HIPAA Demystified, Part 1: What is HIPAA?
HIPAA- the very acronym strikes fear in the hearts of many medical professionals. And for good reason- fines for violating HIPAA can begin at $100 per offense and top out at $1.5 million. But what IS HIPAA, and what does it mean for private speech therapy practices?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It was enacted to simplify healthcare paperwork and make it more efficient, as well as to prevent fraud. A 2004 addendum is the reason we have NPI (National Provider Identifier) numbers today.
HIPAA consists of two Rules- the Privacy Rule and the Security Rule. Both are overseen by the Department of Health and Human Services (HHS) and enforced by the Office of Civil Rights (OCR). Here are the distinctions:
Privacy Rule: "A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing."
What is Protected Health Information?:
This includes identifiers such as name, address, birth date, and Social Security Number, but excludes some information that is covered under FERPA.
When can I use that PHI? I have to bill, right? You can use/disclose that PHI for things like billing, sharing information with family members, and even for health care research. You just have to follow the Minimum Necessary Standard: "A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request"... basically, you don't need to write a novel when a quote will do.
For more information, HHS has a 25 page summary here.
Security Rule: requires that covered entities “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.”
Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce
There’s good news for us solo and small practice owners: the Security Rule does not dictate the requirements but requires the covered entity to consider:
Its size, complexity, and capabilities,
Its technical, hardware, and software infrastructure,
The costs of security measures, and
The likelihood and possible impact of potential risks to e-PHI
We can’t just “set it and forget it” when it comes to HIPAA, though- “covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.”
What are these “reasonable and appropriate” safeguards that the Security Rule entails?
Administrative safeguards: “ Administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.”
Selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.
Must perform a security risk analysis that identifies and analyzes risks to ePHI and then implement security measures to reduce the identified risks.
Examples: setting up email, EHR, and messaging
Physical Safeguards: Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
The technology and the policies and procedures for its use that protect ePHI and control access to it.
Examples: Making sure your computer locks after use, using passwords, not leaving files out
Organizational Standards: have contracts or other arrangements with BAs that will have access to the CE’s ePHI.
Example: sign BAA’s with all business associates
Policies and Procedures: Adopting reasonable and appropriate policies and procedures to comply with the Security Rule.
Maintain, until 6 years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments.
Periodically review and update documentation in response to environmental or organizational changes that affect the security of ePHI
Example: adding an EHR, confirming BAA’s, creating a HIPAA handbook
So that clarifies what HIPAA is. But who is considered a covered entity? I tackle that in HIPAA Demystified, Part 2: Are You A Covered Entity? Concerned about BAA's? I've got you covered in HIPAA Demystified Part 3: Lions and Tigers and BAA's, Oh My!
Do you have more questions about HIPAA? Ask them below, or send me a message!