Most health care practitioners are considered “covered entities” under HIPAA and HITECH — but not necessarily all. Healthcare providers are considered covered entities if they electronically transmit “PHI” — protected health information. You can collect individually identifiable health information without transmitting it electronically, although that’s becoming rare these days.
If you take only private-pay patients and/or do all your billing on paper, you may not be considered a covered entity under HIPAA. But the moment that you send any type of PHI outside of your office in electronic form, HIPAA almost certainly applies. And even if you have an almost completely paper-based office, if you keep any patient information on a computer system that has wireless access to the outside world, you may be vulnerable to hacking — which, technically speaking, means you’re “transmitting” your patients’ information, however inadvertently.
In order to be safe, check with the Department of Health and Human Services’ Office of Civil Rights (OCR), which is charged with the patient privacy protection aspects of HIPAA. (www.hhs.gov/ocr/privacy)
2. What do HIPAA and HITECH require me to do?
Do you have a few weeks for an answer to that question? HIPAA has two sections — one on portability of insurance and one on administrative simplification. It’s that second section that contains HIPAA’s privacy rule. To put it simply, the privacy portion of HIPAA requires that healthcare providers and other covered entities safeguard information that may reasonably allow someone to identify an individual receiving care. That kind of information is known as protected health information, or PHI.
3. What is considered to be PHI?
PHI includes a patient’s name, address, birthdate and dates of treatment, all contact information (e.g., phone numbers, e-mail addresses), Social Security number, health insurance plan information and photographs. PHI includes any information about the person’s health situation, treatments, prognosis and payments. PHI also includes any imaging and test results, so if you order or receive X-rays, MRIs or lab tests, those findings are considered PHI.
To sum up: If it’s in your patient’s chart, odds are pretty good that it’s PHI. And PHI remains protect- ed no matter how it is distributed, whether verbally, in writing or electronically.
4. What’s the most important detail for a chiropractor to take care of to ensure HIPAA compliance?
Put someone in charge.
If you’re a covered entity under HIPAA, you need a privacy and security officer. That may be your office manager or practice administrator, or it may be you. “My office manager is our HIPAA officer,” says Dr. Baker. “She’s in charge of keeping the HIPAA manual updated and prepares quarterly meetings for the office specifically focused on HIPAA compliance.”
The officer needs to:
• Review the regulations (available here: www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
), and regularly check the OCR privacy site for updated information and new analysis.
• Establish a plan for training office staff. HIPAA Solutions RX (www.hipaarx.net) offers DC-HIPAA, a suite of four affordable online training courses endorsed by NCMIC.
• Conduct an office risk assessment. That means reviewing all the places that PHI is stored in your practice (e.g., computers, laptops and tablets, file cabinets, smartphones, etc.), analyzing how well they meet HIPAA’s privacy provisions and thinking about the possible risk of a security breach.
• Develop a compliance plan. If gaps are found, figure out how to address them.
For example, how vulnerable to hacking is your computer system? “If you want the convenience of Wi-Fi access, it puts you at more risk. I don’t use wireless in my office,” says Dr. Baker. “If anybody’s going to try to hack in, they have to come through my physical router, which is behind a firewall.”
If you do choose Wi-Fi access, make sure it’s set up by an IT professional with strong security credentials, preferably one who specializes in health care. “I know of several practices that use a wireless router with good security components,” Dr. Baker says. “But I went to one that didn’t want to spend the money to get a qualified IT guy in, and the original password of ‘password’ was left on the system. I pulled out my phone, found the network, typed in ‘password,’ and got in.”
5. Do I need special computer software?
A few years ago, the answer to that question, at least for smaller chiropractic offices, may have been “probably not.” As long as you took reasonable measures to make sure that your email and electronic records didn’t go astray — such as appending language to the end of every email such as “this communication is only intended for use by the recipient” — that may have been good enough.
But these days, it’s clear that there are significant advantages to using some type of encryption software to protect your email and other electronic transactions.
Last year, the FBI issued multiple alerts warning the healthcare industry that its computer systems are vulnerable to hacking compared to other types of businesses — and that hackers are eager to exploit that vulnerability. “The FBI has observed malicious actors targeting healthcare-related systems, perhaps for the purpose of obtaining protected healthcare information (PHI) and/or personally identifiable information (PII),” said the agency in a “Flash” alert in August 2014. “These actors have also been seen targeting multiple companies in the health care and medical-device industries typically targeting valuable intellectual property, such as medical device and equipment development data.”
You may think that hackers mostly target big hospital systems with a lot of data, but a chiropractic office with less security may represent tantalizing low-hanging fruit. Encryption software not only helps to protect your systems and your patients’ privacy from hacker attacks like these, but it also protects you. The HITECH rules mandate notification of patients (and local media if the breach could affect more than 500 people) if there is any type of breach of unsecured PHI. But if you have encryption software, you’re not required to make such a notification — even if there is a security breach. And you’re protected from potentially having to pay significant fines.
Don’t go cheap on that software, Dr. Baker says. “A lot of people may be using modified software that they put together and tried to modify themselves. There’s no protection because the software is not HIPAA-compliant, “and also does not have the audit trail that comes with HIPAA-compliant software.”
6. Besides encryption software, how else can DCs protect PHI?
• Make sure that every staff member has a unique password to log into the computer or electronic record system. It should be at least eight characters long and contain both uppercase and lowercase letters, at least one number and at least one symbol (e.g., @ or #). It should not use easily guessable information like the person’s birthdate or words like “password” or “secret.” (“Password,” by the way, was the second most commonly hacked computer password of 2014, beaten out only by “123456.”) Check password strength online at www.passwordmeter.com.
• Do not store computer passwords where they can easily be found — like written on a Post-it note on your monitor! • Require all staff members to log off of their computers when leaving their desks for more than a few minutes.
• Put privacy screens on all computers, and position desks so that the computer screens face away from public areas.
• Encrypt any mobile devices and laptops that may contain patient information. A late 2011 Healthcare Information and Management Systems Society (HIMSS) survey of 329 healthcare organizations found that only 44 percent of respondents encrypt their mobile devices. That can result in costly penalties. In January 2013, the Hospice of Northern Idaho agreed to pay the Department of Health and Human Services (HHS) $50,000 to settle potential HIPAA violations after an unencrypted laptop containing PHI was stolen. Learn more about protecting mobile devices here: www. healthit.gov/providers-professionals/ your-mobile-device-and-health-information- privacy-and-security.
• Don’t use public Wi-Fi when accessing patient information, and install software that can remotely disable or wipe your system if the device is lost or stolen. Learn more here: www. healthit.gov/providers-professionals/ your-mobile-device-and-health-information- privacy-and-security.
• Be very cautious about e-mailing or texting patient information — either in communication with the patient or with other professionals or specialists you may be consulting. Do so only over a secure, encrypted connection (again, no Wi-Fi). “You should get signed releases from patients authorizing you to communicate via e-mail or text, but even once you have that, don’t go into any protected information using that means of communication,” Dr. Baker cautions. “Instead, you could text the patient to say, ‘I received your lab results; give me a call at your convenience to discuss.’”
• Always double-check your e-mail headers before sending. Disable the “autofill” option that many email programs have, which automatically types in previously used email addresses after you key in the first couple of characters. Emails frequently go to the wrong recipient that way.
• Do not discuss your work in any way that could reveal PHI on Facebook, Twitter or other social media.
• File all patient records, imaging and tests in locked cabinets.
• Shred all confidential paperwork before discarding.
• Don’t leave patient files sitting on your desk.
• Don’t put the day’s appointment schedule up where it can easily be viewed by non-staff members.
• Double-check fax numbers before sending any patient records, and always use a cover sheet with a privacy disclaimer.
• Check your fax machine regularly; do not let papers that have come in by fax sit around where they might be seen by unauthorized individuals.
• Never talk about a patient unless it’s for purposes allowed by law and required by your job. When you do need to discuss a patient, close your door or lower your voice when talking on the phone.
• Make sure that clinical conferences, either with other providers or with patients, are held in private spaces where a door can be closed rather than in the waiting room or hallway.
• Don’t discuss cases or mention patient information in places where you could be overheard.
7. What do I have to tell my patients about HIPAA?
HIPAA requires that covered entities give their patients a notice of privacy practices (NPP) that addresses their privacy rights and how you may use or disclose their PHI.
You should already be doing this, but if you aren’t — or if you aren’t satisfied with the forms you have — there’s no need to spend a lot of time creating your own documents. HHS has model NPPs on its site — in both English and Spanish — that you can be sure meet government standards: www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.
8. What’s the “business associate” rule?
Under HIPAA, any outside company — like an accountant or a lawyer — who has access to any part of your records that contain PHI, must sign a business associate contract attesting that they will also protect your patients’ privacy.
You can find a sample contract online here: www.hhs.gov/ocr/privacy/hipaa/ understanding/coveredentities/contractprov. html.
This provision doesn’t apply to communications between healthcare providers for the purposes of treatment. So, for example, if you’re sending an X-ray to a fellow DC with whom you’re consulting or a patient file to a neurologist to whom you’re referring a patient, you don’t need a business associate contract with that person.
If you think all of this sounds too complicated and expensive, remember that Idaho hospice. It probably would have cost less than $1,000 to install encryption software on the company laptops, which would have protected the hospice from the $50,000 fine despite the theft.
“I don’t want to be spending time on this either; I want to be in the adjusting room,” says Dr. Baker. “But this is the standard of care now, and it’s among the meta-competencies being taught in chiropractic colleges today. You’re at real risk if you resist this.”
ACA’s HIPAA Resources
ACA has stayed on top of new HIPAA developments including the changes made by the Omnibus Rule published in January 2013. ACA’s HIPAA resource page at www.acatoday.org/HIPAA
includes information on:
• What providers need to know about the changes;
• Updated template forms such as the Notification of Privacy Practices, Business Associate Agreement and an Authorization to Release Information;
• HIPAA and social media; HIPAA and electronic communications (email and texting);
• How to de-identify PHI;
• A HIPAA checklist for covered entities; And much more
Check often as updates are underway and more resources to help DCs become compliant will be added.