TPC-Journal-V2-Issue3

The Professional Counselor \Volume 2, Issue 3 192 HIPAA, HITECH and the Practicing Counselor: Electronic Records and Practice Guidelines Jeffrey S. Lawley The use of technology in counseling practice is constantly expanding, offering new tools for communication and record-keeping. These tools come with significant legal and ethical risks for counselors as well as counselor educators and supervisors. Rules from HIPAA and HITECH are discussed in relation to counselor practice. Guidelines for electronic records and communication are suggested. Keywords: counselor education, ethical risks, supervision, technology, electronic records The Professional Counselor Volume 2, Issue 3 | Pages 192–200 http://tpcjournal.nbcc.org © 2012 NBCC, Inc. and Affiliates www.nbcc.org doi:10.15241/jsl.2.3.192 In April 2005, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA; 2007) went into effect for all health care providers. New security standards (which specifically address protection of access to medical records, as opposed to privacy standards which address issues related to sharing of medical records with other entities) are now enforced for any professional that handles electronic Protected Health Information (ePHI), including professional counselors. Some aspects of the impact of HIPAA on individuals who are practicing as independent clinicians have been addressed previously (See Benefield, Ashkanazi,& Rozensky, 2006, and Brendel & Bryan, 2004 for examples). However, many discussions of HIPAA have been aimed at other types of practitioners. HIPAA’s rules have since been amended in a number of ways by the Health Information Technology for Economic and Clinical Health (HITECH) act, which was passed in 2009 and went into effect in February 2010. HITECH (2009) makes changes to some HIPAA rules regarding electronic security and access to ePHI. In comparison to discussions of other technological issues regarding counseling, such as online counseling (Richards, D., 2009; Rummel & Joyce, 2010), electronic security is a relatively new and sparse area in the counseling literature. The shifts in law regarding ePHI have direct effects on the way that some current counseling practices, such as e-mail interactions with clients (McDaniel, 2003), must be pursued. The question of practical implications of changing laws is made more complex by the fact that many of these rules are written with large organizations or medical practices in mind. This can leave the individual or small group practitioner without the resources of larger practices feeling overwhelmed. Regardless, counselors are required to be aware of not only important aspects of the HIPAA security rule, but also the ways in which it is amended by HITECH. Awareness of laws regarding practice and the use of technology is part of the American Counseling Association’s (ACA; 2005) ethical guidelines regarding limitations to confidentiality and privacy in the counseling process. Counselors may wish to discuss limitations specific to electronic medical records as part of this process (Richards, M., 2009). ePHI is defined as any Protected Health Information (PHI) that is stored on any form of electronic media, or which is transmitted in any electronic form (e.g., fax or Internet). This would include scanned records or correspondence that is written on a computer and then printed (Freeny, 2007). This does not include ePHI in educational records, which falls separately under the Family Educational Rights and Privacy Act (HIPAA, 2007). The security rule requires that medical professionals take measures to keep ePHI confidential and to protect it from disclosure. Additionally, counselors are to safeguard ePHI from any “reasonably anticipated threats or hazards to the security or integrity of such information” (HIPAA, 2007, §164.306 (a) (2)). Jeffrey S. Lawley is an Assistant Professor at Louisiana State University-Shreveport. Correspondence can be addressed to Jeffrey S. Lawley, Louisiana State University-Shreveport, 1 University Place, BE Building 348, Shreveport, LA 71115, jslawley@gmail.com.