If you’ve been following our cash-based physical therapy blog series, then you’re already aware of how important remaining compliant is in this practice model. For those of you who are not full-blown compliance junkies like myself, don’t worry—I can sympathize with you. When my co-founder and I started MovementX, the goal was to provide the highest quality and most personalized care to our patients without the traditional burdens of the healthcare system. The last thing on our minds was complicated and cumbersome regulatory rules. As we grew, however, we quickly realized that if there was any hope in changing the landscape of physical therapy, we had to do things the right way.
For those of you in smaller private practices, you make up the majority and therefore have the largest impact on our profession. It is vitally important for the longevity of the cash-based PT industry, the viability of your business, and the wellbeing of your patients that you do everything you can to remain compliant. So today, let’s talk about how to protect your patients’ data through data privacy and security in mobile and cash-based PT practices.
To HIPAA or not to HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the privacy practices associated with the use and disclosure of patients’ protected health information (PHI) by covered entities. There is a common rhetoric in cash-based practice that HIPAA rules may not apply to those out-of-network because they do not qualify as a covered entity.
So what exactly is a covered entity? A covered entity is a healthcare provider or practice (of any size) that exchanges healthcare information with another entity via electronic transaction. The most common example is the exchange of patient information when submitting claims to insurance companies. With this high-level definition, it’s understandable why many cash-based practitioners assume HIPAA rules do not apply. After all, most are in this model of care to get away from the insurance companies, right? Well, I’d wager that cash-based PTs are not as removed from the insurance world as they’d like to think.
For example, even if you don’t utilize an electronic billing system to submit out-of-network claims, you likely provide a superbill to your patients for reimbursement, characterizing you as a covered entity. Why? Because if a claim is denied, the insurance company is going to communicate with you regarding how to handle the denied claim. And if a claim is approved, your practice will likely receive an Explanation of Benefits (EOB) from the insurer. In either instance, you’ve exchanged health information with an insurance company.
Taking it a step further, before a superbill can successfully be submitted by your patient, prior authorization may be required to be submitted ahead of time. To know whether prior authorization is required, log into the insurance portal or call customer service to submit a benefits and eligibility check. In the example above, there are three instances of exchange of health information with the insurance companies in a cash-based practice:
- Benefit verification,
- Prior authorization, and
- Superbill submission and claim correspondence.
For those of you in solo practice who don’t superbill and never exchange information with referral sources, you’re not totally off the hook. Oftentimes, state legislation puts in place privacy acts that are even more stringent than the ambiguous HIPAA rules. Be sure you are fully versed on your state’s data and patient privacy regulations.
Now that you understand the ties that still bind cash-based PTs to HIPAA rules and regulations, let’s dive into the specifics.
Choosing Your Software
Choosing Your Software
When it comes to deciding what software to use for the administrative tasks of running your practice, there are an overwhelming number of options. You have to account for your scheduling, documentation, payment processing, faxing, phone service, patient messaging, staff communication, business management, and payroll systems to name a few. Each one of these systems runs the risk of accidental or intentional exchange of patient health information.
For software in which you know PHI will be stored—such as an EMR (like WebPT)—you’ll need to inquire about the company’s security features, policies, and procedures. Additionally, you’ll need to thoroughly read and sign a Business Associates Agreement (BAA). A BAA is a legal contract between you (as the covered entity) and the partner who is handling your patient’s data. The BAA will outline the specific responsibilities of how PHI will be handled between the two parties. Without a BAA and up-to-date security practices, absolutely no patient information should be exchanged on the software.
For software that doesn’t offer a BAA, you can still use them to operate your practice if you are intentional about avoiding the exchange of PHI. For example, many companies use Slack as the primary means of communication between staff. As of December 2021, Slack does not have a BAA, and therefore is not held responsible for PHI. That said, no patient information should be exchanged on this platform in your clinic. However, you can still use Slack for inter-staff communications and business operations.
Of note, I highly recommend writing policies and procedures for your company on how to utilize your clinic’s software—and then hold your employees accountable throughout their training.
Managing Your Technology
Much like MovementX, many cash-based practices are capitalizing on the opportunity to expand access to care by providing services where movement matters most (e.g., at home, in the outdoors, at the workplace, at school). Despite the many benefits, practicing in this mobile model requires a greater attention to detail due to possible security risks. A few rules apply when treating on-the-go with your laptop, phone, or tablet.
Never connect to an unprotected network.
It may be tempting to stop at a park or coffee shop to catch up on documentation between patients when treating in the mobile model. However, any public internet connection presents a serious threat to your online security. Only connect to networks that have a strong internet password and limited guest access. Open access networks or networks that only require you to agree to “terms and conditions” should never be used when accessing your web-based EMR or other desktop patient data.
When in doubt, use your phone hotspot.
If you are in a pinch and must access the Internet, opt to use your phone’s private hotspot connection rather than a public network. Be sure your phone is configured with a strong private password and that others are not sharing your hotspot connection.
Purchase a VPN.
A VPN stands for a “Virtual Private Network” and can be purchased at a very affordable price for your phone, tablet, and computer. A VPN protects your identity and hides your online activity from hackers when on public Wi-Fi. When on your private network at home or at work, a VPN can hide your IP address providing even greater data privacy. Check with your phone carrier, as a free VPN may be provided as a benefit on your cellular plan.
Back up your data.
As much as possible, keep patient files off your desktop folders. If you do not have a secure cloud- or web-based EMR where you store data, encrypt your folders and require strong passwords for access. Additionally, back up your patient data to a cloud or external hard drive so that in the case of a breach or a stolen device, you have not lost essential health information on your caseload.
There is an endless list of web-security best practices that exist today, including the installation of antivirus and malware software, prevention of email phishing schemes, and ransom prevention. The four tips above are a baseline to build from, but it is well worth the effort to subscribe to one of the many webinars or newsletters surrounding HIPAA and data privacy protection. You can also hire an IT specialist who can work to establish best practices given the nuances of your practice.
Setting Up Your Space
When working in a cash-based model, there are endless options for where you can set up your treatment table (e.g., the park, the floor at a local gym, a patient’s doctor’s office, the lobby of a retirement home).
When setting up shop, make sure that you have privacy from a visual, vocal, and technical perspective. The best approach is to communicate thoroughly with your patient. Make sure they feel comfortable being treated out in the open and monitor the possibility of passersby overhearing your communication with the patient. Additionally, be very cognizant of where you place your technology and take inventory so you don’t accidentally leave written notes, HEPs, or intake paperwork lying around.
Similarly, when you get home from a day of treating patients, be sure you have a secure place to put any paperwork you’ve collected throughout the day. It is not expensive or difficult to add a lock to a drawer on your desk. Finally, purchase a scanner and a small shredder so that you can upload physical paperwork into a secure cloud, and then safely get rid of it.
Purchasing Cybersecurity Insurance
Unfortunately, data breaches and ransom attacks are common in the healthcare space. Cybersecurity insurance will cover the costs of managing a breach, legal representation, and lost business income. Contact your general and professional liability carrier to inquire about a policy. You won’t regret it!
HIPAA compliance and web security can feel overwhelming. Plus, with our industry progressively moving toward a more virtual existence, the demand for data privacy is only increasing. And a data breach or HIPAA violation can be a single point of failure for your practice. However, laying the foundation for HIPAA success will help you revolutionize the physical therapy patient experience—and expand the impact that cash-based practices can have on the health of society overall.