Why Most Therapists Are Not Legally Compliant
Wondering whether you’re legally compliant?
When the Department of Health and Human Services released its 2020 HIPAA Audit Report, the results were troubling.
The overwhelming majority of providers were not legally compliant in five out of seven areas examined.
Only 3 percent of HIPAA-covered entities received auditors’ top rating for risk management compliance. Zero received the top rating for risk analysis.
When new federal requirements took effect in 2022 for Good Faith Estimates (GFEs), many health care providers simply decided not to comply.
State requirements are also often not met. For example, here in California, I routinely see advertisements for master’s-level therapists that leave out legally required information. What’s more, many therapists offering telehealth services shrug their shoulders at the state’s requirements for telehealth.
Finally, about a quarter of mental health practitioners don’t do all of their required continuing education.
Reasons why therapists aren’t meeting compliance standards
When healthcare providers don’t comply with all of the state and federal rules governing their practices, they leave themselves at risk. Client complaints and lawsuits—as well as licensing board or HHS investigations—can result in fines and penalties. Violations that are severe or repeated can lead to the possibility of losing one’s license.
Given the level of risk involved, providers’ level of noncompliance with legal requirements can at first seem startling. But it raises the question: Why aren’t more people meeting these requirements?
I’ve been writing about ethics in mental health care for many years now, and I’m deeply interested in providers’ decision-making around legal and ethical issues. While there are certainly some disciplinary cases and lawsuits that result from providers’ lack of knowledge, it’s also true that many providers are keenly aware of the rules, and choose not to follow at least some of them.
While I don’t necessarily agree with those choices, I also can’t describe them as irrational.
Providers often thoughtfully choose which risks they will take in their practices.
Here are some of the reasons why providers sometimes actively choose noncompliance.
Not enough time or bandwidth to comply
Some choose to deprioritize areas of legal compliance that seem to present more work than reward.
Consider HIPAA compliance as an example.
While the 2020 audit report cautions providers against simply copying and pasting someone else’s Notice of Privacy Practices, developing your own practices document can be tedious and time-consuming. Furthermore, developing one with the help of a consultant or attorney can be expensive.
Consequently, some providers seem to take a check-the-box approach of at least having something, even if it isn’t in line with what their practice actually does with client information. It seems unlikely, after all, that a client would complain because they don’t find your Notice of Privacy Practices to be technically accurate. While I couldn’t find any hard data on the topic, I think it’s safe to say that a lot of clients treat the NPP like they treat a rental car contract, or like a phone app’s terms of service—and agree to it without actually reading it.
Some therapists disagree with the laws
In other instances, providers choose not to comply with a certain law because they don’t agree with the law.
In the 1980s, as many states enacted mandated-reporting laws for mental health professionals who become aware of child abuse, a sizeable number of psychologists (one-fourth, in one study) reported that making such a report was unethical in their view. It’s likely that some in this group chose not to make reports even when legally required to do so.
Speaking of the mandated reporting of child abuse, for many years California law was discriminatory against minors who identified as LGBT. Depending on the age combination of the minors involved, consensual sexual activity might be legal for heterosexual minors, but a mandated abuse report if those minors were instead in a same-sex relationship. That issue finally got fixed in 2021. Prior to the fix, many clinicians who felt that the law was unfair to LGBT minors simply chose not to report—a direct violation of the law—when they knew their minor clients were engaging in consensual sexual activity with someone of the same sex.
When providers see a rule as counter to clients’ best interests (or as irrelevant to those interests), they seem less likely to follow the rule. Here, their action (or lack thereof) is principled and symbolic: a small form of protest, done with awareness of the risks that come along.
Fatigue over paperwork
I’d also like to raise another possibility, which I’ve heard many clinicians voice in different forms over the past two years:
We’re required to do too much. Particularly around GFEs, I’ve heard several colleagues say that they find such new rules to be more exhausting than enlightening. When discussing GFEs in social media groups, I saw more than a few therapists and counselors say something to the effect of, “I’m already transparent with my pricing. Fee disclosures are required by my state. This is just more paperwork.”
When providers perceive their work as over-regulated in general, and efforts at compliance unlikely to have positive, practical impacts, they may essentially throw up their hands. The issue may not be any one specific rule, but their overall frustration with trying to keep up with so many rules and so many rule changes.
No one else is doing it
Lawyers and risk analysts like to talk about developing a “culture of compliance” in organizational settings, where every employee has a vested interest in ensuring that the workplace is compliant with all applicable legal and ethical standards. The oversight and supervision in such settings make a real difference. Colleagues can often quickly identify areas of concern, and help the organization to course-correct.
Peer pressure doesn’t happen as easily in private practice, though. Our colleagues usually don’t have a lot of visibility into the day-to-day activities of our practices. Clients tend to assume that we are fulfilling our responsibilities appropriately. Ultimately, a solo private practice may go for years without any meaningful outside review—unless, of course, there’s a lawsuit or complaint.
In that time, the urgency of compliance can seem to lessen. If clients don’t ask questions, and no one else sees your documents, what’s the point of investing the time and energy to make sure every proverbial box is checked?
Put another way, if we see that our peers are working diligently to comply with a specific standard, we’re likely to do the same, which has a direct impact on the standard of care. But the inverse is also true. When our peers don’t seem to care much about a rule, we seem less likely to care about it ourselves.
Making meaning out of noncompliance
So what does all this mean?
First, not all instances of noncompliance should be seen through the same moral lens.
Refusing to comply with a rule because one believes the rule is wrong is different from noncompliance out of ignorance or indifference.
Second, full legal compliance appears to be extremely rare in health care.
Even among those who pursue full compliance as a goal, the 2020 HIPAA audit makes clear that the overwhelming majority don’t achieve it. (To be clear, that includes me. While I strive for compliance, I’m also aware of areas in which I haven’t always met that standard.) Moreover, I am of the opinion that health care in general, and mental health care in particular, is over-regulated in the U.S., to the point that full legal and regulatory compliance is now, as the data shows, nearly impossible for the average practitioner. I am deeply concerned about the amount of power that affords regulatory bodies and disgruntled clients, who have the leverage to meaningfully harm the practice of almost any provider they don’t like.
Third, new state and federal regulations may be moving health care in general, and private practice in particular, away from a culture of compliance. The reasons for noncompliance described above can start to stack on top of one another. When new rules are seen as irrelevant or difficult to comply with, and are also seen as presenting relatively low risk for those who choose not to comply, the discussion among professionals becomes one of mutual shoulder-shrugging. If you don’t see that new rule as a big enough deal to put effort into, I guess I won’t either.
It can be helpful to remember that there’s a certain level of security that comes with legal and ethical compliance. Those standards exist, at least in part, to protect providers. When we can demonstrate that we have complied with the rules governing our work, we’re better protected from lawsuits, complaints, or other disciplinary actions. Every area of noncompliance presents at least the possibility, however remote, that a disgruntled client will discover a way that they can hurt you.
Licensing boards also tend to take a kitchen-sink approach to professional discipline. A customer complaint opens the door to an investigation, and the investigation can lead to charges regarding every area of noncompliance they find along the way, no matter how small we may perceive them to be. Even famous mobsters have ultimately been jailed not for their worst crimes, but because they didn’t follow tax law.
Examining your own compliance
As you work to improve compliance on an ongoing basis, it may be helpful to identify the areas where you see yourself falling short—and then to take an open, honest look at why. In some areas, you may just need updated information.
In others, you may be actively choosing to not attend to certain requirements. Do you stand by those choices? Could you justify them to colleagues and clients? Or, are you putting yourself at a higher level of professional risk than you would like?
It may well be the case that few, if any, of us follow every rule as it is written. But that also means we have great opportunities to improve—or to better understand why we’re choosing not to.