ACA HIPAA Compliance

HIPAA for Chiropractors


HIPAA is complex. It can be difficult to determine which aspects of HIPAA apply to your organization and how to implement HIPAA compliant practices. Chiropractic practices are often sole practitioner offices with a handful of support staff, which makes it difficult to scale down HIPAA requirements that were generally written with larger healthcare organizations in mind. To provide guidance to chiropractic practices, this page discusses HIPAA for chiropractors and answers frequently asked questions.

HIPAA and Chiropractors

Yes, as healthcare providers, chiropractors are considered covered entities under HIPAA. HIPAA defines covered entities as healthcare providers, health plans, and healthcare clearinghouses involved in the transmission of protected health information. This transmission can take place for the purpose of payment, treatment, operations, billing, or insurance coverage. Covered entities can be organizations, institutions, or persons.

Yes, as HIPAA covered entities, chiropractors must follow the standards set forth by HIPAA. This includes the rules and regulations established in the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA compliance for chiropractors requires safeguards to be implemented that ensure the confidentiality, integrity, and availability of protected health information (PHI). An effective HIPAA compliance program is how chiropractors achieve this. Such a program includes self-audits, gap identification and remediation, policies and procedures, business associate management, employee HIPAA training, and incident management.

HIPAA training for chiropractors is required annually, and all staff members must also be trained on an annual basis. Training must cover HIPAA basics, cybersecurity best practices, and the policies and procedures specific to your practice.

There is no specific HIPAA form for chiropractors. However, chiropractors must obtain an authorization form from patients before using or disclosing their protected health information for purposes beyond treatment, payment, or healthcare operations. The HIPAA Privacy Rule requires that an individual provide signed authorization to a covered entity before the entity may use or disclose protected health information for certain purposes. This authorization form enables chiropractors to use the patient’s PHI for marketing purposes, or for reasons other than the regular uses and disclosures for treatment, payment, or healthcare operations.

HIPAA Overview

HIPAA standards require that covered entities and business associates protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA’s standards are further defined by the HIPAA Privacy, Security, and Breach Notification Rules.

The HIPAA Privacy Rule dictates the proper uses and disclosures of protected health information (PHI). This includes how PHI can be shared between providers, health plans, and business associates. The Privacy Rule also dictates that PHI use and disclosure should be limited to only the minimum necessary to perform a job function.

The HIPAA Security Rule dictates the security measures that must be in place to secure protected health information (PHI). The Rule requires organizations to implement security measures that are “reasonable and appropriate” for their organization. This means that a sole practitioner chiropractic office is not expected to have the same security measures in place that a hospital has. To determine which measures are appropriate for your organization, you are required to conduct a security risk assessment annually to identify risks and vulnerabilities to PHI.

The Breach Notification Rule requires covered entities and business associates to report breaches that compromise the privacy or security of protected health information (PHI). Reporting requirements differ depending on how many patients are affected by a breach. Breaches affecting fewer than 500 patients must be reported to the affected patients and to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). These breaches can be reported annually, by March 1 of the following year. Breaches affecting 500 or more patients must be reported to the affected patients, HHS’ OCR, and media outlets. These breaches must be reported within sixty (60) days of discovering the incident.

Protected health information is individually identifiable health information created, used, or disclosed during the course of diagnosis or treatment. It can relate to the past, present, or future provision of healthcare.

The Department of Health and Human Services classifies PHI into 18 identifiers as follows:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address