Technology in Counselor Education: HIPAA and HITECH as Best Practice

Abstract

The use of technology in counseling is expanding. Ethical use of technology in counseling practice is now a stand-alone section in the 2014 American Counseling Association Code of Ethics. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act provide a framework for best practices that counselor educators can utilize when incorporating the use of technology into counselor education programs. This article discusses recommended guidelines, standards, and regulations of HIPAA and HITECH that can provide a framework through which counselor educators can work to design policies and procedures to guide the ethical use of technology in programs that prepare and train future counselors.Keywords: counselor education, technology, best practice, HIPAA, HITECHThe enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) brought forth a variety of standards addressing the privacy, security and transaction of individual protected health (PHI; Wheeler & Bertram, 2012). According to the language of HIPAA (2013, §160.103), PHI is defined as individually identifiable health information (p. 983) that is transmitted by or maintained in electronic media or any other medium, with the exception of educational or employment records. identifiable health information is specified as follows:Information, including demographic data, that relates to:* the individual's past, present or future physical or mental health or condition,* the provision of health care to the individual, or* the past, present, or future payment for the provision of health care to the individual, and that identifies the individual for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health includes many common identifiers. (U.S. Department of Health and Human Services [HHS], n.d.-b, p. 4)The HIPAA standards identify 18 different elements that are considered to be part of one's PHI. These include basic demographic data such as names, street addresses, elements of dates (e.g., birth dates, admission dates, discharge dates) and phone numbers. It also includes such as vehicle identifiers, Internet protocol address numbers, biometric identifiers and photographic images (HIPAA, 2013, § 164.514, b.2.i).According to language in HIPAA, the applicability of its standards, requirements and implementation only apply to entities, which are (1) a health plan (2) a health care clearinghouse (3) a health care provider who transmits any health in electronic form in connection with [HIPAA standards and policies] (HIPAA, 2013, § 160.102). Covered entities have an array of required and suggested privacy and security measures that they must take into consideration in order to protect individuals' PHI; failure to protect individuals' could result in serious fines. For example, one recent ruling found a university medical training clinic to be in violation of HIPAA statutes when network firewall protection had been disabled. The oversight resulted in a $400,000 penalty (Yu, 2013). Moreover, the recent implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 increased the fines resulting from failure to comply with HIPAA, including fines for individuals claiming they did not know that can range from $100-$50,000 (Modifications to the HIPAA Privacy, 2013, p. 5583). The final omnibus ruling of HIPAA-HITECH, enforcing these violations, went into effect on March 26, 2013 (Modifications to the HIPAA Privacy, 2013; Ostrowski, 2014). Enforcement of the changes from the HITECH Act on HIPAA standards began on September 23, 2013, for covered entities (Modifications to the HIPAA Privacy, 2013).Academic departments and universities must understand the importance of HIPAA and HITECH regulations in order to determine whether the department or university is considered a covered entity. …