The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health care consumers’ privacy and stipulates certain rules that health care providers must follow. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was the first major overhaul of HIPAA, and added rules governing how information must be stored in order to protect it.
Together, HIPAA and HITECH are all about security and privacy. How you go about protecting client records is all about security. What needs to be protected is all about privacy.
Many massage therapists would like to think that HIPAA is not something they need to worry about; however, the U.S. Department of Health and Human Services’ definition of a health care provider is “any person or organization who furnishes, bills, or is paid for health care in the normal course of business”—and any health care provider who transmits client records electronically in relation to any health care claim does need to be HIPAA compliant.
Here is a checklist to help you determine if you need to comply with HIPAA. If you can answer yes to any of these questions, you need to know more than what can fit in this article—however, I will cover an overview of information you need to be on the road to being HIPAA compliant.
- Do you work for someone who files insurance claims, or do you file insurance claims?
- Do you complete an intake form for clients?
- Do you write session notes on clients?
- Do you work in a massage establishment with more than 10 employees?
- Do you file claims with any clearinghouses, such as Availity or Office Ally?
- Do you have general liability insurance or malpractice insurance?
- Do you want to be covered if your session notes are subpoenaed for legal reasons?
- Do you want protection if your client decides to sue you for any reason?
If you answered yes to any question, you must become HIPAA compliant. This can seem like a huge uphill battle—but it’s not, once you get to know the rules of HIPAA and HITECH. Most of the regulations are common-sense rules. The bottom line is, the client records you maintain are not yours; they are the clients’. You are merely the keeper of the information.
HIPAA/HITECH is all about protecting someone’s privacy. If you remove all the personal information from a client’s records and put it on a billboard, in public, would it violate HIPAA/HITECH? The answer would be no—if you remove all the protected health information. That information includes anything that can uniquely identify a client, such as her Social Security number, phone number or even an IP address that identifies the client online.
With 2014 came a new law stipulating that anyone to whom a health care provider releases client information—such as a subcontractor—must also comply with certain specific HIPAA rules. In other words, if a health care provider or his company is required to be HIPAA compliant, then anyone he releases information to must also be HIPAA compliant, including any subcontractors who work for you.
If you are considered a covered entity—meaning, someone who must comply with HIPAA regulations—then many of the rules you need to follow can be summed up in a risk analysis. Once you are considered a covered entity, you must complete this analysis every three years. Here is an overview of some of the risk analysis areas, which can guide you in determining whether you are compliant:
1. Security awareness. Annual training is provided to all employees and subcontractors, addressing acceptable use and good computing practices for the systems they are authorized to access. The content of the training is based on the institution’s policies and addresses issues such as privacy requirements, virus protection, incident reporting, Internet use, notification to staff about monitoring activities, password requirements, and consequences of legal and policy violations. Your computer must have virus protection and be password-protected.
2. Human resources security. Policies and procedures that address purpose, scope, roles, responsibilities and compliance to support personnel security requirements, such as access rights and disciplinary process, are in place. This means protected health information should only be accessible if it is needed to do your job. Your receptionist, for example, does not need to access your SOAP notes and so should not be given access to them.
3. Position categorization. Procedures for identifying system access needs by job function and screening criteria for individuals performing those functions are in place. This means you should create an operational manual where you stipulate who, in what role, has access to protected health information.
4. Physical and environmental program. Policies and procedures are in place that address the purpose, scope, roles, responsibilities and compliance for physical and environmental security, such as security perimeter and entry controls, working in secure areas, equipment security, cabling security, fire detection and suppression, and room-temperature controls.
Remember, the rules are written for an entity as large as a hospital, all the way down to a single-room operation. The larger the facility, the more rules you will probably have in regard to security.
5. Physical access monitoring. The need for monitored access to business areas is evaluated. In monitored areas, records of approved personnel access and sign-in sheets for visitors are maintained. Logs are periodically reviewed, violations or suspicious activities are investigated, and action is taken to address issues. Something as simple as a burglar alarm will protect you in this case. Physical access monitoring can also take the form of the logon record on your computer that notes the date and time of each use.
6. Physical access control. Physical access to facilities containing information systems is controlled and individuals’ authorization is verified before granting access. The two-key rule should apply in most cases. This means you must make sure your records are protected under lock and key, and that you separate that lock and key from the key that locks your building or storage location. If you store records in your home, there are special rules that are too cumbersome to go over here. If you take your records to your appointment at the client’s workplace or place of residence, the records need to be in your presence at all times.
This does not mean you can leave the thumb drive on which the files are saved in your car and go grocery shopping on the way home. A therapist in Pittsburgh, Pennsylvania, has already been fired and fined by the U.S. Department of Health and Human Services’ Office of Civil Rights, which administers HIPAA, for doing just that. The fine was not levied on the facility; it was levied on the therapist.
7. Network protection. Network and communication protection policies and procedures are in place. These documents outline the procedures to authorize all connections to network services. Authorization is based on an evaluation of sensitive or critical business applications, classification of data stored on the system and physical location of the system.
8. Boundary protection. Equipment designed for public access, such as Web servers dispensing public information, must be protected. These are segregated from the internal networks that control them. Access into internal networks by authorized staff is controlled to prevent unauthorized entry. The levels of security change based on your hosting setup, such as whether you host with an Internet provider or not.
9. Protect and secure network infrastructure. These are policies and procedures for technology upgrades; network equipment such as servers, routers, firewalls and switches; patches and upgrades; firewall and server configurations; and server hardening.
10. Transmission integrity and confidentiality. Data is protected from unauthorized disclosure during transmission. Data classification is used to determine what security measures to employ, including encryption or physical measures. Protected health information must be transmitted under a secure sockets layer (SSL) certificate, which is a digital document that verifies the security and authenticity of an electronic interaction. Without an SSL certificate, any information sent from a user’s computer to a website can be intercepted and viewed by hackers and fraudsters. It is similar to the difference between sending a postcard and sending a tamper-proof, sealed envelope. In a case settled in April 2014, the parent company of a physical therapy center agreed to pay $1,725,220 after an unencrypted laptop was stolen from the facility.
Prepare for Future HIPAA Requirements
The HIPAA/HITECH information I covered in this article is far from all there is to know, and I acknowledge that this article might raise more questions than it answers. I suggest you consult a professional HIPAA/HITECH instructor for additional training. The Office of Civil Rights releases new rules continuously, so you should subscribe to a professional organization to make sure you are up to speed on new rules and are alerted when rules are implemented that may affect your massage practice.
About the Author
Greg Neely is a native Floridian who earned an associate’s degree in medical massage therapy in 2008. In 2009, he became certified in both Insurance Massage Billing and HIPAA Certified Security Training. Neely teaches HIPAA continuing education classes for massage therapists, and developed software for medical massage billing for massage therapists.