The Basics of HIPAA for Chiropractic
RISK MANAGEMENT
Marty Kotlar
DC, CPCO, CBCS
Question:
Dr. Kotlar, I think I’m HIPAA compliant. I have all of my new patients sign my Notice of Privacy Practices form; all files are kept in a locked cabinet; we keep all patient conversations at a low level; and my billing manager stays up to date by attending coding seminars. Am I HIPAA compliant?
Answer: You are on your way to becoming HIPAA compliant, but unfortunately, you are not, based solely on the items you mentioned. Let’s begin with a little HIPAA background and the basics.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was signed into law on August 21, 1996. It is enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Compliance with HIPAA is mandatory. HIPAA applies to all covered entities, which include health plans, healthcare clearinghouses, and healthcare providers (DCs, PTs, MDs) that transmit health information electronically in connection with standard transactions such as claims. The main purpose is to safeguard patients’ protected health information (PHI).
The HIPAA privacy rule applies to all PHI in any form: paper, spoken, or electronic. Its purpose is to protect patient data and regulate how providers may use and disclose PHI. The HIPAA security rule applies to electronic PHI (ePHI), whether at rest or in transit, and requires administrative, physical, and technical safeguards to protect it.
Notice of Privacy Practices:
The Notice of Privacy Practices, also known as the HIPAA notice, is a document provided to every patient who seeks care in your office. It describes how your practice may use and disclose PHI, who may see or receive it, and the rights patients have over their own information. What the patient signs is an acknowledgment that the notice was received; if a patient refuses to sign, keep a record of your good-faith attempt to obtain the acknowledgment. The HIPAA notice should be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one. If you would like to receive a sample Notice of Privacy Practices, send an e-mail to [email protected].
Compliance Officer:
A compliance officer is an employee of your organization whose responsibilities include ensuring that the company complies with federal and state regulatory requirements and internal policies. A compliance officer may also design or update internal policies to mitigate the risk of the company breaking laws and regulations, as well as lead internal audits of procedures. If no staff member is qualified to be a compliance officer, it is appropriate for the doctor to serve as the office compliance officer.
The compliance officer must have a thorough understanding of the business, along with the skills and personal qualities needed to advise, train, and raise awareness among staff about the importance of business ethics and compliance. The compliance officer should organize and supervise training sessions, either in meetings or through e-learning. Compliance officers are expected to provide an objective view of company policies and to be on the alert for potential areas of vulnerability or risk.
Business Associates:
Many providers share patient PHI with outside vendors such as billing companies. These arrangements are governed by HIPAA. Billing and software companies are two examples of business associates; others are clearinghouses, attorneys, IT consultants, transcription services, and cloud service vendors. Another example is a staff member paid as an independent contractor who accesses your ePHI from an external location. Basically, anyone who is not a member of your workforce but can access PHI could be considered a business associate. A business associate agreement (BAA) protects your practice by obligating the vendor, in writing, to safeguard the PHI it handles and to report any breach of it to you. Here’s a possible situation: someone hacks into your billing company’s system and steals a large number of your patient files. Without a BAA, you are held liable and may have to purchase credit-monitoring services for every affected patient, which can become very expensive.
Security Risk Assessment:
All covered entities must perform a security risk assessment. The purpose of a risk assessment is to identify where ePHI is located, the threats and risks to that ePHI, and the safeguards needed to better protect it.
Test Your HIPAA Knowledge:
Question #1
Do you have a disaster recovery procedure in place? The HIPAA security rule requires that a policy be in place and that staff be trained for fire, vandalism, system failure, and natural disasters that damage systems containing electronic protected health information. A disaster recovery plan and procedure is required to restore any lost data, which in turn depends on a tested, retrievable backup of your ePHI.
Question #2
Are workforce members aware of workstation use policies that restrict personal online activities such as web e-mail and social networks? The HIPAA security rule states that all workforce members should be made aware of proper workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Question #3
Is antimalware (antivirus and antispyware) installed and updated on each of the organization’s workstations and servers? Malware (computer viruses and spyware) is one of the leading causes of data being stolen or breached. It is critical to have antimalware installed on all systems, including workstations, laptops, servers, etc. The antimalware should be automatically updated with new definition files.
Question #4
Do workforce members with laptops take the system home or out of the office? One of the leading causes of ePHI data breaches is lost laptops and portable media. Laptops that contain ePHI should be tracked, and only authorized workforce members should be allowed to remove them from an organization’s offices.
Question #5
Are all the office’s laptops encrypted to protect the data stored on them? One of the leading causes of ePHI data breaches is lost laptops and portable media. Laptops that contain ePHI should be encrypted to prevent access to ePHI if a laptop is lost or stolen.
Question #6
Are workforce members required to change their passwords periodically? Requiring workforce members to change passwords every 30, 60, or 90 days limits how long a compromised password remains usable. Note that current NIST guidance (SP 800-63B) favors changing passwords when compromise is known or suspected rather than on a fixed schedule, so whichever policy you adopt, document it and make sure accounts can be disabled promptly when a staff member leaves or a credential is exposed.
Question #7
Do employees protect their passwords and refuse to share them with other employees? When accessing ePHI, every member of the workforce must use a unique user ID and password, so that every action in the system can be traced to one person. Workforce members should not share passwords with each other or leave them in plain sight: no notes stuck to the monitor, no passwords written under the keyboard, and so on.
Question #8
Are workforce members required to create a complex password? A complex password, also known as a strong password, consists of at least six characters (the more characters, the stronger the password) combining letters, numbers, and symbols (e.g., @, #, $, %) where the system allows them. Passwords are typically case sensitive, so a complex password contains both uppercase and lowercase letters. Complex passwords also do not contain words that can be found in a dictionary or parts of the user’s own name. Treat six characters as a floor: a longer passphrase resists guessing far better than a short password that merely mixes character classes.
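As an added example (not part of the original column or Target Coding’s materials), the following Python checks a candidate password against the rules just listed: minimum length, both letter cases, a digit, a symbol, no dictionary word, and no part of the user’s own name. It goes one step beyond the text by undoing common letter-for-number substitutions (so "P@ssw0rd" is compared as "password") before the dictionary check, because password-guessing tools try those substitutions first. The word list and the sample passwords are constructed for illustration; a real check would load a full dictionary.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a production check
# would load a full word list such as /usr/share/dict/words).
DICTIONARY_WORDS = ("password", "welcome", "summer", "clinic", "spine", "chiro")

# Letter-for-number/symbol substitutions that guessing tools already try
# (assumption: this table is illustrative, not exhaustive).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so 'P@ssw0rd' is compared as 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password(password: str, user_name: str, min_length: int = 6) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    The rules mirror the column: length, upper and lowercase, a digit, a symbol,
    no dictionary word, and no part of the user's own name.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Any character that is neither alphanumeric nor whitespace counts as a symbol.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")

    # Compare both the plain lowercase form and the de-substituted form.
    candidates = (password.lower(), normalize(password))
    for word in DICTIONARY_WORDS:
        if any(word in cand for cand in candidates):
            problems.append(f"contains dictionary word '{word}'")

    # Name parts: each whitespace-separated token of at least three characters.
    for part in re.split(r"\s+", user_name.lower().strip()):
        if len(part) >= 3 and any(part in cand for cand in candidates):
            problems.append(f"contains part of user's name '{part}'")
    return problems


def passes(password: str, user_name: str) -> bool:
    """True when the password meets every rule in the policy."""
    return not check_password(password, user_name)


if __name__ == "__main__":
    # Constructed sample inputs; the user name is the column's author.
    for pw in ("P@ssw0rd!", "Kotlar#2024", "abc", "Tq7!vR$m2pLx"):
        result = check_password(pw, "Marty Kotlar")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Run the check at account creation and on every password change, and store only the pass/fail outcome, never the rejected password, in any log.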
To begin your path to HIPAA compliance, conduct a security risk assessment, create a policy/procedure manual, designate a compliance officer, provide regular staff training, and log all training in your policy/procedure manual.
Marty Kotlar, DC, CPCO, CBCS, is the president of Target Coding. Dr. Kotlar is certified in CPT coding, certified in healthcare compliance, and has been helping chiropractors nationwide with billing, HIPAA compliance, coding, and documentation for more than 10 years. Target Coding can be reached at 800-270-7044, via the website at TargetCoding.com, or by e-mail at inf b(xf targetcoding.com.