As a chiropractor, you’re all too familiar with HIPAA. It’s important to make sure you comply so that you don’t face massive fines, but how many of the software tools that you use are HIPAA compliant?
In this blog post, we’ll look at HIPAA compliance as it relates to sales and marketing software solutions for chiropractors.
What is HIPAA?
According to the CDC HIPAA is defined as:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
Why is HIPAA important?
HIPAA is important for a few reasons. It’s important because as a healthcare provider, your job is to help patients and part of helping patients is making sure that their private health information stays private and secure. Next, it’s important because if you violate HIPAA you could be subject to a hefty fine.
According to a blog post by the New Haven Register these fines can be huge:
Fines for reasonable cause cost between $100 and $50,000. Fines for willful negligence are between $10,000 and $50,000 and can also result in criminal charges. For violations that include an intent to sell or use PHI for commercial or personal gain, fines are $250,000.
How does HIPAA apply to technology?
HIPAA is a far-reaching law, and it includes rules for how to handle technology and electronic protected health information (ePHI). There is an entire section of guidance devoted to Cloud Service Providers (CSPs), which you can read about here. To sum up a few of the main points for you:
- A HIPAA covered entity can use a cloud service to store or process ePHI provided they enter into a Business Associate Agreement (BAA) with the CSP. More on this later.
- Even if a CSP stores only encrypted data and doesn’t have a decryption key, they must still enter into a BAA.
- If a covered entity uses a CSP to maintain (e.g., to process or store) ePHI without entering into a BAA with the CSP, the covered entity is in violation of the HIPAA Rules.
- If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, they must report the incident to the covered entity or business associate.
- HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud.
- The HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate.
What’s a Business Associate Agreement?
I mentioned a BAA a few times earlier, but what exactly is it? A Business Associate Agreement (also referred to as Business Associate Contract at times) is an agreement between a covered entity (the chiropractor) and a Business Associate. What’s a business associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
This BAA between the chiropractor and the business associate must:
- Describe the permitted and required uses of protected health information by the business associate
- Provide that the business associate will not use or further disclose the protected health information other than as permitted by the contract or as required by law
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract
You can view a sample business associate agreement here.
How does this pertain to you?
If you’re using any software solutions (CSPs) like online scheduling, a CRM, an EHR or more, or if you’re working with an agency that can see patient data, then you need to make sure that you’ve entered into a business associate agreement with these entities since they are acting as a business associate for your practice.
It’s a good idea to do a quick inventory of the contractors, businesses and software solutions that you employ, and to confirm that the ones that deal with patient information are HIPAA compliant. If they aren’t, you need to either enter into a BAA with these entities or find another service provider; otherwise you’re violating HIPAA.
As always, I hope this blog post was helpful. If you want to learn more about our HIPAA compliant CRM and scheduling solution, then please give us a call at (800) 295-3346.