What Does HIPAA Require of Dermatology Practices?
Dermatology practices are HIPAA covered entities, so they must be HIPAA compliant. To be HIPAA compliant, a practice must follow the rules and regulations outlined in the HIPAA Privacy, Security, and Breach Notification Rules. Each of these Rules comes with a specific set of standards to ensure that the use and disclosure of protected health information (PHI) is limited to authorized parties only.
HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of PHI. To comply with the Privacy Rule, dermatologists must limit PHI use and disclosure, provide patients with a Notice of Privacy Practices, and grant patients access to their medical records.
Minimum Necessary Standard
The HIPAA minimum necessary standard requires healthcare providers to limit the use and disclosure of PHI to the minimum necessary to perform a specific job function. This means that not all employees need access to the same information to complete the tasks of their jobs.
For example, a Dermatology Physician likely needs access to a patient’s entire medical history to perform their job successfully, but a Dermatology Physician Assistant likely would not need the same level of access to the chart. An Office Manager would also require different access levels to a patient’s chart, limited to the information they need to book patient appointments, accept payment for the appointment, and submit claims to the patient’s health insurance provider.
HIPAA Notice of Privacy Practices
A HIPAA Notice of Privacy Practices (NPP) provides patients with an explanation of how their PHI will be used and disclosed by their healthcare provider. An NPP must be provided to the patient upon intake before receiving treatment.
An NPP must include:
- The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- A description of how PHI can be used for treatment, payment, and health care operations.
- A description of the types of PHI uses and disclosures requiring patient authorization.
- A description of the circumstances in which the covered entity may use or disclose PHI without written authorization. A covered entity may use or disclose PHI without authorization for a number of purposes; examples include public health activities, health oversight activities, and judicial proceedings.
- The name, title, and phone number of a person or office to contact for further information or questions about the notice.
- The date on which the notice is first in effect.
- A statement that an individual may revoke an authorization.
Right of Access
The HIPAA Right of Access grants patients the right to request copies of their medical records from their healthcare provider.
Under this standard, providers must give patients access to their records:
- Within 30 days of the request
- In the format the patient requested (e.g., paper, CD, USB)
- For a reasonable cost-based fee
In 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) prioritized the enforcement of the right of access standard, imposing most of its HIPAA violation fines on organizations that failed to comply with it.