If you are considering starting a private practice, you probably already know that you need to be HIPAA compliant. But what does this mean exactly? What do you need to do to ensure that you are complying?
First things first: every private practice needs to do a HIPAA Risk Assessment. Ask yourself…
Are you a covered entity? If so…
You need to address HIPAA with your clients, ensuring they understand their HIPAA rights and your HIPAA policy. Your intake paperwork needs a signed acknowledgment that they received (or were offered) a copy and understand it. If you do online therapy, your website should provide access to your HIPAA policy. CMS offers a tool for checking whether you are a covered entity: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity
You need a BAA with each of your business’s service providers (e.g. if you use IntakeQ for your paperwork, get a BAA with them; your video platform, e.g. Zoom, needs a BAA as well).
Who are “providers”? Any method you use to store or transmit data electronically. For example, consider: how are you collecting intake/consent forms? How are you collecting payment? How are you storing your treatment (tx) notes? If those methods are electronic, you need to use a system with security controls adequate for HIPAA, including signing a Business Associate Agreement (BAA).
What Does It Mean To Be HIPAA Compliant?
Simply put, HIPAA is the acronym for the Health Insurance Portability and Accountability Act.
Most private practitioners tend to think about HIPAA as that entity that is always watching them. And the reality is that they are right. After all, being HIPAA compliant is directly linked to your ability to keep medical records protected and to the way you communicate with your clients. You probably already know that if you accidentally share client information with someone who isn’t supposed to access it, you can get fined.
While protecting your clients’ confidentiality has been a part of private practitioners’ lives for many years, the truth is that things have changed a bit.
In the old days, private practitioners used only paper records. So, they had to ensure that all these documents were kept in a safe or a locked closet that only a few people could access. But things have changed, and most private practitioners now use digital records and new technologies both to store private information and to communicate with clients.
Ultimately, you need to keep in mind that confidentiality belongs to the client, and it is your job to keep that information private and not share it with anyone. It is also important to discuss with the client how you use and store that information.
Ultimately, you will never share or communicate what a client tells you without a written and signed document – an authorization for release.
Protecting Personal Health Information (PHI)
As we already mentioned above, PHI was easier to protect in the old days when all records were on paper. Now you need to know how to better protect all the digital files of your clients:
Use Two-Factor Authentication:
Two-factor authentication means combining a password with a second factor, such as a code from an authenticator app, so that a leaked password alone is not enough. If you are storing your clients’ files on your computer, then at a minimum you need to ensure that you use a password for your computer and a different one to access any PHI.
Use Data Encryption:
While having good passwords is a good start, they are only the front-door protection. The truth is that your computer can still be hacked or stolen, and this is why PHI needs to be encrypted at rest.
Store On The Cloud:
While this may seem strange, the truth is that storing PHI in the cloud can actually be one of the best options you have. However, this is only a good solution if you do it the right way. Ultimately, you need to ensure that you choose a cloud storage service that offers BAAs.
In case you don’t know, BAA stands for Business Associate Agreement: a written arrangement that specifies each party’s responsibilities when it comes to PHI. Whether you are doing private practice in an office or online using a video platform, for example, you need to have a BAA signed. Ultimately, the contract needs to describe how the PHI is stored and used, and it also needs to state that the business associate won’t use or disclose the protected health information other than as the agreement permits.
So, the first thing you should do when you have a new client is to get signed releases about how they want to be contacted for appointment reminders. Make sure to let them know the risks involved and how you handle communications outside of the session. Clients also need to sign that they received the HIPAA notice.