HIPAA in Private Practice

We seem to be inundated with information and discussions about the new HIPAA regulations and Final Rule. It’s being talked about on listservs and forums, in therapy clinics, and there were even courses about HIPAA compliance at the ASHA convention. Despite all the information and chatter I have found myself a little overwhelmed and wondering if I’m truly complying with all aspects of the law within my practice. I’m confident that as SLPs we’re following general confidentiality and client privacy rules. But, am I following all the rules that are applicable for my business? Is my practice ready if I were to be audited?

These are the questions that inspired me to research further. And what did I find? Well, I was excited to find that resources are plentiful! And many are truly terrific. Not only are the resources user-friendly, but they are structured and descriptive as well.

The first go-to location is the US Department of Health and Human Services website. In addition to the lengthy (and somewhat overwhelming) legal documents for the HIPAA laws, there are also many summaries of the law and links to additional resources and trainings. Perhaps the most useful resource for questions about getting my private practice into compliance was the HIPAA Security Series. This is a series of 7 documents that educate about various areas of the Security Rule, from the basic standards to risk analysis and assessment. The 7th installment of the series is titled “Implementation for the Small Provider” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf). Can you imagine how excited I was when I found this resource?!

According to the HIPAA Security Series, to be in compliance private practices should:

1) Complete a Risk Analysis and Assessment: This step requires a thorough analysis and assessment of where confidential PHI (protected health information) is located in the business, who has access to it, and how it’s managed. This includes both paper files and electronic files. Security procedures then need to be implemented to reduce the risk of the PHI being accessed inappropriately. One example is documenting that PHI is kept in locked file cabinets and that the key is accessible only to those employees working directly with the client for treatment, insurance, or billing purposes. Another is that electronic PHI, in the form of treatment notes and billing, is handled on a password-protected computer and/or iPad with data encryption software, and that each employee has their own password.

2) Implement Workforce Security and Employee Policies: The business needs to have a plan for who will supervise employee compliance with security measures regarding PHI. There must also be policies and procedures in place for sanctions if an employee fails to comply. An example might be a policy that the office manager supervises all HIPAA/PHI compliance and that each employee has their own password for the computer system. If an employee is found to have left his/her password written at the workstation, the employee will receive a written notice of noncompliance with the security measures. If it happens more than once, suspension or further penalties could result.

3) Implement Security Awareness and Training: There needs to be a training program in place for all employees regarding not only the HIPAA rules but also the specific security measures that are in place for the clinic/business. An example could be annual HIPAA training for all employees, in addition to an annual review of the facility handbook regarding confidentiality measures such as password protection.

4) Implement Facility Controls: Policies and procedures need to be implemented to safeguard and limit physical access to files (paper and electronic) at the facility. These could be policies and procedures about the use of locked doors, a security system, and security cables on the computers. There should also be maintenance policies and records that specify how repairs to the building/facility (such as hardware, door locks, etc.) are completed, in order to document the protection of PHI.

In addition to these items, I found that a private practice should have policies and procedures surrounding PHI protections at workstations (i.e. privacy screens, automatic log-off controls), disposal of hardware and electronic devices to be sure PHI is eliminated, and policies for back-up of PHI data.

5) Contracts for Business Associates: All outside entities and vendors that work with you and your clients and that have access to PHI need to have a signed agreement in place. Sample business associate agreements are available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

As overwhelming as this can be at first glance, it seems the HIPAA requirements are quite common sense. They seem to be practices that are, for the most part, already occurring in the clinic. It appears that it goes back to the age-old saying of “if it wasn’t documented, it didn’t happen”. It appears we just need to be sure to write down (as policies and procedures) all the routine rules and practices that we use in the day-to-day operations of our clinic.

Additional Resources for HIPAA regulations and trainings:

http://www.asha.org/Publications/leader/2013/130401/Policy-Analysis–New-Patient-Privacy-Rules-Take-Effect/
http://www.asha.org/eweb/OLSDynamicPage.aspx?title=HIPAA:%20Protect%20Your%20Clients%20and%20Yourself%20(On%20Demand%20Webinar)&webcode=olsdetails
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/
http://www.asha.org/practice/reimbursement/hipaa/
http://myhipaatraining.com/courses.html
http://www.hipaatraining.com/hipaa-training-for-healthcare-providers.aspx