PA G E �1

H I PA A G U I D E A P R A C T I C A L G U I D E T O

P R O T E C T I N G YO U A N D YO U R C L I E N T S L E A N T O WA R D S J OY, L L C

H I PA A G U I D E

A P R A C T I C A L G U I D E T O

P R O T E C T I N G YO U A N D YO U R C L I E N T S

S E C O N D E D I T I O N

L E A N T O WA R D S J OY, L L C

© Copyright 2018

Are You HIPAA Compliant? 5 ............................................................................

Who is This HIPAA Guide For? 7 ........................................................................

This Guide is For Everyone 7 ........................................................................................

What if I already received training from my agency? 7 ...................................................

What if I don’t need to be HIPAA compliant? Why do I need this? 8 ..............................

What is HIPAA? 9 ..............................................................................................

Important Key Dates in HIPAA History 10 ......................................................................

The Main Components of HIPAA 10 ..............................................................................

HIPAA Acronyms 11 ...........................................................................................

Privacy Rule 12 ..................................................................................................

Who and what does it protect? 12 ................................................................................

What is de-identified health information? 13 ..................................................................

Who is covered by the Privacy Rule? 13 ........................................................................

When can a covered entity disclose protected information? 15 .......................................

When can a covered entity disclose protected information without authorization? 16 .......

How does marketing fit into the Privacy Rule? 17 ...........................................................

What privacy notices should be given and when? 18 ......................................................

What are the administrative requirements for the Privacy Rule? 18 ..................................

How does the Privacy Rule apply to minors? 19 .............................................................

Who enforces the Privacy Rule? 19 ...............................................................................

Security Rule 20 ................................................................................................

Who is covered by the Security Rule? 21 .......................................................................

What information is covered under the Security Rule? 21 ................................................

What requirements does the Security Rule have? 21 .......................................................

Does the size of my organization matter? 22 .................................................................

When should a covered entity perform a risk analysis? 22 ..............................................

What are the other administrative safeguards besides risk analysis? 23 ...........................

What are the physical and technical safeguards within the Security Rule? 23 ...................

How does the Security Rule apply to business associates? 24 .........................................

Who enforces the Security Rule? 24 ..............................................................................

Breach Notification Rule 25 ...............................................................................

PA G E �3

What is a breach? 25 ..................................................................................................

When are breach notifications required? 26 ..................................................................

Who is notified when there is a breach? 27 ...................................................................

Business Associates 28 ......................................................................................

Who are they? 28 ........................................................................................................

What is a business associate agreement? 28 ..................................................................

Do all business associates need to be HIPAA compliant? 29 ...........................................

What compliant business associates does your organization use? 29 ...............................

Sample Business Associate Agreement (BAA) 30 ...........................................................

Practical Products For Your Day-to-Day Tasks 35 .............................................

Computers 36 ..............................................................................................................

Mobile Devices 37 .......................................................................................................

Telephones 37 .............................................................................................................

Email Service 38 ..........................................................................................................

Insurance Payment Reimbursement 41 ...........................................................................

Healthcare Clearinghouses 41 .....................................................................................

Data-Storage Companies 42 .........................................................................................

Video-Conferencing Services 44 ...................................................................................

Web Hosting and Forms 45 ..........................................................................................

Therapy Notes 47 ........................................................................................................

Payment Processing 48 .................................................................................................

Bundled Product Comparison 50 ...................................................................................

Mobile Device Security 51 .................................................................................

Encrypting Your Device 53 ...........................................................................................

Enable Remote Wipe 57 ...............................................................................................

Limit App Access 58 .....................................................................................................

Easy HHS and OCR Links 60..............................................................................

PA G E �4

A R E YO U H I PA A C O M P L I A N T ? When I first set out to write this guide, I had a no idea about the complexity of the law. I understood its stated purpose was to protect the privacy of a client. Most people are aware of its obvious compliancy components. For example: don’t share patient information, use encrypted communications, don’t leave your laptop open and unlocked at a coffee shop while you get up for another refill, etc. These are all pretty obvious. However, they are just the tip of the iceberg.

HIPAA compliancy is a big deal. If you don’t think it is worth the time to properly comply, consider the fines associated with a HIPAA violation. A simple “I didn’t know” violation will cost you anywhere from $100 - $50,000 per violation. And if you don’t think the U.S. Department of Health and Human Services is serious about enforcing its policies, just look at the case where they fined Alaska’s own Department of Health and Human Services $1.7 million for an unencrypted USB hard drive being stolen. This fine was levied for poor policies and poor risk analysis. The Catholic Health Care Services of the Archdiocese of Philadelphia was fined $650,000 for one person’s mobile device being stolen. The University of Massachusetts was fined $650,000 for a malware infection. And Lincare, Inc. (a medical supply provider) was fined $239,800 for unprotected documents affecting only 278 clients. How many current and past clients are in your records? Can you afford paying $862 per client for not following the proper guidelines?

I know I might have raised your heart rate a little with my introduction. It is not my intention to freak you out, only to get you to pay attention to the importance of being HIPAA compliant.

The Department of Health and Human Services Office of Civil Rights (OCR) is not a self-funded office. The agents working within the OCR receive their salaries from the federal government’s budget. I mention this because it is important to know that the OCR does not have its eye on the citation. They are not looking to make money off the fines they levy. They are an organization that is truly passionate about protecting patients’ information.

PA G E �5

I have no doubt that you, too have a passion for your clients and the work you do with them. HIPAA violations are seldomly the result of malice actions. Most providers would not want any harm to come as a result of their client’s protected information being disclosed. However, stuff happens. So, you want to make sure you take responsible actions to protect this information. Think of HIPAA as a nice guideline to follow. The writers of this law took into account all the ways information can get into the wrong hands and has laid out some rules to follow.

When you first set out on your heart-centered path for helping people, you did so with the moral intention of doing no harm to your clients. However, by not following proper HIPAA rules, you could potentially be putting your clients at risk. Unfortunately, for most practitioners, you won’t realize the unauthorized use or disclosure of your clients’ information until they have already been harmed.

So, who investigates HIPAA? The Office of Civil Rights (OCR)is tasked with enforcing the Privacy and Security Rules found within HIPAA (more on those later). However, more than likely you will not get a call from the OCR investigating your HIPAA compliancy unless they receive a breach notification by a business associate, an affected client, or an attorney for the opposing party. (The latter example is usually seen with therapists involved in a custody dispute.)

As you are reading this you might be counting all of your cohorts that are in violation of HIPAA; for some it can be comforting to know they are not alone. I see providers several times a week who are unknowingly violating HIPAA guidelines. The key is to start where you are. Now that you know you are doing something wrong or something that is not the “best practice”, make a shift. Becoming HIPAA compliant will not only protect your clients, it will protect your organization.

The following information in this guide is meant to ease your transition into HIPAA compliancy. This guide is a broad overview of the key elements of HIPAA. This information is meant for educational and general information purposes. To make it easier for readers to comply with all the requirements of HIPAA and view the full text of the regulations, I have included links to the Office of Civil Rights (OCR) website at the end of this guide. The OCR office is within the Department of Health and Human Services.

PA G E �6

W H O I S T H I S H I PA A G U I D E F O R ?

T H I S G U I D E I S F O R E V E RYO N E

Whether you are a patient or a provider, it is important to know about HIPAA and what its practical applications are. HIPAA is not about compliance - it’s about patient care.

W H AT I F I A L R E A DY R E C E I V E D T R A I N I N G F R O M M Y A G E N C Y ?

More than likely if you are reading this guide you already know you need to be HIPAA compliant given your profession. Many licensed professionals are familiar with HIPAA through their training and from interning or working at an agency. However, usually the agency provided them with the training, policies, and procedures to stay HIPAA compliant within that agency. Once out on your own, you will need to develop new policies and procedures to stay compliant within your new environment.

PA G E �7

W H AT I F I D O N ’ T N E E D T O B E H I PA A C O M P L I A N T ? W H Y D O I N E E D T H I S ?

HIPAA compliance is meant for more than just therapists and doctors. Covered entities are explored in more detail within the Privacy Rule section of this guide. However, regardless of the Department of Health and Human Services definition, I always advocate HIPAA compliance for any professional providing a healing service to a client. This includes, but is not limited to, Reiki practitioners, massage therapists, and acupuncturists.

Although a non-covered entity may not be held accountable by the Office of Civil Rights, it is still held accountable by its clients. Client care is the reason for your occupation and to protect their personal information is a continuation of that care. Clients assume a level of confidentiality when they use your services. Following the guidelines of HIPAA will protect your clients from unintentional disclosures of their information as well as protect you and your organization from civil lawsuits that could arise from such a disclosure.

PA G E �8