Today's post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.

The Health Insurance Portability and Accountability Act (HIPAA) is as dense as it is important. But for any healthcare provider handling private personal health information, which you promised to protect as part of the Health Information Privacy Rule, there are a few things you must know.

First, a little background information on HIPAA: US Congress established the Health Insurance Portability and Accountability Act in 1996 and implemented Title II: Preventing Health Care Fraud and Abuse to protect a patient’s private health information (PHI).

Under this act, all healthcare providers, insurers, and their business associates may only collect, share, or use a patient’s PHI in approved methods and only for the explicit purpose of furthering patient care.

PHI is defined as demographic information; medical history; test and laboratory results; insurance information; and any other data health professionals collect to identify individual patients and determine their appropriate care.

A HIPAA violation can be anything from discussing identifiable patient information with your friends over lunch to leaving your work laptop, with no password protection, open at a coffee shop. And if you are found to have committed wrongful disclosure of individually identifiable health information, there are financial and criminal repercussions—including fines of up to $50,000 and one year of imprisonment.

Serious stuff, yes. But none of this is meant to scare you. There are plenty of ways to arm yourself with the knowledge and internal processes necessary to ensure you and your clinic are fully HIPAA compliant. Plus, CMS knows that mistakes happen. Should you ever run into a situation where you think there may have been a potential HIPAA breach, this document explains who to notify and when.

So what are some best practices you can employ in your clinic to ensure HIPAA compliance? Here are three tips.

  1. Learn. There are tons of online resources available with explicit definitions, case studies, and trainings. Granted, the language can often be convoluted and masked in legalese, but it’s worth spending an afternoon scouring the web. Here are a few resources we’ve found helpful in understanding the beast-that-is-HIPAA.
    1. Ten Secrets to Effective HIPAA Training: Teach Your Staff to Trust the System
    2. HIPAA/HITECH Compliance Training
    3. HIPAA Survival Guide
  2. Teach. The knowledge you’ve gained in your research should not stop with you. Everyone at your clinic—from fellow therapists to your front office staff—should know all there is to know about HIPAA. And that goes beyond just understanding the seriousness of the act; your staff should also understand why it’s in place and be able to communicate this to your patients. Congress didn’t create HIPAA to make health care providers’ lives more difficult; nor did they institute it to add obstacles preventing patients from accessing their own health information. HIPAA is intended to protect patients from having their private information stolen and used against them—whether that be identity fraud or workplace discrimination. To ensure maximum compliance in your office, consider appointing a HIPAA compliance officer or one of these other 6 ways to make your office HIPAA compliant from Yahoo!
  3. Take it to the cloud. Most cloud-based EMR systems (like WebPT) provide unique user IDs and passwords for each therapist, therapist assistant, front-office staff, and administrator, allowing you (the clinic owner) to control access to your patients’ private information. And with secure data houses—like our IO Data Center in Phoenix, which boasts a defensible perimeter, digital video surveillance, biometric screening, and 24x7xForever guard staff—there is practically no threat of a physical or hacker-caused breach. Learn more about our gold-standard security here.

Those are our tips. What are yours? How do you hold your staff accountable? How do you ensure HIPAA compliance in your clinic? Share below in the comments section. Together, we can help everyone in the rehab community remain compliant.
