Today's post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.
The Health Insurance Portability and Accountability Act (HIPAA) is as dense as it is important. But for any healthcare provider handling private personal health information, which you promised to protect as part of the Health Information Privacy Rule, there are a few things you must know.
First, a little background information on HIPAA: US Congress established the Health Insurance Portability and Accountability Act in 1996. They implemented Title II: Preventing Health Care Fraud and Abuse to protect a patient’s private health information (PHI).
Under this act, all healthcare providers, insurers, and their business associates may only collect, share, or use a patient’s PHI in approved methods and only for the explicit purpose of furthering patient care.
PHI is defined as demographic information; medical history; test and laboratory results; insurance information; and any other data health professionals collect to identify individual patients and determine their appropriate care.
A HIPAA violation can be anything from discussing identifiable patient information with your friends over lunch to leaving your not-password-protected work laptop open at a coffee shop. And, if you are found to have committed wrongful disclosure of individually identifiable health information, there are financial and criminal repercussions—including fines of up to $50,000 and one-year imprisonment.
Serious stuff, yes. But none of this is meant to scare you. There are plenty of ways to arm yourself with the knowledge and internal processes necessary to ensure you and your clinic are fully HIPAA compliant. Plus, CMS knows that mistakes happen. Should you ever run into a situation where you think there may have been a potential HIPAA breach, this document explains who to notify and when.
So what are some best practices you can employ in your clinic to ensure HIPAA compliance? Here are three tips.
- Learn. There are tons of online resources available with explicit definitions, case studies, and trainings. Granted, the language can often be convoluted and masked in legalise, but it’s worth spending an afternoon scouring the web. Here are a few resources we’ve found helpful in understanding the beast-that-is-HIPAA.
- Teach. The knowledge you’ve gained in your research should not stop with you. Everyone at your clinic—from fellow therapists to your front office staff—should know all there is to know about HIPAA. And that goes beyond just understanding the seriousness of the act; your staff should also understand why it’s in place and be able to communicate this to your patients. Congress didn’t create HIPAA to make health care providers’ lives more difficult; nor did they institute it to add obstacles preventing patients from accessing their own health information. HIPAA is intended to protect patients from having their private information stolen and used against them—whether that be identify fraud or workplace discrimination. To ensure maximum compliance in your office, consider appointing a HIPAA compliance officer or one of these other 6 ways to make your office HIPAA compliant from Yahoo!
- Take it to the cloud. Most cloud-based EMR systems (like WebPT) provide unique user IDs and passwords for each therapist, therapist assistant, front-office staff, and administrator, allowing you (the clinic owner) to control access to your patients’ private information. And with secure data houses—like our IO Data Center in Phoenix, which boasts a defensible perimeter, digital video surveillance, biometric screening, and 24x7xForever guard staff—there is practically no threat of a physical or hacker-caused breach. Learn more about our gold-standard security here.
Those are our tips. What are yours? How do you hold your staff accountable? How do you ensure HIPAA compliance in your clinic? Share below in the comments section. Together, we can help everyone in the rehab community remain compliant