
Are You Crossing the HIPAA Line?

10 Common HIPAA Violations and How to Avoid Them
Laurie Zabel

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was established in 1996 to set national standards for the confidentiality, security and transmissibility of personal health information. Most chiropractors are familiar with the HIPAA law and fully aware of the importance of protecting their patients' health information.

However, many DCs across the country still have questions regarding HIPAA's rules and regulations. Those who are not up-to-date on changes in the law may be at risk of a potential violation that could not only damage a practice's reputation, but also result in significant criminal and civil fines.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule requires the protection and confidentiality of personal health information, and sets limits and conditions on its use and disclosure without patient authorization. The rule also gives patients rights to their health information, including rights to obtain a copy of their medical records and request corrections.

However, there are situations that require an exception to the rule, such as when applying it would hinder the ability to provide quality health care services. For example: discussions between two physicians who are both treating a patient; disclosures needed by health plans to resolve billing questions; peer-review activities; and other similar situations.

Who Does HIPAA Affect?

The Department of Health and Human Services defines covered entities as health care providers, health plans, and health care clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some health care services, and even government agencies. However, the list of those affected by HIPAA does not end there.

What Is the Penalty for a Violation?

HIPAA violations can result in substantial fines to a practice, ranging from $100 to $1.5 million. Health care providers also can be at risk for sanctions or loss of license.

Common Reasons for HIPAA Violations

1. Texting patient information: Texting patient information such as test results or vital signs is often an easy way providers can relay information quickly. While it may seem harmless, it is potentially placing patient data in the hands of cybercriminals who could easily access this information. There are new encryption programs that allow confidential information to be texted safely, but both parties must have it installed on their wireless device, which is typically not the case.

2. Lost or stolen devices: Another common HIPAA violation is the theft of PHI (protected health information) through lost or stolen laptops, desktops, smartphones and other devices that contain patient information. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place, such as password-protected access and encryption for patient-specific information.

3. Using home computers to access patient information: Most clinicians use their home computers or laptops after-hours to access patient information to record notes or follow-ups. This could potentially result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer.

Make sure your computer and laptop are password protected, and keep all mobile devices out of sight to reduce the risk of patient information being accessed or stolen.

4. Employees illegally accessing patient files: Employees accessing patient information when they are not authorized to do so is another common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. Individuals who use or sell PHI for personal gain also can be subject to fines and even prison time.

5. Lack of training: One of the most common reasons for a HIPAA violation is employee lack of familiarity with HIPAA regulations. Often only managers, administration and medical staff receive training, although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained.

Compliance training is one of the most proactive and easiest ways to avoid a violation.

6. Social media missteps: Posting patient photos on social media is a HIPAA violation. While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor's specialty, which is a breach of the patient's privacy. Make sure all employees are aware that the use of social media to share patient information is considered a violation of HIPAA law.

7. Employees disclosing patient information: Employees gossiping about patients to friends or co-workers is also a HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

8. Social breaches: An accidental breach of patient information in a social situation is extremely common, especially in smaller, more rural areas. Most patients are not aware of HIPAA laws and may ask the provider or clinician (e.g., in church or while at an event) about a friend who is a patient and has back problems or may be suffering from heart disease.

While these types of inquiries will happen, it is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing private patient information.

9. Overlooked authorization requirements: A written consent is required for the use or disclosure of any individual's personal health information that is not used for treatment, payment or health care operations, or permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

10. Mishandling of medical records: Another common HIPAA violation is the mishandling of patient records. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's exam room available for another patient to see. Printed medical records must be kept locked away and safe, out of the public's view.

The privacy and security of patient health information should be a priority for all doctors of chiropractic. Make sure your materials are current, update your manuals and conduct annual HIPAA training to prevent potential violations.

Most violations can be easily prevented by implementing HIPAA regulations into practice policies and procedures, and ensuring all individuals with access to patient information receive the proper training.
