By Sept. 23, practitioners covered by the Health Insurance Portability and Accountability Act (HIPAA) must implement changes required by the HIPAA Final Rule, which was released in January by the U.S. Department of Health and Human Services. Most psychologists trigger the need to comply with HIPAA by electronically transmitting patient information in connection with insurance claims or other third-party reimbursement.

The most important changes affecting psychologists concern breach notification, notice of privacy practices and business associates. Psychologists will be required to conduct risk assessments if a breach occurs, and will need to make changes to their notice of privacy practices and their business associate contracts.

Changes to enforcement policies are critical and could result in penalties of up to $1.5 million a year for each HIPAA requirement violated. Stiffer penalties and enforcement are aimed at those who should be complying, but have not taken the basic steps to comply with the HIPAA Privacy Rule and HIPAA Security Rule.

The APA Practice Organization (APAPO) has prepared resources to help practitioners understand the changes and come into compliance. The Privacy Rule Primer has been updated to explain how Final Rule changes affect Privacy Rule compliance. The Primer provides a refresher for those who started complying years ago, and an introduction for new practitioners just starting with HIPAA. It covers HIPAA basics such as who needs to comply with the Privacy Rule and Security Rule.

APAPO has also developed a resource called The HIPAA Final Rule: What You Need To Do Now. This resource updates existing compliance information and forms, and includes inserts to update existing HIPAA forms. It is being provided to APAPO members and to past and future purchasers of the HIPAA for Psychologists compliance product. This resource, the Privacy Rule Primer and other HIPAA resources are available in the HIPAA compliance section of APAPO's Practice Central website.