Under the HIPAA Privacy Rule, patients have several rights regarding their medical records, including a right to access, a right to amend, and, in some circumstances, a right to restrict disclosures of their protected health information (PHI). Understanding and complying with those rights is an important component of quality patient care.
If you own a small- to medium-sized physical therapy practice, you are most likely preoccupied with daily operations such as paying bills, marketing your practice, and treating patients. You may know about HIPAA at a high level, and you may also worry from time to time about a data breach. But compliance and security are complicated; the regulations are written in legalese.
With electronic storage of protected health information (“PHI”) becoming more common, healthcare providers are rightly concerned about ensuring their data and security systems are not breached, and developing an established course of action in the event that their systems are breached.
Before 2015, data breaches were mostly confined to retail businesses. However, as more patient information becomes digitized, big data breaches are becoming more common in health care. And hackers don’t discriminate; they target organizations of all types and sizes, ranging from big hospitals to small private practices.
I’m sure by now you’ve heard a rumor that California has enacted the most impactful privacy rule in the nation. Maybe you also heard that California’s privacy rule applies to California residents—and that it does not apply to medical information.
Without a doubt, healthcare practices—big and small—find the HIPAA risk assessment daunting. The HIPAA Security Rule requires all covered entities (a.k.a. providers) and business associates (a.k.a. the people and vendors providers do business with) to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI).
As exhibited in the news items below, small practices are not immune to HIPAA scrutiny by the federal government’s Department of Health and Human Services (DHHS), as investigated by its enforcement agency, the Office for Civil Rights (OCR).
Here’s a scenario I hope you never have to face: your small physical therapy practice hires a third-party billing company to manage your billing operations. Then, that billing company experiences a massive data breach affecting more than 1,000 of your patients.
The Health Insurance Portability and Accountability Act of 1996—a.k.a. HIPAA—does not distinguish between large and small practices. Fortunately, regulators do. While the law imposes the same requirements upon solo practitioners and large rehab hospitals, the manner in which those requirements are applied may depend upon your practice size.
The average American spends way more time scouring the Internet for medical advice than he or she does with an actual doctor. Here are the trends for patient behavior online and what it means for private practice PTs.
Today’s post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen
So, you’ve decided to ditch the pen and paper and take your practice into the cloud―maybe through a payroll service, an email marketing tool, or even (hopefully!) an EMR. Now what? As you shop around for a cloud-based vendor to meet your clinic’s needs, be sure to get answers to the following nine questions.
1.) Is this truly cloud-based? Many companies claim to have a cloud-based component, but they still require you to download a desktop application (e.g., a remote desktop protocol client) that connects you to the web and stores your information. The bottom line? If you have to download and install anything, you’re not really in the cloud, and future updates are entirely your responsibility.
2.) Is your application browser agnostic? Browser agnostic means that no matter what browser (Safari, Google Chrome, Mozilla Firefox, or Internet Explorer) or version of that browser (IE7 vs. IE9) you use to access the Internet, your cloud-based application will work.
3.) Where is my data stored? Not all cloud-based vendors are the same. You want to make sure they’re storing your data in the most hi-tech and secure facility possible. For example, many Level 1 secure data centers boast a defensible perimeter, digital video surveillance, biometric screening, and 24x7xforever guard staff.
4.) How is my data backed up? Your clinic and patient data is invaluable, so of course you want to make sure that it’s always safe, secure, and frequently backed up. Additionally, ask your cloud-based provider how they will provide redundancies to ensure your data is always accessible and protected should a problem occur.
5.) What measures do you use to ensure my data is secure? Your cloud-based vendor should use the same SSL encryption that is standard for online banking applications. The federal government uses this same type of encryption for its data and communications. Look for a vendor that offers unique user IDs and passwords, because this is an absolute must for anything online. Two more pluses: a vendor that has an audit trail (i.e., user activity tracking) as well as specialized staff well-versed in online security measures who are at the ready to provide you with expertise.
6.) What does Google say about the company? Conduct a Google search and see what the interwebs turn up. PT message boards and forums, as well as articles, often talk about cloud-based companies both positively and negatively, so read for reputation clues. How online sources and the media describe a company can provide you with insight into how that company treats its vendors, employees, and customers.
7.) What is the company’s focus? Depending on the cloud-based service you’re researching, you may find it valuable to find a vendor that focuses specifically on healthcare. This will ensure the company speaks your language and provides tailored features and benefits.
8.) Does the company keep its customers? No one wants to sign up with a vendor that is constantly losing customers. Thus, when researching, be sure to look for a vendor that keeps its customers happy. A few figures to consider: retention rate, user base size, and growth rate. Your best bet is a company that has shown continued customer growth (year over year) while maintaining or improving its retention rate. Asking friends, family, and fellow therapists for recommendations and referrals is always a great route, too.
9.) How do I get my data if I decide to leave?
You certainly don’t want to be tied to a vendor you’re unhappy with because your data is stuck, so ask up front. Most cloud-based companies will return your data to you digitally on a pre-loaded storage device (e.g., a CD) or in a format you can download to a storage device of your choice.
Regardless of the cloud-based service you decide to float on, just make sure you get all the answers you’re looking for, and the only way to do that is to ask everything up front. Remember, there are no stupid questions, and a good provider will appreciate you doing your due diligence. In fact, your transition to the cloud can be a breeze (get it? a little sky humor).
Hopefully these questions help give you a soaring-off point.
Today’s post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.
The Health Insurance Portability and Accountability Act (HIPAA) is as dense as it is important. But for any healthcare provider handling private personal health information, which you promised to protect as part of the Health Information Privacy Rule, there are a few things you must know.
First, a little background information on HIPAA: US Congress established the Health Insurance Portability and Accountability Act in 1996. They implemented Title II: Preventing Health Care Fraud and Abuse to protect a patient’s private health information (PHI).
Under this act, all healthcare providers, insurers, and their business associates may only collect, share, or use a patient’s PHI in approved methods and only for the explicit purpose of furthering patient care.
PHI is defined as demographic information; medical history; test and laboratory results; insurance information; and any other data health professionals collect to identify individual patients and determine their appropriate care.