The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

HIPAA Overview

In this article, learn about the component parts of HIPAA and how they fit together to protect patients' privacy.

By David G. Jensen
CAMFT Staff Attorney
The Therapist
(May/June 2003)

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was passed by Congress to promote standardization and efficiency in the health care industry. HIPAA will accomplish these goals by imposing new restrictions on how covered entities can use and share information and by creating new rights for individuals concerning their health information. HIPAA should help health care providers do business with health plans in less costly and more efficient ways, and it should give patients more rights and control over their health information.

In thinking about HIPAA, however, it's important to realize that HIPAA isn't just one big thing that you have to comply with; rather, it's four big things. These four component parts of HIPAA, much like the component parts of an engine, work together to accomplish HIPAA's purposes of streamlining the health care industry and affording patients more rights. The four component parts of HIPAA are: Privacy Requirements; Electronic Transaction and Code Sets Standards Requirements; Security Requirements; and National Identifier Requirements.

Privacy Requirements
HIPAA creates rights for patients concerning how their health information is used and disclosed by health care providers who are covered entities under HIPAA. These rights are set forth in the component part of HIPAA known as the Privacy Rule. The Privacy Rule essentially limits what you, as a health care provider, can do with a patient's health information without that patient's knowledge and consent. Furthermore, the Privacy Rule requires you to take reasonable precautions to keep patient information confidential and secure. The date set for complying with the Privacy Rule was April 14, 2003.

To understand the Privacy Rule, you need to have a working knowledge of the following terms and concepts:

  1. to Disclose information means to release it outside your practice; to Use information means to utilize the information inside your practice.
  2. to conduct Health Care Operations means to conduct certain activities such as case management and care coordination; contacting health care providers about treatment alternatives; reviewing the competence or qualifications of health care professionals; conducting training programs for trainees and interns; conducting or arranging for legal or auditing services; or conducting business management and general administrative activities, among others.
  3. the Minimum Necessary standard means that when using or disclosing protected health information you must make reasonable efforts to limit the protected health information to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
  4. to conduct Payment activities means to obtain reimbursement for rendering health care, and it includes such things as determining eligibility or coverage, billing, claims management, collection activities, utilization review activities, and disclosures to consumer reporting agencies, among others.
  5. Protected Health Information ("PHI") is individually identifiable health information that you create, receive, maintain, or transmit about your patients, whether such information is kept in electronic, paper, or oral form.
  6. Psychotherapy Notes is information recorded (in any medium) by you, as a mental health professional, documenting or analyzing the contents of your counseling sessions and that is kept separate from the rest of the patient's medical record. The definition of psychotherapy notes, however, excludes such things as medication prescription and monitoring, session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
  7. to conduct Treatment activities means the provision, coordination, or management of health care and related services by one or more health care providers.

Electronic Transaction and Code Sets Standards
HIPAA is designed to create one national "language" for covered entities so that all covered entities, whether they are health plans, health care clearinghouses, or health care providers, can communicate with one another in that language. The language that HIPAA has created is an amalgam of standard transactions, code sets, and identifiers, and HIPAA requires all covered entities to use this language when conducting transactions subject to it. By giving the health care industry a common language for electronic communication, the Electronic Transaction and Code Sets Standards will improve efficiency by standardizing communication between covered entities. The date for complying with the Electronic Transaction and Code Set Standards is October 16, 2003.

Security Requirements
An essential part of HIPAA is keeping patient information safe and secure from a variety of threats. The Security Rule sets out the minimum administrative, physical, and technical safeguards required to protect the confidentiality, integrity, and availability of a patient's health information in electronic form, that is, to prevent unauthorized access to electronic protected health information or the loss of such information. On February 20, 2003, the Department of Health and Human Services published final regulations on the Security Requirements. Although these regulations are effective as of April 21, 2003, health care providers who are covered entities have until April 20, 2005 to become fully compliant with them.

National Identifier Requirements
Another essential part of HIPAA is that covered entities be able to communicate with one another efficiently. To accomplish this objective, there needs to be a way for such entities to identify themselves when interacting with other covered entities. The National Identifier Requirement will require health care providers, health plans, and employers to have national identification numbers that identify them when they conduct standard transactions (transactions governed by HIPAA). For employers, the Employer Identification Number ("EIN"), which is issued by the Internal Revenue Service, was selected as the national identifier. However, for health plans and health care providers, national identifiers have not yet been established. Consequently, as a health care provider, you do not have to have a national identifier right now, but you may have to have one in the future, even if you are not a covered entity. Currently, there is no date for complying with the National Identifier Requirement.

Covered Entities
No overview of HIPAA would be complete without mentioning the central concept of covered entities. The concept of a covered entity is the lynchpin that holds all of the component parts of HIPAA together. Understanding who is and who is not a covered entity is important because HIPAA is only applicable to covered entities. Consequently, if you are a covered entity, you must comply with HIPAA. Conversely, if you are not a covered entity, you do not have to comply with HIPAA, unless you choose to do so.

So who are covered entities? Right now there are three groups listed in the regulations: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with certain administrative and financial

As a provider of mental health services, you are not a health plan or a health care clearinghouse. You may, however, depending upon how you utilize a computer in your practice, be a health care provider who conducts certain administrative or financial transactions electronically.
