Article updated June 2019
The Health Insurance Portability and Accountability Act (HIPAA) has been around for a long time — since 1996. The Act was signed into law by President Clinton and, as administered by the Department of Health & Human Services, regulates key parts of the practice of medicine in the United States.
HIPAA has broad purposes, one of which is to establish the legal right of patients to confidentiality. Aspects of HIPAA were designed to ensure the privacy and security of protected health information (PHI) — information which could theoretically be used to individually identify a patient. This is not just to prevent unwilling patients from being targeted by pharmaceutical companies; HIPAA also gives patients a measure of control over their PHI as well as the right to correct inaccurate details.
One of HIPAA’s purposes is to enforce Administrative Simplification. Under this category, its Privacy and Security Rules are extremely relevant to TCM practitioners. The Privacy Rule focuses on PHI in both its paper and electronic forms, while the Security Rule is specifically concerned with how information is managed in Electronic Health Records (EHR). The Security Rule mandates three types of security safeguards:
- Administrative safeguards encompass policy and procedures to ensure a clinic is HIPAA compliant
- Physical safeguards make sure that access to protected information is limited to individuals with the legal right to view it
- Technical safeguards make sure that the computer systems holding electronic PHI, and the communication channels used to transmit it, are secured against unauthorized access
Like it or not, “covered entities” subject to HIPAA compliance include acupuncture clinics. The increasing professionalization of acupuncture means that practitioners have to take HIPAA seriously.
The consequences of HIPAA non-compliance can be serious. Covered entities can be held responsible for a range of civil offenses. According to the American Medical Association, the U.S. Office for Civil Rights may impose Civil Money Penalties (CMPs) that vary depending on the seriousness of the offense — from an unknowing violation up to willful (and sustained) neglect of HIPAA requirements. This can range from $100 per violation to an annual maximum fine of $1.5 million. There are also criminal penalties for “knowingly” violating HIPAA with criminal intent that, in the most extreme cases, could lead to fines of up to $250,000 and prison sentences of up to ten years.
But don’t worry. Here are some easy but essential first steps you can take toward ensuring your acupuncture clinic is HIPAA compliant. The list is not exhaustive, but it is a solid way to get started.
7 Ways to Ensure HIPAA Compliance
1. Prepare a compliance manual specific to your acupuncture clinic. This means putting into writing your HIPAA-related policies and procedures. By doing so, you will have a clear document that shows how your clinic has comprehensively engaged with the requirements of HIPAA.
2. Formally give patients written notice of their privacy rights under HIPAA.
3. Identify staff members who can access PHI, and make sure that access is restricted only to staff for whom the information is essential.
4. Appoint both a privacy officer and a security officer in your acupuncture clinic to develop your privacy and security procedures, respectively, and to ensure they are followed. Of course, for small clinics, the privacy and security officers may simply be you.
5. Devote time to training staff so their activities meet your HIPAA compliance policies. This should be an ongoing project versus a one-off training session.
6. Have procedures in place to respond to patient complaints about how you handle their PHI.
7. Use fully integrated acupuncture management software like Unified Practice that will keep your data secure and save the hassle of doing all the work yourself to ensure HIPAA compliance. Leverage a cloud-based platform and put your mind at ease about data security.
Guest blog post by Matt Leask