Many people have heard about HIPAA and know that it’s important to be HIPAA-Compliant, but a lot of people aren’t entirely sure what that means. If you’re in this situation, don’t worry. Below you will find a guide to what HIPAA is, who is affected by its regulations, and how you can keep your own private practice HIPAA-compliant.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It was enacted to simplify healthcare paperwork, make processes more efficient, and prevent medical fraud.
Overarching HIPAA regulations include the Privacy Rule and the Security Rule, which are enforced by the Office of Civil Rights (OCR) and cover separate yet complementary areas. SLPs in private practice should be aware of and adhere to both rules in order to be in compliance.
The Privacy Rule states that “a covered entity may not use or disclose protected health information, except either: 1) as the Privacy Rule permits or requires; or 2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.” So, what counts as Protected Health Information (PHI)?
“All information that relates to an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
PHI includes identifiers such as name, address, birth date and Social Security Number. You can use PHI to bill insurance, share information with family members (if the patient has allowed that), and even for healthcare research by adhering to the Minimum Necessary Standard. The Minimum Necessary Standard requires that healthcare professionals use “only the minimum amount of PHI needed to accomplish the intended purpose…” Basically, you should share only what is required, but no more.
The Security Rule requires that covered entities “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI [electronic PHI].”
Administrative safeguards are “administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.” Companies are also required to perform a security risk analysis to identify and analyze risks to ePHI and then implement security measures to reduce those risks. Real-life examples include setting up encrypted email, choosing a HIPAA-compliant EMR, and setting up a secure messaging system for clients (texting doesn’t cut it).
Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings from natural and environmental hazards and unauthorized intrusion. Examples include making sure your computer locks immediately after use, using passwords, not leaving files out, and making sure your office is protected from flooding or other environmental hazards.
Organizational Standards require that companies have contracts with any Business Associates that have access to your ePHI. Examples include signing BAA’s with all business associates.
Finally, Policies and Procedures require adopting reasonable and appropriate policies and procedures to comply with the Security Rule. You must maintain written security policies and procedures and written records of required actions, activities, or assessments for at least 6 years after you establish them. Examples include confirming your BAA’s and creating a HIPAA handbook.
Who is a Covered Entity?
So, who exactly does HIPAA apply to? A covered entity is one of the following:
- “A Health Care Provider, which includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and SLPs/OTs/PTs, only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard,”
- A Health Plan, which includes Health insurance companies/HMOs, government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs, or
- A Healthcare Clearinghouse, which is an intermediary between the insurance company and the provider that checks claims for accuracy and forwards the claim info on to the insurance company.
If you still have questions about if you qualify as a Covered Entity, the Centers for Medicare and Medicaid Services (CMS) has an interactive flow chart that you can use to determine if you qualify for that definition here. It asks the questions
- Do you furnish, bill, or receive payment for healthcare services in the normal course of business? (This would be YES, for SLPs)
- Do you send any healthcare transactions electronically? (Do you accept insurance info or send bills or invoices electronically?)
Under this definition, it would appear that if you ONLY bill private pay, NEVER contact insurance about Out of Network Benefits, and ONLY give clients hard copies of their invoices (don’t email it), then you are NOT considered a covered entity. If you do bill insurance or check benefits electronically, then you ARE a covered entity.
What is a BAA?
Once you’ve determined if you are a covered entity, you’re ready to learn what a BAA is (hint: it’s not the sound a lamb makes!)
BAA stands for Business Associate Agreement. It is a contract that you sign with anyone you do business with who may access PHI while working with you. This includes the following:
- Billing companies or EMRs
- Accountants, because they see your income from insurance and private pay clients
- Lawyers whose legal services involve access to PHI, such as if someone sues you
- Clearinghouses (if your EMR has an integrated clearinghouse, like Fusion does, you won’t need a separate BAA for them)
You are not required to have a BAA for all associates, however. The list of associates who don’t require one includes:
- hospitals or doctor’s offices that refer to you- they are covered entities as well, not just business associates
- insurance companies
- people in your office whose jobs don’t involve using or disclosing PHI, like janitors
- mail carriers
Most clearinghouses, EMRs, and billing companies will have their own BAAs set up. The BAA must describe how the Business Associate (BA) is allowed and required to use PHI; require that the BA abide by the Minimum Necessary Standard; and require that the BA use appropriate safeguards to prevent PHI from being used or disclosed in ways that aren’t delineated in the contract.
Now you know what HIPAA is, who it applies to, and how to comply. To save you some headaches, make sure you choose an EMR that is fully HIPAA compliant, like Fusion Web Clinic.
About the Author:
Jill Shook, MS, CCC-SLP owns a private practice in Pittsburgh, PA. She created a course for SLPs starting out in private practice, which is available through Northern Speech Services, and blogs about resources for SLPs in private practice at Private Practice SLP. Email her at firstname.lastname@example.org
SWOT Template for Clinic Risk Analysis
We’ve put together a SWOT template with some guidelines to conduct a risk analysis at your clinic. This handout will guide you as you look for areas where you can improve security and HIPAA compliance.