Opening the hips can create an energetic shift. Opening your mind to understanding HIPAA compliance is another thing and is probably as painful as your first Eka Pada Rajakapotonasana. However Yogic tradition holds the hips as a storage ground for negative feelings and pent-up emotions, especially ones related to control in our lives. Hip-opening can also create space for the birth of new ideas and new pathways. So I am hoping that improving your knowledge of HIPAA will take some of the stress out of your compliance obligations.
The concepts of security of information, client privacy & client confidentiality are not new terms to most of us. However, when you raise the issue of HIPAA, are you fully aware what you are asking when you ask about HIPPA compliance?
My answer to this question is always - Are YOU fully HIPAA compliant?
This post is aimed at USA therapists but the concepts can be applied anywhere – HIPPA is an American Act however nearly every country has a similar legislation and you should be familiar with the legislation in your own country.
Focus on your breath & lets dive in!
The Anatomy of HIPAA – The Basics
First, let’s get familiar with the acronyms. HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPPA was enacted by the U.S. Congress in 1996. Those thoughtful people gave health professionals until April 14, 2003 to comply fully with all properties of the act. For those of you counting, that was seven years to get things in order. The intent of this Act is to protect clients, reduce fraud, improve quality of health care, and set strict standards for how private information about clients is transmitted (the widespread use of electronic data transmissions made things faster but is considered risky; HIPAA, 1996). Think about the International Association of Yoga Therapist (IAYT) code of ethics & standards for training. Like the code of ethics & standards for training, HIPAA was presented to ensure that health providers have common standards of practice, legitimacy, and to protect our clients.
Ready for the next acronym? This is an important one, PHI, which stands for Protected Health Information. This concept is the backbone, the purpose, of HIPAA in that information must be protected for privacy and security. Finally, TPO stands for Treatment, Payment and Operations. This final acronym is really just interchangeable with PHI.
Next, get on-line and save http://www.hhs.gov/ocr/hipaa and http://www.hipaa.org on your browser’s favorites or the equivalent based on the service you use. Then, get into your email account and save these two addresses, AskHIPAA@cms.hhs.gov (transaction/code set issues) and email@example.com (privacy questions). Finally, go to the phone and save the Office for Civil Rights (OCR) hotline number.
Now, at the ease of your fingertips you can have your questions answered. I don’t claim to be an expert & there is no way we can cover it all for you here.
The biggest asset you just gained for yourself is that of our government’s Office for Civil Rights (OCR) web page. Spend some time making your way through all of the links. The web page offers a wealth of information under several main categories. While you are there make sure to sign up for the OCR updates. Our suggestion is to print off the complete Act and the Fact Sheets, just to get started. Then move on over to the Education Materials and start from the top, we particularly like the sample Business Associate contract. Make sure to take advantage of the forms.
Something important to know is that in some cases a clinic may not be required to adhere to the rules and regulations of HIPAA. The Office for Civil Rights will definitely help you decipher whether or not you need to maintain compliance. Not having to would be a relief wouldn’t it? Don’t get too excited, whether or not you have to maintain compliance, my suggestion is to go ahead and do so. First, you may eventually evolve into a practice in which you will have to be in compliance, and hey, look you already are! Second, it simply gives you professionalism, it will legitimize your work, and increase confidentiality for your clients, and are they not who you work for?
Now, let’s shift our focus to the materials included in HIPAA. In a snapshot, this regulation is broken up into two Titles.
Title I: Health Care Access, Portability, and Renewability is designed to protect health insurance coverage for workers and their families when they change or lose their jobs. This title stops group health
plans from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information, or disability (HIPAA, 1996). Also, limits on restrictions that a group health plan can place on benefits for preexisting conditions are provided.
Title I also forbids individual health plans from denying coverage or imposing preexisting condition exclusions on individuals who have a specified set period of creditable group coverage without significant breaks and who are not eligible to be covered under any group, state, or federal health plans at the time they seek individual insurance (HIPAA, 1996).
Are you asleep yet??? Just checking!
Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform,
is broken into five rules. These rules include:
The Privacy Rule;
The Transactions and Code Sets Rule;
The Security Rule;
The Unique Identifiers Rule; and
The Enforcement Rule.
This title is focused on defining offenses relating to health care and sets civil and criminal penalties for them. The rules apply to health plans, health care clearing houses, billing services, community health information systems, and health care providers (you) that transmit or may transmit health care data (HIPAA, 1996).
1. Privacy Rule
Two of the Title II rules are of the most interest to us as providers: The Privacy Rule and The Security Rule. The Privacy Rule establishes regulations for the use and disclosure of PHI (HIPAA, 1996). In case you have already forgotten, PHI is Protected Health Information. Generally, PHI is any information about health status, provision of health care, payment, and medical records (HIPAA, 1996). Basically, anything that identifies an individual. Now you can see why TPO (Treatment, Payment and Operations) is an interchangeable acronym with PHI. Now you have a general idea of what PHI is, ready for the specifics? The list reads as follows:
name of relatives,
name of employers,
date of birth,
social security number,
medical record/account number,
any vehicle or serial number,
finger or voice prints,
photographic images, and
any other unique identifying code or characteristic
Which even means using the word “blonde” in an elevator could be a violation (as if talking about a client in an elevator isn’t bad enough.
A common concern for providers is the terms in which information can, should, or must be disclosed. If your client requests their information you have 30 days to provide it. Also, by law a provider can be required to disclose information. For example, if child abuse is a concern with a client then your state child welfare agency requires some identifiable information. Give it to them, but limit what you provide to the minimal amount that still allows you to achieve your intended purpose.
So now that you know that information can leave your office it is time to hear the catch.
The Privacy Rule requires that you keep a record of your disclosures (HIPAA, 1996). For a counselor or therapist this means that you should chart your interactions with others, file your Release of Information forms, and make sure you have privacy policies and procedures created and available upon request. Ready to add a new title to your resume? Your private practice needs to appoint a Privacy Official and contact person responsible for receiving complaints, and train all members of your office how to handle PHI.
Now I think you are awake!
2. Security Rule
The Security Rule is broken into three specific types of security safeguards:
For each of the three types the Rule identifies security standards and both required and addressable implementation specifications. Required specifications are a must and are expected to be followed down to the letter. The term addressable means there is some flexibility so that a clinic can evaluate how to best address the specifications with consideration to their unique situation (HIPAA,1996).
1. Administrative Compelling Counseling Interventions Safeguards are the policies and procedures designed to clearly show how your practice will comply with HIPAA (1996). Make a list and start checking things off. First, write a set of privacy procedures and make sure to cite: the Privacy Official, reference management (who will also be in compliance with security and any one that will have access to PHI), authorization, establishment, modification, and termination. Second, make a plan that outlines ongoing training regarding the handling of PHI. Third, if you use any outside business as a support to your practice, such as a transcription company, make sure to ensure that they also have a framework in place to comply with HIPAA requirements. Fourth, create a contingency plan for responding to emergencies, include data priority and failure analysis, testing activities, and change control procedures. Fifth, make a plan for internal audits to monitor security violations. In this plan, document the scope, frequency, and procedure of audits. Audits need to be routine and event-based, meaning if something seams fishy, do an audit. The final component of your procedure creations is that of a document that addresses how security breaches that are discovered will be addressed. Remember, you do not have to reinvent the wheel. Examples of these procedures are available through the web.
2. Physical Safeguards are those expectations to physically monitor any inappropriate access to protected data. This part of the Rule states that hardware and software must be introduced to your clinic safely and be removed properly (HIPAA, 1996). For example, if you hire a technician to come into your clinic to add new technology, make sure they cannot access clients’ information. If you decide to get a new computer, make sure the old one is completely cleared out before you donate it. Keep your records in a place that no one can get to unless they are authorized. Employ the double lock rule, which means that someone must get through two locks before getting to any PHI (e.g., locked door to file room and locked filing cabinet). Now, PHI is not the only information you need to keep in secure areas, do not forget the facility security plans, maintenance records, visitor sign-in, and even parking permit lists, just to name a few (HIPAA, 1996).
The design of your office must also be a physical safeguard in itself. Have the workstations removed from high traffic areas and make sure your computer screens face away from anyone other than the person sitting at the desk. Computer screen attachments are available that add additional safety in that the user must be directly in front of the screen to view material. Critically examine the work places and remember that ancillary workers such as cleaning staff and paper shredding companies may make their way through the areas and you are responsible for their training or ensuring their knowledge of physical access responsibilities (HIPAA, 1996).
3.Technical Safeguards speak to your responsibility to govern your computer systems and people you deal with through technological means (fax, email, phone, etc.). Think to yourself, “How will I ensure the person I intend to receive this material REALLY receives it?” To do this, you should employ encryption systems and make sure that the people you deal with do the same (HIPAA, 1996). Remember, you need to have your plan for virtually everything written out and you should make them available to the government to prove that your therapy practice is in compliance.
Just a Short Word on Connection to Others - Business Associates
General Provision. The Privacy Rule requires that a covered entity (you) obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. Business associate contracts are readily available on the following link Business Associate Agreement
Compliance is taken seriously by the United States Government. Just say the word “audit” and watch
people sweat. As with any offense there comes fines and time behind bars. Compliance violations start
with $100 fines and can go all the way up to $250,000 and 10 years in prison (HIPPA, 1996). Value your clients and do not ever consider compromising their privacy whether inadvertently or with intent for personal gain. Now, after hearing those scary fines we imagine you are ready to throw in the towel and just hire some outside consultant to come in and do it for you. You need to be aware that there have been reports of fraudulent consulting companies claiming to have the endorsement of the Office of Civil Rights. If you decide the task it too challenging, first, review the HIPAA website again and seek support through the email addresses and hotline number your saved earlier.
Second, go to your favorite book retailer and ask them to help you find a resource guide, there are a number of quality books in publication focused completely on HIPAA regulations. If you still feel the need to hire a consultant, demand them to show you proof of their accreditation by the United States Government, Office of Civil Rights, and then follow that up by checking with the Office itself to confirm the legitimacy of the accreditation.
If you take nothing else from this piece, please remember to use the Office of Civil Rights by emailing or phoning them to seek consultation. Keep in mind that there are simple ways to ensure the safety of our clients and their sensitive materials. For example, knock on doors before entering, use professional shredding companies to ensure proper disposal, do not talk about clients in public areas, clear PHI from your computer screen before walking away, understand the statute of limitations in regards to files (6 years for HIPAA ), do not leave messages on answering machines regarding clients, and do not mix PHI files with other files….you get the picture.
So just as Yoga requires an ongoing commitment so does some of the administrative requirements of managing a practice. Think of it terms of creating a safe space for your clients.
Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191, 119 Stat.
United States Health and Human Services.
C-IAYT, E-RYT200hr, RN, M.Nursing Crit Care.
Full time Yoga Therapist.
Founder & CEO Zmaaya software for holistic practitioners.
Having worked in more than 10 developing countries over the last 18 years of which 13 of those were with the worlds largest medical assistance company International SOS, (head office Philadelphia). Roles within International SOS included; Medical Facility Management/commissioning, flight nurse, call center manager & quality management/facility auditor. Clients included; expatriates from all over the world (insurance clients), insurance companies from all over the world with one of the largest clients being the USA Department of Defense – Tricare.
An Executive Director of a 350-bed Hospital in Bali that underwent Joint Commission International (JCI) accreditation during her tenure. JCI is one of the most prevalent healthcare accreditation bodies in the USA. Last consulting position was for 3 small hospitals in the north of Zambia assisting with quality improvement & capacity building. That position expanded to project management role that had direct oversight on the development & inception of a nursing faculty in Solwezi Zambia, a partnership between Northrise University Zambia & Baylor University USA. The nursing school opened 2015. Although she does not live in the USA & is not an expert on HIPAA, she believes that her knowledge of, and understanding of security, privacy & confidentiality are reasonable & the concepts of HIPAA apply in nearly every country.