How is HIPAA Compliance like Cleaning the Bathroom?
By Barbara Griswold, LMFT
May 20, 2019

Barbara: Roy, I’m a so-called insurance expert, yet I want to hide my head under the covers when the topic of HIPAA comes up. And I confess I know my practice is not fully HIPAA-compliant.
Roy: Don’t feel too bad; that’s pretty typical. There are a lot of misconceptions about HIPAA out there that make the process harder. I would guess only about 2 – 5% of therapists are actually HIPAA compliant.
Barbara: So, in a few sentences, what is HIPAA?
Roy: HIPAA stands for the Health Insurance Portability and Accountability Act, a law designed to outline privacy and security standards to protect your client’s Protected Health Information (PHI). It addresses the security of the physical sites where your work is done (e.g. your office, and possibly your home if you keep any practice-related information there), but the security side was primarily aimed at the protection of electronic client information. It covers standards like encryption, passwords, anti-virus software, etc.
Barbara: How do I know if this applies to me?
Roy: You are considered a “HIPAA covered entity” and thus legally required to comply with HIPAA only if you perform “certain transactions in electronic form,” such as billing insurance or making coverage inquiries online. You are also a covered entity if someone is doing these online transactions on your behalf (ex. a clearinghouse, practice management system, or billing service). So, if you’ve never billed insurance, you probably aren’t a covered entity. (For more on this, see Roy’s article “Am I A HIPAA Covered Entity?”).
Barbara: What about using email, doing internet sessions with clients, or running credit cards?
Roy: No, these don’t inherently make you a HIPAA-covered entity.
Barbara: And what if I am NOT a covered entity?
Roy: We recommend HIPAA compliance (or close to it) for all therapists. Professional ethics codes require counselors to take precautions to ensure the confidentiality of all information transmitted through the use of any medium. HIPAA is an excellent guideline on how to meet the standard of care for protecting clients’ confidentiality, a “best practices” standard which may be echoed by state law. It’s wise to have policies and procedures in place about who can access your client info, why and how, and to be able to prove you’ve taken steps to prevent and handle a security breach.
Barbara: What about if some person or vendor submits electronic claims or handles client protected health information (PHI) for me? And what about texting and email?
Roy: When choosing vendors who do any handling of your client info, including secure email and texting, you need to choose ones that will execute a Business Associate Agreement (BAA) with you. A BAA is a document that says that the vendor will comply with HIPAA security standards (ex. appropriately safeguard client information, notify you of security breaches, and have a plan in place for how they will respond to a breach) just like you do.
Barbara: So, I should just look for products/services that say they are HIPAA Compliant?
Roy: No, this is one of the biggest HIPAA myths. Many products will say they are “HIPAA Compliant.” But there is no such certification, so any product can say this. You will need to do research about which products are HIPAA secure. Check out our vendor reviews at https://personcenteredtech.com/vendorreview
Barbara: Can I just get an “informed consent” from clients that it is OK to use a service without a BAA?
Roy: No, the Business Associate relationship is between you and the vendor. That relationship needs to be established properly.
Barbara: So, what if I AM a HIPAA-covered entity? What would be the first steps in becoming HIPAA compliant?
Roy: Perform a security risk analysis of your practice to find out how well you currently are complying with standards and managing your practice’s security. Then make a risk management plan and create a HIPAA Policies and Procedures “manual” that describes how you comply with HIPAA security standards in your practice. If that sounds overwhelming, it doesn’t have to be. The “manual” doesn’t have to follow a specific format – whatever works for you to maintain your secure and compliant practices, and is understandable for others, is fine. On the privacy side, you’ll have to start giving out a HIPAA Notice of Privacy Policies to all clients. (Check out Roy’s articles on this topic here). And don’t hesitate to contact PersonCenteredTech.com for support — we are happy to help therapists do risk analyses and set up a HIPAA-compliant practice. We won’t shame you!
Barbara: This all sounds like cleaning the bathroom. It isn’t fun, but it needs to be done, right?
Roy: Right. And like cleaning the bathroom, you can’t just do it once and you are done – it’s an ongoing process. So, while it takes time, once you clear away the fear, it’s doable, and important to protect our clients’ confidentiality.
Readers: If you have follow-up HIPAA questions, please don’t send them to me! Read some of Person Centered Tech’s articles on telehealth, HIPAA, social media, and other technology topics at https://personcenteredtech.com/articles/collections/, subscribe to their mailing list, or schedule a consultation with Roy or his staff at info@personcenteredtech.com or (503) 893-9717.
For other great resources for therapists, visit my store or read my articles.