In a podcast last fall we got Kelli Wise to answer the common question, “Do I need to be HIPAA compliant?” If you haven’t yet, I encourage you to listen to that episode here. (Sorry about the sound quality, we were new at the podcasting thing.)
But here’s the short(ish) answer:
HIPAA stands for Health Insurance Portability and Accountability Act, and it’s been added to and revised a bunch of times since it took effect in 1996. It was a law created to improve the efficacy and efficiency of our health care system, and it also included the adoption of Federal privacy protections for individually identifiable health information.
That second part, the privacy bit, is what most people are referring to when they ask about compliance.
Protected Health Information (PHI) is anything that identifies the client. That includes name, phone number and email. And if you store any of that information on an electronic device, yes, you need to be compliant. It’s your job to protect that information, and not share it without explicit permission from the client. You can read the legal-y explanation here.
Protecting it means you limit access to any devices storing that information. Don’t leave your computer or tablet or phone where someone could access it, and have it password protected. At ALL times. Not just after it’s been dormant for a few minutes and enters sleep mode. Set it to require a password every time you open it, turn it on or wake it up. And never walk away from your device while it’s open.
It doesn’t have to be a 48-digit hexadecimal super-password. But it should be a decent password, more complicated than your cat’s nickname or your birthday.
Be sure you’re using encryption settings on your phone and computer. Lock your physical file cabinet, and keep the key somewhere that’s not right next to the darn thing. (Preferably, keep it on your person.)
Again, this is actually the short answer. You can complete a free training on HIPAA compliance online. The U.S. Department of Health and Human Services gives some resources for training here. I just did the free training through Medscape and it was great. I mean, it was totally boring. But useful.
So you get yourself trained and get your office compliant. And if you have employees or contractors, you should get them trained and hip to your new protocols.
But what about other people you may do work with? A bookkeeper, accountant, etc.
This question came up in our Office Hours recently, and I spent some time looking at the HHS website to get an answer. My totally-not-legal-advice answer is this:
If anyone you contract with (like a bookkeeper) will see the names, contact information, or any other identifying information of your clients, they should be HIPAA trained.
You should request that they show you they have completed a training, and attest that they, and their devices, meet the standards. The HHS site has a sample agreement for these types of business associates.
Again, this is all ‘in-a-nutshell’ advice. It would be wise to schedule an hour and read a bit on the HHS site, and do a free training, at a minimum.
It’s a bit of a gray area whether, as massage therapists, we’re really ‘health care providers’. But since I occasionally talk to PTs and MDs, I think it’s worth it for me to maintain HIPAA-level standards. It’s not that hard.
Have you completed a training? Share in the comments, or in our Premium Member Facebook group!