The year was 1996. The place — the United States Congress.
After facing rising concerns regarding the portability of health insurance, the US Congress decided to create a legal regulation to help patients across the US maintain their insurance coverage, regardless of their employment status. On August 21, 1996, this regulation was first introduced as the Health Insurance Portability and Accountability Act.
That was HIPAA then. Fast-forward to 2003, the initial HIPAA regulation was massively upgraded with separate privacy and security rules, Since healthcare organizations entered the world of electronic patient data management, the need for protecting this sensitive health information under clearly defined guidelines has become even more paramount.
Today, HIPAA is a full-on US healthcare security regulation aiming to:
👌 Protect the health & personal information of patients
👌 Promote secure sharing of health information electronically
👌 Allow patients to keep their health insurance when changing jobs
👌 Combat healthcare information fraud, breaches, and misuse
👌 Simplify administrative processes in the healthcare industry
For your medical spa or private practice, understanding HIPAA is as important as complying with it. And complying with HIPAA is just as important as maintaining it.
Let’s unpack how HIPAA works, whom it applies to, and how your practice can achieve it, without violations or fines. Meanwhile, we’ll also debunk ten of the biggest HIPAA myths that could impact your compliance.
Want to start from the top? Click below to download the FREE HIPAA compliance checklist!
A handy HIPAA compliance glossary for healthcare providers
HIPAA terminology can be technical, but understanding it is crucial for navigating your compliance accordingly. To help you get a better grasp of the language around HIPAA and compliance, we created a handy glossary slideshow of the most commonly used terms.
Who needs HIPAA compliance?
HIPAA compliance applies to covered entities and business associates in the USA.
Covered entities include —
- Health plans — like health insurance companies, health maintenance organizations (HMOs), company health plans, and governmental healthcare programs, like Medicare and Medicaid.
- Healthcare providers — healthcare organizations that handle protected patient information (PHI and ePHI). Doctors, practitioners, clinics, practices, med-spas businesses, chiropractors, psychologists, GPs, physiotherapy clinics, and pharmacies, all have to be HIPAA compliant.
- Healthcare clearinghouses — organizations that convert healthcare processes, like billing information, into standardized formats, for efficient electronic data exchange between healthcare providers, patients, and other entities.
Also good to know 💡
Nurses who want to open a medspa, lets say in California. If there’s a way for them to do that, they also have to be HIPPA compliant.
Business associates (BAs) include —
- Third-party service providers that help manage a healthcare business’s PHI. BAs typically include organizations like medical billing companies, IT service providers, cloud software, accounting firms, claims processing and data storage companies, attorneys, and pharmacy benefit managers (PBMs).
What type of Protected Health Information does HIPAA cover?
HIPAA aims to protect various patient health information, a.k.a PHI, including:
- Patient medical records, health insurance details, and personal information
- Communications between patients and doctors, practitioners, or nurses
- Billing data of patients and clinics
- Electronic health records (EHR)
- Patient lab results, treatment images, consent, and other forms
- Patient prescription and medication information
- Other identifiable health information
How does HIPAA protect this information?
One of the ways HIPAA safeguards PHI is by enforcing various requirements that healthcare organizations — like your clinic — should follow. These include:
1. Access controls — you need to control who can view and use PHI by limiting authorized access to the necessary personnel only.
2. HIPAA training — healthcare employees and BAs both require extensive HIPAA compliance training to be able to protect PHI accordingly and avoid penalties.
3. HIPAA compliance documentation — for HIPPA to successfully protect PHI, it requires you to prepare complete compliance documentation. This also includes Business Associate Agreements (BAAs), compliance training records, emergency plans, risk assessment evidence, security and privacy policies, etc, Check the full documentation you need here.
4. The 5 HIPAA rules — when enforced, these rules help you prevent security, privacy, and breach-related concerns, whilst avoiding compliance violations.
HIPAA is not a self-acting regulation. While it provides certain regulations you should follow, it is up to your practice to implement and monitor them on an ongoing basis.
Understanding HIPAA’s 5 rules
HIPAA created a set of 5 rules that all healthcare organizations and their BAs need to follow, to ensure full-on compliance.
Although beneficial to your practice, following these rules also helps your patients:
- Learn how their health information is used when they seek healthcare
- Inspect and obtain copies of their medical records, and request corrections
- Control certain uses of their health information, by giving consent
- Be notified in case of a data breach that may compromise their information
Let’s have a look at what each HIPAA rule requires covered entities to do.
1. The HIPAA Privacy Rule —
The HIPAA Privacy Rule acts as a guardian for patient health information. It sets limits on who within the clinic can access and share patients’ protected health information.
It also ensures that only authorized personnel, like a doctor or a practitioner, can do so.
Meanwhile, front-of-house teams, nurses, and related medical personnel cannot access this information.
This rule also asks healthcare providers to obtain patient consent before disclosing their PHI. This approach promotes a culture of respect for patient privacy and reinforces the importance of securing medical data within your clinic.
2. The HIPAA Security Rule —
The HIPAA Security Rule safeguards both regular and electronic health records (PHI and ePHI). It ensures that patient information remains private, accurate, and accessible when needed. It also encourages clinics to perform risk assessments and put security measures in place, like digital locks, to prevent unauthorized access.
By following these guidelines, clinics can better protect patient information, reduce risks of data breaches, and maintain trust with their patients.
3. The HIPAA Breach Notification Rule —
The HIPAA Breach Notification Rule requires you to report any security incident that can compromise the security of patients’ unprotected health data. This rule also ensures that patients are informed about any such information breach.
Under this rule, you’ll be required to investigate and reduce the risks associated with data breaches and keep detailed records of your actions. You not only secure patient data but also maintain a strong commitment to patients’ well-being and safety.
4. The HIPAA Omnibus Rule —
The HIPAA Omnibus Rule is the latest upgrade of this regulation. It basically applies to your Business Associates and their subcontractors, asking them to take the necessary measures to protect patient data. Patients also get more control over their health data, especially around their genetic information, like their DNA.
To ensure that both BAs and your practice are HIPAA compliant, you will need to sign a Business Associate Agreement. This creates a more diligent and patient-focused approach to HIPAA compliance.
5. The HIPAA Enforcement Rule —
The HIPAA Enforcement Rule sets the rules for HIPAA violation penalties and fines. Under this rule, the Health and Human Services (HHS) can investigate violation complaints, share corrective action plans for improvement, and decide what penalties to give based on the violation.
What is considered a HIPAA violation
HIPAA violations can be purposeful or accidental, which might affect the penalty amount.
A HIPAA violation can happen if your practice or your business associates:
⛔ Share patient information without their consent
⛔ Don’t dispose of patient data securely
⛔ Fail to protect PHI confidentiality, integrity, and access
⛔ Don’t apply safeguards to ensure data confidentiality, integrity, and access
⛔ Don’t sign an agreement with BAs before granting them access to PHI
⛔ Don’t provide patients with copies of their medical records, upon their request
HIPAA investigations are conducted by the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS).
The OCR both enforces HIPAA regulations and investigates potential violations to ensure compliance with healthcare privacy and security rules.
Click here to learn more about specific HIPAA violations and fines!
What does a HIPAA investigation look like?
HIPAA investigations are not typically conducted on a regular, routine basis. The Office for Civil Rights (OCR) will mostly investigate your clinic if someone, like a patient, reports a breach, or complains that their privacy rights have been violated. A HIPAA investigation might also happen if the OCR detects a flaw in your compliance, or if a certain threat to your PHI has occurred already, and has affected over 500 people.
HIPAA investigations can take place in the clinic or digitally, based on the nature of the violation. In general, the OCR will give you advance notice before an investigation, although they might also show up unannounced, especially with severe violations.
A HIPAA investigation can take several months to complete, during which the OCR:
- Investigates the reported complaint
- Detects existing issues
- Informs your clinic of the final investigation results
- Proposes a fine and a list of action steps to help correct the issues
If charged, HIPAA penalties can range from $100 to $50,000 — per violation. However, for clinics that don’t cooperate. HIPAA fines can grow bigger, or even lead to imprisonment.
What you can do during a HIPAA investigation
The best way to tackle a HIPAA investigation at your clinic is to work with them, not delay, and answer all questions the OCR has.
Additionally, you can easily bypass or reduce HIPAA penalties by —
✔️ Reviewing your HIPAA policies and ensuring they are up to date
✔️ Reviewing the patient’s right of access rules
✔️ Doing risk analysis, creating risk management steps, & documenting everything
✔️ Retraining your employees on HIPAA
✔️ Ensuring your BAs understand their role in staying HIPAA-compliant
Recommended steps for becoming HIPAA compliant
The HHS makes various recommendations that every covered entity and business associate needs to stay HIPAA compliant. Here’s what those steps look like for your practice.
1. Establish a set of privacy measures
First off, you need to appoint a compliance officer — or a committee — who will be responsible for ensuring HIPAA compliance through all stages. You also need to carry out HIPAA compliance training for employees, including BAs, to ensure they know how to handle and secure PHI.
2. Get patient consent to manage their PHI
Next, you will need to get consent from your patients whenever you are collecting, using, and disclosing their medical information. You need to create a set of policies and procedures to explain how a patient’s data will and won’t be managed, and how access to this data will be enabled for that patient.
3. Create an emergency plan
Developing an emergency plan helps protect the safety and privacy of your PHI in case of an incident. This plan should include everything from access controls to data backup, recovery procedures, and communication protocols.
For example, an emergency plan should feature:
- The person who handles HIPAA-related issues during emergencies, and their emergency contact details
- Details about how you can ensure data backup and recovery of PHI in case of a breach or incidents
- Details about who can and can’t access PHI during emergencies, and how
- Information on how and when you will communicate PHI breaches in case of emergencies — to BAs, to your staffers, to affected patients, and if needed to the OCR
The plan should also designate an incident response team who will maintain detailed documentation of the actions they took during emergencies.
4. Give patients access to their records
As per HIPAA rules, when a patient asks for access to their record, your clinic will have 30 days of receiving the patient’s written request to follow through. Patients should also be given the right to correct the information in their medical records. But, keep in mind that patients are not always given access to their records — we debunk this myth below.
5. Ensure secure devices, websites, and networks
To avoid PHI exposure across different channels, you will need to secure your website, data devices, and networks. Some of the protections you can apply here include:
- Password-protected logins and automatic device timeouts
- Authenticate access of employees and BAs that manage PHI
- Encrypt data transmissions that contain PHI
- Conduct a regular risk analysis to maintain compliance
- Maintain a secure website and run it on a secure network
- Enforce extensive employee training on how to handle EHRs
6. Think about PHI storage & disposal options
When storing clinic health information, you need to consider different options, like hard copies, your server, or a cloud-based practice management software, like Pabau.
This storage solution must align with daily workflow requirements while ensuring HIPAA compliance. If needed, you can even consider a combination of these storage methods.’
Aside from storage, you also need to think about how you’ll get rid of PHI the right way. Are you tossing paper records in the trash or selling old devices without clearing the data on them? If so, your PHI is still at risk of exposure. Instead of doing this, when destroying old data, consider shredding paper records and wiping all PHI stored in your devices.
7. Sign a Business Associate Agreement (BAA)
HIPAA requires signing a written contract between your clinic (the covered entity) and your business associates, like any attorney you work with or any CRM software you use, like Pabau. This ensures the secure handling of PHI by both your practice and your BAs.
Signing a BAA means that both your clinic and your BAs (and their subcontractors) will be able to protect patient information and fulfill HIPAA’s security and privacy rules.
At the same time, this agreement also holds you and your BAs responsible for any compliance violations.
8. Stay current on privacy laws
When ensuring HIPAA compliance, you need to stay updated with the ever-changing laws and regulations. Make sure that your compliance officer or committee is on track with all changes, and implements them correctly. Moreover, you can also create a special strategy to ensure that your practice stays informed of HIPAA regulations at all times.
Ensure HIPAA compliance with our step-by-step HIPAA guide — or download our handy HIPAA checklist and guide!
Debunking 10 common HIPAA myths
Clear as it may sound, HIPAA regulations can often lead to confusion and uncertainty. This can unfortunately drive practices to commit unwanted compliance violations.
Does HIPAA apply to emails and texts? Can you share PHI with all employees or just select ones? Does HIPAA only apply to electronic health information?
These are valid points that you need to be aware of to establish viable HIPAA compliance.
Stop fishing for the right answers — we debunk ten of the biggest HIPAA myths below.
1. The myth — HIPAA prohibits emailing between practitioners and patients
Emails are notorious for increasing the risk of scams, hacks, and data breaches. This risk can easily jeopardize the process of sharing sensitive data with patients.
The truth — under the HIPAA Privacy Rule, when communicating with patients, you can use various communication channels, including emails. However, HIPAA requires all practices to apply the necessary safeguards, e.g. encryption, to ensure maximum patient data security during this correspondence.
2. The myth — HIPAA applies to emails, but not texts
Text messages are regulated by the Telephone Consumer Protection Act (TCPA). So, practices often make the mistake of believing that HIPAA doesn’t apply to texts.
The truth — HIPAA considers both emails and texts as electronic communications. So, text messages, just like emails, fall under HIPAA’s regulations and rules. And that’s not all, because, on top of HIPAA compliance, text messages MUST also comply with the TCPA.
💡 HIPAA compliance also extends to your social media — learn how and why HERE!
3. The myth — Care providers can share patient information with employers
Employers can access any information they have on their employees. So, it’s almost natural for them to have access to the health information of patients. Right? Not really.
The truth — HIPAA actually prohibits healthcare providers from revealing or sharing any personal health information with their employers — without the patient’s consent.
Most of the time, employers, like a clinic’s CEO or owner, will not be allowed access to any patient’s medical data. In fact, the only time an employer can obtain access to a patient’s medical record is when the patient gives their explicit consent, in writing.
However, do consider that any health information that has been collected individually, like via HR surveys, is not covered by HIPAA.
4. The myth — HIPAA only applies to healthcare organizations
HIPAA is a must for covered entities. These include all healthcare providers, health plans, and healthcare clearinghouses. Healthcare clearinghouses are organizations that process and transfer healthcare data, like electronic claims and administrative transactions, in a standardized format.
However, covered entities are not the only audience that’s affected by HIPAA.
The truth — while HIPAA applies to all healthcare organizations, it also affects your business associates (BAs) and their subcontractors. Business associates, like accountants or attorneys, have access to your PHI and are just as responsible for protecting them as healthcare organizations.
And just like healthcare organizations, business associates can become subject to HIPAA violations and fines, if compliance has not been met. To ensure HIPAA compliance and data security both ways, covered entities and their BAs have to enter a legal Business Associate Agreement (BAA) and regularly monitor their compliance efforts.
5. The myth — HIPAA prohibits the use of sign-in sheets
Sign-in sheets help speed up the check-in process for patients and help your staff manage appointments better. But, since sign-in sheets can include sensitive patient information, some threats, like unauthorized access, can easily compromise this data.
The truth — HIPAA allows clinics to use patient sign-in sheets, under one condition — that all health information included in those sheets is restricted. So, when using sign-in sheets for patients, you can’t include any health information, like the reason for the visit. You can, however, include the patient’s and practitioner’s names, and the visitation date.
6. The myth — Patient health information can’t be used for marketing
Using patient healthcare data for marketing purposes is strictly prohibited by HIPAA. That is, unless the patient gives their explicit consent ahead of time.
The truth — some marketing-like activities can be permitted by HIPAA. For example, you can send patients health plans where you suggest alternative services or products they can use. Although this encourages the use of new products or services, it is not really considered a marketing ploy. Why? Because the suggested products and services are strictly chosen to improve the patient’s treatment journey, not promote an offer.
7. The myth — Patients cannot be called by name in the waiting room
Are you allowed to call patients by their names? How do you address a patient correctly? This common debate leaves many healthcare providers puzzled about how to handle in-clinic patient interactions — without violating HIPAA guidelines.
The truth — HIPAA doesn’t consider calling patients in the waiting room by their name a violation. After all, a patient’s name does not reveal any of their health information. However, HIPAA prohibits healthcare providers from stating treatment-related details about the patient in the waiting room. So, while “Mrs Smith, you’re up next,” is fine to say, “Mrs Smith, you’re up next for your blood test,” is considered a HIPAA violation.
8. The myth — Keeping patient records on paper doesn’t break HIPAA compliance
You might assume that HIPAA compliance only applies to patient data that is stored and sent electronically, but not to patient records that are kept on paper.
The truth — HIPAA applies to both on-paper and electronically managed patient data, also known as PHI and ePHI. So, ALL health information that your clinic handles, stores, or sends is subject to HIPAA. Whether patient information is faxed, copied, or shared digitally, HIPAA legally obliges every practice to protect all medical records accordingly.
9. The myth — HIPAA forbids sharing patient information with family members
Family members may often accompany a patient to their treatment or will need to obtain test results or labs on behalf of that patient. So, does sharing that patient information with their family mean you are violating HIPAA? Not necessarily.
The truth — HIPAA allows healthcare providers to share patient information with family members — if the patient is present and has no objections to it. But, if a patient cannot be physically present, they can still give consent to their practitioner to share their health details with family members. Sometimes, if a practitioner believes it is in the best interest of their patient, they may disclose their health information to the family.
Finally, if a patient is underage, the practitioner might be obliged to share health information with their parents — especially if treatment consent is needed.
10. The myth — Patients can sue healthcare providers for violating HIPAA
Violating HIPAA compliance can lead to legal sanctions and fines. But the real question is — can your patients file a HIPAA violation lawsuit against your clinic?
The truth — patients can’t sue health providers, even in case of a HIPAA violation. However, patients have the right to write a formal complaint to the Secretary of Health and Human Services (HHS). The HHS will then investigate the complaint, and act on it in case there are reasonable grounds for legal action.
Support your HIPAA compliance with Pabau
Have you taken all necessary steps to ensure HIPAA compliance — from risk analysis to reporting?
Time to make it count. What you need is a software like Pabau with a number of features that will help support your HIPPA compliance efforts, from data encryption and secure storage to access controls and audit logs. Learn how Pabau helps you support your HIPAA compliance – or download our step-by-step HIPAA compliance checklist to get started!