HIPAA for Chiropractors
HIPAA FAQs
HIPAA is complex. It can be difficult to determine which parts of HIPAA apply to your organization and how to implement compliant practices. Chiropractic practices are often sole-practitioner offices with a handful of support staff, which makes it hard to scale requirements that were written with larger healthcare organizations in mind. To provide guidance to chiropractic practices, HIPAA for chiropractors and the most common HIPAA FAQs are discussed below.
HIPAA and Chiropractors
Chiropractors, as healthcare providers, are covered entities under HIPAA. HIPAA defines a covered entity as a healthcare provider, health plan, or healthcare clearinghouse that transmits protected health information electronically in connection with a standard transaction. Such transmissions take place for purposes such as claims, payment, treatment, operations, billing, or insurance coverage. Covered entities can be organizations, institutions, or individual persons.
As covered entities, chiropractors must follow the standards HIPAA sets forth. This includes the rules and regulations established in the HIPAA Privacy, Security, and Breach Notification Rules.
HIPAA compliance for chiropractors requires safeguards that ensure the confidentiality, integrity, and availability of protected health information (PHI). An effective HIPAA compliance program is how a practice puts those safeguards in place and proves it has done so. Such a program includes self-audits, gap identification and remediation, written policies and procedures, business associate management, employee HIPAA training, and incident management.
HIPAA training is required for chiropractors and for every member of their workforce. The Privacy Rule requires training when a person joins the workforce and whenever a material change in policies affects their job; the Security Rule requires an ongoing security awareness and training program. HIPAA does not set a fixed interval, but annual training is the widely accepted benchmark and is what OCR expects to see documented. Training should cover HIPAA basics, cybersecurity best practices, and the policies and procedures specific to your practice.
There is no chiropractor-specific HIPAA form. However, the HIPAA Privacy Rule requires a covered entity to obtain an individual's signed authorization before it uses or discloses that individual's protected health information for purposes other than treatment, payment, or healthcare operations. An authorization form is what allows a chiropractor to use a patient's PHI for marketing, or for any other purpose outside the routine uses and disclosures for treatment, payment, or healthcare operations.
HIPAA Overview
HIPAA standards require that covered entities and business associates protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA’s standards are further defined by the HIPAA Privacy, Security, and Breach Notification Rules.
The HIPAA Privacy Rule dictates the proper uses and disclosures of protected health information (PHI). This includes how PHI can be shared between providers, health plans, and business associates. The Privacy Rule also dictates that PHI use and disclosure should be limited to only the minimum necessary to perform a job function.
The HIPAA Security Rule dictates the administrative, physical, and technical safeguards that must be in place to protect PHI held or transmitted in electronic form (ePHI). The Rule requires organizations to implement safeguards that are "reasonable and appropriate" for their size, complexity, and resources. This means a sole-practitioner chiropractic office is not expected to have the same security measures as a hospital. To determine what measures are appropriate for your organization, you are required to conduct a security risk analysis that identifies the risks and vulnerabilities to ePHI. The Rule does not fix an interval, but the analysis must be kept current; in practice that means repeating it at least annually and whenever the practice changes systems, vendors, or locations.
The Breach Notification Rule requires covered entities and business associates to report breaches that compromise the privacy or security of protected health information (PHI). Affected patients must always be notified without unreasonable delay, and no later than sixty (60) days after the breach is discovered, regardless of how many people are affected. What differs with the size of the breach is notification to the Department of Health and Human Services (HHS') Office for Civil Rights (OCR) and the media. Breaches affecting fewer than 500 patients may be logged and reported to OCR annually, within 60 days of the end of the calendar year in which they were discovered (by March 1 of the following year). Breaches affecting 500 or more patients must be reported to OCR, and to prominent media outlets serving the affected area, within sixty (60) days of discovery.
Protected health information is individually identifiable health information that is created, received, used, or disclosed in the course of providing or paying for healthcare. It can relate to the past, present, or future provision of, or payment for, healthcare.
The Department of Health and Human Services lists 18 identifiers that, when they can be linked to an individual, make health information PHI. Under the Privacy Rule's Safe Harbor method, a record is considered de-identified only when all 18 have been removed. The identifiers are:
- Name
- Address (including subdivisions smaller than state such as street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
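The list above is also the checklist for the Safe Harbor de-identification method. The following Python script is an added example, not something from the original page, showing how a practice might apply that checklist to an exported record before sharing it, for instance with a researcher or an analytics vendor that has not signed a BAA. It drops the direct identifiers outright, generalizes dates to the year, collapses ages over 89 into a single "90+" bucket, reduces ZIP codes to a 3-digit prefix, scrubs identifiers that hide inside free-text notes, and then re-scans the result for anything that slipped through. The field names, the regex patterns, the `populous_prefixes` allowlist, and the sample record are all constructed for this example; the MM/DD/YYYY date format is an assumption.

```python
import re

# Fields dropped outright because they are direct identifiers (constructed field
# names; map them to whatever your EHR export actually calls them).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_plate", "device_serial", "ip_address",
}

# Identifiers that tend to hide inside free-text notes. Patterns are deliberately
# simple; they are an illustration, not a validated production scrubber.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE),
}
# Full dates (assumed MM/DD/YYYY). Safe Harbor lets the year stand, so the
# replacement keeps group 3 and discards month and day.
DATE_PATTERN = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def scrub_text(text):
    """Replace free-text identifiers with typed placeholders; dates keep the year.
    Returns (scrubbed_text, list_of_identifier_labels_found)."""
    findings = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, n = pattern.subn(f"[{label.upper()}]", text)
        findings.extend([label] * n)
    text, n = DATE_PATTERN.subn(lambda m: f"[DATE:{m.group(3)}]", text)
    findings.extend(["date"] * n)
    return text, findings


def generalize_age(age):
    """Safe Harbor requires ages over 89 to be collapsed into one 90+ bucket."""
    return "90+" if age > 89 else age


def generalize_zip(zip_code, populous_prefixes):
    """Keep the 3-digit ZIP prefix only when that area holds more than 20,000
    people (an allowlist you supply; assumed here); otherwise the rule says 000."""
    prefix = zip_code[:3]
    return prefix if prefix in populous_prefixes else "000"


def deidentify_record(record, populous_prefixes=frozenset()):
    """Return a new record with the 18 Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if field == "dob":
            out["birth_year"] = value[-4:]  # keep the year only (assumes MM/DD/YYYY)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value, populous_prefixes)
        elif isinstance(value, str):
            out[field], _ = scrub_text(value)  # notes, visit dates, etc.
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """Post-scrub check: any string field the patterns still match is a leak."""
    leaks = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                leaks.append((field, label))
        if DATE_PATTERN.search(value):
            leaks.append((field, "date"))
    return leaks


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "A1234567",
    "dob": "03/14/1931",
    "age": 93,
    "zip": "02115",
    "visit_date": "06/02/2024",
    "notes": ("Pt reports low back pain since 05/20/2024. Called 617-555-0142 to "
              "reschedule; spouse email jane.example@mail.test. Prior MRN: 998877. "
              "Portal login from 203.0.113.7."),
}

if __name__ == "__main__":
    clean = deidentify_record(SAMPLE_RECORD, populous_prefixes={"021"})
    for k, v in clean.items():
        print(f"{k}: {v}")
    print("residual identifiers:", residual_identifiers(clean))
```

The second pass in `residual_identifiers` is the part worth keeping even if you replace the scrubber with a commercial tool: de-identification failures are almost always in free-text fields, so verify the output rather than trusting the field mapping. Note that Safe Harbor also forbids keeping any other unique code that could be re-linked to the patient, so a "study ID" derived from the MRN would still have to go.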
HIPAA regulation defines a covered entity as healthcare providers, health plans, and healthcare clearinghouses involved in the transmission of protected health information (PHI). This transmission can take place for the purpose of payment, treatment, operations, billing, or insurance coverage. Covered entities can include organizations, institutions, or persons.
A HIPAA business associate is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits protected health information while performing a function or service on behalf of the covered entity.
A HIPAA business associate may include:
- Medical billing services
- IT service providers
- Practice management services
- Software providers
- Storage providers (both cloud and physical)
- EHR providers
A business associate agreement (BAA) is a legal contract between a covered entity and a business associate, or between a business associate and its subcontractor. A BAA limits the liability of both parties because it requires each signing party to be HIPAA compliant and to remain responsible for maintaining its own compliance. It also spells out the permitted uses of PHI, the safeguards required, and which party must report a breach, and how quickly, should one occur.
A BAA must be signed with any business associate that could access or view protected health information (PHI), and it must be in place before any PHI is shared between the entities.
A Notice of Privacy Practices (NPP) describes how the covered entity may and may not use protected health information (PHI), what the patient's rights with respect to that PHI are, and what the covered entity's obligations are. The NPP must be provided to patients no later than their first visit, posted where patients can see it, and available as a copy on request. The covered entities that must develop an NPP are (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers that electronically transmit any health information in connection with a HIPAA standard transaction.
The HIPAA Privacy Rule dictates that protected health information (PHI) use and disclosure should be limited to only the minimum necessary to perform a job function. This means that healthcare providers should only access a patient’s PHI when they need to do so. The minimum necessary standard also requires PHI access to be limited based on an employee’s job role, and PHI access to be monitored and logged to ensure adherence to the standard.
The HIPAA Privacy Rule generally gives individuals a legal, enforceable right to see and receive copies, on request, of the information in the medical and other health records that their healthcare providers and health plans maintain. This right is known as the HIPAA right of access. Under this standard, patients must be provided the requested records within thirty (30) days of the request (one 30-day extension is allowed if the patient is told why in writing), in the form and format they asked for (for example, paper records, CD, or digital copies) if the records are readily producible that way.
HIPAA Violations and Fines
HIPAA violations occur when covered entities or business associates fail to make a “good faith effort” to ensure the confidentiality, integrity, or availability of protected health information (PHI). Failure to address just one requirement of HIPAA can result in a HIPAA violation, subjecting the organization to fines and corrective actions.
Common HIPAA violations include:
- Improper use or disclosure of PHI
- Improper security safeguards
- Failure to conduct a risk assessment
- Failure to comply with the minimum necessary rule
- Failure to implement access controls
- Failure to provide patients with Notice of Privacy Practices
- Failure to encrypt devices containing PHI when it was reasonable and appropriate to do so
- Failure to comply with the HIPAA right of access standard
The Department of Health and Human Services (HHS') Office for Civil Rights (OCR) sets fine amounts based on the level of negligence involved. There are four penalty tiers, from least to most severe. The dollar figures below are the inflation-adjusted amounts published around 2020; OCR adjusts them each year, and each tier also carries an annual cap of roughly $1.75 million for identical violations.
- Tier 1 is the "No Knowledge" Tier. Under this tier, the organization did not know, and by exercising reasonable diligence would not have known, that it or a member of its workforce violated a HIPAA provision. The maximum fine under this tier is about $58,000 per violation.
- Tier 2 is the "Reasonable Cause" Tier. Under this tier, the violation was due to reasonable cause rather than willful neglect. "Reasonable cause" means an act or omission in which the covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA regulation, but the act or omission was not the result of willful neglect. The maximum fine under this tier is about $58,000 per violation.
- Tier 3 is the "Willful Neglect – Corrected" Tier. Under this tier, the violation was due to willful neglect but was corrected within 30 days of the organization learning of it. The maximum fine under this tier is about $58,000 per violation.
- Tier 4 is the "Willful Neglect – Not Corrected" Tier. Under this tier, the violation was due to willful neglect and was not corrected within 30 days. The maximum fine under this tier is about $1.75 million per violation.
Any suspected HIPAA violation should be reported as soon as it is discovered, although patients and employees have no legal obligation to report one. Under HIPAA, covered entities must provide a process for complaints, and they may not retaliate against a workforce member who files a complaint or reports a suspected violation in good faith, so employees can report without fear of repercussion.