Whether you’re just now going into private practice or have been on your own for several years, you know that a big part of managing a practice is staying on top of HIPAA requirements. If you’ve attempted reading the actual legislation itself, you might have felt a little overwhelmed. There’s a lot there! It’s true that HIPAA can seem confusing, especially when dealing with it for the first time. That’s why we’ve put together a post about the bare minimum you need to know.
Does HIPAA apply to you?
The first question to ask is whether or not you’re a covered entity (CE) and are required to comply with the HIPAA rules. Making this distinction is fairly straightforward. If you’re a health care provider who engages in the electronic exchange of information to carry out financial or administrative activities related to health care, then you are a CE. This can include doctors, clinics, psychologists, dentists, chiropractors, and other practitioners.
If you exchange emails with clients, accept insurance, or bill online, most likely you’re a CE. But if for some reason you’re not, that doesn’t mean you should ignore HIPAA. Securing your clients’ PHI is still important for legal and professional reasons, and minding the HIPAA guidelines is a good way to ensure you’re providing adequate protection.
Who needs to be HIPAA compliant?
A health care provider
This includes providers such as:
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A health plan
A health care clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Understanding PHI and how to protect it
The HIPAA rules are all about protected health information (PHI) and keeping it safe in both the physical and online worlds. By definition, PHI is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.
Here is a list of items that constitute PHI:
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal, and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
Know the safeguards to protect PHI
Although HIPAA guidelines only ask that you implement technical safeguards and that encryption be used whenever appropriate, its use is a widely accepted, reliable safeguard for PHI transmitted online. It helps to know a little about encryption and how it works before choosing a secure email, web form, or other communication service.
Encryption scrambles a message so that it’s unreadable to anyone who can’t access the key needed to unscramble it. There are multiple types of encryption. Many services offer TLS encryption, which encrypts information when it’s in transit from sender to receiver. With TLS, the encryption stops there. Open PGP encryption is another type of encryption (often offered by specialty, HIPAA-compliant services) that encrypts information while it’s in transit and also in storage. A combination of TLS and Open PGP encryption secures data throughout its journey from sender to receiver and in storage, providing the most consistent protection for your clients’ information when it’s transmitted online.
Make sure you acquire BAA’s from third-party service providers
To ensure you’re adequately protecting your clients’ PHI, you’ll want to sign up for HIPAA-compliant communication services, including your email, web form, online fax, and telehealth services. Many services claim to be secure. Some even tout a HIPAA-compliant platform. However, the only way you can be certain that a service meets the requirements is if that service offers a signed Business Associate Agreement (BAA).
A BAA is a signed document that affirms a third-party service provider's willingness to accept responsibility for the safety of your clients' PHI, maintain appropriate safeguards, and comply with HIPAA requirements when they handle PHI on your behalf.
HIPAA rules require a BAA from every third-party service provider you use that could be exposed to your clients’ PHI. This means any billing, online fax, video conferencing, messaging, email, and web form service.
Use services correctly to protect privacy
Once you’ve gotten the signed BAA’s from your third-party services, you’re well on your way to HIPAA compliance. However, even though the BAA will give you confidence that the third party is taking responsibility for protecting your clients’ information, there will usually be some things you need to do on your own to ensure that the information is as secure as it can be.
For example, even if you’re using a HIPAA-compliant service, you should still follow some best practices:
- Be wary of addresses you don’t recognize. If you receive an email requesting information that might qualify as PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email. Check the actual email address of the sender in addition to the name. This is a good communication practice in the healthcare world, but in the middle of multitasking, it’s easy to forget.
- Be sure to send to the right recipient. You’d be surprised how many errors are made by not looking closely at the recipient. It’s easy to mistake Melissa Jones for Melinda Jones. Or Taylor Smith for Tyler Smith. The solution is to slow down and take the time to select the correct person.
- Don’t put sensitive information in the subject line. Subject lines are the most visible part of an email. They are displayed when listing emails and can be seen in notifications on some devices. Be sure to place any private or identifying information in the body of the email, not the subject line. And be careful if you’ve chosen to customize your web form’s email subject line with information pulled from the form. That information should never be PHI. (You can learn how to do this in our blog post 8 Hushmail email and web form building hacks.)
- Don’t send group emails. As a rule, sending messages to a group is a bad idea when it comes to protecting PHI. If the email or web form implies information about the recipients, such as a welcome package for new members of a support group, then it’s considered PHI and under the protection of HIPAA.
- Make sure you encrypt. All encrypted email and web form services are different and have unique encryption mechanisms. For example, if you’re communicating with someone who doesn’t have a Hushmail account, you need to enable our encryption switch.
- Secure your surroundings before a telehealth session. If you’re conducting sessions online, it’s important to convey the same level of security for your clients as you would in a physical office. At the bare minimum, you should have a door that closes. Someone should never wander in when you’re in the middle of a session.
- Pause before sending or meeting with a client. It’s easy to get caught up in what we’re doing and forget some of these simple checks. That’s why you should always pause before you hit send or join meeting to make sure all PHI is secure and going to the correct destination.
Support clients’ right to access their information
The last bare minimum thing you should think about regarding HIPAA compliance is whether or not you’re supporting your clients’ right to access their information. We wrote extensively about this topic earlier this year in our blog post HIPAA tips: are you correctly informing your clients of their rights? HIPAA has put guidelines in place to ensure that clients have control over their PHI and can access it quickly and easily. Make sure that your Notice of Privacy Practices (NPP) is easy to find on your website and that the NPP spells out in clear terms how your clients can request their information and what they can expect when they do.
Make sure you have a written out plan.
- Explain how you will respond to requests for PHI and communicate that information to your clients
- Be sure to keep records of every request that comes in
- Document your response
Is it time to start using encrypted email and web forms to support your private practice?
We’re giving you the bare minimum you need to know about HIPAA. Find out if you’re a covered entity, what a BAA is and if you need one, how to ensure you’re using third-party services in a secure manner, and what you need to do to support your clients’ right to access their information.