Hushmail Blog

HIPAA Questions and Answers: A Guide for Small Healthcare Practices

Written by Hushmail | Oct 10, 2024 6:26:17 PM


Between managing appointments and providing the best possible care to your clients, the complexities of HIPAA can be overwhelming, especially when what you're reading feels like a foreign language.

We understand. This is why we've created this guide specifically for solo practitioners and small practices like yours. We'll answer your most pressing HIPAA questions in plain language. We'll provide answers that are easy to understand, even if you're not tech-savvy.

You'll get answers to the most pressing questions about HIPAA compliance for your practice, email communication, web forms, telehealth, and more.

Think of this as your HIPAA cheat sheet. After reading this guide, you'll have the confidence and knowledge you need to run a successful, HIPAA-compliant practice (even if it's just part-time!).

Table of Contents

  1. What is HIPAA, and why is it important for my small therapy practice?
  2. What is the HIPAA Privacy Rule?
  3. What is the HIPAA Security Rule?
  4. Who needs to be HIPAA-compliant?
  5. What is a Covered Entity?
  6. What is PHI?
  7. What is ePHI?
  8. What is a Business Associate?
  9. What is a Business Associate Agreement (BAA)?
  10. What is considered a HIPAA violation?
  11. What are some common HIPAA violations related to technology use?
  12. How do I avoid HIPAA violations?
  13. What happens if someone files a HIPAA complaint against me?
  14. What are the penalties or consequences for not being HIPAA compliant?
  15. What is the HIPAA Wall of Shame?
  16. What is a HIPAA risk assessment?
  17. What is an NPP?
  18. What is the individual's right of access under HIPAA?
  19. Can I communicate with my clients via email? If so, how can I make sure these emails are HIPAA compliant?
  20. Can I use my personal email account to communicate with clients?
  21. What should I look for in a HIPAA-compliant email service?
  22. How do I make sure that my practice’s voicemail is HIPAA-compliant?
  23. How do I ensure that my fax is HIPAA-compliant?
  24. Is texting my clients HIPAA-compliant?
  25. Can I use web forms to collect information from my clients?
  26. What should I look for in a HIPAA-compliant web forms service?
  27. How do I respond to client reviews in my practice?
  28. What happens to my practice's client records when I retire?

What is HIPAA, and why is it important for my small therapy practice?

HIPAA is a law that provides a set of rules to safeguard your clients' sensitive health information, which is often referred to as PHI (protected health information). For example, HIPAA ensures that your clients' diagnoses and treatment details stay confidential.

Here’s why it matters for your therapy practice:

  • Builds trust: Shows your clients you take their privacy seriously.
  • Avoids fines: Helps you stay on the right side of the law and avoid hefty penalties.
  • Protects everyone: Information is only shared with the right people when necessary.

In short, HIPAA compliance is something you need to get right.


What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a set of requirements to keep your clients' protected health information safe and confidential. It sets out how you can use and share their PHI.

For your small practice, the Privacy Rule means:

  • Letting your clients know their rights: You must tell them how their information can be used and shared.
  • Creating privacy procedures: You'll need to have a plan for handling client information in your practice.
  • Training your staff: Make sure everyone in your practice understands and follows the privacy procedures.
  • Protecting client records: Keep those files secure so only authorized people can access them.

The good news is that the Privacy Rule is designed to work for practices of all sizes, so you can tailor the procedures to fit your specific needs. It's about finding the right balance between protecting your clients' privacy and running your practice smoothly.


What is the HIPAA Security Rule?

If the HIPAA Privacy Rule is about keeping client information confidential, the HIPAA Security Rule is its tech-savvy sidekick. It focuses specifically on protecting your clients' electronic health information (ePHI) — emails, digital records, and any health data you store or send online.

The Security Rule makes sure your clients' ePHI is:

  • Confidential: Only the right people can see it.
  • Accurate: It hasn't been changed without permission.
  • Available: You and authorized people can access it when needed.

The Security Rule requires you to:

  • Control access: Only authorized people should be able to see your clients' ePHI.
  • Track activity: Keep an eye on who's looking at what, so you can spot any suspicious behavior.
  • Prevent changes: Make sure no one can tamper with or delete your clients' information without permission.
  • Secure transmission: Ensure sensitive information goes directly and securely to the intended recipient.

Like the Privacy Rule, the Security Rule is adaptable for small practices. You don't need to install Fort Knox-level security. It's about finding the right safeguards that make sense for your practice, its size, and the types of technology you use. You'll learn more about these safeguards as you read on.


Who needs to be HIPAA-compliant?

HIPAA applies to healthcare providers (like you!), health plans (insurance companies), and healthcare clearinghouses (companies that process health information). These groups are called Covered Entities (CE), which you’ll learn more about below.

It's worth noting that HIPAA compliance isn't just for big hospitals and clinics. Even if you're a small, part-time practice, the key is whether you electronically transmit PHI to carry out financial or administrative activities related to healthcare. If you do, HIPAA applies to you.

What is a Covered Entity?

A Covered Entity (CE) is any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically as part of its standard business practices in providing healthcare and conducts financial or administrative activities related to it. For example, if you're a therapist and send emails to clients, accept insurance, or bill online, you're likely a covered entity.

Being a covered entity means you have certain responsibilities under HIPAA. You must ensure your clients' PHI is kept private and secure, and HIPAA gives them certain rights regarding their information.

A healthcare provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A health plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A healthcare clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

If you're unsure whether you're a covered entity, the HHS website has a handy tool for determining it.


What is PHI?

PHI is any information that can be used to identify an individual and that relates to your clients’ past, present or future health. This could include their:

  • Name
  • Contact info (address, phone number, email)
  • Birthdate
  • Social Security number
  • Client notes from a telehealth session
  • Diagnoses

Here are some common examples of PHI you might encounter in your small practice:

  • Basic identifiers: Name, address, phone number, email, Social Security number
  • Health information: Diagnoses, treatment plans, medications, test results
  • Payment information: Insurance details, billing records


What is ePHI?

ePHI is simply PHI that's in electronic form. This means anything from emails and text messages to electronic health records and billing information.

HIPAA protects both PHI and ePHI. This means you must handle all this information carefully, whether on paper or digital. The goal is to keep it confidential and secure so your clients can trust you with their sensitive information and you can meet your HIPAA and professional obligations.

What is a Business Associate?

A Business Associate (BA) is a person or organization outside your practice whose activities involve the use or disclosure of PHI to help you run your practice.

This could include:

  • Your billing company
  • Your accountant
  • Any online service you use for scheduling, emailing, or storing client records

HIPAA considers these groups as extensions of your practice, so they need to be just as careful with client data as you are. For this reason, you need a contract with them – a Business Associate Agreement (BAA) – to pass on the responsibility to keep your clients’ information safe.


What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a signed written agreement between you and every business you hire to help with your practice that could have access to your clients' PHI. It's like a safety net, ensuring that they'll handle that sensitive data with the utmost care and follow all the HIPAA rules, just like you do.

A BAA documents the business associate’s acceptance of the responsibility to keep your clients' information safe and how they will do so. It also covers what happens if there's a data breach. Key points to look for in a BAA include:

  • How they'll use PHI: The BAA should clearly state what the business associate is allowed to do with your clients’ PHI.
  • Their responsibilities in a breach: It should outline their obligations if there's a breach.
  • Safeguards: The BAA should obligate the business associate to have administrative, physical and technical safeguards in place to protect the PHI.


What is considered a HIPAA violation?

A HIPAA violation happens when you break the rules about handling your clients' PHI.

This could mean, for example:

  • Sharing information without permission: Discussing a client's case with someone without consent or posting details on social media.
  • Mishandling records: Leaving files out in the open or exposing computer screens where anyone can see them.
  • Not giving clients access to their information: If a client asks for their records, you must provide them within a specific timeframe.
  • Not having proper safeguards in place: This could be anything from not encrypting your emails to not training your staff on the HIPAA rules.

Even if you didn't mean to do anything wrong, these actions can still be HIPAA violations.


What are some common HIPAA violations related to technology use?

Here are some common HIPAA violations that can happen when using technology in your practice:

  • Unsecured emails: Sending client information through regular email is like sending a postcard—anyone with knowledge of how to intercept it can read it.
  • Lost or stolen devices: If your laptop or phone gets lost or stolen and it's not password-protected or encrypted, that's a big problem.
  • Social media slip-ups: Posting about clients (even without names) puts their privacy at risk.
  • Sharing passwords: Letting others use your login or access client information on a shared computer.
  • Using unencrypted messaging apps: Apps like regular text messaging or WhatsApp aren't secure enough for sharing PHI. Use only secure and encrypted apps.
  • Leaving devices unattended: Even stepping away from your computer for a few minutes without logging out can lead to unauthorized access.

How do I avoid HIPAA violations?

Even if you're not a tech-savvy person, here are some key steps to protect your clients' PHI:

  1. Use secure communication tools: Avoid using regular email or text messaging for anything that involves client information. Instead, opt for HIPAA-compliant services that offer encryption and other safeguards.
  2. Keep devices safe: Ensure that devices are secure and that files are protected and encrypted. Don't leave your laptop or phone unattended in public places. If they are lost or stolen, remotely wipe any sensitive data.
  3. Be mindful on social media: Never post anything about your clients, even if you think it's harmless.
  4. Get those BAAs: Whenever you work with a third-party service provider that might access client information (like billing), ensure you have a signed Business Associate Agreement (BAA).
  5. Train your staff: If you have employees or assistants, make sure you provide compliance training so they understand the HIPAA rules and your practice's privacy policies.
  6. Stay informed: HIPAA regulations can change, so staying up-to-date on the latest requirements is essential. Resources are available on the HHS website and the Hushmail blog.


What happens if someone files a HIPAA complaint against me?

If a client believes there has been a HIPAA violation, they can file a complaint with the Office for Civil Rights (OCR).

Here's what you can expect if that happens and the OCR accepts the complaint:

  1. Investigation: The OCR will investigate the complaint and gather information from both you and the person who filed it. You will be required to cooperate with the investigation.
  2. Decision: After investigating, the OCR will let you know their findings.
  3. If a violation is found: You may need to agree to voluntarily comply with the rules, or take corrective actions, such as changing your procedures or providing additional training to your staff. In some cases, you may also face fines.
  4. Resolution agreement: You might also be required to sign an agreement with the OCR agreeing to perform certain obligations and make reports to them, generally for a period of three years.


What are the penalties or consequences for not being HIPAA compliant?

As of August 8, 2024, non-compliance with HIPAA can result in fines ranging from $141 to $71,162 per violation (or per record). The maximum penalty for violations of the same provision is $2,134,831 per year.

The Office for Civil Rights (OCR) can also impose a corrective action plan on your practice, requiring you to take specific steps to improve your compliance. This plan can last one to three years and be very costly in terms of the time required to meet your obligations under the plan.

The table below gives a brief overview of the fines and penalties under HIPAA.

| # | Description | Minimum fine per violation | Maximum fine per violation |
|---|---|---|---|
| 1 | Unknowing. You weren’t aware of the rule and couldn’t have realistically avoided the violation. | $141 | $71,162 |
| 2 | Reasonable cause but not willful neglect. You should have been aware of the rule and able to avoid committing the violation but committed the violation due to reasonable cause, not “willful neglect”. | $1,424 | $71,162 |
| 3 | Willful neglect. You ignored your responsibilities (“willful neglect”) but attempted to correct the violation within 30 days. | $14,232 | $71,162 |
| 4 | Willful neglect and not timely corrected. You ignored your responsibilities and didn’t attempt to correct the violation within 30 days. | $71,162 | $2,134,831 |

The HHS updated these figures to adjust for inflation on August 8, 2024. These new figures are effective for assessments by the OCR on or after August 8, 2024, and apply for violations that occurred on or after November 2, 2015.

In addition, the violation could give rise to professional sanctions and legal action from patients.


What is the HIPAA Wall of Shame?

The HIPAA Wall of Shame is a public listing that provides information about breaches affecting 500 or more individuals. The page lists all breaches reported within the last 24 months that are currently under investigation.

HIPAA Wall of Shame

Landing on the Wall of Shame is bad news. It means:

  • Public scrutiny: Your practice's name and the breach details are visible to anyone for two years.
  • Loss of trust: Clients may worry about their information being safe with you.
  • Reporting: You are required to investigate the breach and report to the affected individuals and OCR without unreasonable delay and no later than 60 days from the discovery.

Even small practices can end up on the Wall of Shame. All it takes is one stolen laptop, a hacked email account, or an accidental disclosure of client information.


What is a HIPAA risk assessment?

The purpose of the required HIPAA risk assessment is to identify weak spots that could put your clients' PHI at risk. You'll need to look at both the physical security of your office and the safeguards you have in place for your electronic client data (like online forms, telehealth sessions, etc). It's about proactively finding those vulnerabilities before they become a problem.


What steps should I take if there’s a data breach in my practice?

A data breach is scary, but staying calm and taking quick action is key. If you suspect a breach:

  1. Assess: Determine what information was accessed and who might be affected.
  2. Contain: Disconnect devices, change passwords, and switch to secure communication.
  3. Get help: If needed, contact a digital forensic investigator, law enforcement, and your attorney.
  4. Document: Keep detailed records of everything that happened and the steps you've taken.
  5. Notify: If 500 or more people are involved, inform affected clients and the OCR within 60 days; otherwise, you can report annually to the OCR.

The sooner you act, the better you can protect your clients and practice.


What is an incidental disclosure?

As a small healthcare practice, you're no stranger to handling sensitive information. But sometimes, despite your best efforts, client information can slip out unintentionally. This is called an incidental disclosure: the accidental or unavoidable sharing of health information. To count as one, the disclosure has to meet a few conditions:

  • It’s secondary: It happens as a side effect of an otherwise allowed use or sharing of information. For instance, a client overhears a conversation in the waiting room while you're discussing a treatment plan with another healthcare provider.
  • It’s unavoidable: Reasonable steps have been taken to protect the information, but the disclosure couldn't realistically be prevented. Maybe a client's name is visible on a document you're reviewing at your desk despite your efforts to keep the file confidential.
  • It’s limited: Only a small amount of information is exposed.

The good news is that HIPAA understands that these things happen. As long as you've taken reasonable steps to protect information, and the disclosure was minor and unavoidable, it's usually okay.

However, if you constantly leave files in the open or mention client names across the waiting room, that's not an incidental disclosure—it's a HIPAA violation.


What is an NPP?

Your Notice of Privacy Practices (NPP) is like a transparency agreement between you and your clients. It's a clear, easy-to-understand document that explains how you handle their PHI.

Your NPP needs to cover:

  • How you use their information: This includes sharing it with other healthcare providers for treatment purposes or submitting claims to insurance companies.
  • Their rights: Your clients have the right to access their records, request corrections, and even limit how their information is shared. Your NPP explains these rights.
  • Your commitment to protecting their privacy.
  • Your contact information: Your clients need to know who to contact if they have questions or concerns about their privacy.


What is the individual's right of access under HIPAA?

Your clients have the right to ask for and receive a copy of their health records whenever they want. This includes their therapy notes, treatment plans, and billing records. They can even request it in a specific format, like electronic or paper copies.

To make this process smooth for everyone, ensure your clients know they have this right. Explain it clearly in your Notice of Privacy Practices (NPP) and have a simple process for them to make requests.


Can I communicate with my clients via email? If so, how can I make sure these emails are HIPAA compliant?

You can communicate with your clients via email, but ensuring those emails are HIPAA-compliant is important. Here’s how:

  • Use a secure email service: Regular email services like Gmail or Outlook aren't secure enough for PHI. You'll need a HIPAA-compliant service that offers encryption to scramble your messages and keep them private.
  • Look for a BAA: Ensure the email service provides a Business Associate Agreement (BAA). This contract makes them responsible for protecting your clients' information.
  • Choose strong encryption: Ideally, use a service with a "private message center" that keeps messages encrypted even when your client doesn't have a secure email account.
  • Be mindful of what you send: Avoid putting sensitive information in the subject line, and never send group emails that could reveal someone's health status to others.


Can I use my personal email account to communicate with clients?

No, using your personal email for client communication is a big HIPAA deal-breaker. It's not secure enough to protect their sensitive health information. Stick to a dedicated, HIPAA-compliant email service to keep things safe and avoid violations.


What should I look for in a HIPAA-compliant email service?

Choosing the right email service for your practice is a priority. You need one that's secure, affordable, and easy to use, even if you're not a tech expert. Here are some key features to look for:

  • HIPAA-specific features: Look for a service designed specifically for healthcare professionals, with features like encryption, a Business Associate Agreement (BAA), and an email archive.
  • Ease of use: You're busy enough already! Choose a service that's user-friendly for both you and your clients.
  • Affordable: Don't spend a fortune on expensive add-ons or complex setups. Find a solution that fits your budget.
  • Additional features: Some services offer extras like secure online forms, e-signatures, templates and dedicated customer support. These can streamline your workflow and save you time.


How do I make sure that my practice’s voicemail is HIPAA-compliant?

Making your voicemail HIPAA-compliant is about two main things:

  • Receiving voicemails from your clients: Your technology needs to be secure. This means using encryption to protect messages and access controls to limit who can listen to them. If you're using a cloud-based service, make sure they offer a Business Associate Agreement (BAA).
  • Leaving voicemails for your clients: When leaving messages for clients, only share the minimum necessary information, like your name and number. You can talk to family or close friends involved in the client's care, but only with the client's permission.


How do I ensure that my fax is HIPAA-compliant?

Whether you're using a traditional fax machine or an online fax service, keeping your faxes HIPAA-compliant involves the following:

Traditional fax machine

  • Secure location: Keep your fax machine in a private area where unauthorized people can't access it.
  • Handle with care: Don't leave faxes lying around. File them securely or shred them when you're done.
  • Cover sheets and disclaimers: Use a cover sheet with a HIPAA disclaimer to protect information from prying eyes.
  • Double-check numbers: Avoid misdialing by storing frequently used numbers in the machine's memory.

Online fax service

  • Choose a HIPAA-compliant provider: Ensure the service offers a Business Associate Agreement (BAA) and uses encryption.
  • Use a HIPAA-compliant email: If the service sends notifications or allows you to send faxes via email, make sure your email service is also HIPAA-compliant.
  • Follow best practices: Be careful about who you send faxes to and avoid including sensitive information in the subject line.


Is texting my clients HIPAA-compliant?

The short answer is: It depends.

Regular texting, whether SMS or in-app, isn't HIPAA-compliant on its own. This is because it doesn't have the built-in security features to protect your clients' protected health information (PHI).

But you can still text clients if you take these steps:

  1. Get their permission: Have a conversation about the risks of texting and get their written consent to use it for specific purposes (like appointment reminders).
  2. Use texting with secure email so you’re always HIPAA compliant. When you’re sending a lengthier message that contains a lot of PHI, that’s where secure email comes in.
  3. Keep it minimal: Even with a secure app, only text the bare minimum information needed. Do not share detailed diagnoses or treatment plans via text.

Alternatively, you can use a HIPAA-compliant text messaging app like iPlum instead of SMS texting or your regular app.


Can I use web forms to collect information from my clients?

Yes, you absolutely can—and should! Web forms are a great way to gather information from clients efficiently. However, you have to make sure those forms are secure and HIPAA-compliant. Here's why:

  • Client privacy: Regular web forms might not have the encryption to protect your clients' sensitive health information (PHI).
  • HIPAA violations: Collecting PHI through an unsecured form, even if it's just a contact form on your website, is a violation.
  • Professionalism: Using secure web forms shows your clients you take their privacy seriously, building trust in your practice.


What should I look for in a HIPAA-compliant web forms service?

Just like with email, regular web forms can put your clients' privacy at risk. Here's what to prioritize when choosing a service:

  • HIPAA compliance is a must: Ensure that the service offers a Business Associate Agreement (BAA) and uses strong encryption to protect data.
  • Ease of use: You want an intuitive and user-friendly service for you and your clients. Drag-and-drop builders and pre-made templates can be a big help.
  • Secure data collection and storage: Look for a service that stores completed forms securely and allows you to access them only through encrypted channels.
  • Integration with your workflow: If you use an EHR or other practice management tools, consider a service that can integrate seamlessly with your existing systems.
  • Customer support: When you have questions or need help, you want responsive and knowledgeable support.

Hushmail for Healthcare's secure web forms include a BAA and have the same strong encryption as your Hushmail email. You can embed forms on your website, share them via email, or even use them for telehealth pre-screening.

Dr. Kara Dionisio's Secure File Transfer Form


How do I respond to client reviews in my practice?

Responding to client reviews can be tricky. You want to show appreciation for positive feedback and address any concerns, but you also need to protect your clients' privacy. Here are some guidelines:

  • Keep it vague in public: Never confirm that the reviewer is a client or discuss any specific health information. Avoid mentioning any details about their treatment or experiences, even if they shared them in the review. A simple "Thank you for your feedback" works for positive and negative reviews.
  • Move the conversation to a secure channel: If you need to address a negative review or discuss anything further, invite the client to contact you privately through a HIPAA-compliant method, like secure email or a web form.
  • Don't repost reviews without permission: Even if a review is glowing, you can't share it on your website or marketing materials without written consent from the client.


What happens to my practice's client records when I retire?

Even after you retire, you're still responsible for keeping your clients' information safe and accessible for a certain period. Here's what you need to know:

  • Medical records: State laws determine how long you need to keep these, typically ranging from 5 to 10 years.
  • HIPAA-related documents: You must keep records of HIPAA compliance, such as privacy policies, risk assessments and analysis, and business associate agreements, for at least six years.

Here's the good news for Hushmail users: You can downgrade your account to a "dormant" state. This keeps your emails and forms securely stored and accessible if needed, even if you're no longer actively using the service. It's also a simple and cost-effective way to stay compliant and avoid the hassle of transferring your data to another platform.
