When it comes to the Health Insurance Portability and Accountability Act (HIPAA) and its requirements, understanding the particulars can be incredibly confusing and intimidating. What does it mean to be HIPAA compliant? Who needs to be HIPAA compliant? What’s considered a violation? What are the penalties for being non-compliant? So. Many. Questions. The good news is, we can help you get started (although if you have specific questions related to your HIPAA responsibilities, the best person to ask is your legal counsel). As you’ll see, with the right tools, processes, and systems in place, achieving HIPAA compliance can be a lot easier than you thought.
Signed into US federal law in 1996, HIPAA's original intention was to ensure that employees wouldn't lose their insurance if they changed jobs. Today, it's best known as the law that governs the privacy and security of Protected Health Information (PHI) in the United States: names, addresses, dates, diagnoses, medical record numbers, and any other identifier tied to a person's health or health care.
Keeping data private is no longer as easy as locking a filing cabinet. The rapid technological advancements of the digital age have made it easier for a client’s data to be stolen and misused. And this vulnerability is exactly why HIPAA exists and is an important part of any health care practice, including the wellness category.
Contrary to popular belief, HIPAA doesn’t actually protect all health information, nor does it apply to every person who uses or sees health information. HIPAA only applies to covered entities and their business associates. The three types of covered entities under HIPAA are:
Health care providers – For the most part, this refers to individuals who get paid to provide health care (though there are some exceptions). This includes doctors, dietitians, chiropractors, naturopathic doctors, and other health and wellness professionals who are regulated or hold a health care license. HIPAA also applies to the places they work, such as hospitals, private clinics, nursing homes, pharmacies, urgent care clinics, and other entities that offer health care in exchange for payment.
Health plans – Health insurance plans that pay for medical care, such as a Health Maintenance Organization (HMO) or a Preferred Provider Organization (PPO) plan.
Health care clearinghouses – Companies that process health information, typically converting it between standard and non-standard formats, so that it can be transmitted between entities.
To put it simply, being HIPAA-compliant means following the rules HIPAA sets out. So, what is HIPAA compliance? A set of practices that ensure the security and privacy of protected health information in every form it takes: on paper, spoken, or electronic.
As we mentioned earlier, there are three types of covered entities under HIPAA: health care providers, health care plans, and health care clearinghouses. Many wellness businesses and alternative practitioners fall under the “health care providers” category, especially if their services are covered by a person’s medical coverage.
For those who work in traditional health care professions, HIPAA compliance is nothing new. For those in the health and wellness industry who serve clients outside of traditional health care, it can feel intimidating or challenging. Whether you are a covered entity depends less on your job title than on how you operate: under HIPAA, a health care provider becomes a covered entity when it transmits health information electronically in connection with a transaction HIPAA standardizes, such as billing a client's insurance plan. A practitioner who never bills insurance may fall outside HIPAA, but state privacy and licensing rules may still apply, so check the regulations where your practice is located.
With digital data privacy and security becoming more of a concern to clients, taking steps to protect your clients' personal health information is important whether or not you must be HIPAA-compliant. Anyone who is careless with clients' PHI can lose their trust; if you're a licensed or regulated health care provider, the consequences of non-compliance are much more severe, and you may face fines and sanctions.
Achieving HIPAA compliance can certainly seem overwhelming, but having a clear idea of what you need to do can make it easier and keep you on the right track. Here are some suggestions that can help you wrap your head around the ins and outs.
Accurate and concise client charting is essential to an individual's health and wellness. If you work with client PHI, choose your charting and database software carefully: it should let you meet your clients' needs while keeping their information private, and it should support the safeguards HIPAA expects, such as access controls, encryption, and audit logging. Because a vendor that stores PHI on your behalf is a business associate under HIPAA, you should also have a business associate agreement with them. The software is only part of the picture: you still need your own security policies and procedures in place and kept up to date. Practice Better is HIPAA-compliant so you can rest assured that your client's data will be safe and secure.
From waivers to client agreements to informed consent forms to terms of use contracts, Practice Better lets you create, send, and store client forms containing personal health information privately and securely. This eliminates the need to send PDFs that clients have to print, sign, scan, and send back. You can build forms from scratch or start from one of our templates.
The digital version of a client's medical chart, EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. So, what makes a secure EHR? It comes down to controlling who can get in, protecting the data itself, and being able to see what was done with it:
Password protection – This goes beyond simply requiring users to create a strong password. It should include a lockout that blocks further attempts after a set number of failed logins, so that a password cannot be guessed by trying again and again. Security questions and scheduled password resets are sometimes used as well, though neither is a substitute for a second factor. Practice Better also offers Two-Factor Authentication, which adds an extra layer of security by prompting users for a time-based code from an app like Google Authenticator or Microsoft Authenticator.
Data encryption – Encrypting client information both at rest (in the database and backups) and in transit (for example with TLS) means it can only be read by someone holding the key. Good EHR systems make transferring data much safer because anything intercepted along the way is unreadable.
Audit trails – These keep a record of every action that touches a client's information by automatically logging who accessed the system, from where (for example the source IP address), at what time, and what they viewed or changed once they were in. An audit trail is what lets you reconstruct what happened when you suspect a breach.
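To make the three safeguards above concrete, here is an added Python example. It is not Practice Better's code and does not describe how its platform is built; it shows one way the pieces fit together: a salted, slow password hash; a failed-attempt lockout; verification of the same RFC 6238 time-based codes that Google Authenticator and Microsoft Authenticator produce (including a check that a code cannot be replayed); and an audit log that records who, from where, when, what, and with what result. The thresholds, the sample user, the base32 secret, and the source address are assumptions chosen for illustration.

```python
"""Added example, not Practice Better's code: a minimal login gate showing
lockout after repeated failures, a TOTP second factor, and an audit trail.
All names, thresholds and the sample user are assumptions for illustration."""
import base64
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5        # assumption: lock the account after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout
TOTP_STEP = 30          # RFC 6238 default time step used by authenticator apps


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the stored value never reveals the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: str            # base32, shared only with the user's authenticator app
    failures: int = 0
    locked_until: float = 0.0
    last_totp_step: int = -1    # remembers the last accepted code so it cannot be replayed


def make_user(username: str, password: str, totp_secret: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), totp_secret)


@dataclass
class AuditLog:
    """Append-only record of who did what, from where, when, and with what result."""
    entries: list = field(default_factory=list)

    def record(self, who: str, where: str, when: float, action: str, outcome: str) -> None:
        self.entries.append({"who": who, "where": where, "when": when,
                             "action": action, "outcome": outcome})


def login(user: User, password: str, code: str, source_ip: str,
          audit: AuditLog, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if now < user.locked_until:
        # A locked account is refused outright; a correct password does not shorten the lockout.
        audit.record(user.username, source_ip, now, "login", "rejected: account locked")
        return False

    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

    # Accept the current step and one on either side to tolerate small clock skew,
    # but never a step that has already been used: one-time really means one time.
    step = int(now) // TOTP_STEP
    otp_ok, matched_step = False, -1
    for candidate in (step - 1, step, step + 1):
        if candidate > user.last_totp_step and hmac.compare_digest(
                totp(user.totp_secret, candidate * TOTP_STEP), code):
            otp_ok, matched_step = True, candidate
            break

    if pw_ok and otp_ok:
        user.failures = 0
        user.last_totp_step = matched_step
        audit.record(user.username, source_ip, now, "login", "success")
        return True

    # Do not reveal which factor failed: that would tell an attacker when the password is right.
    user.failures += 1
    if user.failures >= MAX_FAILURES:
        user.locked_until = now + LOCKOUT_SECONDS
        user.failures = 0
        audit.record(user.username, source_ip, now, "login", "failed: account locked")
    else:
        audit.record(user.username, source_ip, now, "login", "failed")
    return False


def demo():
    """Constructed scenario: five bad guesses lock the account, a correct login during the
    lockout is refused, a correct login afterwards succeeds, and replaying that code fails."""
    audit = AuditLog()
    password = "correct horse battery staple"                  # constructed sample credential
    user = make_user("dr.example", password, "JBSWY3DPEHPK3PXP")  # constructed sample user
    ip = "203.0.113.7"                                         # constructed source address
    now = 1_700_000_000                                        # fixed clock so the run repeats
    for _ in range(MAX_FAILURES):
        login(user, "wrong-password", "000000", ip, audit, now)
    refused_while_locked = not login(user, password, totp(user.totp_secret, now), ip, audit, now)
    later = now + LOCKOUT_SECONDS + 1
    good_code = totp(user.totp_secret, later)
    ok_after_lockout = login(user, password, good_code, ip, audit, later)
    replay_refused = not login(user, password, good_code, ip, audit, later + 1)
    return refused_while_locked, ok_after_lockout, replay_refused, audit
```

Two design points are worth noting. The failure message is the same whether the password or the code was wrong, so an attacker cannot learn that a guessed password was correct, and a correct login during a lockout does not reset or shorten the lockout. In a real deployment the audit entries would be written to storage the application cannot modify or delete, not kept in memory.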
We now live in a time where live chat or video conferencing has become the new standard of communicating. For everything. That makes having a secure HIPAA-compliant messaging platform essential to doing business in this day and age. Practice Better lets health and wellness practitioners stay connected to clients with secure, real-time messaging and Telehealth sessions to give them the same personal touch as in-person visits. No download required.
By far, the biggest consequences of a HIPAA violation are the legal and financial penalties. Civil fines are tiered by culpability: whether you knew (or should have known) about the violation, whether you corrected it, and how many people were affected. They range from roughly $100 to roughly $60,000 per violation (the amounts are adjusted for inflation), with an annual cap for each provision violated. Worse yet, each exposed medical record can count as a separate violation, so fines add up quickly, and knowingly misusing PHI can also carry criminal penalties.
Another consequence is the hit your business's reputation will take. HIPAA's Breach Notification Rule requires you to notify affected clients when their unsecured PHI is exposed (and, for larger breaches, regulators and the media as well), and clients who receive such a notice may lose trust in your business and take theirs elsewhere.
Three words: HIPAA Risk Assessment. The HIPAA Security Rule requires one, and it is the best way to check that your business is meeting HIPAA's administrative, physical, and technical safeguards. It will also uncover the places where your business's PHI could be at risk.
A risk assessment:
As you can see, HIPAA compliance can seem like quite the complicated undertaking. It’s not always clear who HIPAA applies to or how to put the practices in place, yet the penalties for violating the rules can be steep. That’s why it’s never been more important to have the proper protocols, policies, and software in place to prevent costly violations. If you have additional questions about how HIPAA applies specifically to your practice, the best person to help you is your lawyer, who can help you ensure you are complying with the law.
For more information, check out our Better Business Conversation where we partnered with Lisa Fraley, Attorney and Legal Coach, in a two-part series decoding the legal basics of setting up your health and wellness practice.
References
https://privacyrights.org/consumer-guides/health-privacy-hipaa-basics
https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf
https://www.hipaajournal.com/hipaa-risk-assessment/
Practice Better is the complete practice management platform for nutritionists, dietitians, and wellness professionals. Streamline your practice and begin your free trial today.