In this post, BCMS will point out How can you avoid HIPAA Compliance issues for physical therapists. The Office of Civil Rights compiled a list of the top 10 HIPAA compliance issues for 2017. Their investigations and enforcement of HIPAA resulted in millions of dollars in fines and penalties. Take a moment to look at the top issues and ensure you are not making the same mistakes!
HIPAA Compliance Issues for Physical Therapists – Avoid These Errors and Put Your Mind at Ease
#1 – Affirmative Disclosures Not Permitted. This means sharing/posting/disclosing patient photos, reviews, videos etc. without signed disclosures must be avoided. Double check patients in the background of posted media. Do you have permission of everyone that is shown? Having written policies and procedures in place prior to disclosing PHI would ensure that all disclosures are permitted.
#2 – Lack of BAA. You must have a signed Business Associate Agreement for all Business Associates who have access to your PHI/ePHI. Be sure you have signed agreements with EMR, IT, Marketing, and other vendors! A $31K fine was levied last year to a small practice that was missing a BAA. Be proactive and send a BAA to your vendors; don’t wait until they send one to you. Per the rule you cannot share PHI/ePHI prior to having a signed BAA in place. Avoid this costly mistake and ensure all yours are in place and signed.
What Is a “Business Associate?” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules. For more details, see the HHS.gov overview.
#3 – No, Incomplete or Inaccurate SRA. You must have an annual Security Risk Analysis per the Security Rule. This is a comprehensive analysis that includes both an assessment and a review for system vulnerabilities. The assessment looks at physical, technical and administrative safeguards for ePHI. It is possible to conduct your own SRA however ensure that the person conducting the assessment has the knowledge and skills necessary to complete the task. Also, be sure your assessment does not include bias and is objective to ensure your practice is taking the right steps to protect ePHI. Consider outsourcing this process as a solution to both the knowledge and bias concerns.
Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potentialrisks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). Click HERE for the Security Risk Analysis Tip Sheet from CMS
BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices. Our focused, PT specific compliance program can help you meet all your compliance needs. We also offer on-site SRA and include BAAs in our compliance program. Contact us for more information. We are the key to unlocking the compliance mystery. For more information or to contact us, click HERE