You’ve heard of HIPAA. You know it’s best practice to be HIPAA compliant in patient care, that it’s mandatory if you take insurance, and important regardless as a measure to protect the health information of your clients.
So in this post, we provide an overview of HIPAA and how to ensure your practice is HIPAA compliant.
What is HIPAA?
HIPAA, which stands for the Health Insurance Portability and Accountability Act, was passed in 1996 to ensure that a patient’s health information would be protected in a consistent and secure manner by all health professionals. The most relevant section for RD private practices is Title II, or the Administrative Simplification provisions. Title II is focused specifically on maintaining the privacy and security of patients’ health information (PHI) and setting guidelines for how health information should be shared and sent electronically.
Personal Health Information is data that a health professional collects from a patient that could potentially be used to identify them – a patient’s name, Social Security number, and phone number are all considered PHI. If you deal with PHI (which every dietitian does in order to keep in touch with their clients), being HIPAA compliant ensures that PHI is protected, and also can help prevent legal trouble and fines.
Why should I care about HIPAA? What happens if I don’t comply?
The Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed in 2009, substantially increased the penalties for HIPAA non-compliance; practitioners, covered entities, and other organizations that do not adopt the correct safeguards can be fined up to $1.5 million.
I’m just getting started in private practice, or have a practice and want to make sure I’m HIPAA compliant. What can I do?
- Draft a Notice of Privacy Practices, which new clients will be required to sign. The notice doesn’t have to be long, but it should list all the ways you will use a patient’s PHI, what their rights are in keeping their PHI secure, who they can contact to learn more about HIPAA and their privacy, and an acknowledgement that you are bound by law to maintain the privacy of PHI. Also, if you already have a Notice of Privacy Practices, please make sure it’s up to date – the legal specifications of HIPAA change every few years, and you want to make sure your notice is updated and in accordance with current laws.
- Follow a series of physical, technical, and network security safeguards:
  - Physical safeguards: if you keep paper copies of files, make sure they are stored securely and can be accessed by only a few people. If you have only electronic files, you should require two-factor authentication in order to access them. Two-factor authentication essentially means a user must pass two layers of protection, usually a login (username and password) plus a one-time code sent to their phone or email, before reaching locked information.
  - Technical safeguards: implement features like unique IDs for every member of your practice, encryption to keep accounts and stored data secure, and emergency measures (such as an incident response and notification plan) in case of a data breach.
  - Network security safeguards: store information only on a HIPAA compliant, protected website or network.
- Do not share client information over an unencrypted network without their explicit written permission. If you’d like to feature a client success story in your newsletter, blog, or social media, have them sign a HIPAA release.
- Pro tip: if you work with a biller, admin assistant, or other member of your practice, any individual who accesses patient information must follow these HIPAA safeguards as well!
HIPAA may seem overwhelming at first, but it’s important to ensure that you are protecting your clients’ information, and also protecting yourself from legal and monetary consequences. If you’re working with a third party (e.g., a technology platform) that may store or have access to PHI, please make sure to have them sign a BAA (Business Associate Agreement) – more on that later.
If you have any questions about how to make sure your practice is HIPAA compliant, please feel free to reach out – email@example.com; we’re happy to help!