HIPAA Compliance – What Physical Therapy Practice Owners Need to Know

Physical Therapy HIPAA Compliance

It can be a daunting task for small business owners to navigate the complexities of physical therapy HIPAA compliance.

Questions and Answers Regarding HIPAA that all Physical Therapy Practice Owners Should Know

WHILE WE TYPICALLY FOCUS ON ISSUES RELATED to payment compliance, it is paramount that we understand what other federal regulations apply to us as practitioners in the health care business arena. Understanding the laws, performing associated risk assessments, developing policies and procedures, educating the workforce, monitoring compliance with the statute, and enforcing their requirements is the only way we can mitigate our risk and safeguard our practices.

This article will focus on the Health Insurance Portability and Accountability Act (HIPAA), based on HIPAA questions posed or violations noted from 2016–2018.

Question:  Do I have to encrypt my computers, emails and text messages?

Answer:  Yes, you must address Security Rule § 164.312, which mandates encryption of data both at rest and in transmission.  All data, including emails and text messages, that contain ePHI must be encrypted or otherwise addressed to meet the minimum encryption standards before transmission.  The upside, however, is that stolen ePHI that is encrypted does not have to be reported (i.e., if you have an encrypted laptop or flash drive and it is stolen, you do not have to report the ePHI as a security breach).

Question:  Can my staff use personal devices (smart phones, iPad, etc.) for patient documentation?

Answer:  Yes, your staff may use personal devices at work.  However, you need to ensure that they also comply with all provisions under HIPAA, the Security Rule, and the HITECH Act.  All the same rules apply as for your practice-owned computers, laptops, tablets, etc., including encryption, login monitoring, data backup, unique user identification, workstation security, and more.  Additionally, you will need written policies and procedures in place for personal device use.

Question:  What are the Patient Rights that came about via HITECH and the Omnibus Rule?

Answer:  The newest Patient Rights are in blue and italicized.  These rights must be included in your Privacy Notice:

  • Access to PHI
  • Amend PHI
  • Request limited use or disclosure
  • Request confidential communication of PHI
  • Be informed of breach of privacy
  • Make complaints about noncompliance
  • Revoke authorization
  • Be notified of opt-out options for marketing, fundraising, and sale of PHI
  • Restrict PHI from health plans
  • Receive a paper copy of the Privacy Notice

Question:  What do I have to include in a Breach Notification?

Answer:  When notifying a patient of a breach, include the following information:

  • A description of the breach (what happened)
  • A description of the types of information that were involved in the breach (what data was shared)
  • The steps that the affected individual(s) should take to protect themselves from potential harm
  • A brief description of what the covered entity (CE) is doing to:
    • Investigate the breach
    • Mitigate the harm
    • Prevent further breaches
  • Contact information the individual can use at no cost

Also, remember that the breach must also be reported to the Secretary of the U.S. Department of Health and Human Services (HHS).  Breaches affecting more than 500 individuals require additional reporting to media outlets and websites.  Timelines for breaches vary by state, so be sure to check your local reporting requirements.

The exception to reporting applies when it is known that the breached PHI/ePHI was not usable, readable, or decipherable.  According to the American Health Information Management Association:

“The interim final rule defines unsecured PHI as information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act. The guidance specifies that only encryption and destruction consistent with the National Institute of Standards and Technology (NIST) guidelines renders PHI unusable, unreadable, or indecipherable.

These guidelines, if used, create the functional equivalent of a safe harbor and notification is not required in the event of a breach. The guidance may be used to render PHI unusable, unreadable, and indecipherable to unauthorized persons, and is published on the HHS website. If PHI has not been secured in accordance with the specified guidance and a violation has occurred, then it must be presumed to be a breach.”

Question: Who should initiate a Business Associate (BA) Agreement (BAA)? The Business Associate or the Covered Entity (CE)?

Answer:  Covered Entities should initiate the BA agreement so that they are certain that all the requirements set forth by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rule are in the agreement. They are:

  • Allowed and required disclosures:  what the BA can and can’t do with the data, as well as what they’re required to do with the data
  • Reference to “downstream” subcontractors: ensure that they are responsible to abide by the same terms as the BA.
  • BA’s responsibility to safeguard the data: with reference to the security rule
  • Reporting obligations:  BA’s methods for notifying CE of impermissible disclosures, which could include a data breach incident
  • Satisfactory assurance from the Business Associate that it complies with HIPAA Security and Privacy as they pertain to BAs
  • Termination clause:  CE can terminate contract for violation of terms, and in the event of termination, the BA must return or destroy the data.

In addition to these provisions, there are optional elements such as:

  • Liability and indemnification clauses for both parties
  • Monitoring and auditing rights of the Covered Entity

Question: I have a Privacy Notice available for patients to read if they wish to; most don’t. I heard that I must provide each patient with the notice before I ask them to sign our Acknowledgment of Receipt, is this true?

Answer:  Yes, you are required to offer the Privacy Notice to all new patients and any active patients if the Notice is modified in any way.  In addition to offering the notice, you must post it or have it readily available in the reception or common space so that a patient, visitor, etc., can access it without requesting it from you.  Don’t forget that you must also post the notice on your website, if you have one.

Your patients should never be asked to sign the Acknowledgment of Receipt without first having access to the Privacy Notice.

Question: How do I prove that all my staff need access to both protected health information (PHI) and electronic protected health information (ePHI)?

Answer:  HIPAA requires covered entities to develop role-based access, documented in written policies and procedures, that validates each individual’s access to PHI and ePHI based on their need to access either or both to do their jobs.  If every staff member genuinely needs both, you may list all of them with full access to PHI and ePHI.

For more information on HIPAA requirements for physical therapists and other outpatient healthcare providers, contact BCMS.