Editor’s note: This text-based course is an edited transcript of the webinar, HIPAA for Allied Health Professionals, presented by Kim Cavitt, AuD.
Learning Outcomes
After this course, participants will be able to:
- List the main components of HIPAA.
- List the 18 pieces of protected health information.
- Identify specifics of the Privacy Rule and explain how it applies to texting, email, and marketing in a hearing healthcare setting.
Components of HIPAA
HIPAA was a bipartisan piece of legislation in the Clinton administration. HIPAA stands for the Health Insurance Accountability and Portability Act of 1996. The main website for HIPAA information is https://www.hhs.gov/hipaa/, but you will see specific links in this presentation (copy and paste them into your browser) that will direct you to additional information, typically from the Office for Civil Rights within Health and Human Services, specifically related to the government and HIPAA. As links often change, please search from the main website previously listed if a link doesn't work.
After 2013, HIPAA has civil and criminal penalties and addresses the following:
- Standard Transaction and Code Sets
- National Provider Identifier
- National Employer Identifier
- HIPAA 5010
- Security
- HITECH (Breach Notification)
- Privacy
- Marketing
- Business Associates
The first thing to think about regarding HIPAA is, are you a covered entity under HIPAA? A general rule of thumb is if you transmit any information electronically, then you are subject to HIPAA rules. You are a covered entity anytime you're submitting a claim to a third-party entity or submitting health information or medical records to a third party.
Standard Transaction and Code Sets
Let's start with standard transaction and code sets. HIPAA requires that all covered entities use standard transaction and code sets such as CPT (Current Procedural Terminology), ICD 10 (International Classification of Diseases, 10th revision), or HCPCS (Healthcare Common Procedure Coding System). HCPCS codes cover hardware, the services surrounding that hardware, pharmaceuticals, and similar items. These are the code sets that you're supposed to follow.
National Provider Identifier (NPI)
Your national provider identifier (NPI) is your unique personal identification number that is now going to follow you for your entire career. It is given out by the National Plan and Provider Enumeration System, or NPPES. You can go to their website at https://nppes.cms.hhs.gov/#/ to get an NPI or look up an NPI, especially if you need it to go out on a claim. This number moves with a provider from employer to employer throughout their career. If you submit the information correctly the first time, a new NPI number is usually generated in one to three hours.
National Employer Identifier
The next item is the national employer identifier (EIN). The EIN is a unique number that's assigned to your business by the Internal Revenue Service. It's oftentimes also known as your tax identification number. Every business has an EIN except for businesses that are sole proprietors, where the business is operating under the social security number of the owner. Your practice or organization needs an organizational NPI. Remember, the NPI is going to be given out by the NPPES system and the EIN is going to be given out by the IRS.
HIPAA 5010
HIPAA 5010 was a systems update that went into effect in 2012. This change allowed for the additional characters of ICD 10 and really affected office management systems, electronic health record systems, electronic medical record systems, software vendors, and clearinghouses. Also, this is where they made the switch from working in a CMS 1500 format, where the electronic format mirrored the form, to working in a format now that's called an 837P format.
The 837 claims submission format was set forth by HIPAA 5010. You should ask your office management vendor or electronic health record (EHR/EMR) vendor how your system operates. Many systems, except for certified EHRs, still operate in a 1500 format, and your clearinghouse is doing the conversion to the 837 format. The CMS 1500 format refers to the paper form and its electronic equivalent. If your system operates in the 1500 format, or you're still using paper, everything is going to be converted to an 837, either at your clearinghouse or at the payer.
Protected Health Information (PHI)
Let's talk about the 18 pieces of protected health information. All 18 pieces are equally protected. That means that they cannot be shared without the patient's authorization except for three exceptions, which we'll talk about in a moment.
- Names
- Street number and name, city, and last two digits of the zip code
- Dates directly related to the individual (birthdate)
- Phone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health insurance member number
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric indicators, including finger, retinal, and voiceprints
- Photos
- Any unique identifying number, characteristic, or code
Someone's first and last names are protected. In my case, Kimberly Cavitt is a piece of protected health information. Your street number, name, city, and last two digits of your zip code are protected. For example, 2480 State St., Chicago, 60 is protected. Any dates directly related to the individual, such as a birthday, are protected. Your phone number, whether cell or landline, and your fax number are protected. Your email address and social security number are also PHI. I want to really reiterate here that someone's name is equally protected as their social security number. Your medical record number, health insurance member number, account number, certificate or license number, and vehicle identifiers or serial numbers are protected as well.
Any device identifiers or serial numbers are included as PHI. If your patient has hardware, such as a hearing aid or an augmentative communication device, that has a serial number and that number is uniquely assigned to that patient, that serial number is protected. In addition, URLs, IP addresses, and biometric indicators including finger, retinal, and voiceprints are protected. I cannot stress enough that a patient's image is protected. Before you put a video with a patient on social media, you really need to make sure that you get the patient's authorization to use their image. Again, any unique identifying number, characteristic, or code is also protected.
HIPAA Security Rule
The Security Rule is an extension of the Privacy Rule and went into effect on April 20, 2005. HIPAA security is about protecting the electronic systems that hold patient information. Electronic patient health information is called ePHI. HIPAA security is around ePHI and everything that you store. When it comes to security, you have to think about everything in your office that stores or transmits patient information. Providers need to have administrative safeguards, physical safeguards, and technical safeguards. You also need written policies and procedures related to these security provisions. In addition, you need to document how people have been trained and what your audit and sanction processes are in your security policies. We're going to break this down a little bit.
Risk Assessment
The first thing you need to do is a risk assessment. What do allied health professionals need to think about when they're thinking about HIPAA? You need to think about computers, phones, tablets, fax machines, and answering machines. Remember, a patient's voice and any protected health information they've shared on an answering machine are protected and you need to go through a risk assessment on it. Also think about any test equipment that stores or transmits ePHI as well as your EHR, EMR, and OMS vendors because they have access to your information. While NOAH is unique to audiology, it would also be included in this list. You need policies around anything that is storing or transmitting information and how that information is being protected.
Administrative Safeguards
The first step is administrative safeguards. What do you have in place to reduce the risk of breaches of protected health information that is stored electronically? What policies and procedures do you have? Every practice needs a security officer. You need to know who is responsible for the security of this ePHI. If we are talking about a hospital or large clinic, you probably have a security officer that is the head of IT or the CIO at your entity or facility. Those of you in private practice or nonprofit are going to need to assign someone as your security officer. In a bigger entity, the practice manager, or the executive director of a nonprofit, would be your security officer. In an owner-operated private practice, it's typically the owner that is the security officer.
All the security officers and every facility need to regulate who has access to protected health information and by what means. For example, what equipment can they access PHI on? Can they use personal devices or access the PHI at home? Can every employee access it or do some folks have more access than others? It's all about minimally necessary access. You need to look at each one of your staff members and determine for that position, how, where, and when can they access electronic protected health information. You need training and accountability. You should authorize and document either by individual name or by position who has access to ePHI including where, when, and how. You need to train staff on these policies and procedures once they're created. Audit your staff to make sure you're following the policies and sanction staff who do not comply. That sanction has to be documented. I strongly recommend that you have a process of sanctioning that's outlined in your HR materials including employee manuals. It can include firing or termination.
Physical Safeguards
Physical safeguards are about the actual hardware that is storing and transmitting things. You have to limit access and control to that hardware. Think about who can have access to the equipment, when, and how. Are laptops and other hardware locked down? How can people move laptops or personal devices from location to location? Can they take them home? You need to have facility access and control over any hardware that stores and transmits ePHI. You should have workstation and device security, including proper use of electronic devices and workstations. Ensure that you have policies and procedures related to the transfer, removal, disposal, and reuse of both ePHI and the hardware that is storing ePHI. How do you get rid of a laptop? How do you get rid of a personal device that has access to ePHI? You have to have this all documented for your practice.
Technical Safeguards
Technical safeguards include how we control access to the software. That is typically through password protection or authentication. How are you gaining access from a software perspective to systems that hold ePHI? One thing that a lot of entities are looking into is two-step authentication so information is not just password protected. There's a second step of authentication. You're going to need to audit and determine how you are going to take your policies and make sure your staff is following them. You have to audit how your policies are being followed. Be sure that whatever electronic system you are using to store or transmit ePHI does not allow things to be improperly altered or destroyed.
If you are using a notation system for your notes, you need to have a system that doesn't allow those notes to be permanently deleted. Certified systems, such as a certified EHR, will let you hide things that you've amended, appended, or modified, but they never can be deleted. They can never permanently go away. It's something that you can always see and pull up if need be. You should never be operating in any form of an electronic patient management system that lets you delete information. I know I'm saying this repetitively in a lot of different ways, but it's really important. You should never be working in a system where you're just putting notes, for example, in Notes on an Apple device or in Word or in Excel, and then you can just delete it and wipe it. You have to be in a system whose records cannot be altered or wiped without a trace. Then you need to put in place all of the software around transmission security so that you can reduce the risk of being hacked.
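As an added illustration of the technical safeguards described above (this is example code written for this text, not code from the course or from any EHR product), here is a small append-only note log: notes can be amended or hidden but never deleted, every action is attributed to an authenticated user in an audit trail, and a SHA-256 hash chain lets an auditor detect in-place alteration or removal of entries. User names, note IDs, and note text are constructed sample data.

```python
"""Append-only, hash-chained clinical note log (constructed example).

Models the Technical Safeguards point: notes can be amended or hidden, but
there is deliberately no delete operation, every action is attributed to the
user who performed it, and verify_chain() detects after-the-fact tampering.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class NoteLog:
    def __init__(self):
        self._entries = []   # append-only; there is no delete method by design
        self._hidden = set() # note ids hidden from the default view

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action, user, note_id, text=None, supersedes=None):
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "action": action,            # create | amend | hide | unhide
            "user": user,                # authenticated user performing the action
            "note_id": note_id,
            "text": text,
            "supersedes": supersedes,    # seq of the version this amendment replaces
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev_hash,      # links this entry to the one before it
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def create(self, user, note_id, text):
        if any(e["note_id"] == note_id for e in self._entries):
            raise ValueError(f"note {note_id} already exists; use amend()")
        return self._append("create", user, note_id, text=text)

    def amend(self, user, note_id, text):
        # An amendment adds a new version; the earlier text stays in the log.
        latest = self.current(note_id, include_hidden=True)
        if latest is None:
            raise KeyError(note_id)
        return self._append("amend", user, note_id, text=text, supersedes=latest["seq"])

    def hide(self, user, note_id):
        # Hiding removes the note from the default view only; nothing is erased.
        if self.current(note_id, include_hidden=True) is None:
            raise KeyError(note_id)
        self._hidden.add(note_id)
        return self._append("hide", user, note_id)

    def unhide(self, user, note_id):
        self._hidden.discard(note_id)
        return self._append("unhide", user, note_id)

    def current(self, note_id, include_hidden=False):
        """Latest version of a note, or None if unknown or hidden."""
        if note_id in self._hidden and not include_hidden:
            return None
        versions = [e for e in self._entries
                    if e["note_id"] == note_id and e["action"] in ("create", "amend")]
        return versions[-1] if versions else None

    def history(self, note_id):
        """Every entry ever recorded for a note, oldest first."""
        return [e for e in self._entries if e["note_id"] == note_id]

    def audit_trail(self):
        """(seq, action, user, note_id) for every action, for the auditor."""
        return [(e["seq"], e["action"], e["user"], e["note_id"]) for e in self._entries]

    def verify_chain(self):
        """True only if no entry was altered, reordered, inserted or removed."""
        prev_hash = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev_hash or self._digest(e) != e["hash"]:
                return False
            prev_hash = e["hash"]
        return True


def tamper_detected(log):
    """Simulate an improper in-place edit of the oldest entry (the kind of
    silent alteration the course warns against) and report whether the chain
    check catches it. Mutates the log, so call it last."""
    log._entries[0]["text"] = "altered after the fact"
    return not log.verify_chain()


if __name__ == "__main__":
    log = NoteLog()
    log.create("clinician1", "N-001", "Audiogram reviewed; mild loss, right ear.")
    log.amend("clinician1", "N-001", "Audiogram reviewed; mild loss, LEFT ear (corrected).")
    log.hide("clinician1", "N-001")
    print("visible now:", log.current("N-001"))            # None: hidden, not deleted
    print("versions kept:", len(log.history("N-001")))     # 3 entries: create, amend, hide
    print("chain intact:", log.verify_chain())             # True
    print("tampering detected:", tamper_detected(log))     # True
```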
Mobile Devices and HIPAA Security
HIPAA has a lot of implications and things you have to consider around using mobile devices. I'm going to consider mobile devices for us today to be a laptop, a tablet, a phone, or a smartwatch. We have to be very cognizant of all of the rules around these mobile devices.
Every practice needs to consider whether they want to allow, by policy, their staff to access ePHI on mobile devices that the facility or practice does not own. That's your first decision. If you do allow that, then you need to make policies around those two separate pathways. Many entities that work in large medical facilities would never allow people to access ePHI on a personal device. They have a lot of rules around that, and you have to log into a portal using multi-step authentication to be able to do anything. You have to determine what the rules are for your practice. Let's say you are allowing access to ePHI on a mobile device. You need to make sure that you use a password or user authentication. There have to be steps to be able to open the device itself before getting into the software. The first step is having to use a password to get into the laptop or other device.
You need to enable and install encryption. We should not be communicating any ePHI to any entity, including the patient, without going through an encrypted service. You can communicate with the patient about an appointment. You can communicate with the patient about services they need, such as a COVID test, what your policies are, or reminders. But you cannot communicate any ePHI, any test results, or anything specific to that patient without going through an encrypted service.
Install and activate remote wiping and/or remote disabling. I am an Apple person, so that's what I'm going to give an example of. Essentially, that's the Find My iPhone feature, where you locate your iPhone and kill it remotely. At any point in time, you can go to a website and literally make that device a brick so that it doesn't function anymore. That's what you need to be able to do. If you have a device that is transmitting or storing ePHI, you need to be able to remotely shut that device down and remotely wipe it.
Disable, and do not install or use, file-sharing applications such as Dropbox that multiple people, including people outside your facility, can access or utilize. This is especially important in your home or other locations. You don't want to use file sharing when you're communicating about ePHI. The entity that might be file sharing with you may not be allowed access to that ePHI. The rule of thumb is to turn off all file sharing unless you're keeping everything internal-only in your practice.
Install and enable a firewall as well as security software, such as Norton or other protective software. Keep your software up to date. When your vendor provides a software update, whether that's a Windows, Android, or iOS update, make sure you download it and keep your software updated. Many times the iOS updates are around bugs and security fixes. That's why you always want to keep that up-to-date and current.
Maintain physical control. If you have a device that you're traveling with that stores or transmits ePHI, you want to make sure you keep that device on your person as much as possible. If you are doing work and accessing ePHI, you should not be on a public Wi-Fi network, whether that's at the library, Starbucks, or in your own hospital. You should never be doing report writing or communicating with your patients or anything that involves protected health information on a public unsecured network. Make sure that before you recycle a laptop, a tablet, your watch, or a phone you have completely wiped that device. Delete everything off the device before it's either recycled or destroyed.
Telehealth and HIPAA Security
Medicare defines telehealth as "the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications." Store-and-forward means that it is recorded and stored, and then it is forwarded to another entity. Store-and-forward is asynchronous because it's not happening in real-time. That's an important distinction because many health insurers don't pay for asynchronous telehealth. Telehealth can include streaming media and terrestrial and wireless communications such as online, telephone, and video. Synchronous is real-time telehealth. Asynchronous is typically store-and-forward where it's not happening in unison.
Before they begin providing telehealth, allied health professionals have to ensure that their transmission systems meet all the HIPAA security requirements and that they are able to maintain the confidentiality, integrity, and availability of ePHI that they create, retain, maintain, or transmit. You are responsible for making sure that the transmission from your end is secure. You cannot control the patient end. If it is within your facility, whether from you to the patient, to a technician that might be with a patient, to a student, or to somebody at another location that works for you, you are responsible for controlling the security of those transmissions. The only transmission you are not responsible for is when the patient is doing telehealth in their own home or office and transmitting back to you.
As a general rule of thumb, we cannot use FaceTime, TikTok, Facebook Live, Messenger, Google Hangouts, Twitch, SMS, Skype, Zoom, or unencrypted email (to store or forward) for telehealth. When I say all of these things, I'm talking about software that is free, such as the free versions of Skype and Zoom. Skype and Zoom also have healthcare versions. I'm talking about their free versions of things or any unencrypted email for telehealth. That is the general non-COVID rule of thumb. As I mentioned before, you can buy paid services through Skype and Zoom that are HIPAA compliant. Those free versions, as a rule of thumb, are not allowed for telehealth because of HIPAA security provisions. There have been COVID allowances that will expire when the public health emergency expires. So if in your state your public health emergency has already expired, a lot of those provisions have already expired.
At the time this course was created, the federal government, which is the main controller of HIPAA, has not gotten rid of the public health emergency yet. When they do, those HIPAA allowances will go away. The HIPAA allowances for COVID included allowing FaceTime, Messenger, Google Hangouts, Zoom, and Skype. As a general rule of thumb, those are not allowed under the HIPAA compliance provisions. I recommend to people before they get into telehealth that they hire an IT consultant to make sure that their transmissions are secured. Have someone help you set up a program at the outset to make sure you're going to meet all these HIPAA security provisions.
Business Associates
A business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
To break this down, a business associate is someone that you are sharing protected health information with during the processing of your business. For example, you might share PHI with a vendor if you are ordering a product for the patient. The patient gave you their information as a covered entity and now you are giving it to a third party. That third party is a business associate. You as a provider are responsible for your business associates securing your patients' health information. Every practice needs to have a business associate agreement between themselves, one that you and your practice generate, and the business associate, the entity that you are sending protected health information to.
This needs to be supplied by you, not the vendor. Many vendors may want you to sign their business associate agreement, but that means that they're the covered entity, and it's going to all be adjudicated in their state. You are the covered entity who has gotten the information from the patient. They should be completing your business associate agreement. Some common business associates include medical device manufacturers and vendors, such as those who manufacture or sell hearing aids, augmentative communication systems, or compression equipment for patients. Other business associates are your accountant if they have access to ePHI through your QuickBooks or your attorney because you're transmitting information to them. Your EHR, EMR, or OMS (office management system) vendors are also business associates.
Your clearinghouse, the entity between your computer and the computer of the payer, also needs a business associate agreement since you're giving them ePHI. So does your cloud services provider, because they again are storing your information, and any IT consultants you may hire that you're bringing in and giving access to your systems. If you were in a buying or management or cooperative group where you're sharing information with a business development team, they need to sign a business associate agreement, because they're typically able to access your systems. You can see a sample business associate agreement when you go to the HHS.gov website that can be customized to a degree.
HITECH Breach Notification
The HITECH breach notification rule applies to both paper medical records and electronic medical records. It addresses how to handle a breach, which is an impermissible or unauthorized use or disclosure of PHI. This is a good time to give you my general rule of thumb about HIPAA. You want to do unto others as you want to be done unto you. We are all HIPAA consumers and we are all someone's patient. Before you do an action, you want to think about what you would want someone to do for you. I really want to bring this up as we talk about a breach. If someone lost your medical record or sent your information to the wrong person, what would you want to be done for you? The government requires you to do a risk assessment if you believe that there is a breach. The risk assessment is taking a look at what the risk is of this ePHI or PHI being used for illicit or nefarious purposes.
I'm going to give you a few examples. Let's say you were going to fax or email a report to a physician and you sent the report or patient information to the wrong physician's office, either by email, mail, or fax. In this case, I would consider it low risk. You are sending information to another entity, which is also a HIPAA compliant entity. I would think the risk of that information being used for illicit or nefarious purposes would be very low. In this case, you would contact the physician's office that you sent it to incorrectly and request that they destroy it by whatever means, either deleting the email or shredding the fax or mailed copy. Then you would go into the affected patient's medical record and document that breach. Next, you need to go to the portal at this link. Here you will document the breach including what occurred and that it was a low-risk breach. You have to document all of your breaches.
Now let's look at another situation. You emailed or mailed a report to the wrong patient. You sent information or documents from a patient's medical records and put them in the wrong envelope or sent it to the wrong email address. In this case, you don't know the end entity and what they could use that information for. In that case, I would consider it a moderate to high risk and you should notify the patient. You have 60 days from the date of a breach to notify a patient of that breach and you have the burden of proof to show that you notified them. You want to notify them in a way that you can prove receipt. If you can do that by email and you have systems that you feel like you can prove receipt, you could do it by that mechanism. Lots of folks do it by certified mail because they can prove that the person signed for it and received it. If business associates have a breach, they have the burden of proof to tell you, but you have to notify the individual within 60 days of the breach. You also then need to give them identity theft protection. The standard in the industry is for you to give them a year of identity theft protection.
Let me give you another example. Let's say you are still working with paper charts and records and you lose a paper chart. I can tell you from my experience of being in this industry for a while, that's actually where I've seen some of the biggest HIPAA problems and things being used illicitly. Someone stole a paper chart and then tried to take on that person's identity. I've seen that more with paper records, but I've also seen that with electronic records on small, singular breaches. I recommend that you try to find the lost chart. If you don't, consider that a high or moderate breach and notify that patient accordingly.
Let's say someone hacks into your system. Many of you may have gotten a letter in the mail from a health system saying that someone breached their systems. If someone hacks into your system, and it's a large breach of over 500 people, you have to notify your local media and health and human services. That large breach is absolutely something you have to report in the portal. Any breach, no matter the size or if it's at low risk, needs to be reported in the portal at the link I provided earlier. Big breaches must immediately be reported to your local media, to health and human services, and then all the affected patients need to be contacted. Again, think about how you would want someone to treat you.
Privacy Rule
The privacy rule is really the hallmark of HIPAA. This was the first thing created, and it is the meat and bones of HIPAA. All of the other things are equally important, but this is the one that really affects us the most in daily practice. It protects both electronic and paper formats and was first set forth in 2003 and later updated in 2013. We should expect an update to HIPAA in 2023 from the government. Every time the government makes an update, we typically have to make updates to our notice of privacy practices in all our forms, documents, processes, and procedures. Everyone needs to be prepared that there could be an update in 2023.
HIPAA privacy protects "individually identifiable health information" including demographic data. In a nutshell, it's everything that's in your medical record. Everything that's stored either by paper or electronically in a patient's medical record is subject to HIPAA privacy. Everything that's there, even things from other providers is still covered under the HIPAA privacy umbrella. This includes an individual's past, present, and future physical and mental health or conditions, the provision of their healthcare, their past or future payments, all payment information, and any of those 18 pieces of individually identifiable health information. All of that is protected under HIPAA privacy. It's the 18 pieces plus all of their records, chart notes, test results, inventories, inquiries, and invoices that the patient has access to and is protected under privacy.
Notice of Privacy Practices
Every practice needs to have a notice of privacy practices. These are your practice's rules and policies around the privacy policy and protecting health information. You can find a template on the Health and Human Services website. You have to have the patient sign an acknowledgment of the receipt of your privacy policy. Most patients will never read it, but you have to give them the opportunity to read it if they so choose. Most big healthcare systems are constantly changing their privacy policies and updating privacy officers, so they typically have people sign it every visit. There is no requirement to have people sign at every visit. The requirement is that any time you make any change at all, whether it's a word, a letter, or making something plural, you have to have the patient sign a new acknowledgment, and all changes need to be dated. You always need to have the date on your privacy policy reflect the last time it was changed. Acknowledgments need to be replaced every time you change your privacy policy; even if all you did was change your privacy officer, the policy and its acknowledgments need to be updated.
If your privacy policy is dated prior to 2013, it isn't valid. That should have been updated with 2013 information. If your acknowledgment was signed prior to 2013, it's not valid. You need a new, signed acknowledgment. The notice must be readily available to your patients so you must prominently post it in your office and you must have copies available if the patient wants a copy of your privacy policy. In the practice I used to run, we had a supply of printed copies for patients who requested a copy of the policy. We could just hand it to them. Some people have posters in their offices and others have a brochure of it that is in a brochure holder. Some people have it bound in a booklet that sits in their lobbies and exam rooms. You just have to make it prominently available. The biggest way you make it prominent is to put it on your website. Everyone's website needs to have their notice of privacy practices on the site. You have to make a good-faith effort to get the acknowledgment of the notice of privacy practices signed. If that cannot be obtained or the patient refuses, you need to document that in the patient's medical record. You have to document what happened and why you didn't get it signed. It's very important that that documentation exists.
Transfer From Paper to Electronic Records
Some people ask me all the time, what happens when I transfer records from paper to electronic? The first thing you have to do is always consult your state's medical record retention laws. HIPAA's requirements are to retain records for six years. But many states have rules that exceed that. You need to know what your individual state or territory's medical record retention policies are. My next question is, was it a one-to-one transfer? What that means is, was every piece of paper in the paper file transferred over and scanned in electronically? If the answer is yes, you can properly destroy the paper file. If the answer is no, you need to retain the paper record through the state medical record retention policies.
Disclosures that Do Not Require Authorization
There are three times that you can disclose protected health information without the patient's written authorization. They are for treatment, payment, or health care operations. Let's take a closer look at each of these.
You can disclose PHI without the patient's written authorization if you are communicating with the ordering and referring physician, or with the physician or healthcare practitioner you're referring to, because that's all around coordination of care. I am always going to tell you to err on the side of being conservative. Here's an example. A physician referred a patient to your practice. You could send results back to that physician and not need the patient's authorization to do so. But let's say a different physician reaches out to you and wants a copy of the patient's records. You should get authorization from the patient to send to that new entity or to transfer your records to another provider. Let's say a school system reaches out to you. I would not send results to a school without the patient's authorization.
You do not need a patient's authorization to send claims to their insurance company. It's important to note that patients can restrict disclosures to their insurance company and waive their insurance benefits if they want. Health care operations generally include anything around your business: the administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business. Remember, you're going to have business associate agreements with your accountant and your attorney, and you will have activities such as accreditation and insurance or other audits; none of these require the patient's authorization. You can also disclose information in your medical record that was provided by another provider, because it's now part of your record.
Privacy Rule Specifics
Regarding the privacy rule, there are several specific things you need to do. You need to keep disclosures to the minimum necessary. You need to have a privacy officer. I would handle the privacy officer the same way I described for the security officer: it could be the practice administrator, executive director, owner, or manager. All your staff needs to be trained on privacy. This includes all new hires within 90 days of hiring, and all of your staff should be retrained on privacy annually. This course can be used for that purpose. You must have a complaint process that is clearly documented in your notice of privacy practices. Patients must be able to complain both to you, the practice, through your privacy officer, and directly to Health and Human Services or the Office of Civil Rights.
You must have record safeguards for the storage, disposal, and access of protected health information. You can think back to some of the security provisions, but think about how you would secure paper records. How is your paper stored? It doesn't have to be locked if a staff member is in front of it at all times. If not, is it locked up? Is it somewhere behind a secure door when your business is closed? Think about how those things are stored and secured. How are you going to destroy them? HIPAA records have to be kept for six years from the last encounter with the patient. Remember, state record retention policies vary a great deal, especially around children, so you want to be very aware of what those are.
I'll give a disposal example. I was always taught that if you're going to dispose of medical records, you pulverize them. When I had medical records in my office here in Chicago, I hired someone to come destroy them. I can account for what records I was having destroyed. They were scanned into a secured system. Mine was batched by dates and not by individual names, so I wouldn't have ePHI held in my system, but you could have it by individual records. Once the information was scanned in, I literally had it pulverized into dust and then that vendor gave me a receipt to show what had happened on which date. Then I scanned that in with the documents that I had destroyed. You should always keep a record of what was destroyed, when, why, and how.
Texting and Email
Again, ePHI should only be sent through encrypted email service providers and text providers. Your practice needs a written policy, and email and text need to be mentioned in your notice of privacy practices. Again, you need to have an email and text consent from your patients stating that you may communicate ePHI via text and email. Some patients may not want that, which is why you need to give them the opportunity to opt in. I'm going to tell you the same for telehealth. You need a telehealth informed consent policy that documents that patients agree to participate in telehealth.
Use and Disclosure
Use and disclosure is the HIPAA version of a medical release. It covers who information can be disclosed to and what can be disclosed. It's a very specific HIPAA form. It allows the patient to list what they want disclosed and to whom. They can also restrict disclosures here if they don't want some information disclosed to certain parties.
Marketing
The Privacy Rule defines marketing as making a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service. The HIPAA marketing provision only applies to a communication sent to your database. HIPAA is very clear that if a third party is paying in whole or in part for communication, then that becomes marketing, even if it's merely educational. It's really important that if you are going to communicate to your database, you pay for your own communications.
Testimonials
It's also important that you have the patient's authorization if you are going to use testimonials in your marketing. You can't share ePHI in a testimonial, a published review, or a response to a review. You really shouldn't respond to negative reviews online without consulting your attorney and having them give you guidance on how best to respond. You need a patient's authorization to use their image, their review, or their name. Your notice of privacy practices needs to outline your use of testimonials and reviews, all your staff needs to be trained on these policies, and that training must be documented. One physical therapy practice had a pretty hefty HIPAA fine of about $25,000 over the inappropriate use of testimonials in their communications.
Marketing Versus Education
Let's talk about the difference between marketing and education. Marketing requires authorization. It is always marketing if a third party is paying in whole or in part for the communication, if you're trying to get a patient to purchase an item or service, or if you're promoting a specific price, product, or promotion. That is marketing, and it requires authorization. Education is when you're just training people; it's informational only. You don't talk about a specific product, price, brand name, or anything of that nature. You are talking about general healthcare topics or general information about your practice locations and staff. That's educational, and it's allowed without authorization. But the minute you're trying to drive a purchase, whether it's the purchase of your services or the purchase of a product, it becomes marketing. Again, HIPAA marketing provisions only apply when you're communicating to your database.
Marketing Authorization
There are two different types of marketing authorization. Let's say you want to market to your database. Which one you need depends on who is paying for the communication and whether money is changing hands. You can have a short authorization that you get at intake; see the example of a short form below. The short form is used when there is no remuneration, in cash or in kind, and no money is changing hands in any form for the products you market. If you are marketing something and paying for it yourself, or marketing a vendor's product and the vendor isn't giving you anything in return, such as free training, a lease, a loan, or a trip, you can use the short form. Once you receive anything of that nature, you need to disclose it on a long form marketing authorization.
Example of short form:
By initialing this section and signing below, I authorize Clinic A to send me educational and/or marketing information on the products and services offered by Clinic A. No remuneration is involved in this communication. I understand that I may revoke this authorization, in writing, at any time.
You need a long form the minute any money, in cash or in kind, changes hands. You have to disclose to your patient what you got in return and who paid for what. It is a very long form that you're going to need your attorney to help you create. I will tell you from experience that patients are not going to be excited to sign that form. It can affect how patients perceive your practice. A great rule of thumb that I really want you to take away is this: if you want to market to your database, get a short form marketing authorization, because you cannot market to them without authorization. Pay for every one of those communications and pay for everything around your business yourself. Don't let vendors pay for them.
Omnibus Rule
The Omnibus Rule was a change to HIPAA that became effective in 2013. It made business associates responsible for notifying you of breaches, and that includes business associates' contractors and subcontractors. If you store protected health information electronically, the patient has the right to access it and receive it electronically. They have the right to request that you send a copy of their electronic medical record, often as a PDF, to them through secured, encrypted systems. They have the right to restrict disclosures to their insurance company and waive their insurance benefits so that you do not send any information to the insurer. You will need a specific insurance waiver form for this.
Marketing has been redefined as any patient communication where a third party is paying for that communication in whole or in part. Even if it's educational, it's deemed marketing and you have to go through the marketing provisions. You can't sell protected health information. There must be a defined breach notification process: any breach, even a minor one, has to go through a risk assessment process, be documented in the patient's record, and be reported to the government.
Omnibus allows for broader uses of ePHI for fundraising and research. Again, in those situations, I would have your attorney involved to help define it for you and your situation, because sometimes state laws can come into play. Finally, the penalties for HIPAA got bigger because people were just saying, well, I'll just pay the fine. Now the fine is up to $1.5 million per calendar year, and because HIPAA provisions have been criminalized, you can also go to jail.
HIPAA and Social Media
Remember, don't disclose any ePHI on any form of social media. This includes sites such as Facebook, Twitter, LinkedIn, Instagram, Yelp, Google, etc. This includes, but isn't limited to, responding to reviews. Responding to a review confirms the patient was seen in your practice and could be deemed a privacy violation. Always start by contacting the patient who gave you the review directly, not in a public forum. If you've worked it out, ask them if they'll remove their review. Before you post anything on social media about a patient, ask your attorney, because this is a complaint-driven process. You want to make sure that you know how this should legally be handled before you start responding online or posting testimonials, patient pictures, or patients' test results for feedback. Remember, patients' test results are protected. You can't just post them on social media to get feedback from your colleagues without the patient's authorization.
Examples of HIPAA Violations
Here are some examples of HIPAA violations within healthcare.
Physical Therapy:
Additional examples:
- https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- https://etactics.com/blog/social-media-hipaa-violations
- https://www.hipaajournal.com/hipaa-violation-cases/
- https://healthitsecurity.com/news/ocr-settles-with-dental-provider-for-potential-hipaa-violation-on-yelp
- https://assets.hcca-info.org/Portals/0/PDFs/Resources/Rpt_Privacy/2016/rpp0716.pdf
Resources
Here are some professional resources from your associations. If your profession isn't listed here, it's because its association doesn't have specific HIPAA guidelines, or those HIPAA guidelines were behind a member-only firewall that I could not access. If you are a member of a national association in your profession, see if that association has HIPAA guidance specific to your profession.
- American Physical Therapy Association: https://www.apta.org/your-practice/compliance/hipaa
- American Speech-Language-Hearing Association: https://www.asha.org/practice/reimbursement/hipaa/privacy/
- National Association of Social Workers: https://www.socialworkers.org/About/Legal/HIPAA-Help
Citation
Cavitt, K. (2022). HIPAA for allied health professionals. PhysicalTherapy.com, Article 4831. Available at https://www.physicaltherapy.com