The Health Insurance Portability and Accountability Act of 1996—a.k.a. HIPAA—does not distinguish between large and small practices. Fortunately, regulators do. While the law imposes the same requirements upon solo practitioners and large rehab hospitals, the manner in which those requirements are applied may depend upon your practice size.
Contrary to what many providers believe, the onus of HIPAA’s requirements won’t hamper your clinical practice. In fact, I’ve found that they actually do the opposite: HIPAA provides a framework for managing your clinic operations and reassures patients that their data is secure (this is especially important in light of so many newsworthy security breaches). Signing a new office lease? HIPAA tells you what your agreement needs to say about the private patient data stored inside that office. Hiring a new employee? HIPAA tells you how often you need to provide him or her with privacy training. Buying a new laptop? HIPAA tells you what to do with the old one.
Still, there’s plenty of confusion around HIPAA requirements—especially when it comes to the manner in which HIPAA applies to smaller providers. On that note, let’s dive into the five things small-practice PTs, OTs, and SLPs should know about HIPAA.
1. You can only become a covered entity by performing a covered transaction. That’s it.
Do you electronically transmit patient information related to “covered transactions?” (Covered transactions generally include the electronic transmission of claims, but you can use HHS’s online tool to evaluate your status.) If so, you’re a covered entity who’s required to comply with HIPAA. But if you’re not a covered entity, you can stop worrying; you can’t accidentally become a covered entity unless you engage in a covered transaction.
I hear lots of myths about the fluidity of a provider’s covered entity status. Does using email make you into a covered entity—even if you don’t do electronic billing? No, because email isn’t a covered transaction. If you’re not a covered entity, but your intake forms reference HIPAA, does that obligate you to follow HIPAA? No, because as a non-covered entity, HIPAA doesn’t apply to you. Remember, there’s only one way to fall within the scope of HIPAA: performing a covered transaction.
One caveat: If you tell your patients that you’ll comply with HIPAA’s requirements, you should do so. This doesn’t mean that you become a HIPAA-covered entity—it simply means you should subject yourself to HIPAA’s privacy and security requirements because you promised your patients you would do so. For example, if you’re not a covered entity but your Notice of Privacy Practices states that you’ll use only HIPAA-compliant email software, then you should use HIPAA-compliant email software—not because HIPAA requires it, but because you said you would (and your patients could sue you if their information were compromised after you didn’t do as you promised).
2. You must have written privacy policies.
HIPAA compliance audits are many providers’ greatest fear. But, they’re absolutely something for which you can prepare. As explained in this audit program guide, “Every covered entity and business associate is eligible for an audit.” Audits can be random or targeted, and the auditors will begin by “review[ing] the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Gulp.
Don’t have any such policies? Double gulp.
HIPAA requires that all covered entities maintain written privacy policies and procedures addressing HIPAA’s three main components: privacy, security, and breach notification. To ensure the best protection against HIPAA audits, your policies should address each of the requirements imposed by these three components of the law. Government regulators are more likely to audit small practices, which are more likely to fall short of HIPAA’s requirements—and a failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined.
While privacy policies are required, they are not a mere formality. In fact, they come with some pretty good benefits—including providing you with accessible answers to privacy-related questions like:
- How should I discipline an SPT who shared my patient’s private information at PT Pub Night? (Disclaimer: My HIPAA policies don’t typically address this specific situation, but they would give you enough guidance to problem-solve it yourself!)
- How long should I retain patient records?
- How complex does my WebPT password need to be?
- Can all members of my clinic share a single computer login?
- What do I do with an old laptop?
- Can I use the Wi-Fi at Starbucks?
As you work with your attorney to create your privacy policies, you’ll learn about HIPAA—which is crucial for minimizing the chances that you’ll commit a breach. Need more convincing? Check out this government press release from earlier this year for details on a $2.5 million settlement resulting from a lack of understanding regarding HIPAA requirements. To learn more about the importance of comprehensive policy manuals, refer to this discussion between my law partner (and, full disclosure, my wife), Erin Jackson, and Dr. Karen Litzy, DPT.
3. Required risk assessments will help you tailor HIPAA compliance safeguards to your practice’s needs.
HIPAA isn’t one-size-fits-all. A crucial element of privacy rule compliance is the requirement that you complete technical, administrative, and physical risk assessments. These assessments help you consider and address privacy threats and vulnerabilities as well as plan your safeguards and action steps. The privacy requirements imposed upon your practice will largely depend upon the results of your risk assessments.
Once complete, your risk assessments will help you balance your patients’ privacy rights and the risk of a patient data breach against factors like your practice size and the cost of compliance. You must complete risk assessments annually, or more frequently if certain privacy-related events occur (e.g., an employee termination, a natural disaster, or a laptop theft). Additionally, as your practice grows, you may find that your answers—and thus, your policies—change.
Many small practices are overwhelmed by the daunting task of HIPAA compliance, and sometimes, the perceived weight of HIPAA discourages them from accepting insurance altogether—even when doing so would better serve their financial interests and their patients. But, in my view, HIPAA isn’t so onerous as to govern this important decision.
4. Without written policies, simply distributing a Notice of Privacy Practices document to patients doesn’t make you HIPAA-compliant.
Am I HIPAA-compliant if I have a Notice of Privacy Practices? Well, if that’s all you have, then no.
Your Notice of Privacy Practices document—which you give to patients at their first visit to explain how you’ll use their health information—is merely the tip of the HIPAA iceberg. HIPAA requires much more.
Your Notice of Privacy Practices is the required written notice informing patients of your privacy practices. If you don’t have underlying written privacy policies, then your Notice of Privacy Practices is likely misleading. In fact, handing out a Notice of Privacy Practices without maintaining the specified privacy policies may land you in hot water, as it may falsely represent your privacy practices to your patients.
5. You must have HIPAA agreements with anyone who handles your patient information.
Business associate agreements (BAAs) can help make HIPAA compliance much easier for small providers. These agreements alert those with whom you do business to the sensitive nature of your business operations and data. As noted in this guide, you should enter into a business associate agreement with any entity that handles or has access to your patient's health information. This may include your landlord (who probably has keys to your office), your janitorial staff, your tech support contractor, the yoga teacher who rents your studio in the evenings, or the phone company installing new lines.
I strongly suggest integrating a business associate agreement specific to your practice into your HIPAA policies. It’s one of the most frequently used, tangible aspects of HIPAA compliance, and you’ll occasionally need one on short notice—like when a laptop crash prompts you to summon a tech expert to the office or you must make an emergency call to a locksmith because you’re locked out of the clinic. Need more convincing? Consider this government press release explaining why not having a business associate agreement could end up being a very expensive mistake—to the tune of $31,000. As an added benefit, business associate agreements help protect your business associates, as providers aren’t the only ones who can get hit with HIPAA violation fines.
There you have it: the five biggest HIPAA misconceptions for small practices. Still having trouble separating HIPAA fact from HIPAA fiction? Leave your question in the comment section below.
Connor D. Jackson is a Chicago healthcare attorney with Jackson LLP. Connor works primarily with small physical therapy practices and regularly advises his clients about HIPAA compliance, scope of practice, liability concerns, privacy obligations, and new practice formation. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at email@example.com or follow him on Twitter at @cjacksonESQ.