HIPAA Compliance for Dermatology: What You Need to Know

HIPAA Compliance for Dermatologists

Are you a dermatologist? Did you know that you need to be HIPAA compliant? As a dermatologist treating patients, you are considered a covered entity under HIPAA, with specific responsibilities. Find out how to become a HIPAA compliant Dermatologist.

What Does HIPAA Require of Dermatology Practices?

As a HIPAA covered entity, it is essential for dermatology practices to be HIPAA compliant. To be HIPAA compliant, you must follow the rules and regulations outlined in the HIPAA Privacy, Security, and Breach Notification Rules. Each of these Rules comes with a specific set of standards to ensure protected health information (PHI) use and disclosure is limited to only authorized parties. 

HIPAA Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of PHI. To comply with the Privacy Rule, dermatologists must limit PHI use and disclosure, provide patients with a Notice of Privacy Practices, and grant patients access to their medical records.

Minimum Necessary Standard

The HIPAA minimum necessary standard requires healthcare providers to limit the use and disclosure of PHI to the minimum necessary to perform specific job functions. This means that employees don’t all need access to the same information to complete the tasks of their jobs. 

For example, a Dermatology Physician likely needs access to a patient’s entire medical history to perform their job successfully, but a Dermatology Physician Assistant likely would not need the same level of access to the chart. An Office Manager would also require different access levels to a patient’s chart, limited to the information they need to book patient appointments, accept payment for the appointment, and submit claims to the patient’s health insurance provider.

HIPAA Notice of Privacy Practices

A HIPAA Notice of Privacy Practices (NPP) provides patients with an explanation of how their PHI will be used and disclosed by their healthcare provider. An NPP must be provided to the patient upon intake before receiving treatment.

An NPP must include:

  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

Right of Access

The HIPAA Right of Access grants patients the right to request copies of their medical records from their healthcare provider. 

Under this standard, providers must provide patients with access to their records:

  • Within 30 days of the request
  • In the format the patient requested them in (e.g., paper, CD, USB)
  • For a reasonable cost-based fee

In 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) prioritized the enforcement of the right of access standard, imposing most of its HIPAA violation fines on organizations that failed to comply with it.


HIPAA Security Rule

The HIPAA Security Rule requires healthcare providers to ensure the confidentiality, integrity, and availability of protected health information (PHI). To meet the requirements of the Security Rule, dermatologists are required to implement administrative, technical, and physical safeguards.

Administrative Safeguards

To meet HIPAA administrative safeguard requirements, practices must conduct an accurate and thorough security risk assessment (SRA). By completing a risk assessment, you can determine what security measures are reasonable and appropriate for your practice, and identify deficiencies in your current security practices.

To complete a risk assessment, follow the steps below:

  • Collect data
  • Identify and document potential threats and vulnerabilities
  • Assess current security measures
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Determine the level of risk

To maintain HIPAA compliance, your practice must complete an SRA annually or whenever there has been a change to your business practices.

Technical Safeguards

The technical safeguards required by HIPAA are meant to ensure that electronic protected health information (ePHI) is secure. 

To meet the requirements, healthcare providers must implement: 

  • Access Controls: policies and procedures that allow only authorized persons to access ePHI.
  • Audit Controls: hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI. 
  • Integrity Controls: policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed. 
  • Transmission Security: security measures that guard against unauthorized access to ePHI transmitted over an electronic network. 

Physical Safeguards

Physical safeguards required by the HIPAA regulation are meant to protect your physical location, your practice’s office. 

Physical safeguards include:

  • Facility access controls that limit access to your office with measures such as locks and security systems
  • Workstation and device security that limits access to devices that have the potential to access ePHI

HIPAA Breach Notification Rule and Breach Notification Requirements

The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information. 

Incidents that are considered reportable breaches include:

  • Hacking or IT incidents
  • Unauthorized access or disclosure of PHI
  • Theft or loss of an unencrypted device with access to PHI
  • Improper disposal of medical records

When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.

Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.

  • Breaches affecting 1 – 499 patients: organizations must keep an account of every breach that involved fewer than 500 patients over the course of the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred (i.e., until March 1st) to report these incidents to the HHS.
  • Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to the HHS within 60 days of discovering the incident. These incidents are posted on the OCR’s online breach portal for public display.

Implementing an Effective HIPAA Compliance Program

Navigating the complexities and nuances of the HIPAA Rules can be difficult to do without guidance. The HHS expects health practices to be aware of their obligations under HIPAA, but they don’t make it easy to understand what exactly that means. To comply with HIPAA, the HHS leaves it up to individual organizations to figure out what is “reasonable and appropriate” to implement in their business. 

But how are you supposed to know what that means for your dermatology practice?

Meeting the HIPAA requirements really boils down to five main points that make up an effective HIPAA compliance program.

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually, and make amendments where appropriate.

Employee HIPAA Training

To make sure that your employees are aware of their responsibilities regarding the HIPAA rules, they must be trained annually. This training must cover HIPAA basics, an overview of your organization’s policies and procedures, and cybersecurity best practices.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use just any vendor and remain HIPAA compliant. The vendor needs to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining their own compliance. A vendor that will not sign a BAA cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system in place for detecting, responding to, and reporting breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.

Dermatologist HIPAA Violations and Fines

Dermatologist HIPAA violations occur when the practice fails to meet the standards set forth by HIPAA. Although a breach can lead to a HIPAA violation, the HHS will not fine an organization simply for being breached. In fact, most HIPAA fines are issued for failing to meet the HIPAA right of access standard, failing to conduct an accurate and thorough SRA, or widespread compliance failures. When an organization has been found in violation of HIPAA, they are subject to fines and corrective actions. Fine amounts differ based on the level of perceived negligence on the part of the healthcare provider, as determined by the HHS’ Office for Civil Rights (OCR).

Patient Photos and HIPAA

Since much of what a dermatologist does involves tracking changes in skin conditions through images, it is also important to understand how you should be handling those photos so that you don’t violate HIPAA.

Things to consider include:

  1. Whether or not the storage of the photos is HIPAA compliant. Do you have a signed BAA with your cloud storage provider? Do you limit access to patient photos to only the employees that need access?
  2. Are you sending patient photos through email? Is your email encrypted? Do you have a signed BAA with your email service provider? 
  3. Are employees aware that patient images can only be shared via social media with explicit patient written authorization? Are you obtaining patient consent to share their images and testimonials on your website?
