Social workers frequently ask us if they really need written privacy policies and procedures. They’re in solo private practice, they do their own billing, and they have no staff. They keep their patients’ information confidential. Why would they pay an attorney to craft a HIPAA policies and procedures manual?
Recently, I asked a private practice LCSW whether she had HIPAA procedures in place. Her response? “I am my HIPAA procedure!” If only it were that simple.
Why does an LCSW in solo private practice need a HIPAA policy and procedure manual?
HIPAA requires any provider who files insurance claims electronically or who performs any other “covered transaction” to maintain written privacy policies and procedures – these providers are called “covered entities.” This requirement obligates a provider to do far more than maintain a pamphlet or packet outlining their privacy safeguards: it requires them to address various issues pertaining to privacy, security, and breach notifications. Within those three topics that must be addressed, providers must maintain written policies explaining how they’ll meet each of the law’s requirements. Furthermore, this requirement still applies if an LCSW doesn’t personally submit electronic claims but instead uses a biller or a medical billing clearinghouse.
Is HIPAA the only law that pertains to an LCSW’s privacy obligations?
No. HIPAA is a federal law, and LCSWs who are “covered entities” must comply with the requirements of both HIPAA and its accompanying federal regulations. In Illinois, social workers are also obligated to comply with the Clinical Social Work and Social Work Practice Act (225 ILCS 20), with the Illinois Department of Financial and Professional Regulation’s social work rules (which incorporates the ethical codes of the National Association of Social Workers and of the Clinical Social Work Federation), and with the Mental Health and Developmental Disabilities Confidentiality Act (“MHDDCA”), 740 ILCS 110. The MHDDCA governs the conduct of mental health providers and includes standards for disclosing, amending, or refusing to disclose a patient’s record, and it articulates who is entitled to access such records. It states that “blanket consent to the disclosure of unspecified information is not valid,” and sets forth the standard for patient consent to disclosure. It also addresses topics like disclosures between agencies, such as the Department of Human Services and the State Board of Education (740 ILCS 110/7.1); Brian’s Law disclosures (740 ILCS 110/7(c)); and disclosures among an interdisciplinary team or members of a staff (140 ILCS 110/9).
What is the risk of not maintaining written privacy policies and procedures?
Generally, the biggest risk is that the social worker might violate the law because of the absence of written privacy policies and procedures. Without established policies (which are themselves required by law), it’s difficult to remain abreast of the requirements. Thus, the risks include:
- inadvertent disclosure of more information to a health plan, parent, or fellow treating provider than is required
- failure to obtain the correct form of client consent prior to disclosing information
- failure to properly manage a parent or guardian’s access to a minor child’s records
- failure to comply with the requirements surrounding how you store and when you disclose session notes
- inadvertent disclosure of more information than is required to the Department of Children and Family Services, to the court, or to an attorney
- unawareness of the parameters of permissible insurance company “audits”
- failure to maintain records for a sufficient length of time
- failure to follow legally-required security procedures on electronic devices, including updates, security checks, virus and log-in monitoring, and adequate management of passwords
- inadvertent disclosure of information to a patient’s insurance company after they’ve exercised their self-pay rights
- misconstrue your obligation to disclose patient records in a legal proceeding
If a provider is randomly audited by HHS, they risk fines and penalties if they cannot demonstrate their compliance. The LCSW could also be fined and penalized if an inadvertent breach occurred and they needed to establish their compliance and couldn’t do so.
What are the penalties for noncompliance?
The penalties are steep:
- Violations of the MHDDCA can reach $10,000 per violation and result in disciplinary action against the LCSW’s license.
- Violations of the Social Worker Practice Act can result in a lawsuit – the law specifically provides for a cause of action by a person “aggrieved” by an LCSW’s violation of the act, and that person can also recover their attorney’s fees (740 ILCS 110/15).
- A knowing and willful violation of the Social Work Practice Act constitutes a criminal offense and is punishable accordingly (740 ILCS 110/16).
Depending upon the severity of the privacy breach and the provider’s efforts to protect against such a breach (for example, whether it was a result of “willful neglect” by the provider), the provider’s punishment will fall into one of 4 categories under HIPAA. Depending upon the category assigned to the violation, the associated penalties can reach $50,000 per violation. HHS will assess a maximum of $1.5 million per category, per year.
But HHS isn’t the only one who can take action against HIPAA offenders – some state Attorneys General will sue HIPAA covered entities in federal court for privacy breaches, and they can recover fines of $25,000 per violation category per year. If a practice’s breach affects patients in multiple states, they could be pursued by multiple Attorneys General.
It’s important to remember that a breach isn’t required for a provider to be fined or penalized. Noncompliance with the law is itself a violation for which providers can be fined.
How would I get caught?
- An accidental breach, like a lost laptop, would trigger a mandatory report to HHS and a subsequent investigation into the LCSW’s privacy practices.
- A patient complains about an LCSW’s privacy practices to a government agency.
- An LCSW is selected for a random HHS audit.
- Another provider reports an LCSW’s privacy breach.
- A patient sues the LCSW after being damaged or harmed from a disclosure of their personal information.
- One of an LCSW’s business associates (e.g., an office co-tenant, an email service provider, or a billing company) experiences a privacy breach, which triggers an investigation into that business’s associates whose patients might be affected.
- A breach comes to the attention of the court or state during legal proceedings involving the LCSW’s patient.
What do professional social work associations say about patient privacy?
The National Association of Social Workers reminds LCSWs that those who are “covered entities” under HIPAA’s definition – for this purpose, those who accept insurance – need written privacy policies and procedures. This includes having an appointed privacy and security officer, having written agreements with business associates, and providing patients with written notices of privacy practices that summarize your broader privacy practices and articulate their rights surrounding patient privacy issues.
See the NASW’s HIPAA website here.
Daily, we work with providers to ensure that they are compliant with HIPAA and the other laws that govern LCSWs’ privacy obligations. Through a collaborative process whereby we learn about the provider’s practice, goals, and needs, we create a workable policy manual that allows the provider to be compliant with the law while streamlining their practice operations. We also train providers in HIPAA compliance. If you’re based in one of the states where we have licensed attorneys, schedule a free consultation to learn more.
About the author
Erin K. Jackson is Jackson LLP’s Managing Partner. She is responsible for all aspects of firm management, is a sought-after speaker for healthcare conferences, and is a published author. She is specifically focused upon the intersection of the patient experience in healthcare with the legal and ethical responsibilities of providers.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.