA, it has far-reaching adverse effects. Not only has the patients’ privacy been violated, but the breach can cause serious problems in their personal and professional lives.

If a treatment center is cited by the OCR, it can face stiff penalties that result in harsh financial impacts. In addition, some state laws may also have been breached, which could lead to lawsuits.

Providers must put in place safeguards to ensure HIPAA compliance. This is a role the provider may want to contract out to a behavioral healthcare consultant. Whether the provider opts for a monthly or quarterly contract, the consultant is able to take on this responsibility.

To further avoid non-compliance, the consultant keeps the practice up to date on any new rules or laws that come out of HHS. It is wise to keep in mind that lack of knowledge of the law does not protect the provider from being issued Tier One violations of up to $63,973 per year. Doesn’t it make sense to ensure compliance from the outset?

Circa Behavioral Healthcare Solutions Provides

Circa Behavioral Healthcare Solutions offers a full spectrum of consulting services, including HIPAA compliance monitoring. Learn more about our services by calling our team today at (888) 458-6619 or submitting a contact form.