Adam Lueken
Whether you own and/or practice in a dermatology clinic, medspa, laser treatment center or any other facility that provides medical or cosmetic dermatology care to patients, you deal with protected health information (PHI), which makes you subject to HIPAA regulations. Neglecting HIPAA compliance can be costly.
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that helps protect the privacy and security of individuals’ health information. HIPAA requires organizations that handle PHI to set physical, technical and administrative safeguards to ensure confidentiality, integrity and availability (CIA). It also sets limits on how and when PHI can be used or disclosed. In addition, HIPAA requires organizations to provide patients with access to their health records and the right to request corrections.
There are two main parts to HIPAA: the Privacy Rule and the Security Rule.
The Privacy Rule mainly requires that your practice achieves the following:
Protect patients’ PHI.
Provide patients access to their medical records.
Maintain patient confidentiality.
Engage in limited, minimum necessary use and disclosure of patient PHI for the purposes of treatment, payment, and health care operations.
Designate a privacy officer or responsible person in the practice who will be responsible for the implementation and oversight of the HIPAA Privacy Rule.
The Security Rule encompasses applies to all data that is created in an electronic format, with regard to PHI as addressed by the Privacy Rule. This rule applies only to electronic PHI (ePHI), not oral or paper PHI, and mainly requires that your practice achieves the following:
Ensure the confidentiality, integrity, and availability (CIA) of ePHI that the covered entity creates, receives, maintains or transmits.
Protect against any reasonably anticipated uses or disclosures of ePHI which are not permitted by the Privacy Rule.
Ensure that the practice and its workforce, including business associates, understand and comply with the Security Rule’s requirements.
Typically, patients have to give permission for PHI to be shared, but physicians and other providers can share some PHI without the patient’s written consent if it is for treatment, payment or operations.
The primary purpose of HIPAA is to prevent PHI breaches. Providers can protect themselves from breaches by taking a few key actions. A Security Risk Analysis (SRA) should be completed to identify gaps in compliance. Data encryption should be used on any device that houses PHI. This is because the government does not require breach reporting if a lost or stolen device was encrypted. Also ensure that HIPAA policies and procedures are current and implemented, including an annual HIPAA compliance training for all team members with access to PHI (clinical and administrative). You can use the AAD’s HIPAA Training for Medical Office Module to comply with this requirement.
In addition to that took, the AAD has several other resources to help you ensure HIPAA compliance:
HIPAA security risk analysis tool
HIPAA Training for Medical Office Module
HIPAA compliance is not just about avoiding breaches and the related financial penalties that come with them. It is also about creating and maintaining trust with your patients and keeping a good reputation in your community.
If you are looking for additional HIPAA compliance support along with relief from other administrative burdens, we’re always a phone call or click away. Schedule a consultation with one of our practice management experts today!