If you’ve credentialed with insurance, it’s time to comply with HIPAA. Here’s what that means.
A guest post from Hushmail
If you choose to credential your practice with insurance, you’re automatically considered a “covered entity” and subject to the rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA).
Signed into law in 1996, HIPAA casts a wide net. At first, its primary purpose was to ensure that people could keep their insurance coverage during job and life transitions, but subsequent legislation has focused on handling patient information more efficiently by using electronic means to transmit and store patient data. This created the need to protect that data, and that’s where the HIPAA Privacy and Security Rules come in. For the most part, this is what HIPAA means for therapists – rules set in place so clients can feel confident that their information is kept private both online and offline.
So what does it mean to be a HIPAA compliant therapist? Let’s find out:
Understanding privacy and security
If you’re a healthcare practitioner doing your best to comply with HIPAA, the terms “privacy” and “security” may seem to blur together into one general concept of protection. However, while the terms are occasionally used interchangeably, and even though there is some overlap in their intent to protect personal information, they have very different meanings. It’s important that you understand these differences so you can successfully follow the HIPAA rules that have been put in place to protect your clients.
Essentially, privacy has to do with the right to keep personal information safe and confidential, and security has to do with the safeguards that are put in place to protect that information.
The HIPAA Privacy Rule
The HIPAA Privacy Rule requires secure communication of protected health information (PHI) and provides some recourse if it’s mishandled. One part of the Privacy Rule requires practitioners to develop and distribute a notice of privacy practices (NPP) that provides a clear explanation of your clients’ rights with respect to their PHI and the practices and procedures you’ve put in place to protect their privacy. The Privacy Rule also requires that practitioners properly inform their clients of their individual rights to access their records.
It’s interesting to note that recent audits conducted by the U.S. Office for Civil Rights (OCR) revealed that most covered entities included in the audits had NPPs that were missing required content and didn’t meet all of the requirements. Additionally, 89 percent of the covered entities failed to adequately inform individuals of their right of access to their records.
We’ll discuss later in the post steps you can take to ensure your practice is up to speed when it comes to the Privacy Rule.
The HIPAA Security Rule
The HIPAA Security Rule requires practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrime, and other online threats. This is where encrypted email and web forms come into play. When you’re sending your clients’ sensitive information back and forth online, nothing protects it quite like encryption.
Part of complying with the Security Rule is to regularly conduct a risk analysis to identify your practice assets, including all PHI created, maintained, received, or transmitted by you, and the risks and vulnerabilities posed to the confidentiality, integrity, and availability of that PHI. As part of completing a risk analysis, you will also rate the risks and vulnerabilities by considering their likelihood of occurring and their impact on your practice. This rating will give you an idea of where to focus your risk management efforts.
Risk management puts safeguards like encrypted email in place to shore up any vulnerabilities that you find in the risk analysis.
In the OCR audit, 94 percent of covered entities failed to implement the Security Rule requirements for risk management that would reduce risks to a reasonable level, and only 14 percent met the requirements for safeguarding PHI through risk analysis.
This non-compliance might be due to misunderstandings of the law. HIPAA requirements can seem overwhelming when you first become a covered entity. However, while risk analysis and risk management might sound intimidating, they can be very straightforward processes that can be developed once and then implemented on a routine basis, making HIPAA compliance a very achievable goal.
4 steps to HIPAA compliance
Here are simple steps you can take to make sure you’re in compliance with the HIPAA Privacy and Security Rules.
1. Make sure your Notice of Privacy Practices is up to speed and properly posted. You can start by reviewing the model NPPs provided by the OCR. Then, create your own NPP to match. The OCR provides several different versions of the models, all using plain language and approachable designs, so you can choose the design you feel will best serve your practice.
2. Inform your clients of their right to access their records. The Privacy Rule stipulates that individuals have the right to request access to their protected health information (PHI) at any time, in the format of their choice or in a hard copy format agreed upon by the individual and the health care practice. It’s your responsibility to implement easy-to-understand policies and procedures that make it easy for an individual to make this request. Practices also must respond in a timely manner and document the request and the practice’s response. We explain in detail with the help of the OCR how you can achieve this in our blog post HIPAA tips: are you correctly informing your clients of their rights?
3. Conduct a risk analysis. Completing a risk analysis (also called a “risk assessment”) might sound intimidating, but it doesn’t have to be, and you don’t have to do it all in a day. A good risk analysis plan is easy to follow and allows you to go through the steps when you have time. Here are some of the things you can do and resources you can use to get the job done in a timely manner.
Develop policies and procedures for completing the risk analysis. Spell out exactly how you plan to conduct your risk analysis and update your policies and procedures as your practice changes.
Conduct the risk analysis. See the resources below for useful guides on how to do this.
If you’ve already conducted a risk analysis for your practice, review it and make any necessary updates. This is especially important now since there have been so many recent changes to the healthcare environment due to the pandemic.
The ONC/OCR Security Risk Assessment Tool is a downloadable tool to help healthcare practices conduct a security risk analysis as required by the HIPAA Security Rule.
Our blog post “Is your new virtual practice secure? Conduct a risk assessment” explains the steps of risk analysis and includes a downloadable guide.
4. Establish ongoing risk management. Once you’ve conducted your risk analysis, you’ll see the areas that are in need of additional attention. You can then take remedial steps such as:
Document your security policy and procedures
Conduct ongoing staff training on your practice’s security policy and procedures
Use encryption where appropriate
Obtain signed BAAs from all third-party service providers that handle your practice’s digital assets, including its ePHI
Strengthen passwords and/or subscribe to a reliable password manager
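Steps 3 and 4 describe a risk register: list each asset that holds or carries PHI, name the threat to it, rate likelihood and impact, and then let the rating tell you which gaps risk management must close first. The following is an added example of that bookkeeping in Python; it is not Hushmail’s code, nor the ONC/OCR SRA Tool. The three-point scale, the score thresholds, and the sample register entries are all constructed assumptions for illustration, and a real practice would substitute its own assets and rating policy.

```python
"""Constructed risk register for a small practice (added example, not
Hushmail's code or the ONC/OCR Security Risk Assessment Tool).
The 1-3 scale, the tier thresholds and the sample entries are assumptions."""
from dataclasses import dataclass, field

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}   # assumed scale
IMPACT = {"low": 1, "medium": 2, "high": 3}       # assumed scale


@dataclass
class Risk:
    asset: str                 # where PHI is created, stored, received or sent
    threat: str                # what could go wrong with it
    likelihood: str            # "low" | "medium" | "high"
    impact: str                # "low" | "medium" | "high"
    safeguards: list[str] = field(default_factory=list)  # controls in place

    @property
    def score(self) -> int:
        # Likelihood x impact gives a 1..9 score used to rank the register.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def tier(self) -> str:
        # Assumed thresholds: 6-9 high, 3-4 medium, 1-2 low.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def build_register() -> list[Risk]:
    """Constructed sample entries; replace with the practice's own."""
    return [
        Risk("Client email (intake forms, appointment changes)",
             "PHI sent unencrypted or to the wrong recipient", "high", "high"),
        Risk("Laptop holding session notes",
             "Laptop lost or stolen", "medium", "high",
             safeguards=["full-disk encryption", "screen lock"]),
        Risk("Cloud scheduling service",
             "Vendor breach with no BAA in place", "medium", "medium"),
        Risk("Paper files in office cabinet",
             "Unauthorized viewing", "low", "medium",
             safeguards=["locked cabinet"]),
    ]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first: this is where risk management effort goes."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def unmanaged(register: list[Risk], min_tier: str = "medium") -> list[Risk]:
    """Risks at or above min_tier that have no safeguard recorded yet.
    These are the gaps step 4 (ongoing risk management) has to close."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r for r in prioritize(register)
            if order[r.tier] >= order[min_tier] and not r.safeguards]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        status = "managed" if r.safeguards else "OPEN"
        print(f"[{r.tier:6}] {r.score}  {r.asset}: {r.threat} ({status})")
```

Re-running the script after each change to the practice (a new device, a new vendor, a move to telehealth) is the “review and update” part of step 3; adding a safeguard to an entry is the record that step 4 has acted on it.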
HIPAA-compliant practices for communicating online
One of the most important steps you can take to protect your clients’ information online is to sign up for an encrypted email and web form service. However, once you have your account set up, common sense is paramount when communicating sensitive data. This is where a lot of practitioners get tripped up. No doubt you’ve heard of or experienced the stress and inconvenience caused by a fax sent to the wrong number. The same thing can happen with email, and no amount of encryption can protect against user error. Consider the following when using encrypted email and web forms:
Be wary of addresses you don't recognize. If you receive an email requesting PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email. This might require a quick phone call. A little extra effort will be worth it if it prevents PHI from falling into the wrong hands.
Make sure you're sending to the right recipient. When your email application automatically fills in a name, it’s easy to mistake a John Smith for a Jon Smith, or a Heather Bell for a Heather Biel. The solution is to slow down when sending an email and take the time to carefully select the correct address.
Don't put sensitive information in the subject line. Subject lines are displayed when listing emails and can be seen in notifications on some devices. Be sure to place any private or identifying information in the body of the email, not the subject line. Examples of inappropriate subject lines include: “Feedback on your depression screening” or “Welcome back to our ADHD support group.” These subjects tell too much information about the recipient.
Don't send group emails. Group emails are not ideal when it comes to protecting PHI. If the email implies information about the recipients, such as an email welcoming new members to a support group, then it’s considered PHI and under the protection of HIPAA. If you must send group emails, make sure they contain only very general information.
Make sure you encrypt. All encrypted email services are different and have unique encryption mechanisms. Hushmail’s service requires you to enable an encryption switch when you communicate with someone who doesn’t have a Hushmail account. Take the time to make sure the encrypted email you think you’re sending is, indeed, encrypted.
Hushmail makes HIPAA-compliant communication easy
As a covered entity, understanding the ins and outs of HIPAA compliance and online communication is crucial to the success of your practice. Hushmail takes the guesswork out of communicating securely with your clients. We have a proven track record of providing industry-standard OpenPGP encryption to protect the contents of your email and web forms, ensuring their security, privacy, and authenticity. Hushmail also provides plenty of extras to make life easier for your practice, such as e-signatures and an array of self-administered questionnaires like the PHQ-9 that deliver a score upon completion.
Learn more about Hushmail for Healthcare.
Hushmail for Healthcare is your all-in-one solution for secure client and patient communication. It's perfect for therapists, psychologists, optometrists, dentists, chiropractors, physical therapists, and other healthcare professionals. Hushmail for Healthcare comes configured for HIPAA compliance right out of the box. All plans come with a signed Business Associate Agreement and built-in email archiving.