Today for y’all, I’ve got what some might consider a little bit of a hot…
Today, we’re talking HIPAA, because there’s a lot of confusion out there about it.
First, let me note, this video/blog is specific to USA laws and regulations. If you live outside the US, please refer to your local laws regarding privacy and information protection. Also, please know that I am by no means a HIPAA expert, and I’m simply covering whether you need to abide by it or not.
Whether you’re brand new to the massage industry or you’ve been practicing for years, you’ve undoubtedly heard about HIPAA. Unfortunately, there’s a lot of misinformation floating around that may be making things confusing for you. So let’s simplify this whole thing so you can determine whether you need to worry about being officially HIPAA compliant or not. Because I’m constantly seeing people screaming “HIPAA violation” at the slightest mention of something about a client.
So first, what is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act which was put into place in 1996. The purpose of this law was to require the Department of Health & Human Services to “adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.” In plain English, it just means that there are very specific guidelines set to make sure patient information is protected.
If you notice in the name, it refers to health insurance. That’s because HIPAA compliance is required for what is referred to as a “covered entity”. What’s that? Here’s the definition according to HHS:
A covered entity as a health care provider includes the following (and this is verbatim from the HHS website):
- Nursing homes
And I quote… “but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard”.
And that’s the key there… if you’re transmitting patient information electronically, like when you’re filing insurance, then you would have to abide by HIPAA guidelines according to whatever standard HHS has set down for that particular type of transaction.
So, even if you are recognized and licensed as a healthcare provider in your state, according to federal HIPAA regulations, unless you are transmitting any information in an electronic form (such as billing insurance) you are not considered a ‘covered entity’. Now, let me note here that some states have their own privacy regulations, and it’s important to understand your local laws, because they may be even more stringent than the federal version and will take precedence. If you’re not sure about your state laws, contact your health board and get some clarification on the matter.
Now, let me establish a distinction I think is of utmost importance, and yet is often confused. As professionals, and due to the sensitive nature of the data we collect from our clients/patients, privacy of that collected information is absolutely crucial, regardless of whether you are classified as a ‘covered entity’ under HIPAA or not. You should have safeguards at every step to ensure only the appropriate people have access to that information. This includes password-protected computers and software, locked filing cabinets, never leaving client paperwork out for someone else to come across, and not discussing any client (who has not given express written permission to disclose their information) with anyone. Client privacy is imperative, but that is not the same as HIPAA. HIPAA involves some seriously massive protections and regulations that you’re going to need to take classes on, because it’s an entirely different world from just keeping things confidential.
So, I hope this made this law a little less intimidating for you and cleared things up on where your business stands in the matter. If you’d like more information, don’t go to random blogs, go to the source, which we’re linking below.