Overview of The Three Standards of HIPAA Relevant to Psychotherapists

Barney McDowell 3-10-03

 I.  Health and Human Services published three separate “standards” required of all “covered entities”:  1) the Privacy Standards, 2) the Security Standards, and 3) the Transaction Standards.  The “standards” are sometimes called “Rules”.

II. The first task for each health care provider is to determine if the law considers them to be a “covered entity” or “non-covered entity”: 

A.    If a provider qualifies as a non-covered entity, the law simply doesn’t apply to their practice.  (See our separate section on this topic!) 

B.  If a provider is “covered”, different requirements ensue for each of the three rules:

1)     the “Privacy Standard” applies to “uses and disclosures” of all “protected health information” in paper, electronic, or oral forms.  This is addressed in the bulk of the materials you will find under our HIPAA Help section.

2)     the Transaction Standards apply only to electronic “transactions”; this ‘rule’ amounts to prescribed software codes that have been issued by the government for how protected health information must be guarded when transmitted electronically.

3)     the Security Standards specify “physical, administrative, and technical” protective measures against unauthorized “access, alteration, deletion, and transmission” of electronic information that is “created, maintained, received, or transmitted”.

III.  Different Deadlines for Compliance for Each of the Three Standards

A.  Privacy Standards:  April 14, 2003

B.    Security Standards:  April 21, 2005

C.  Transactions Standards:  This is already in effect as of October 16, 2002, unless a covered entity filed for an extension before that date.  Also, if a covered entity has never done an electronic transaction and hasn’t filed for an extension, April 14, 2003 will be the compliance date if, indeed, they ever do participate in an electronic transaction.