Understanding HIPAA Compliance for Health and Wellness Professionals

When it comes to the Health Insurance Portability and Accountability Act (HIPAA) and its requirements, understanding the particulars can be incredibly confusing and intimidating. What does it mean to be HIPAA compliant? Who needs to be HIPAA compliant? What’s considered a violation? What are the penalties for being non-compliant? So. Many. Questions. The good news is, we can help you get started (although if you have specific questions related to your HIPAA responsibilities, the best person to ask is your legal counsel). As you’ll see, with the right tools, processes, and systems in place, achieving HIPAA compliance can be a lot easier than you thought. 

What is HIPAA?

Signed into US federal law in 1996, HIPAA’s original intention was to ensure that employees wouldn’t lose their insurance if they changed jobs. Today, it’s a law that governs the privacy and security of all Personal Health Information (PHI)—names, addresses, dates, diagnoses, medical record numbers, etc.—in the United States. Get the full summary here. 

Why is HIPAA Important?

Keeping data private is no longer as easy as locking a filing cabinet. The rapid technological advancements of the digital age have made it easier for a client’s data to be stolen and misused. And this vulnerability is exactly why HIPAA exists and is an important part of any health care practice, including the wellness category. 

Who Does HIPAA Apply to?

Contrary to popular belief, HIPAA doesn’t actually protect all health information, nor does it apply to every person who uses or sees health information. HIPAA only applies to covered entities and their business associates. The three types of covered entities under HIPAA are:

Health care providers – For the most part, it refers to individuals who get paid to provide health care (though there are some exceptions). This includes doctors, dietitians,, chiropractors, naturopathic doctors, and other health and wellness professionals who are regulated or have a healthcare license. HIPAA also applies to the places they work, such as hospitals, private clinics, nursing homes, pharmacies, urgent care clinics, and other entities that offers health care in exchange for payment.  

Health care plans – Regulated personal insurance coverage that covers the costs of medical care, such as a Heath Maintenance Organization (HMO) plan or a Preferred Provider Organization (PPO).  

Health care clearing houses – Companies that process information so that it can be transmitted between entities. 

What Does it Mean to Be HIPAA-Compliant?

To put it simply, when you’re HIPAA-compliant, you’re following the rules they’ve set forth. So, what is HIPAA compliance? A set of practices that ensure the security and privacy of all forms of protected health information.

HIPAA Compliance for Health and Wellness Practitioners

As we mentioned earlier, there are three types of covered entities under HIPAA: health care providers, health care plans, and health care clearinghouses. Many wellness businesses and alternative practitioners fall under the “health care providers” category, especially if their services are covered by a person’s medical coverage. 

For those who work in traditional health care professions, HIPAA compliance is nothing new. However, for those in the health and wellness industry who serve clients outside of traditional health care, HIPAA compliance can feel intimidating or challenging. Many health and wellness practitioners fall under the category of “health care providers” whether or not their services are covered by a client’s health insurance plan, but regulation depends on where your practice is located. 

With digital data privacy and security becoming more of a concern to clients, ensuring you’re taking steps to protect your clients’ personal health information is important whether or not you must be HIPAA-compliant. While anyone who isn’t careful about securing their clients’ PHI could lose the trust of their clients, if you’re a licensed or regulated healthcare provider, the consequences of non-compliance are much more severe—you may be subjected to a fine and sanction.     

HIPAA Compliance Checklist

Achieving HIPAA compliance can certainly seem overwhelming, but having a clear idea of what you need to do can make it easier and keep you on the right track. Here are some suggestions that can help you wrap your head around the ins and outs. 

1. Get a comprehensive overview of HIPAA: Before you jump into the specifics, get a good understanding of the rules and policies that guide HIPAA so you can better understand where your organization fits. Visit HHS for the most recent guidelines.  
2. Recruit internal help: Understanding the particulars of HIPAA shouldn’t be a one-person job. Choose a few team members who have strong organizational and writing skills to help go through all of the information and determine what actions, if any, need to be taken to achieve compliance. Remember, as important as it is to be compliant, it’s just as important to keep track of your actions and understand what you need to do moving forward. 
3. Do a risk assessment: This will help you determine and document where there are vulnerabilities within the business that could result in a breach of PHI. 
4. Assess your current security measures: There are things you can do to help up the security on your end, like encrypting data and installing a firewall and anti-malware protection. You can also require stronger passwords to enter your site and implement a multifactor authentication (more on that later). 
5. Make sure your privacy policies are being followed: Ask yourself, are clients receiving your Notice of Privacy Practices? Are all requests for restrictions considered? Are access and amendment requests handled in a timely fashion? 
6. Schedule annual HIPAA team training: Keep your staff in the know on the most up-to-date HIPAA rules, policies, and practices by doing an annual refresher. They usually only take about half a day and can be done right in your office or online to minimize work disruption.
7. Use HIPAA-compliant software: It’s the first, and arguably most important, step to managing protected healthcare information, but it’s not the last.
8. Put your own PHI protection practices in place: Cleary identify where PHI is stored, received, maintained, and transmitted. Also, ask yourself: Are all the tools that are used to treat PHI HIPAA-compliant? Do you have Business Associate Agreements (BAAs) in place with each? Do you have passwords on your computer or phone that have access to PHI? Are your passwords strong? Are notifications that could display PHI turned off?   

The Importance of HIPAA-Compliant Software for Charting 

Accurate and concise client charting is essential to an individual’s health and wellness. If you work with client PHI, it’s important to carefully consider your choice of HIPAA-compliant database software—one that ensures you can meet your clients’ needs, while keeping their information private. You need to have your own security protocols in place and maintain all requirements under numerous privacy policies that adhere to HIPAA compliance deadlines. Practice Better is HIPAA-compliant so you can rest assured that your client’s data will be safe and secure.

Create and House Health Care Forms in Practice Better 

From waivers to client agreements to informed consent forms to terms of use contracts, Practice Better lets you create and store a client’s personal health information privately and securely. This eliminates the need to make PDFs for client review from which they have to print, sign, scan, and send back. You’ll also have the ability to create the forms from scratch or work off of one of our templates. Find out more about the forms needed for your practice here.

What Makes a Secure Electronic Health Record (EHR)?

The digital version of a client’s medical chart, EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. So, what makes a secure EHR? It all comes down to privacy. 

Password protection – This goes beyond simply requiring users to create a tough password to enter their information. It could include asking security questions, doing regular password resets, and implementing lockout capabilities that forbid access if the password is used too many times. Practice Better also uses a Two-Factor Authentication step that provides an extra layer of security by prompting users to enter a special code from an app like Google Authenticator or Microsoft Authenticator. 

Data encryption – By coding client information in a way that can only be deciphered by registered programs or with a provided access code, good EHR systems can make transferring data much safer. 

Audit trails – These provide documentation to keep track of every single action that takes place with a client’s information by automatically registering and recording who accesses the system, including where they are, what time they’re accessing, and what they do once they’re in. 

Improve the Client Experience with HIPAA Secure Messaging

We now live in a time where live chat or video conferencing has become the new standard of communicating. For everything. That makes having a secure HIPAA-compliant messaging platform essential to doing business in this day and age. Practice Better lets health and wellness practitioners stay connected to clients with secure, real-time messaging and Telehealth sessions to give them the same personal touch as in-person visits. No download required. 

What Are the Penalties for not Being HIPAA-Compliant

By far, the biggest consequences of a HIPAA violation are the legal and financial penalties. Depending on the type of violation, the number of impacted people, and whether or not you knew the violation was occurring, your business could face serious fines. These can range anywhere from $100 to $60,000. Worse yet, you could be fined for every single medical record that was exposed.

Another consequence is the hit your business’ reputation will take. For example, having to notify clients of a security breach in which their information was exposed will cause them to lose trust in your business and take theirs elsewhere. 

What to do if You Don't Think Your Practice Is HIPAA-Compliant?

Three words: HIPAA Risk Assessment. We touched on it earlier, but this can help ensure your business is compliant with HIPAA’s administrative, physical, and technical safeguards. It can also help uncover areas where your business’ PHI could be at risk. 

A risk assessment:

• Identifies where PHI is stored, received, maintained, and transmitted
• Assesses current security measures used to safeguard PHI 
• Determines the likelihood of a threat
• Determines the potential impact of a breach of PHI
• Assigns risk levels for vulnerability and impact combinations

As you can see, HIPAA compliance can seem like quite the complicated undertaking. It’s not always clear who HIPAA applies to or how to put the practices in place, yet the penalties for violating the rules can be steep. That’s why it’s never been more important to have the proper protocols, policies, and software in place to prevent costly violations. If you have additional questions about how HIPAA applies specifically to your practice, the best person to help you is your lawyer, who can help you ensure you are complying with the law. 

For more information, check out our Better Business Conversation where we partnered with Lisa Fraley, Attorney and Legal Coach, in a two-part series decoding the legal basics of setting up your health and wellness practice.  

References 

https://privacyrights.org/consumer-guides/health-privacy-hipaa-basics

https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf

https://www.hipaajournal.com/hipaa-risk-assessment/

Practice Better is the complete practice management platform for nutritionists, dietitians, and wellness professionals. Streamline your practice and begin your 14-day free trial today.