The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, and it is extremely important to anyone in the business of providing health care in the United States. Many of you already know HIPAA well, but a lot of confusing and sometimes even contradictory information still circulates. This post is designed to provide a very gentle introduction to some basic HIPAA terminology and concepts. HIPAA can be overwhelming, but it needn't be!
This post should clear up some misconceptions about HIPAA compliant online tools and services. By the way, we are not attorneys and thus nothing in this post should be considered legal advice.
What is a HIPAA Covered Entity?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a standard transaction such as a claim. So, for example, if you submit health claims electronically to an insurance company, you are transmitting health information and are therefore a covered entity.
If you are a provider who is 100% paper based and never does anything electronically, then you are not a covered entity and HIPAA does not apply to you.
This is a great simplification of the covered entity definition, but a good rule of thumb is that if you store anything about patients electronically, it is safer to assume HIPAA covers you. For example, if you enter a patient's name in your Google calendar or your iPhone calendar, that entry is patient information, and it is being transmitted to "somewhere else" even if only you can see it. The actual rules are much more complex, but being HIPAA-aware is much better than assuming you are not covered.
What is a Business Associate?
A business associate is a vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
So, for example, if a billing company submits claims for you, that billing company is a business associate. iCouch is an example of a business associate. If you use Gmail to send appointment reminders, Gmail is functioning as a business associate (unbeknownst to Google). However...
A business associate has no obligations to you or to your HIPAA compliance unless there is a Business Associates Agreement (BAA). What that means is that if you use Gmail to email your patients, or PayPal to invoice for therapy sessions, without a Business Associates Agreement with Google or PayPal, you are the one who has handed PHI to a vendor that is not bound to protect it, and you are liable for anything that happens on their systems. If you store patient data on Dropbox and Dropbox gets hacked, you are the one who will pay the fines!
HIPAA-compliant technology is meaningless unless you have a Business Associates Agreement. HIPAA-compliant technology is meaningless unless you have a Business Associates Agreement.
That was repeated for a reason. Any vendor that claims HIPAA compliance without actually providing you a Business Associates Agreement should never be used for any patient information! No technology is HIPAA compliant on its own; compliance describes how the vendor (and you) handle PHI, and the BAA is what legally binds the vendor to safeguard that PHI, to report breaches to you, and to comply with the HIPAA Security Rule itself. A vendor saying it is HIPAA compliant makes no legal difference to you without a BAA. I know I've really hammered that point, but it is critically important. Without a BAA, there is no practical difference between HIPAA compliant and not, because nothing obligates the vendor to you when their systems fail.
By the way, here's a link to the iCouch Business Associates Agreement.
The first question you should ask a potential technology vendor is "Where's the Business Associates Agreement?" If there isn't one, then all the compliance in the world is irrelevant to you, because you will not be protected: you will assume all liability for any protected health information that system holds on your behalf.
What is Protected Health Information?
Protected Health Information (PHI) is any individually identifiable information, in any form (electronic, paper, or spoken), about a person's health status, the provision of health care to that person, or payment for that care, that is created, received, or held by a Covered Entity or a Business Associate of a Covered Entity.
A PayPal invoice for a therapy session? That's PHI. An appointment confirmation? That's PHI. A treatment plan? Also PHI. An email reply to an inbound appointment request? That's PHI too, because it is information about the provision (or attempted provision) of health care to an identifiable person.
This isn't meant to scare you. It's to demonstrate that Protected Health Information isn't always as obvious as a progress note or a treatment plan. Sometimes it's as seemingly benign as an email reply saying "See you tomorrow for your appointment! Sincerely, Dr. Joan A. Therapist, HappyWays Counseling Center." That one line ties an identifiable person (the recipient's email address) to the fact that they are receiving counseling, and that is enough to make it PHI.
This was meant to be a short, gentle introduction to some basic HIPAA topics. There's a lot more you should know, but understanding some of the basic terminology is a good first step to ensuring you're compliant.
We've written a lot about HIPAA. Here are some other articles that you might find helpful:
- HIPAA and behavioral health: can you share with friends and family?
- Therapist website security and why it should scare you
- Is Skype HIPAA compliant? No, it's not.
- Therapy client emails can get you in trouble with health privacy
Are you interested in an absolutely free consultation about HIPAA compliance and how iCouch might be able to help? Book a video consultation with me to get your questions answered! The purpose of the consultation is to learn more about your practice, answer questions you might have about HIPAA and provide you with some guidance.