It’s often a challenge for private businesses, including allied health clinics, to make sense of all the legal details contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and turn that insight into actionable tasks that create compliance. In fact, according to Health and Human Services, the Department that regulates HIPAA, private healthcare clinics are the second most likely healthcare provider to violate privacy laws.
Jane wants to make understanding and acting in compliance with HIPAA a little easier.
In this Guide document, we:
- Review how privacy laws apply in the United States,
- Briefly discuss the role of HIPAA for health clinics,
- Look closely at two critical sections of HIPAA: the Privacy Rule and the Security Rule, and
- Offer a Top 10 To-Do List that can help clinics get started with or double-check policies and procedures.
This information is not a legal interpretation of the law and is not binding on the Office for Civil Rights of the U.S. Department of Health and Human Services. This information is not intended to nor should it ever replace formal legal counsel.
Privacy Laws In the United States
In the United States, there is no single privacy law, or even a single set of privacy rules, that applies. Instead, privacy is handled through a patchwork of federal and state laws, which are often specific to the particular kind of information at hand. On top of these laws, there are often guidelines constructed by various regulating organizations that are not considered law but are treated as “best practices.”
HIPAA compliance is required for any organization that stores Personal Health Information (PHI) in the United States and, in particular, electronic PHI. This includes allied health clinics - especially those transitioning to electronic clinical notes and charting. Health information in allied health clinics is regulated first and foremost by HIPAA, and the first order of business as far as privacy goes should be to understand this law.
Where HIPAA does not cover all local requirements, state law and/or regulating guidelines will apply. Most of this Guide document addresses HIPAA, but towards the end we’ll get you started with state-by-state considerations.
The Role of HIPAA in Health Clinics
Since its release, HIPAA has changed the ways in which health data is collected, stored, exchanged and protected. This was a necessary shift as the industry moved from primarily paper records to electronic ones, where the risk of data exposure is greater. HIPAA acts as an essential piece of legislation that dictates the ways that allied health clinics behave in regard to Personal Health Information (PHI). Those controls in turn inspire a sense of confidence and trust that patient records will remain confidential.
HIPAA’s Privacy Rule is the section of law that defines Personal Health Information (PHI) in the United States, lays out privacy requirements, and regulates general use and disclosure limits for all PHI, no matter what form it comes in: paper or electronic.
HIPAA’s Definition of Personal Health Information - The Privacy Rule defines PHI as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
Many kinds of information fall under this broad definition. Some examples relevant in health clinics include:
- Names and dates directly applying to or somehow related to any individual
- Telephone, email address, fax numbers and other contact information
- Social security, medical record, health insurance plan, or other account numbers
- Driver’s licence numbers or vehicle identifiers, such as serial numbers
- Computer identifiers, such as: IP address, web URL, device identifiers and serial numbers
- Biometric identifiers, such as: retinal scan, fingerprints, etc.
- Full-face photos and comparable images
- Geographic data smaller than a state (city, for example)
Basically, any unique identifying number, characteristic, code or other information must be collected, stored, used, disclosed or otherwise handled in accordance with HIPAA privacy practices.
HIPAA’s Security Rule deals with the protection of electronically stored and transmitted health records. It provides three categories of safeguards that electronic systems must have in place to comply with HIPAA. Systems storing PHI must have:
- Administrative Safeguards: These are policies and procedures that clearly show how the electronic system and the company that manages that system will comply with HIPAA. This includes day-to-day protection of devices and passwords, for example. One of the most important Administrative Safeguards is the requirement that health professionals sign a Business Associate Agreement with any third party that creates, receives, maintains, or transmits electronic PHI on the healthcare professional’s behalf. Under HIPAA, a third party that handles PHI is considered a Business Associate of the healthcare provider or clinic, the “Covered Entity.” The Business Associate Agreement is a written contract between those two parties.
Jane’s Administrative approach: Though our support staff will be able to see your account data, we have a strict policy that we only access your account when you request assistance from us. Employees sign strict confidentiality clauses to ensure that they understand the confidential nature of the data that we handle. Furthermore, we limit chart access to only our senior managers - other support personnel simply won’t be able to see your medical data. And all employees go through rigorous training so that our privacy policies can be strictly adhered to. FYI, all our employees are based in BC (Canada).
- Physical Safeguards: Physical access to areas where data is stored must be controlled.
Jane’s Physical approach: When it comes to the physical location of our data, Jane’s servers are located in a super secure facility (based in Eastern Canada), complete with the latest security, authorization, and surveillance technologies - including a “man trap” that locks you in if you don’t pass the retina scan. If you’re the kind of person who likes the technical lingo, the facility is SOC 2 Type 2 audited and compliant. Jane’s data is also backed up nightly to a separate data centre in Western Canada.
- Technical Safeguards: PHI being transmitted electronically must be protected.
Jane’s Technical approach: Jane has implemented a number of technical functions to keep your data safe. The most notable is that any data in transit between the Jane servers and your browser is encrypted with 256-bit encryption, the same strength banks use. Jane also requires each staff member to have their own account, and Jane allows you to control the permissions for each staff member. All access is logged so that you can review the logs as necessary.
Jane has the appropriate policies and procedures in place to ensure that we stay compliant on our end with the appropriate regulations and can work with you to develop a BAA. You can also read our Security FAQ for more information.
Top 10 To-Do List
This list of Top 10 things is not exhaustive, and it merely offers a general summary of the recommendations of the U.S. Department of Health and Human Services. This list and this Guide document as a whole are not intended to be nor should they be considered legal advice.
1 - Create clinic-wide privacy procedures.
Appoint a Privacy Officer and contact person regarding privacy issues. This person is responsible for receiving complaints and training all employees on privacy matters, especially by informing all staff of PHI disclosure limitations and practices. Document all privacy practices and procedures and provide a Notice of Privacy Practices to patients or clients that informs individuals of how their PHI will be used. This Notice of Privacy Practices should include your clinic’s notice to patients on how you will collect, use and disclose PHI as well as any consent forms you wish to use to obtain consent for that collection, use and disclosure of PHI. Keep track of disclosures of PHI. When disclosing PHI, always disclose the minimum information necessary. Never sell PHI or identifying information to a third party. Train staff on your privacy procedures, especially relating to disclosure.
2 - Obtain consent to collect, use and disclose PHI.
The keys to proper consent for collecting, using and disclosing PHI under HIPAA are:
- Developing a set of policies and procedures, and
- Documenting those policies and procedures along with any instances of use or disclosure.
Follow use and disclosure criteria and obtain consent before disclosing PHI to another entity, except in a handful of highly specific scenarios. For example, a primary health care provider does not need consent to disclose a copy of an individual’s medical records to a specialist who needs the information to provide treatment. Consult HIPAA’s extensive Use and Disclosure Criteria for much more detailed information on when consent is and is not required.
3 - Construct an emergency plan.
Clinics should have a plan in place that will be activated in the event of an emergency that threatens the security and privacy of PHI. What you need is to make sure the right people have access to PHI in case of various emergencies. Should there be a data centre outage, for example, you need to make sure that the PHI for your clinic can still be accessed via a backup copy and recovered if necessary. In certain situations, it may be necessary to restore data from one location to another location. You need to make sure that access to the PHI for your clinic will not be cut off because one particular computer or computer system is unavailable.
And know what your clinic will do in the event of a breach. If you have implemented appropriate safeguards, and information is encrypted, you may not need to report a breach. If, despite your best efforts, a significant breach has occurred, you will need to follow the steps laid out by the Breach Notification Rule. This involves informing the patient and Health and Human Services and determining the extent and severity of the breach.
4 - Create processes that give patients easy access to their records.
Under HIPAA, the Privacy Rule requires that clinics and healthcare providers turn over copies of health records within 30 days of receiving a written request. Individuals also have the right to have their health records corrected where necessary in a timely manner. The rights of access and correction apply to health records in any form, paper or electronic, including appointment schedules, medical bills, dictated notes, conversations and any information entered into patient portals.
The Privacy Rule also explicitly requires providers to turn over PHI in cases of suspected child abuse so that child welfare agencies can identify or locate suspects or witnesses.
5 - Secure your devices, website and network.
Build and maintain a website that upholds all HIPAA privacy requirements for identifying information. Run that website on a secure network with all the appropriate safeguards, and seek professional assistance if need be. Exercise Access Controls, for example:
- Require secure password-protected login.
HIPAA requires that each user accessing PHI use a unique user identifier. And remember, PHI obviously includes clinical notes, but it also includes patient schedules and financial statements regarding health care. With each user logging in using unique credentials, you’ll be able to monitor, record, and periodically examine all activity regarding electronic PHI.
- Put timeouts on your devices so that they automatically log out after a short period of inactivity.
Timeouts are added and managed on individual computer devices, not through your practice management software.
- Train staff to act with integrity where electronic PHI is concerned, including not destroying or altering records.
- Require authentication for all individuals or entities who access PHI.
- Check that any data transfers that have PHI are encrypted.
You can examine your clinic’s security by consulting resources at the U.S. HealthIT website, including its Security Risk Assessment Tool.
6 - Weigh your options for storing PHI.
There are pluses and minuses for all available options for storing your clinic’s PHI regardless of whether you choose to store in hard copy in your physical clinic, on your own servers, or in a cloud-based practice management solution. What has worked for many healthcare providers we see in the U.S. is to look for a solution that meets the needs of your daily workflow while also making adherence to HIPAA as simple as possible. Sometimes clinics choose a combination of these storage options, and at other times clinics choose one.
If you are going to choose a cloud-based practice management solution, keep your eye out for critical features that allow you to comply with HIPAA easily and get back to the business of running your clinic and treating patients. Some of these key features include:
- All system activity can be logged and listed in reports. This will allow you to audit every person and instance of access to PHI.
- Access to all PHI is role-based. This ensures that only the people who need PHI to do their jobs can get access.
- Servers where the vendor stores PHI meet the highest and most up-to-date security standards. This gives you peace of mind that emergencies will be managed according to HIPAA and that the risk of a breach is as minimal as possible.
- The vendor and all employees adhere to HIPAA regulations for potential viewing, using or disclosing of PHI. Many clinics forget to think about this, but it’s important that any company handling your PHI also follows HIPAA with their own employees.
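As an added example (not Jane’s code, and not Jane’s actual permission model), the Python sketch below shows how the controls named in items 5 and 6 fit together in one access path: unique user IDs, role-based access, an inactivity timeout, and an audit log that records every attempt and can be filtered into a per-patient access report. The role table, record types, user IDs and patient IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role table (an assumption for this example): readable record types per role.
ROLE_PERMISSIONS = {
    "practitioner": {"chart", "schedule", "billing"},
    "front_desk": {"schedule", "billing"},
}
INACTIVITY_TIMEOUT = timedelta(minutes=15)  # automatic logoff threshold


@dataclass
class Session:
    user_id: str            # unique per staff member, never shared
    role: str
    last_activity: datetime


@dataclass
class PhiGateway:
    audit_log: list = field(default_factory=list)  # every PHI access attempt

    def access(self, session, record_type, patient_id, now):
        """Return True if the read is allowed; log the attempt either way."""
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            outcome = "denied:session_expired"   # automatic logoff
        elif record_type not in ROLE_PERMISSIONS.get(session.role, set()):
            outcome = "denied:role"              # role-based, minimum necessary
        else:
            outcome = "allowed"
            session.last_activity = now
        # Every attempt, allowed or denied, is tied to the unique user ID.
        self.audit_log.append({"time": now.isoformat(), "user": session.user_id,
                               "role": session.role, "record": record_type,
                               "patient": patient_id, "outcome": outcome})
        return outcome == "allowed"

    def report(self, patient_id):
        """List every person and instance of access to one patient's PHI."""
        return [e for e in self.audit_log if e["patient"] == patient_id]


def run_demo():
    """Constructed scenario: a practitioner and a front-desk user read one chart."""
    gw = PhiGateway()
    t0 = datetime(2024, 1, 8, 9, 0)
    doc = Session("u-0042", "practitioner", t0)
    desk = Session("u-0017", "front_desk", t0)
    r = [gw.access(doc, "chart", "p-1001", t0 + timedelta(minutes=5)),      # allowed
         gw.access(desk, "chart", "p-1001", t0 + timedelta(minutes=5)),     # denied: role
         gw.access(desk, "schedule", "p-1001", t0 + timedelta(minutes=5)),  # allowed
         gw.access(doc, "chart", "p-1001", t0 + timedelta(minutes=40))]     # denied: timed out
    return r, gw.report("p-1001")
```

The report is what lets a Privacy Officer answer “who looked at this patient’s record, and when” without relying on staff recollection.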
7 - Sign a Business Associate Agreement (BAA) with software vendors.
HIPAA requires a written contract between clinics and any other entity handling PHI. For this contract, HIPAA defines two types of organizations:
- Covered Entity: This is the organization recording the data. Typically this means health clinics and practitioners - basically anyone treating patients or seeing clients.
- Business Associate: The organization that is helping store and process data on behalf of the above “Covered Entity.”
The BAA explains the Business Associate’s roles, responsibilities and appropriate limitations in being compliant with HIPAA. Make sure your Privacy Officer regularly reviews any BAA you sign and updates that contract when necessary.
8 - Consider your state laws.
Check state laws that might put additional privacy requirements on your clinic beyond HIPAA.
- Where state law is less stringent than HIPAA, HIPAA will apply.
- Where state law is more stringent than HIPAA, state law will apply.
In many cases, more stringent state laws involve reporting of public health information, such as communicable disease or child abuse, or birth and death records.
The best advice that we’ve seen is to make sure your clinic makes “good faith” efforts to comply with all applicable laws, bylaws and regulations that apply in the location of your healthcare business by creating policies and procedures and being prepared to demonstrate that you have lived by these policies. While these actions are not guaranteed to relieve you of all legal liability in every instance, there is a legal consensus circulating that following these steps will go a long way toward mitigating your liability.
This information is not intended as legal advice. Clinics and practitioners should obtain legal counsel if they need formal legal advice.
9 - Check with your regulating body.
Another check you can make is to consult your regulating body for your specific discipline. Regulating bodies sometimes have additional guidelines that are deemed “best practices” in all matters concerning privacy, and they can offer assistance in understanding and implementing all of the applicable laws in your region.
10 - Stay current.
Laws often change. Make sure your Privacy Officer has a strategy in place to keep informed of any adjustments in privacy requirements and a strategy to keep your clinic or practice up-to-date on the latest changes and refresh your policies periodically as needed.
Jane is here to help, and as always, let us know if you need a hand.