Does HIPAA Apply to You? You Might Not Be Compliant.
“HIPAA doesn’t apply to me.” We hear it all the time. But are you willing to bet your practice’s future and your patients’ trust on that? HIPAA sets national requirements for the privacy and security of patient records. It tells you what information you must protect, how you should protect it, and what to do if there’s a breach. And most importantly: it applies to nearly everyone who encounters patients’ health information.
HIPAA is shorthand for the Health Insurance Portability and Accountability Act of 1996 and its accompanying set of federal rules and regulations governing healthcare records privacy and access. As a federal law, HIPAA sets the minimum national standards that must be followed by health plans, health clearinghouses, healthcare providers, and business associates that maintain and transmit digital health records. States can heighten these requirements for providers and business associates practicing within their borders.
Many healthcare entities wrongly believe that HIPAA doesn’t apply to them. They thus inadvertently violate its stringent patient privacy mandates – risking significant penalties and government audits.
HIPAA’s requirements are stricter than you think.
If you believe that your healthcare practice is exempt from HIPAA, or that your DIY compliance efforts will satisfy the government, tread carefully. In an ever-changing technology landscape, not all electronic medical record (EMR or EHR) systems are HIPAA compliant. The same goes for communication platforms; Google Voice, for example, is not HIPAA compliant. For healthcare professionals, practices, and business associates that are required to abide by HIPAA’s requirements (these parties are all called “covered entities”), their patient relationships and policies, practice procedures, and vendor relationships must all conform to HIPAA.
Your policies must address privacy, security, and breach.
HIPAA mandates that covered entities maintain written policies and procedures addressing three general topics: the privacy rule, the security rule, and breach notification. The privacy rule is the best known of these, but it’s just the tip of the HIPAA iceberg.
HIPAA’s privacy rule protects private information from disclosure.
HIPAA’s privacy rule governs how covered entities should guard individually-identifiable protected health information (PHI). The scope of PHI is much broader than many covered entities assume. It includes information like:
- Name, address, date of birth, age, and social security number,
- Treatment records,
- Patient questionnaires,
- Billing and coding records,
- Patient visit / no-show attendance records,
- HIV/AIDS status,
- Mental health records,
- Physician narratives,
- Past, present, and future diagnoses or conditions,
- Past, present, and future treatments received.
HIPAA protects any information that might reasonably identify a patient from disclosure. Even revealing that someone is your patient without his/her written authorization can violate the law. For example: if you thank a current patient for referring her friend to you as a new patient, you likely violated HIPAA by revealing that your current patient’s friend is now seeing you for care; the fact that your patient referred her friend is irrelevant – you still revealed confidential information about your new patient.
HIPAA’s privacy rule only allows a covered entity to disclose a patient’s PHI with written authorization and in limited situations. A provider may disclose information:
- directly to the patient,
- to other healthcare professionals for the purpose of the patient’s care,
- as necessary to be paid for services (i.e., billing department or collection agency),
- which falls within some narrow allowances for medical research and practice operational purposes,
- which must be disclosed to serve public interest and public health (i.e., threats of harm, reports of abuse, criminal activity, or responding to a subpoena),
- as is incidental to other permissible purposes.
A covered entity’s policy manual should include compliant disclosure forms appropriate for their practice area. Different types of disclosures require different forms of patient authorization, so your policies must carefully track HIPAA’s regulations.
In rare situations, HIPAA doesn’t apply. Or, more accurately, HIPAA occasionally allows the disclosure of PHI without the patient’s authorization or knowledge (i.e., emergencies, mandated abuse reporting). It’s crucial to understand the laws that apply to your practice and your obligations to both your patients and the public.
HIPAA’s security rule requires that you satisfy a high level of recordkeeping security.
HIPAA’s security rule requires that your patient records are maintained in a secure manner. Your written policies must address its requirements thoroughly.
To understand the difference between the privacy and security rules, consider the following example: The privacy rule prohibits you from discussing a patient’s identity and diagnosis in a coffee shop (you’re not keeping their information private). The security rule prohibits you from charting the day’s records while on your laptop in a coffee shop (the wifi isn’t secure).
The degree of security that a provider is required to maintain at their practice depends upon the likelihood of breach, the type of records being stored, the practice size, and the cost of compliance. To be clear: no security is not an option. For a large hospital, something akin to a private server in a locked room, with a secure wifi network, and an in-house IT team may be required. In contrast, a sole practitioner psychiatrist may be required to maintain a secure wifi network (VPN) and a fingerprint-accessed laptop. These are mere examples to illustrate how the government may weigh the risk of breach against the burden of compliance.
HIPAA applies to you.
Covered entities must comply with HIPAA’s requirements.
HIPAA applies to health plans, health clearinghouses, and healthcare providers – essentially anyone involved with creating or maintaining patients’ healthcare records. These covered entities may include:
- Medical data processing agencies,
- Private health insurance plans,
- Self-insured employers,
- Medical billing services,
- Health management companies and management service organizations (MSOs),
- Physicians, psychiatrists, APRNs, and other providers,
- Healthcare entities like ACOs, ambulatory surgery centers, or urgent care facilities,
- Medical spas, laser centers, aesthetic practices, and cosmetic surgery practices.
A covered entity’s business associates are also mandated to comply with HIPAA.
A business associate is broadly defined as any individual person or entity which encounters or discloses PHI. When a covered entity works with a business associate, they are required to enter into a Business Associate Agreement (BAA), which is a contract through which each party agrees to maintain legally sufficient HIPAA policies and procedures. BAAs are drafted by healthcare attorneys, and sample language is often included in a practice’s HIPAA policy manual.
A covered entity’s business associates may include:
- Accountants and bookkeepers,
- Financial professionals and advisors,
- Management, leadership, and productivity consultants,
- Data managers, IT consultants, and technology repair professionals,
- Collection agencies, and
- Medical accreditation entities.
At first, it’s hard to imagine how the management consultant working with your practice’s CEO may encounter PHI. However, that consultant is likely to meet with the CEO at your practice, where s/he will encounter patients in the waiting room and in the areas of your practice that generally remain off-limits to the public. These are the spaces within which clinical staff make confidential calls about emergent patient issues, new or refilled prescriptions, or appointment reminders. Other providers may be charting between patient visits and have PHI openly displayed on their screens. The list could go on, and it becomes readily apparent how anyone accessing your practice could quickly encounter PHI.
Any individual (or entity) who obtains or transfers personal medical information in electronic format during the course of business can find themselves subject to HIPAA’s stringent requirements.
The top 2 HIPAA mistakes and misunderstandings we hear.
1. HIPAA requires written policies and procedures.
HIPAA requires covered entities to maintain written policies and procedures which address each aspect of the law. Many practices mistakenly believe that a Notice of Privacy Practices – the form that you receive the first time you visit a new doctor – is sufficient to demonstrate compliance with this requirement. Practices are required to provide patients with their Notice of Privacy Practices, but the document must actually reflect a summary of that practice’s privacy practices. That is, this document is a bird’s-eye view of your comprehensive procedures and offers patients an overview of how you maintain the security and privacy of their records. It is useless if not supported by detailed internal policies that govern your day-to-day operations.
A stunningly large number of covered entities and business associates do not have the legally required written policies and procedures manuals. Because this is the first document that government auditors will request when reviewing your practice operations for compliance, it’s crucial to keep it up-to-date.
2. HIPAA only allows the “minimum necessary” PHI to be disclosed.
Many providers are aware that they can access only the “minimum necessary” PHI at work to perform their jobs. It’s for this reason that a physician’s EMR/EHR login grants them access to only their patients’ records, and not the records of their colleagues (without good cause).
This means that a practice’s employees should only have access to protected health information specific to their position. A physician may need access to a patient’s full medical history, but a medical coder should only see diagnostic codes and insurance information. Likewise, a lab technician should only have access to requisitions, not a patient’s complete medical history.
This requirement also applies to the myriad records requests made by patients. For example, if a patient authorizes their physician to release records concerning their herniated disc to a physical therapy clinic, the physician should interpret that request narrowly. If the patient’s full record includes information that is not necessary for that treatment – for example, the patient’s HIV-positive status – that PHI cannot be disclosed. The same rule holds true when information is released to business associates. When a patient’s file is sent to a collection agency, the vast majority of treatment details should be omitted. And when a patient authorizes the release of their therapy records for 2015 through the present, the practice must be careful not to release the patient’s entire record, which stretches back into early 2014. Missteps in these nuanced situations can create major headaches for all parties involved and can significantly impact the security and privacy of a patient’s records.
Can you confidently say that you’re fully HIPAA compliant?
Penalties for HIPAA Violations Are Significant
HIPAA has teeth, and it carries civil and criminal penalties for violations. However, a HIPAA auditor’s corrective action plan can be financially crippling for a small or mid-sized practice. The best way to avoid massive fines? Conform your practice’s procedures to HIPAA’s requirements, train your staff, perform regular risk assessments, and update your policies regularly.
Schedule a Complimentary Phone Consultation with a Chicago HIPAA Attorney
Jackson LLP’s dedicated healthcare attorneys are committed to making HIPAA compliance straightforward and stress-free. By working to understand our clients’ practices and business ventures, we create HIPAA policies that simplify their day-to-day operations and help them sleep better at night, knowing that if an auditor knocks on their door, they can demonstrate and explain their compliance efforts.
To schedule a complimentary phone consultation with one of Jackson LLP’s Chicago healthcare attorneys, call our office at (312) 985-6484.