Does HIPAA Apply to You? You Might Not Be Compliant.
“HIPAA doesn’t apply to me.” We hear it all the time. But are you willing to bet your practice’s future and your patients’ trust on that assumption? Find out if you’re required to follow HIPAA and how to step onto the path to compliance.
(Originally published December 16, 2018. Updated September 21, 2021)
HIPAA, which is shorthand for the Health Insurance Portability and Accountability Act of 1996 and its accompanying set of federal rules and regulations, sets national requirements for the privacy and security of patient records. It tells you what information you must protect, how you should protect it, and what to do if there’s a breach. And most importantly: it applies to nearly everyone who encounters patients’ health information.
Many small healthcare practices and health-related businesses wrongly believe that HIPAA doesn’t apply to them. They thus inadvertently violate its stringent patient privacy mandates — risking significant penalties and government audits.
As a federal law, HIPAA sets the minimum national standards that must be followed by health plans, health clearinghouses, healthcare providers, and business associates that maintain and transmit digital health records. States can heighten these requirements for providers and business associates practicing within their borders. That’s right — you can satisfy HIPAA and still come up short under your own state’s requirements.
HIPAA’s requirements are stricter than you think.
If you believe that your healthcare practice is exempt from HIPAA, or that your DIY compliance efforts will satisfy the government, tread carefully. Unfortunately, not all electronic medical record (EMR or EHR) systems are HIPAA compliant. The same goes for communication platforms. For example, although the federal government relaxed a few very specific enforcement guidelines for communications during the COVID-19 emergency, many public-facing communication platforms remain prohibited.
In short, for healthcare professionals, practices, and business associates required to abide by HIPAA’s requirements (called “covered entities”), all patient relationships and policies, practice procedures, and vendor relationships must conform to HIPAA.
HIPAA policies must address privacy, security, and breach.
HIPAA mandates that covered entities maintain written policies and procedures. These policies must address three general topics: the privacy rule, the security rule, and breach notification. The privacy rule is the best known of these, but it’s just the tip of the HIPAA iceberg.
HIPAA and Privacy
The Scope of PHI
HIPAA’s privacy rule governs how covered entities should guard individually identifiable protected health information (PHI). The scope of PHI is much broader than many covered entities assume. It includes information like
- Name, address, date of birth, age, and social security number,
- Treatment records,
- Patient questionnaires,
- Billing and coding records,
- Patient visit/no-show attendance records,
- HIV/AIDS status,
- Mental health records,
- Physician narratives,
- Past, present, and future diagnoses or conditions,
- Past, present, and future treatments received.
HIPAA protects any information that might reasonably identify a patient from disclosure. Even revealing someone’s status as your patient without written authorization can violate the law. Say, for example, you thank a current patient for referring her friend to you as a new patient. In this case, you likely violated HIPAA by revealing that your current patient’s friend is now seeing you for care. That your patient referred her friend is irrelevant — you still revealed confidential information about your new patient.
The Limits to PHI Disclosure
HIPAA’s privacy rule only allows a covered entity to disclose a patient’s PHI with written authorization and in limited situations. A provider may disclose information:
- directly to the patient
- to other healthcare professionals for the purpose of the patient’s care
- necessary for payment (i.e., billing department or collection agency)
- that falls within some narrow allowances for medical research and practice operational purposes
- necessary to serve the public interest and public health (e.g., threats of harm, reports of abuse, criminal activity, or responding to a subpoena)
- as is incidental to other permissible purposes
A covered entity’s policy manual should include compliant disclosure forms appropriate for their practice area. Different types of disclosures require different forms of patient authorization, so your policies must carefully track HIPAA’s regulations.
In rare situations, HIPAA doesn’t apply. Or, more accurately, HIPAA occasionally allows the disclosure of PHI without the patient’s authorization or knowledge (e.g., emergencies, mandated abuse reporting). It’s crucial to understand the laws that apply to your practice and your obligations to both your patients and the public.
HIPAA’s security rule requires that you satisfy a high level of recordkeeping security.
HIPAA’s security rule requires that you securely maintain patient records. Your written policies must address its requirements thoroughly.
To understand the difference between the privacy and security rules, consider the following example: The privacy rule prohibits you from discussing a patient’s identity and diagnosis in a coffee shop (you’re not keeping their information private). The security rule prohibits you from charting the day’s records while on your laptop in a coffee shop (the wifi isn’t secure).
A provider’s required degree of security depends upon the:
- likelihood of breach
- type of records being stored
- practice size
- cost of compliance.
To be clear: implementing no security is not an option. For a large hospital, a private server in a locked room with a secure wifi network and an in-house IT team may be required. In contrast, a sole practitioner psychiatrist may be required to maintain a secure wifi network (VPN) and a fingerprint-accessed laptop. These are mere examples to illustrate how the government may weigh the risk of breach against the burden of compliance.
Does HIPAA apply to your healthcare practice?
Covered entities must comply with HIPAA’s requirements.
HIPAA applies to health plans, health clearinghouses, and healthcare providers – essentially anyone involved in creating or maintaining patients’ healthcare records. These covered entities may include:
- Medical data processing agencies
- Private health insurance plans
- Self-insured employers
- Medical billing services
- Health management companies and management service organizations (MSOs)
- Physicians, psychiatrists, APRNs, and other providers
- Healthcare entities like ACOs, ambulatory surgery centers, or urgent care facilities
- Medical spas, laser centers, aesthetic practices, and cosmetic surgery practices
A covered entity’s business associates must also comply with HIPAA.
A business associate is broadly defined as any person or entity that encounters or discloses PHI. When a covered entity works with a business associate, the covered entity must enter into a Business Associate Agreement (BAA). A BAA is a contract through which each party agrees to maintain legally sufficient HIPAA policies and procedures. Healthcare attorneys typically craft BAAs and will often include sample language in the HIPAA policy manual.
A covered entity’s business associates may include:
- Accountants and bookkeepers
- Financial professionals and advisors
- Management, leadership, and productivity consultants
- Data managers, IT consultants, and technology repair professionals
- Collection agencies
- Medical accreditation entities
Looking at these examples, it’s hard to imagine how a management consultant working with a CEO may encounter PHI. However, that consultant is likely to meet with the CEO at the practice. There, they will encounter patients in the waiting room and in the areas of the practice that generally remain off-limits to the public. These are the spaces in which clinical staff make confidential calls about emergent patient issues, new or refilled prescriptions, or appointment reminders. Other providers may be charting between patient visits and leave PHI openly displayed on their screens. The list could go on. Thus, it becomes readily apparent how anyone allowed behind the front desk of a practice could quickly encounter PHI.
Any individual (or entity) who obtains or transfers personal medical information in electronic format during the course of business can find themselves subject to HIPAA’s stringent requirements.
Most Overlooked Aspects of HIPAA
1. HIPAA requires written policies and procedures.
HIPAA requires covered entities to maintain written policies and procedures which address each aspect of the law. Unfortunately, many practices mistakenly believe that a Notice of Privacy Practices — the form that you receive the first time you visit a new doctor — is sufficient to demonstrate compliance with this requirement. Yes, practices must provide patients with their Notice of Privacy Practices, but the document must actually reflect a summary of that practice’s privacy practices. In other words, the Notice of Privacy Practices document provides a bird’s-eye view of your comprehensive procedures. It offers patients an overview of how you maintain the security and privacy of their records. Thus, it is useless if not supported by detailed internal policies that govern your day-to-day operations.
Sadly, a stunningly large number of covered entities and business associates do not have the legally required written policies and procedures manuals. Because this is the first document that government auditors will request when reviewing your practice operations for compliance, it’s crucial to keep it up-to-date.
2. HIPAA only allows the “minimum necessary” PHI to be disclosed.
Providers can access only the “minimum necessary” PHI at work to perform their jobs. It’s for this reason that a physician’s EMR/EHR login grants them access to only their patients’ records and not the records of their colleagues (without good cause).
In other words, a practice’s employees should only have access to protected health information specific to their position. For instance, a physician may need access to a patient’s full medical history, but a medical coder should only see diagnostic codes and insurance information. A lab technician should only have access to requisitions, not a patient’s complete medical history. We’ve seen some high-profile instances of minimum necessary violations when hospital staff members peek at the records of celebrity patients who are not under their care.
This requirement also applies to the myriad of records requests made by patients. For example, if a patient authorizes their physician to release records concerning their herniated disc with a physical therapy clinic, the physician should interpret that request narrowly. If the patient’s full record includes information not necessary for that treatment — for example, the patient’s HIV-positive status — the physician should not disclose that unnecessary information.
The same rule holds when releasing information to business associates. When a patient’s file is sent to a collection agency, most of the treatment details should be omitted. And when a patient authorizes the release of their therapy records for 2015 through the present, the practice must be careful not to release the patient’s entire record, which stretches into early 2014. Missteps in these nuanced situations can create major headaches for all parties involved and significantly impact the security and privacy of a patient’s records.
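The “minimum necessary” examples above (role-limited views, access only to patients in one’s care, and narrowly scoped releases by condition and date range) translate directly into access-control code. The following is an added illustration, not code from this post or from Jackson LLP: the patient record, the role names (`physician`, `coder`, `lab_tech`, `collections`), the diagnosis codes and the helper names are all constructed for the example.

```python
"""Minimum-necessary access to PHI: role-based section filtering, a treating-relationship
check, and narrowly scoped releases. Added illustration with constructed data."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample record for a fictional patient; the codes are ICD-10-style placeholders.
RECORDS = {
    "P-001": {
        "demographics": {"name": "Jane Sample", "dob": "1980-02-14"},
        "insurance": {"payer": "Example Health Plan", "member_id": "EX-12345", "balance_due": 120.0},
        "diagnosis_codes": ["M51.26", "B20"],  # lumbar disc herniation; HIV disease
        "requisitions": [{"id": "REQ-1", "test": "CBC"}],
        "notes": [
            {"date": "2014-03-02", "kind": "therapy", "condition": "M51.26", "text": "PT eval"},
            {"date": "2015-06-10", "kind": "therapy", "condition": "M51.26", "text": "PT session"},
            {"date": "2016-01-05", "kind": "clinic",  "condition": "B20",    "text": "Viral load"},
            {"date": "2021-08-20", "kind": "therapy", "condition": "M51.26", "text": "PT session"},
        ],
    }
}

# Which top-level sections each (assumed) role needs to do its job.
ROLE_FIELDS = {
    "physician": {"demographics", "insurance", "diagnosis_codes", "requisitions", "notes"},
    "coder": {"diagnosis_codes", "insurance"},        # codes and payer info, no narratives
    "lab_tech": {"requisitions"},                     # requisitions only, no history
    "collections": {"demographics", "insurance"},     # balance and contact info, no treatment detail
}


@dataclass
class User:
    name: str
    role: str
    assigned_patients: set = field(default_factory=set)  # patients this user actually serves


def view_for_user(user, patient_id):
    """Return only the sections the user's role needs, and only for patients in their care.
    Looking up a patient who is not assigned (the celebrity-record problem) is refused."""
    if user.role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {user.role!r}")
    if patient_id not in user.assigned_patients:
        raise PermissionError(f"{user.name} has no treatment or billing relationship with {patient_id}")
    record = RECORDS[patient_id]
    return {section: data for section, data in record.items() if section in ROLE_FIELDS[user.role]}


def scoped_release(patient_id, conditions=None, kinds=None, start=None, end=None):
    """Build the subset of a record for an authorized disclosure, interpreted narrowly:
    only the named conditions, note kinds and ISO date window; nothing else leaves the practice."""
    record = RECORDS[patient_id]
    lo = date.fromisoformat(start) if start else date.min
    hi = date.fromisoformat(end) if end else date.max

    def wanted(note):
        when = date.fromisoformat(note["date"])
        return ((conditions is None or note["condition"] in conditions)
                and (kinds is None or note["kind"] in kinds)
                and lo <= when <= hi)

    codes = [c for c in record["diagnosis_codes"] if conditions is None or c in conditions]
    return {
        "patient": record["demographics"]["name"],
        "diagnosis_codes": codes,
        "notes": [n for n in record["notes"] if wanted(n)],
    }


if __name__ == "__main__":
    coder = User("Pat Coder", "coder", {"P-001"})
    print(view_for_user(coder, "P-001"))                       # codes and insurance only
    print(scoped_release("P-001", conditions={"M51.26"}))      # PT referral: no HIV-related entries
    print(scoped_release("P-001", kinds={"therapy"}, start="2015-01-01"))  # 2015 to present only
```

Two design choices matter here: the treating-relationship check runs before any field filtering, so a valid role never becomes a license to browse every chart, and `scoped_release` defaults to returning nothing outside the stated scope rather than everything minus an exclusion list, which is what keeps the 2014 entries and the unrelated diagnosis out of a release.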
3. HIPAA mandates patients’ right to access their health records.
Although HIPAA is best known for its protections against breaches and improper disclosure, HIPAA’s Right of Access provisions detail the requirements for healthcare providers when a patient asks for health records. Under these provisions, healthcare providers must furnish records in a timely manner, in the requested format, and for free or for the reasonable cost of producing the records — among several other requirements. In recent years, the government has vigorously pursued providers who garner complaints.
As with other areas of HIPAA, covered entities should not leave compliance to chance. In short, every practice’s formal HIPAA plan should address patients’ rights to access their health information.
Penalties for HIPAA Violations Are Significant
HIPAA has teeth, and it carries criminal penalties and civil penalties up to $50,000 per violation. Moreover, a HIPAA auditor’s corrective action plan can be financially crippling for a small or mid-sized practice.
The most common violations are:
- inadequate or non-existent written policies and procedures
- unencrypted or stolen USB computer drives, laptops, and email containing PHI
- inadequate security awareness
- lack of training for staff and providers.
One sobering example: The Office for Civil Rights slammed a covered entity for nearly $2 million in penalties when an unencrypted laptop containing PHI went missing – in large part because investigators concluded that the covered entity used insufficient encryption throughout the entire company.
Electronic mobile devices can be especially vulnerable to breaches. “Covered entities and business associates must understand that mobile device security is their obligation,” warned Susan McAndrew, former deputy director of health information privacy for the Office for Civil Rights. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
Still not convinced that HIPAA compliance is serious business? Here is the HIPAA Wall of Shame, a public list of HIPAA breaches. If your breach affects 500+ persons, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires that it be posted publicly on OCR’s website. Showing up there can’t be good for business.
To avoid massive fines, create and conform to a written HIPAA plan, train your staff, perform regular risk assessments, and regularly update your policies.
Schedule a Complimentary Phone Consultation with a HIPAA Attorney
Jackson LLP’s dedicated healthcare lawyers are committed to making HIPAA compliance straightforward and stress-free. By working to understand our clients’ practices and business ventures, we create HIPAA policies that simplify their day-to-day operations and help them sleep better at night, knowing that if an auditor knocks on their door, they can demonstrate and explain their compliance efforts.
If you operate in one of the states where we practice, you can schedule a complimentary phone consultation with one of Jackson LLP’s healthcare attorneys. Click the button below to learn how we can help your healthcare practice avoid the headaches of a failed audit, preventable breach, or other breakdowns in HIPAA compliance.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.