The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to any entity that is:
- A healthcare provider that conducts certain transactions in electronic form
- A healthcare clearinghouse, or
- A health plan
An entity that is one or more of these types of entities is referred to as a “covered entity”. Therefore, if you are a medical provider submitting claims to insurance companies for services, you are considered a covered entity under HIPAA.
There is plenty of confusion around HIPAA and its requirements, especially as it applies to small providers. Here are a few considerations.
1. You Must Have Written Privacy Policies
If you are a medical practice owner, you are eligible for a HIPAA audit. Government regulators are more likely to audit your practice, which is more likely to fall short of HIPAA’s requirements, and a failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined. The auditors will begin by reviewing the policies and procedures adopted and employed by your practice. HIPAA requires that all covered entities maintain written privacy policies and procedures addressing HIPAA’s three main components: privacy, security, and breach notification. Your policies should address these requirements at a minimum. Not only is it mandatory for your practice to have written policies in place; employees must also be trained on those policies.
2. A Notice of Privacy Practices Does Not Make You HIPAA Compliant
Am I HIPAA compliant if I have a Notice of Privacy Practices and distribute it to all my patients? If that’s all you have, then no. Although distributing a Notice of Privacy Practices is part of being HIPAA compliant, HIPAA requires much more. If you don’t have written privacy policies, your Notice of Privacy Practices may be misleading, and it certainly does not in and of itself make your practice HIPAA compliant.
3. Other HIPAA Requirements
The HIPAA security rule requires all covered entities to conduct a risk analysis to identify any risks to electronic protected health information and to address such risks. It also requires them to implement technical security mechanisms to prevent unauthorized access to patient data. Covered entities are also required to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data.
4. You Must Have HIPAA Agreements With Anyone Who Handles Your Patient Information
Business associate agreements can make HIPAA compliance much easier for small practices and help avoid fines in case of an audit. You should enter into a business associate agreement with any entity that handles or has access to your patients’ protected health information.
5. Do I Need an Attorney?
Certainly, you should contact your attorney if you suspect your practice has had a HIPAA breach or violation. However, since HIPAA isn’t one-size-fits-all, it is also a good idea to contact a knowledgeable attorney to help your practice become HIPAA compliant, starting with written privacy policies and employee training.