HIPAA Policies Updated

NASW has updated its Health Insurance Portability and Accountability Act, or HIPAA, online policies, forms and online training course.

The information can assist social workers who are required to abide by the client privacy policies outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act, said Sherri Morgan, associate counsel for the NASW Legal Defense Fund.

As a result of the HITECH amendments, HIPAA standards have been tightened and clarified to reflect needed changes and they list specific notification requirements to clients if there is an unauthorized release of their private health records, specifically if the information is not encrypted.

While adherence to HIPAA has been complaint-driven in the past, government enforcement and stiffer penalties for noncompliance are expected to increase this year, Morgan explained. “The Office of Civil Rights for the Department of Health and Human Services is responsible for enforcing these rules,” she said. “However, state attorneys general also have been granted authority for civil enforcement.”

Social workers are encouraged to read the LDF February Legal Issue of the Month: HITECH HIPAA for Social Workers to learn about the latest requirements, Morgan noted.

Another source for information is the Department of Health and Human Services’ Web site Health Information Privacy.

At press time, several new rules for HIPAA-covered entities were expected to have taken effect in February, Morgan said.

Of particular note, health care entities, including clinical social workers, must comply with clients’ requests:

  • for a copy of their records, including in electronic format;
  • for their medical records to be forwarded to another entity or individual through electronic means if applicable;
  • for the provider not to notify their health plan, if they pay for services out of pocket; and
  • to opt out of any marketing or fundraising program.

Covered entities are also expected to have a HIPAA agreement in place with any third-party business associates, Morgan said. Existing agreements should be updated to reflect the new breach notification requirements and business associates’ expanded HIPAA compliance obligations which are now similar to covered entities’ obligations.

At press time, it was anticipated that HHS will provide updated information about the most effective client privacy safeguards; a report about HIPAA audit and enforcement changes; and an outline of civil and monetary penalties for noncompliance.

To assist social workers in meeting their HIPAA training requirements, NASW will debut an updated HIPAA training course that incorporates the HITECH Act. While there is a fee to take the course, members will receive a discount, Morgan said. The course is also open to nonmembers.

Members will be able to download updated HIPAA policy documents and client template forms.

Social workers are also encouraged to review their state’s health care privacy standards, Morgan said, as many states have existing privacy breach notification laws.


Information on the new (2017) NASW Website: