The Application of California law, HIPAA and Ethical Codes in School-Based Therapy Programs
by Michael Griffin, JD, LCSW
Staff Attorney
The Therapist
March/April 2018

This article is Part II of a three-part series entitled Practice Guidelines for School-Based Psychotherapists. In the March/ April, 2017 issue of The Therapist, Part I of this series discussed the Family Educational Rights and Privacy Act (FERPA)¹ and its application to school-based psychotherapists.² This article discusses the application of the Health Insurance Portability and Accountability Act (HIPAA), California laws and professional ethical codes to school based practice, and Part III of the series (in this issue), applies the principles discussed in Part I and Part II to a variety of common scenarios.

As discussed in Part I, FERPA applies to education records which are created and maintained by schools (public or private), that receive funding from the U.S. Department of Education, and which are directly related to the student.³ FERPA does not apply to records which are kept in sole possession of the maker and which are not accessible or revealed to any other person, including records which were created and maintained for the purpose of documenting confidential mental health treatment.⁴ Records which are maintained by mental health providers who are either contracted or employed with the school district to provide mental health treatment to students, could not therefore, be shared with any other person or entity unless the disclosure was permitted by the applicable provisions of (HIPAA), state laws and professional ethical codes.

Overview of HIPAA
HIPAA was passed for the purpose of establishing national security and privacy standards for the protection of private health information.⁵ While HIPAA is comprised of many components, the following discussion is intended as an overview of selected key elements of the law.⁶

Covered Entities
HIPAA only applies to individuals and organizations which qualify as “covered entities” under the law. A covered entity is defined as: 1) a health plan; 2) a healthcare clearinghouse; or, 3) a health care provider who transmits health information in electronic form in connection with certain administrative and financial transactions, also known as “covered transactions.”⁷ Covered transactions include, but are not limited to, billing a health plan electronically; checking a client’s eligibility and health benefits via the health plan’s website; and receiving confidential client information from health plans via e-mail. Merely e-mailing clients, storing client records electronically, or providing therapy services electronically are not “covered transactions” under HIPAA, and such transactions do not qualify the provider as a “covered entity.” Most schools are not HIPAA covered entities as they do not engage in one or more of these covered transactions. However, some school-based mental health treatment programs may elect to voluntarily comply with HIPAA, and this article provides an overview of relevant requirements.

Business Associates
If a HIPAA-covered entity engages a person or other business entity to perform certain functions or activities that involve the use or disclosure of protected health information on behalf of the covered entity, the third party is known as a “business associate.” In such instances, the covered entity must have a Business Associate Agreement (“BAA”) with the third party. A BAA must describe what the business associate has been contracted to do, and it must require the business associate to comply with HIPAA.

The HIPAA Privacy Rule
One of the core components of HIPAA is known as the “Privacy Rule.” The HIPAA Privacy Rule requires covered entities to protect individuals’ private health information (“PHI”), by requiring appropriate safeguards to protect client’s privacy, and defines conditions which govern the uses and disclosures of PHI without client authorization.⁸ The Privacy Rule provides the following six rights:

1. The right to request restrictions on certain uses and disclosures of their PHI
2. The right to receive confidential communications from health care providers
3. The right to inspect and receive a copy of their PHI
4. The right to receive an accounting of disclosures of their PHI
5. The right to amend their PHI, and
6. The right to receive a paper copy of the provider’s Notice of Privacy Practices

Before You Get Started