Today's post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.

The Health Insurance Portability and Accountability Act (HIPAA) is as dense as it is important. But for any healthcare provider handling private personal health information, which you promised to protect as part of the Health Information Privacy Rule, there are a few things you must know.

First, a little background information on HIPAA: US Congress established the Health Insurance Portability and Accountability Act in 1996. They implemented Title II: Preventing Health Care Fraud and Abuse to protect a patient’s private health information (PHI).

Under this act, all healthcare providers, insurers, and their business associates may only collect, share, or use a patient’s PHI in approved methods and only for the explicit purpose of furthering patient care.

PHI is defined as demographic information; medical history; test and laboratory results; insurance information; and any other data health professionals collect to identify individual patients and determine their appropriate care.

A HIPAA violation can be anything from discussing identifiable patient information with your friends over lunch to leaving your not-password-protected work laptop open at a coffee shop. And, if you are found to have committed wrongful disclosure of individually identifiable health information, there are financial and criminal repercussions—including fines of up to $50,000 and one-year imprisonment.

Serious stuff, yes. But none of this is meant to scare you. There are plenty of ways to arm yourself with the knowledge and internal processes necessary to ensure you and your clinic are fully HIPAA compliant. Plus, CMS knows that mistakes happen. Should you ever run into a situation where you think there may have been a potential HIPAA breach, this document explains who to notify and when.

So what are some best practices you can employ in your clinic to ensure HIPAA compliance? Here are three tips.

  1. Learn. There are tons of online resources available with explicit definitions, case studies, and trainings. Granted, the language can often be convoluted and masked in legalese, but it’s worth spending an afternoon scouring the web. Here are a few resources we’ve found helpful in understanding the beast-that-is-HIPAA.
    1. Ten Secrets to Effective HIPAA Training: Teach Your Staff to Trust the System
    2. HIPAA/HITECH Compliance Training
    3. HIPAA Survival Guide
  2. Teach. The knowledge you’ve gained in your research should not stop with you. Everyone at your clinic—from fellow therapists to your front office staff—should know all there is to know about HIPAA. And that goes beyond just understanding the seriousness of the act; your staff should also understand why it’s in place and be able to communicate this to your patients. Congress didn’t create HIPAA to make health care providers’ lives more difficult; nor did they institute it to add obstacles preventing patients from accessing their own health information. HIPAA is intended to protect patients from having their private information stolen and used against them—whether that be identity fraud or workplace discrimination. To ensure maximum compliance in your office, consider appointing a HIPAA compliance officer or one of these other 6 ways to make your office HIPAA compliant from Yahoo!
  3. Take it to the cloud. Most cloud-based EMR systems (like WebPT) provide unique user IDs and passwords for each therapist, therapist assistant, front-office staff, and administrator, allowing you (the clinic owner) to control access to your patients’ private information. And with secure data houses—like our IO Data Center in Phoenix, which boasts a defensible perimeter, digital video surveillance, biometric screening, and 24x7xForever guard staff—there is practically no threat of a physical or hacker-caused breach. Learn more about our gold-standard security here.

Those are our tips. What are yours? How do you hold your staff accountable? How do you ensure HIPAA compliance in your clinic? Share below in the comments section. Together, we can help everyone in the rehab community remain compliant.
