Establishing HIPAA-Compliant Habits in Your Practice
A step-by-step guide to creating a HIPAA plan
Dr. Bill Whitehead
As mental health professionals, no matter how experienced we become or how many clients we’ve helped, HIPAA compliance is a perennial source of anxiety. If you find HIPAA daunting, you’re not alone. Successfully starting and running a therapy practice demands a thorough understanding of HIPAA to provide the best possible service to your patients while avoiding HHS sanctions.
Fortunately, it’s easier than you might think to build HIPAA-compliant habits into your practice, and the reality of HIPAA enforcement is less daunting than you might fear. How so? Keep reading to learn how HIPAA affects our work as therapists, and for ten simple ways to do the right thing for your patients AND keep HIPAA happy.
HIPAA in a Nutshell
HIPAA (or the Health Insurance Portability and Accountability Act) is primarily intended to protect patients while facilitating a controlled flow of information. It has two main goals:
First, it allows for portability of insurance — for example, a worker with a chronic illness can change jobs and remain insured.
Second, it encourages electronic record-keeping, billing, and exchange of information as an effective way of reducing health care costs.
Of course, the rules for who can access protected health information (PHI) and how it must be secured are strict. PHI is any information about a patient’s health status, care, or payment for care that can be tied to the individual: any part of the medical record or payment history linked to a name, address, Social Security number, date of birth, or similar identifier, whether it is on paper, on a screen, or spoken aloud.
The HIPAA Security Rule protects PHI through administrative, physical, and technical safeguards: keeping your workforce trained, periodically assessing the risks to the data you hold, and fixing what that assessment turns up. Reading the full text of the regulations can be overwhelming, and you might worry about following every detail to the letter. But don’t panic! Many of these regulations were written with large institutions (such as insurance companies and hospital systems) in mind, and the Security Rule explicitly allows safeguards to be scaled to the size, complexity, and resources of the organization. By reading this and doing your homework, you’re already doing better than many of your peers. If you make a documented, good-faith effort to comply in your own small practice, the “HIPAA police” (HHS’s Office for Civil Rights, or OCR) will be more forgiving in the event that you are audited.
HIPAA Enforcement by the Numbers
You’d never knowingly violate a HIPAA regulation — but what happens if someone lodges a complaint and HHS audits you? First, don’t panic! It’s not the end of the world (or your therapy career): you’ve heard the stories in your professional circles, but let’s talk about what this might realistically mean. The most common issues that HHS investigates are impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to their PHI, uses or disclosures of more than the Minimum Necessary PHI, and lack of or invalid authorizations for disclosures of PHI.
Since the program launched in April of 2003, there have been more than 40,000 complaints filed. In the first five years, HHS didn’t impose a single civil penalty. About 20% of the time, HHS suggested “corrective action” – which is designed to prevent future violations by correcting the underlying compliance issues. Of the complaints filed, about 1% have been referred to the Justice Department for criminal prosecution. Typically, HIPAA charges are invoked after a failure to prosecute under other laws.
What does this mean for you?
In simple terms, you’re not going to be thrown in jail or fined millions of dollars for failing to have adequate “failure analysis” studies in place in your private practice. However, you need to be very careful about disclosing PHI. Mishandling of PHI generates the most complaints and – most importantly – can truly harm your patients. Helping patients is why we do what we do. So don’t panic about hypothetical audits – instead, focus on small steps you can take to follow HIPAA’s rules and serve your patients to the best of your ability.
10 Simple Strategies for HIPAA Compliance
The following ten strategies are beneficial for therapy practices for two reasons: first, they each address a specific HIPAA mandate. And second, they each address the actual needs and rights of mental health patients. Best of all: each strategy takes less than twenty minutes to accomplish, so they’re achievable for even the busiest practice owner.
1. Use a password-protected screensaver
- HIPAA mandate: Access to equipment and workstations containing PHI must be controlled, and the Security Rule specifically lists automatic logoff after a period of inactivity as a safeguard to address.
- Patient need: While you’re at lunch, anyone walking past can read a chart left open on your monitor, or sit down and use your still-logged-in session to reach more PHI.
- How to do it: On Windows, open Settings > Personalization > Lock screen > Screen saver settings, set a short wait time (five minutes or less), and tick “On resume, display logon screen”. On a Mac, open System Settings (System Preferences on older versions), choose Lock Screen (or Security & Privacy > General on older versions), and set “Require password” to immediately after sleep or screen saver begins. Then get in the habit of locking the screen yourself whenever you step away: Win+L on Windows, Control+Command+Q on a Mac.
- Time required: 2 minutes
2. Get a signed contract with your billing service containing data protection requirements
- HIPAA mandate: A covered entity may share PHI with a vendor (a “business associate”) only under a written agreement that obligates the vendor to safeguard it.
- Patient need: Your billing service sees names, diagnosis codes, dates of service, and payment details. A signed agreement makes the vendor legally accountable for protecting them, and asking for the signature is a wake-up call that emphasizes the importance of privacy.
- How to do it**: A signed agreement (officially known as a Business Associate Agreement, or BAA) is easier to pull together than you might think. HHS publishes sample BAA provisions you can adapt. Make sure the agreement requires the vendor to use PHI only for the services you’ve contracted, to safeguard it, to report breaches and security incidents to you, to pass the same obligations on to its own subcontractors, and to return or destroy your PHI when the contract ends.
- Time required: 20 minutes (to create a contract using a template)
**If you’re using TherapyAppointment for billing, you’re in the clear, but make sure that any other vendors you use who might have access to patient data DO complete this step.
3. Send emails through a secure channel
- HIPAA mandate: When PHI flows over open networks, some form of encryption must be utilized. (Strictly, transmission encryption is an “addressable” safeguard: you implement it, or you document why a reasonable alternative gives equivalent protection.)
- Patient need: Most complaints involve improper disclosure of PHI, and an unencrypted email can be read by anyone along its path, or by whoever later gets into either mailbox.
- How to do it: If you use an EMR like TherapyAppointment, secure messaging should be a built-in feature, which makes it effortless for you. You can also use products like HushMail to encrypt your email. If an encrypted channel isn’t an option for some reason, keep PHI out of the message entirely. For example, if a client emails asking whether you can move an appointment from 3:00 to 4:00, you can’t simply hit “reply” and confirm the details, because the quoted history and your confirmation both travel in the clear. Instead, delete the quoted history, keep the subject line generic (it is sent unencrypted too), and write only, “Yes, that is fine.” Clients who prefer plain email may still get it, but only after you’ve told them it isn’t secure and they’ve said they want it anyway; make a note of that conversation.
- Time required: 0-10 seconds
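The “delete the history, reply with nothing identifying” habit above, as an added example that is not TherapyAppointment or Hushmail code: a small Python helper that drops quoted history from a drafted reply, replaces a revealing subject line, and flags whatever is left against a few constructed patterns. The sample message, the names in it, and the pattern list are all made up for illustration; the patterns are a heuristic check, not a definition of PHI.

```python
"""Reply sanitizer: strip quoted history, scrub the subject, flag leftovers.

Added example, not code from TherapyAppointment or Hushmail. The sample
draft and the pattern list are constructed for illustration.
"""
import re
from typing import List, Tuple

# Lines that begin quoted history in common mail clients (Gmail, Apple Mail,
# Outlook). Everything from the first such line onward is dropped.
_HISTORY_START = re.compile(
    r"^(On .*(wrote:|<[^>]*@[^>]*>)|-{3,}\s*Original Message\s*-{3,}|From:\s.+|_{5,})",
    re.IGNORECASE,
)

# Heuristic detectors for identifiers and clinical detail that should not
# travel in an unencrypted reply. Hypothetical list; tune it for your practice.
_PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "clinical": re.compile(
        r"\b(appointment|session|therap|diagnos|medicat|depress|anxi|suicid)\w*",
        re.IGNORECASE,
    ),
}


def strip_history(draft: str) -> str:
    """Return the reply body with the quoted history removed."""
    kept = []
    for line in draft.splitlines():
        if _HISTORY_START.match(line.strip()):
            break                      # header of the quoted block: stop here
        if line.lstrip().startswith(">"):
            continue                   # a stray quoted line above the header
        kept.append(line)
    return "\n".join(kept).strip()


def flag_phi(text: str) -> List[str]:
    """Names of the patterns that matched, sorted; empty means nothing was flagged."""
    return sorted(name for name, pat in _PHI_PATTERNS.items() if pat.search(text))


def safe_reply(draft: str, subject: str) -> Tuple[str, str, List[str]]:
    """Strip history, scrub a revealing subject line, and report what remains."""
    body = strip_history(draft)
    if flag_phi(subject):
        subject = "Re: your message"   # the subject line is sent in the clear too
    return body, subject, flag_phi(body)


# Constructed sample: the therapist's one-line answer with the client's
# request quoted underneath, as a mail client pastes it into a reply.
SAMPLE_DRAFT = """Yes, that is fine.

On Mon, May 6, 2019 at 9:12 AM Jamie Doe <jamie@example.com> wrote:
> Could we move my session from 3:00 to 4:00 next Tuesday?
> I'll be coming straight from my group at the clinic.
>> Jamie, your next session is Tuesday at 3:00. We'll review the new medication.
"""

if __name__ == "__main__":
    body, subject, flags = safe_reply(SAMPLE_DRAFT, "Re: moving my therapy session")
    print(repr(body), subject, flags)   # 'Yes, that is fine.' Re: your message []
```

Run `safe_reply` on the draft before sending: an empty flag list means the body is as bare as the article recommends, while a non-empty list (a date, a phone number, the word “session”) tells you to shorten the reply or move the conversation to the encrypted channel. The patterns deliberately over-flag; a false positive costs a second look, a false negative is a disclosure.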
4. Encrypt your documents.
- HIPAA mandate: Access to equipment containing PHI should be carefully controlled.
- Patient need: If your laptop is lost or stolen, embarrassing or damaging PHI goes with it. Whole-disk encryption turns that loss into a hardware replacement rather than a breach you may have to notify patients and HHS about: under HHS guidance, properly encrypted PHI is not “unsecured,” so its loss is not a reportable breach.
- How to do it: Not a computer wiz? No need to worry. Turning on whole-disk encryption is simpler than you might think, and it’s free: BitLocker on Windows (Pro and Enterprise editions; many Home machines offer the simpler Device Encryption instead) and FileVault on a Mac are built in and take a few clicks to enable. Write the recovery key down and keep it somewhere safe that isn’t the laptop. Want to go even more lo-fi? Buy a hardware-encrypted thumb drive and keep your data there. As with email, the EMR handles this for records stored inside it, but anything you download to your own computer is yours to protect.
- Time required: 10 seconds per document (or 15 minutes one time)
5. Backup your data
- HIPAA mandate: Covered entities must have a data backup plan, meaning retrievable exact copies of electronic PHI, as part of the Security Rule’s contingency-planning requirements.
- Patient need: The question is not “Will my hard disk crash?”, but “When?” Your responsibility to your clients is ensuring you have access to their patient histories and notes so you can provide the best care.
- How to do it: These days, backups in the cloud are the norm. If you use a cloud-based EHR/EMR, backups of what’s inside it are automatic and, provided the vendor has signed a BAA (strategy 2), HIPAA-compliant. If you store records locally, back them up to an encrypted thumb drive for small amounts of data or an encrypted external drive for larger amounts, keep at least one copy away from the office so a fire or burglary doesn’t take the original and the backup together, and every so often actually restore a file from the backup to confirm it works.
- Time required: 20 minutes to back up “My Documents” to an encrypted USB drive
6. Ask patients where (and whether) they want to receive reminder calls
- HIPAA mandate: Patients may ask to receive communications by an alternative means or at an alternative location, and you must accommodate reasonable requests. HHS’s own example of a reasonable request is to be called at the office rather than at home.
- Patient need: Realistically, the decision to receive mental healthcare is a big decision for many of your clients. Their confidence that their decision will be kept private by you and the methods used to communicate is one of your biggest responsibilities.
- How to do it: Asking is simple. But to be safe, get it in writing too: have patients sign a form opting in to appointment reminders (and choosing where, when, and how they should receive them, including whether a voicemail may be left and whether it may mention your practice by name), or opting out. That way, if you’re audited, you have documentation of your efforts to meet this requirement. Many EMRs include this feature for your convenience.
- Time required: 30 seconds per patient
7. Secure your wireless network
- HIPAA mandate: When PHI flows over open networks, some form of encryption must be utilized.
- Patient need: An unsecured or weakly protected wireless network is easy pickings for even an amateur attacker, who can then read unencrypted traffic and reach the computers and printers on it. Don’t leave your clients vulnerable!
- How to do it: Log in to your router’s admin page and check the wireless security setting: use WPA2 (or WPA3 if your router and devices support it), never WEP or an open network, with a long passphrase that isn’t the one printed on the router. While you’re there, change the router’s admin password from the default, turn off WPS, update the firmware, and enable a separate guest network for clients’ phones so they never share the network your practice computers are on.
- Time required: 20 minutes
8. Install a virus scanner
- HIPAA mandate: Information systems housing PHI must be protected from intrusion.
- Patient need: All your other security efforts are useless if a keystroke logger creeps onto your computer.
- How to do it: On Windows 10 and 11, the built-in Microsoft Defender Antivirus (managed from the Windows Security app) is reliable and up to the task, as long as you leave real-time protection on and let Windows Update run. Macs ship with Apple’s XProtect built in. On either platform, keeping the operating system and browser updated matters at least as much as the scanner.
- Time required: 15 minutes
9. Log disclosures of PHI
- HIPAA mandate: An individual has a right to receive an accounting of disclosures of their PHI made in the six years before the request. Routine disclosures for treatment, payment, and health care operations, disclosures to the patient, and disclosures made under the patient’s signed authorization are exempt from the accounting; most others are not.
- Patient need: Patients may feel more comfortable opening up in therapy if they know who has access to their information.
- How to do it: As with a number of these strategies, this is standard for an EMR like TherapyAppointment. But you can do it yourself on paper or digitally. Each time you reveal PHI to anyone outside the exempt categories, keep a written record: the date of the disclosure, what information you disclosed, who received it, and why (a mandated abuse report, a court order or subpoena, a report to a public health authority). The simplest habit is to log every disclosure, including treatment-related ones such as telling a patient’s doctor how the patient is responding to a medication the doctor prescribed; those are exempt from the accounting, but logging them costs seconds and you’ll never have to decide on the spot which category applies. Keep the log for six years.
- Time required: 20 minutes (paper) or 20 seconds (electronic)
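A minimal accounting-of-disclosures log for the record described above, as an added example that is not TherapyAppointment code. It stores the four facts the item asks for plus the legal basis, refuses incomplete entries, and answers a patient’s request by applying the six-year look-back and the exemptions from 45 CFR 164.528. The sample entries, chart numbers, order number, and request date are constructed.

```python
"""Append-only disclosure log and the accounting a patient may request.

Added example, not TherapyAppointment code. Sample entries are constructed.
"""
import csv
import io
from dataclasses import dataclass, asdict
from datetime import date
from typing import Iterable, List

FIELDS = ["disclosed_on", "patient_id", "recipient", "purpose", "information", "basis"]

# Purposes the Privacy Rule excludes from the accounting a patient can request
# (45 CFR 164.528(a)(1)); logging them anyway is harmless.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_patient", "authorization"}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    patient_id: str   # your chart number, never the SSN
    recipient: str    # who received the PHI
    purpose: str      # "treatment", "court_order", "abuse_report", ...
    information: str  # what was disclosed, in one line
    basis: str        # why it was permitted: rule, order, statute, authorization ref


def validate(entry: Disclosure) -> List[str]:
    """Names of the fields left empty; an accountable entry needs all of them."""
    return [f for f in FIELDS if not getattr(entry, f)]


def append_entry(log: io.TextIOBase, entry: Disclosure) -> None:
    """Append one CSV row; the log is append-only and never edited in place."""
    missing = validate(entry)
    if missing:
        raise ValueError(f"incomplete disclosure record, missing {missing}")
    row = asdict(entry)
    row["disclosed_on"] = entry.disclosed_on.isoformat()
    csv.DictWriter(log, fieldnames=FIELDS, lineterminator="\n").writerow(row)


def read_log(text: str) -> List[Disclosure]:
    """Parse the CSV written by append_entry back into Disclosure records."""
    return [
        Disclosure(date.fromisoformat(r["disclosed_on"]), r["patient_id"], r["recipient"],
                   r["purpose"], r["information"], r["basis"])
        for r in csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    ]


def round_trip(entries: Iterable[Disclosure]) -> List[Disclosure]:
    """Write entries to an in-memory log and read them back."""
    buf = io.StringIO()
    for e in entries:
        append_entry(buf, e)
    return read_log(buf.getvalue())


def years_before(d: date, n: int) -> date:
    """d minus n years, stepping 29 Feb back to 28 Feb when the target year has none."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting(entries: Iterable[Disclosure], patient_id: str, as_of: date,
               years: int = 6) -> List[Disclosure]:
    """The entries a patient is entitled to receive: their own, non-exempt, within
    the look-back window (capped at the Rule's six years), oldest first."""
    start = years_before(as_of, min(years, 6))
    return sorted(
        (e for e in entries
         if e.patient_id == patient_id
         and e.purpose not in EXEMPT_PURPOSES
         and start <= e.disclosed_on <= as_of),
        key=lambda e: e.disclosed_on,
    )


# Constructed sample entries and request date; names, numbers and dates are made up.
AS_OF = date(2019, 5, 6)
SAMPLE_ENTRIES = [
    Disclosure(date(2018, 3, 2), "C-1042", "Dr. R. Patel (prescriber)", "treatment",
               "response to current medication", "treatment coordination, 164.506"),
    Disclosure(date(2018, 9, 14), "C-1042", "County Family Court", "court_order",
               "attendance dates Jan-Aug 2018", "court order (hypothetical no. 18-221)"),
    Disclosure(date(2011, 6, 1), "C-1042", "State child protective services", "abuse_report",
               "mandated report", "state mandatory-reporting statute"),
    Disclosure(date(2019, 2, 20), "C-0777", "Patient's attorney", "authorization",
               "treatment summary", "signed authorization dated 2019-02-15"),
]

if __name__ == "__main__":
    for e in accounting(round_trip(SAMPLE_ENTRIES), "C-1042", AS_OF):
        print(e.disclosed_on, e.recipient, e.information)  # only the court-order entry
```

For chart C-1042 the accounting returns only the court-order disclosure: the prescriber conversation is exempt as treatment, and the 2011 abuse report is older than the six-year window. Keep the CSV on the same encrypted drive as the records it describes, and never key it by anything a patient would recognise as their identity if the file were read on its own.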
10. Create a one-page document of your compliance efforts.
- HIPAA mandate: Covered entities must adopt written privacy policies and procedures, document their compliance, and designate a privacy officer (the Security Rule separately requires a named security official).
- Patient need: They can’t get the help they need from you if you’re stuck in court!
- How to do it**: HIPAA requires that you document your policies and your compliance efforts, but it doesn’t specify a length, so my suggestion is to summarize in a one-page document: who the privacy (and security) officer is, which safeguards from this list you have in place, which vendors have signed BAAs, how and when staff are trained, and when you last reviewed the page. Date it, and keep each version for six years, which is how long HIPAA requires compliance documentation to be retained. The reality is, most of your peers aren’t even doing that much, so taking the time to get this document organized will put you well ahead of the curve and will make a big difference should HHS ever come calling.
- Time required: 20 minutes
**Note: HIPAA also requires that you designate a “Privacy Officer” (and, under the Security Rule, a security official), so for small or solo practices, all you have to do is designate yourself as both and put it in writing.
Following these steps, you demonstrate your commitment to HIPAA and have strong documentation to hand over if you’re ever audited. And remember: nearly all HHS investigations arise from patient complaints, so treat your patients’ privacy with respect and you can reduce the likelihood you’ll ever have an issue.