What HIPAA Violations Mean for Your Physical Therapy Practice

The Health Insurance Portability and Accountability Act (HIPAA) has protected the privacy and security of individually identifiable health information since its enactment in 1996 (the Privacy and Security Rules that implement it came later). Despite those protections, concern for individuals’ health information keeps growing as our healthcare system becomes increasingly digitized.


Do you know how this affects your physical therapy clinic? Let’s review:


The Consequences of HIPAA Violations

The severity of the consequence depends on the severity of the violation itself. These incidents can result in penalties costing your practice thousands or even millions of dollars in fines, not to mention a loss of credibility, reputation, and patients. Every violation also carries the cost of responding to civil and, in some cases, criminal investigations. Needless to say, the best thing for your practice is to know how to avoid any type of HIPAA breach.


According to Joette Derricks’ Security Risk Assessment for Small Practices: Tools and Case Studies, HIPAA violations and their ramifications fall into four tiers, based on the violator’s level of culpability (the tiers come from the HITECH Act and are codified at 45 CFR 160.404). The figures below are the statutory base amounts; OCR adjusts them annually for inflation.


  1. The covered entity did not know, and by exercising reasonable diligence would not have known, that it violated HIPAA. This carries the lightest penalty: a minimum of $100 per violation, with an annual maximum of $25,000 for violations of an identical provision.
  2. The violation was due to reasonable cause and not willful neglect. The minimum rises sharply to $1,000 per violation, with an annual maximum of $100,000.
  3. The violation was due to willful neglect but was corrected within 30 days of discovery. At a minimum of $10,000 per violation and an annual maximum of $250,000, it is clear that intent to disregard HIPAA raises the fines dramatically.
  4. The violation was due to willful neglect and was not corrected. The minimum here, $50,000 per violation, is also the per-violation cap for every tier above; a practice that does not correct the situation can expect to forfeit $50,000 per violation, up to an annual maximum of $1.5 million.



It should be noted, however, that the most costly consequence may be the inability to recover from the incident at all. When a practice is penalized for violating HIPAA, it has, by definition, failed to respect a patient’s right to privacy in their personal health information, and current and prospective patients may choose to seek care elsewhere, where they believe that right will be respected.



If you have concerns about your practice’s compliance with HIPAA, we have the resources you need to remain compliant. For more information on HIPAA violations, security risk analysis, and more, reach out to us at (713) 899-9812 or visit our website today!

Why You Need Compliance for Your Physical Therapy Practice

Compliance… the necessary evil that everyone with a physical therapy practice wants to avoid. What does this mean for your practice, and why should you care?


What does this mean for your practice, and why should you care? In a broad sense, it means there are requirements that both your practice and your staff need to be aware of, have documented, and follow daily. The caring part is more straightforward: compliance is required by law, and non-compliance can carry civil and criminal penalties. So, unless you are fond of fines or jail, let’s take a quick look at some of the key compliance components for your practice.

HIPAA, The Privacy and Security Rules

The most well-known compliance component is HIPAA, the Privacy and Security Rules that almost everyone has heard of. The Privacy Rule governs protected health information (PHI) in any form, paper included; the Security Rule, strengthened by HITECH, governs electronic PHI (ePHI). Roughly two-thirds of the requirements amount to having documented policies and procedures for how your practice handles PHI. Do you have written policies and procedures that your staff has been trained on? Would your staff know where to find them if someone asked? Does your staff know the 18 identifiers that must be removed before data counts as de-identified under HIPAA’s Safe Harbor method? https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#protected  If you cannot answer yes to these questions, you may need to update or revise your existing HIPAA compliance program.
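Those 18 identifiers are the ones HHS’s Safe Harbor method says must be removed (or generalized) before a record counts as de-identified, and the easiest way to make the list concrete for staff is to see it applied to a record. The following is an added example, not code from the original post or from HHS; the record layout, field names, sample patient and regular expressions are assumptions made for illustration, and the restricted ZIP3 list is the one given in HHS’s de-identification guidance.

```python
"""Safe Harbor de-identification of a therapy record.

Added example, not code from the original post or from HHS. The record
layout, field names, regular expressions and sample patient below are
assumptions made for illustration. The rules applied are those of the
Safe Harbor method (45 CFR 164.514(b)(2)): remove the 18 identifier
types, keep only the year of any date tied to the individual, collapse
ages of 90 or older into one category, and keep at most the first three
digits of a ZIP code (000 for the sparsely populated ZIP3 areas that HHS
guidance lists).
"""
import re
from datetime import date

# Fields holding direct identifiers (the Safe Harbor categories other than
# dates, ages and ZIP codes, which are generalized rather than dropped).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo", "other_unique_id",
}

# ZIP3 areas with 20,000 or fewer residents per HHS guidance (2000 census).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that leak through free text such as clinical notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*[A-Z0-9]+\b", re.IGNORECASE),
}


def generalize_zip(zip_code):
    """First three ZIP digits, or 000 for the restricted ZIP3 areas."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age >= 90 else age


def residual_identifiers(text):
    """Identifier kinds still present in free text (sorted, no duplicates)."""
    return sorted(kind for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def redact_free_text(text):
    """Replace each identifier pattern with a bracketed placeholder."""
    for kind, pat in RESIDUAL_PATTERNS.items():
        text = pat.sub(f"[{kind.upper()}]", text)
    return text


def deidentify(record):
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                       # dropped outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif field.endswith("_date"):     # dob_date -> dob_year, etc.
            out[field[:-5] + "_year"] = value.year
        elif field == "notes":
            out["notes"] = redact_free_text(value)
        else:
            out[field] = value
    # A birth year would reveal an age over 89, so it has to go as well.
    if out.get("age") == "90+":
        out.pop("dob_year", None)
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Main St", "city": "Houston", "zip": "77002",
    "mrn": "A1002938", "phone": "713-555-0142", "email": "jane@example.com",
    "age": 92,
    "dob_date": date(1931, 4, 2),
    "visit_date": date(2018, 11, 5),
    "diagnosis": "M54.5 low back pain",
    "notes": "Pt reports fall on 10/31/2018; callback 713-555-0142; MRN #A1002938",
}

if __name__ == "__main__":
    print(residual_identifiers(SAMPLE_RECORD["notes"]))  # ['date', 'mrn', 'phone']
    print(deidentify(SAMPLE_RECORD))
```

Two points the code makes that a checklist does not: free text is where identifiers survive (the notes field carries a date, a phone number and an MRN even after the structured fields are stripped), and a birth year that implies an age over 89 is itself an identifier. Safe Harbor also requires that you have no actual knowledge the remaining data could identify the person, which no script can check for you.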

Other Laws and Requirements

True or false? If we are compliant with HIPAA, there are no other regulations we need to focus on. Unfortunately, false: being HIPAA compliant is not enough. Other laws and requirements also apply to your practice. The Fair Labor Standards Act, Fair Credit Reporting Act, Civil Rights Act, and Age Discrimination in Employment Act at the federal level, along with numerous state, county, and city laws, govern how you employ, pay, provide benefits for, and even background check or drug test your staff. One of the most confusing issues is the classification of staff as exempt or non-exempt. Misclassifying an employee can lead to fines, back pay, and/or an EEOC complaint. The Department of Labor provides guidance if you need a quick review: https://www.dol.gov/whd/overtime/fs17a_overview.htm

The Occupational Safety and Health Administration (OSHA) governs how you keep your staff safe at work. Its requirements include Safety Data Sheets and pictogram labels for hazardous chemicals (including Tide Pods), eyewash stations, and sharps containers. The Americans with Disabilities Act (ADA) has requirements that affect both employees and patients of your practice, from an employment, facility, and language accessibility standpoint.

Policies & Procedures are a Must

Sadly, the list continues if you participate in Medicare, Medicaid, or any private payer for reimbursement. Each payer has its own list of requirements and compliance expectations, and compliance with all applicable laws, standards, and regulations is mandatory. A critical first step to getting your practice on the right path is to have written policies and procedures that detail how you do your work and cover all of the requirements.

According to the APTA:

The policy and procedure manual plays an important role in every business and organization, and physical therapy is no exception. The development and enforcement of policies and procedures is an important responsibility of physical therapist (PT) managers.

A well-written and comprehensive manual communicates to both internal and external stakeholders the rules, regulations, and processes that govern an entity. Policy and procedure manuals are integral to the orientation and training of new and current staff; ensuring compliance with laws, regulations, and accrediting organizations; and promoting consistency, safety, and best practices.

A poorly developed manual, conversely, fosters confusion and inconsistency, increasing the risk that laws, regulations, and health and safety standards will be violated. Even worse, an inadequate manual can heighten the risk of injury or harm to patients and employees, and place the organization at risk for lawsuits and other damages. Taking the time to carefully and accurately develop and maintain policies and procedures, therefore, is an important investment for all managers.  https://www.apta.org/PolicyandProcedureManuals/ 

Once these are in place, train your staff and have them acknowledge the information in writing. On an ongoing basis, hold staff to the standards, audit to check for compliance, and provide education so that every requirement continues to be met. Compliance is never-ending: annual updates, new information, and changes to the law require practice owners to stay informed in order to stay compliant. Start the new year off stress-free by ensuring your practice is compliant!

Business & Clinical Management Services (BCMS) is an outpatient rehab consulting firm that provides the keys to unlocking the compliance regulatory vault.  For more information about our services, contact Alicia N. Mahoney at https://bcmscomp.com/contactus/

Mandatory Claims Submissions… Is it really Mandatory? Here’s What You Should Know!


Physical therapists must submit claims to Medicare for covered services provided to Medicare patients. That’s my story and I’m sticking to it!


Last week I jointly presented a program about Medicare’s Mandatory Claims Submission requirement with Kara Gainer, JD, Director of Regulatory Affairs for the APTA. The presentation clearly demonstrated that physical therapists must submit claims for covered services provided to Medicare patients, with a few exceptions. By not doing so, they may be subject to civil monetary penalties of up to $2,000 per claim and face exclusion from the Medicare program for up to five years.

The Legal Opinion

The legal authorities consulted all validated this position and reinforced that there is no wiggle room for accepting cash in lieu of enrolling in Medicare. Physical therapists, at this time, cannot opt out of Medicare the way physicians and several other types of practitioners can.

For more information on opting out of Medicare, see: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/MM3016.pdf. Therapists are not required to accept Medicare patients, but if they do, they MUST enroll in the program.

References: Powers, Pyles, Sutter & Verville; Health Policy Alternatives; Mintz (an AM Law 100 firm).

The Cash-Based Practice

Physical therapists who run cash-based practices and are adept at collecting payment at the time of service would do well to enroll as non-participating Medicare suppliers. A non-participating supplier chooses not to accept Medicare’s fee schedule amount as payment in full, but is bound by the ‘limiting charge’ proviso: the supplier may collect no more than 115% of the non-participating fee schedule amount (which is itself 95% of the participating amount), and must comply with the other conditions attached to non-participating status.

For more information on provider enrollment and on non-participating suppliers please go to: https://www.medicare.gov/your-medicare-costs/part-a-costs/lower-costs-with-assignment and https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/MedEnroll_PhysOther_FactSheet_ICN903768.pdf

The Exception

There is an exception to the mandatory claim submission provision, but it is not a product of HIPAA’s (or HITECH’s) patient rights, as many people believe. It is a Medicare-specific patient right that allows the beneficiary or legal representative, of his or her own free will, to refuse to authorize submission of a claim to Medicare by an enrolled provider. The HIPAA patient right concerning restriction of protected health information (PHI) is the option to request that a covered entity/healthcare provider not disclose PHI to a health plan. That right gives way where the disclosure is required by law (see § 164.502(a)(2)(ii), § 164.510(a) and § 164.512), and HHS addressed the mandatory claims submission case directly when it finalized that right in the 2013 Omnibus Rule:

“If a provider is required by State or other law [Mandatory Claims Submission] to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to § 164.522(a)(1)(vi)(A) of the Rule.”


For more information on Mandatory Claims Submission, please see the attached reference document as well as the APTA’s FAQs on the subject: https://www.apta.org/Payment/Billing/CashPractice/MedicareRulesExamples/

Additional references for the relationship between cash practices and Medicare.

Business & Clinical Management Services (BCMS) is an outpatient rehab consulting firm that provides the keys to unlocking the compliance regulatory vault. For more information about our services, contact Alicia N. Mahoney at https://bcmscomp.com/contactus/

HIPAA Compliance – What Physical Therapy Practice Owners Need to Know

It can be a daunting task for small business owners to navigate the complexities of physical therapy HIPAA compliance.

Questions and Answers Regarding HIPAA that all Physical Therapy Practice Owners Should Know

While we typically focus on issues related to payment compliance, it is paramount that we understand what other federal regulations apply to us as practitioners in the healthcare business. Understanding the laws, performing the associated risk assessments, developing policies and procedures, educating the workforce, monitoring compliance with each statute, and enforcing its requirements is the only way we can mitigate our risk and safeguard our practices.

This article will focus on the Health Insurance Portability and Accountability Act (HIPAA), based on HIPAA questions posed or violations noted from 2016–2018.

Question:  Do I have to encrypt my computers, emails and text messages?

Answer:  In practice, yes. The Security Rule’s technical safeguards (45 CFR 164.312) list encryption of ePHI at rest (164.312(a)(2)(iv)) and in transmission (164.312(e)(2)(ii)) as “addressable” implementation specifications. Addressable does not mean optional: you must either implement encryption or document why it is not reasonable and appropriate for your practice and put an equivalent alternative measure in place, and for a laptop, a phone, or an email that carries ePHI there is rarely a defensible alternative. All data containing ePHI, including emails and text messages, should therefore be encrypted before it is stored on a portable device or transmitted. The upside is that ePHI encrypted in a manner consistent with HHS guidance (which points to the NIST standards) is not “unsecured PHI,” so its loss or theft is not a reportable breach: if an encrypted laptop or flash drive is stolen, you do not have to report the ePHI on it, provided the decryption key or password was not lost along with it.

Question:  Can my staff use personal devices (smartphones, iPads, etc.) for patient documentation?

Answer:  Yes, your staff may use personal devices at work. However, you need to ensure that those devices also comply with all provisions of HIPAA, the Security Rule, and the HITECH Act. All the same rules apply as for your practice-owned computers, laptops and tablets, including encryption, login monitoring, data backup, unique user identification, workstation security, and more. You also need written policies and procedures for personal device use, and in practice that means the ability to remove ePHI from (or wipe) a device when a phone is lost or an employee leaves.

Question:  What are the patient rights that came about via HITECH and the Omnibus Rule?

Answer:  The full list of patient rights that must appear in your Privacy Notice is below; the ones added or expanded by HITECH and the Omnibus Rule are marked.

  • Access to PHI (including an electronic copy of records held electronically, added by HITECH)
  • Amend PHI
  • Request restrictions on uses and disclosures
  • Request confidential communication of PHI
  • Be informed of a breach of unsecured PHI (added by HITECH)
  • Make complaints about noncompliance
  • Revoke authorization
  • Be notified of opt-out options for fundraising, and that marketing and sale of PHI require the patient’s authorization (added by HITECH/Omnibus)
  • Restrict disclosure to a health plan for services paid out of pocket in full (added by HITECH/Omnibus)
  • Receive a paper copy of the Privacy Notice

Question:  What do I have to include in a breach notification?

Answer:  When notifying a patient of a breach, include the following (45 CFR 164.404(c)):

  • A brief description of the breach (what happened), including the date of the breach and the date it was discovered, if known
  • A description of the types of information involved (what data was exposed)
  • The steps the affected individual(s) should take to protect themselves from potential harm
  • A brief description of what the covered entity (CE) is doing to:
    • Investigate the breach
    • Mitigate the harm
    • Prevent further breaches
  • Contact procedures for questions, at no cost to the individual (a toll-free number, email address, website, or postal address)

Also remember that the breach must be reported to the Secretary of the US Department of Health and Human Services (HHS): within 60 days of discovery if it affects 500 or more individuals, or within 60 days after the end of the calendar year for smaller breaches. A breach affecting more than 500 residents of a state or jurisdiction also requires notice to prominent media outlets, and HHS posts it on its public breach website. Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery; many states set shorter deadlines in their own breach laws, so check your local reporting requirements.

The exception to reporting applies when the breached PHI/ePHI was unusable, unreadable or undecipherable to the unauthorized party. According to the American Health Information Management Association:

“The interim final rule defines unsecured PHI as information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section §13402(h)(2) of the American Recovery and Reinvestment Act. The guidance specifies that only encryption and destruction consistent with the National Institute of Standards and Technology (NIST) guidelines renders PHI unusable, unreadable, or indecipherable.

These guidelines, if used, create the functional equivalent of a safe harbor and notification is not required in the event of a breach. The guidance may be used to render PHI unusable, unreadable, and indecipherable to unauthorized persons, and is published on the HHS website. If PHI has not been secured in accordance with the specified guidance and a violation has occurred, then it must be presumed to be a breach.”

Question: Who should initiate a Business Associate (BA) Agreement (BAA)? The Business Associate or the Covered Entity (CE)?

Answer:  Covered entities should initiate the BA agreement so that they are certain that all of the requirements set forth by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rule are in it. They are:

  • Permitted and required uses and disclosures: what the BA can and cannot do with the data, and what it is required to do with it
  • Downstream subcontractors: the BA must bind any subcontractor that handles the PHI to the same terms
  • The BA’s responsibility to safeguard the data, with reference to the Security Rule
  • Reporting obligations: how the BA notifies the CE of impermissible uses or disclosures, including security incidents and breaches
  • Satisfactory assurance from the BA that it complies with the HIPAA Security and Privacy Rules as they apply to business associates
  • Termination clause: the CE can terminate the contract for violation of its terms, and on termination the BA must return or destroy the data (or, if that is infeasible, extend the protections to it for as long as it is retained)

In addition to these provisions, there are optional elements such as:

  • Liability and indemnification clauses for both parties
  • Monitoring and auditing rights of the Covered Entity

Question: I have a Privacy Notice available for patients to read if they wish to; most don’t. I heard that I must provide each patient with the notice before I ask them to sign our Acknowledgment of Receipt, is this true?

Answer:  Yes. You must provide the Privacy Notice to every new patient no later than the first date of service and make a good-faith effort to obtain a written acknowledgment of receipt. When the notice is revised, you must make the revised version available on request and post it promptly. In addition, you must post the notice, or have it readily available, in the reception or common area so that a patient, visitor, etc., can read it without requesting it from you. Don’t forget that you must also post the notice on your website, if you have one.

Your patients should never be asked to sign the Acknowledgement of Receipt without first being given the Privacy Notice.

Question: How do I prove that all of my staff need access to both protected health information (PHI) and electronic protected health information (ePHI)?

Answer:  HIPAA requires covered entities to have written policies and procedures for authorizing and supervising workforce access (45 CFR 164.308(a)(3) and (a)(4)) and to apply the minimum necessary standard, so access to PHI and ePHI must be based on each role’s need to use it to do the job. The proof is the documentation: a list of roles, the categories of PHI each role may access, the reason it needs them, and a periodic review showing that the accounts actually granted in your systems match that list. If every role genuinely needs full access, you may list them all with full access to PHI and ePHI, but document the justification; in most practices the front desk does not need clinical notes and a therapist does not need claims data.
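One way to produce the proof that answer asks for, as an added example that is not from the original post or from any EHR vendor: a role-to-PHI policy with a documented justification for each entry, and a review that reconciles it against the accounts actually provisioned. The roles, categories, workforce roster and EHR grants are constructed for illustration; a real review would pull the grants from your EHR’s user report.

```python
"""Role-based access policy and access review for a small practice.

Added example, not code from the original post or from any EHR vendor.
The roles, PHI categories, justifications, workforce roster and EHR grants
below are constructed for illustration. The point is the paper trail the
Security Rule's workforce security and information access management
standards expect: who may see what, why, and whether the accounts that
exist actually match.
"""

# Policy: PHI categories each role may access, each with its job-need
# justification. A category missing from a role is denied (minimum necessary).
ROLE_POLICY = {
    "therapist": {
        "demographics": "identify the patient being treated",
        "schedule": "manage own caseload",
        "clinical_notes": "evaluate, treat and document care",
    },
    "front_desk": {
        "demographics": "registration and check-in",
        "schedule": "book and confirm appointments",
        "insurance": "verify eligibility at check-in",
    },
    "biller": {
        "demographics": "match claims to patients",
        "insurance": "submit and follow up claims",
        "claims": "code, submit and reconcile claims",
    },
    "it_vendor": {},  # business associate: no standing PHI access
}

# Constructed workforce roster (HR is the source of truth for 'active').
WORKFORCE = [
    {"user": "jdoe", "role": "therapist", "active": True},
    {"user": "rfront", "role": "front_desk", "active": True},
    {"user": "tbill", "role": "biller", "active": True},
    {"user": "oldpt", "role": "therapist", "active": False},  # left the practice
]

# Constructed snapshot of what the EHR actually grants today.
EHR_GRANTS = {
    "jdoe": {"demographics", "schedule", "clinical_notes"},
    "rfront": {"demographics", "schedule", "insurance", "clinical_notes"},
    "tbill": {"demographics", "insurance", "claims"},
    "oldpt": {"demographics", "schedule", "clinical_notes"},
    "svc_backup": {"demographics", "clinical_notes"},  # no owner on the roster
}


def permitted(role, category):
    """Policy check: may this role access this PHI category at all?"""
    return category in ROLE_POLICY.get(role, {})


def access_justification(workforce=WORKFORCE):
    """Rows you can hand an auditor: user, role, category, and why."""
    rows = []
    for person in workforce:
        if not person["active"]:
            continue
        for category, why in ROLE_POLICY[person["role"]].items():
            rows.append((person["user"], person["role"], category, why))
    return rows


def access_review(workforce=WORKFORCE, grants=EHR_GRANTS):
    """Reconcile real grants against policy.

    excess:   active users holding categories their role does not permit
    orphaned: accounts with grants but no active person on the roster
    missing:  active users lacking a category their role needs (a usability
              finding, but also a hint that people may be sharing logins)
    """
    roles = {p["user"]: p["role"] for p in workforce if p["active"]}
    findings = {"excess": {}, "orphaned": [], "missing": {}}
    for user, held in grants.items():
        if user not in roles:
            findings["orphaned"].append(user)
            continue
        extra = held - set(ROLE_POLICY[roles[user]])
        if extra:
            findings["excess"][user] = extra
    for user, role in roles.items():
        lacking = set(ROLE_POLICY[role]) - grants.get(user, set())
        if lacking:
            findings["missing"][user] = lacking
    findings["orphaned"].sort()
    return findings


if __name__ == "__main__":
    for row in access_justification():
        print("%-10s %-11s %-15s %s" % row)
    print(access_review())
```

On the constructed data the review flags the front-desk account that has been given clinical notes, the therapist who left but still has an account, and a shared “service” account nobody on the roster owns; those three findings, and the dated report that records them, are exactly what an auditor will ask for. Run it after every staffing change, not just once a year.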

For more information on HIPAA requirements for physical therapists and other outpatient healthcare providers, contact BCMS.

HIPAA Compliance Issues for Physical Therapists – Avoid Small Issues that Can Cost Big Money

In this post, BCMS will point out how you can avoid HIPAA compliance issues for physical therapists. The Office for Civil Rights (OCR) compiled a list of the top 10 HIPAA compliance issues for 2017. Its investigations and enforcement of HIPAA resulted in millions of dollars in fines and penalties. Take a moment to look at the top issues and ensure you are not making the same mistakes!

HIPAA Compliance Issues for Physical Therapists – Avoid These Errors and Put Your Mind at Ease

#1 – Impermissible disclosures. Sharing, posting, or otherwise disclosing patient photos, reviews, videos, etc. without a signed HIPAA authorization must be avoided. Double-check for patients in the background of posted media: do you have the permission of everyone who is shown? Having written policies and procedures in place before any PHI is disclosed ensures that every disclosure is a permitted one.

#2 – Lack of a BAA. You must have a signed Business Associate Agreement with every business associate that has access to your PHI/ePHI. Be sure you have signed agreements with your EMR, IT, marketing, and other vendors! A $31K fine was levied last year on a small practice that was missing a BAA. Be proactive and send your BAA to your vendors; don’t wait for them to send one to you. Under the rule you cannot share PHI/ePHI before a signed BAA is in place. Avoid this costly mistake and ensure all of yours are in place and signed.

What Is a “Business Associate?” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.  A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.  The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.   For more details, see the HHS.gov overview.  

#3 – No, incomplete, or inaccurate SRA. The Security Rule requires a Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)); conduct one at least annually and whenever your environment changes significantly (a new EMR, location, or vendor). This is a comprehensive analysis that includes both an assessment and a review for system vulnerabilities. The assessment looks at the physical, technical and administrative safeguards for ePHI. It is possible to conduct your own SRA, but make sure the person conducting it has the knowledge and skills to complete the task, and that the assessment is objective and free of bias, so that your practice takes the right steps to protect ePHI. Consider outsourcing the process as a solution to both the knowledge and the bias concerns.

Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels (45 CFR 164.308(a)(1)(ii)). The Security Risk Analysis Tip Sheet from CMS is a good starting point.

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices. Our focused, PT-specific compliance program can help you meet all your compliance needs. We also offer on-site SRAs and include BAAs in our compliance program. Contact us for more information. We are the key to unlocking the compliance mystery.

Physical Therapy Private Practice Compliance – Where to Start

Many practice owners believe that physical therapy private practice compliance is a complex problem. It doesn’t have to be. In this post, we outline exactly where to start.

Physical Therapy Private Practice Compliance Points to Address

First, identify the regulations, laws, rules and policies that govern your work.  These could include:

  • Federal, state and local labor laws
  • State Practice Act and Licensing Requirements
  • HIPAA, HITECH and the Security Rule
  • Medicare
  • Other federal and commercial payors
  • OSHA
  • ADA

If you don’t know where to start, the APTA has a great resource with links to physical therapy practice acts in each of the 50 states.

Licensure is required in each state in which a physical therapist practices and must be renewed on a regular basis, with a majority of states requiring continuing education as a requirement for renewal. PTs must practice within the scope of physical therapy practice defined by these state licensure laws (physical therapy practice acts). The entire practice act, including accompanying rules, constitutes the law governing physical therapy practice within a state.  Reference: APTA Website

Next, review your existing policies and procedures. Do you have them in place? Are they updated annually, including staff review and sign-off? Over 70% of a successful compliance program is having the appropriate written policies and procedures in place and understood by staff. Policies really do matter!

As you implement your policies, look at how you actually do your work. For example, email containing PHI must be encrypted. Numerous products facilitate compliance with this requirement, but do you really need the added expense? Review how often, and in what situations, you send PHI by email. Perhaps the same outcome can be achieved through your EMR’s internal messaging, which keeps the PHI inside a system you already secure. A little time spent looking at the process can save money, and even more time, in the long run.

Finally, create a culture of compliance.  The entire team must work together to ensure your practice stays compliant.  Share the ‘fun’ and have your staff involved in the ongoing compliance requirements. Have regular meetings to discuss successes and challenges.  Encourage suggestions to overcome compliance obstacles. Build a culture and compliance will no longer be a ‘task’ on a to do list but the way your practice moves forward every day!

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices. Our focused, PT-specific compliance program can help you meet all your compliance needs. Contact us for more information; we are the key to unlocking the compliance mystery!
