To support Vagaro businesses that are in the healthcare and wellness industries, we have redesigned our privacy rules to make sure that we comply with the requirements of the HIPAA Privacy Rules.
Click here to learn how to send HIPAA-compliant text messages, push notifications, and emails to clients in Vagaro.
In this article, we will go over:
- The definition of HIPAA (follows)
- The HIPAA Privacy & Security Rules
- The types of businesses that must follow HIPPA
- The type of information that is protected
- How the Information is Protected
- Recommendations to stay HIPAA Compliant
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) was established to protect patient health information and control its use.
The main goal is to ensure that patient information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and protect a client's health and well-being.
Since the health care industry is so diverse, HIPAA is designed to be flexible and comprehensive to cover the different ways information is used while protecting the privacy of people who seek care and healing.
The HIPAA Privacy and Security Rule
HIPAA rules consist of national standards to protect patient medical records and other personal health information. It also:
Gives patients more control over their health information.
Sets boundaries on the use and release of health records.
Establishes appropriate measures that health care professionals and others must achieve to protect the privacy of medical information.
Keeps violators accountable by imposing civil and criminal penalties for violating patient privacy rights.
For patients, it means being able to make informed decisions when seeking care based on how personal health information is used. It specifically:
Allows patients to find out how their information is used.
Generally restricts the release of information to the minimum needed for the purpose of the disclosure.
Generally gives customers the right to examine and get a copy of their health records and request corrections.
Permits individuals to control certain uses and disclosures of their health information.
Who Must Follow HIPAA
The following entities are considered covered entities and must follow HIPAA:
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers - especially those that conduct certain business electronically, such as electronic health insurance billing. This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses - businesses that process nonstandard health information they receive from another entity or vice versa.
- Business Associates by virtue of their relationship with covered entities.
What Type of Information is Protected?
- Client medical records inputted by doctors, nurses, and other health care providers.
- Patient conversations with doctors about care or treatment with nurses and others.
- Client information that's entered in a health insurer’s computer system.
- Billing information about the client and clinic.
- Other client health information held by professionals who are required to follow HIPAA laws.
How is the Information Protected?
- Healthcare businesses must have the proper measures in place to protect health information and ensure that it is not used or disclosed improperly.
- Facilities must have procedures in place to restrict who can view and access client health information and implement training programs for employees on how to protect your medical information.
- Entities must have the appropriate safeguards to protect health information and ensure they do not use or improperly release this data.
Recommendations to Stay HIPAA Compliant
Here's a list of recommendations by the U.S. Department of Health and Human Services to help you stay HIPAA compliant.
1 - Establish clinic-wide privacy measures.
Appoint a privacy officer and contact person to oversee privacy issues. This individual is the point person for receiving complaints and training all employees on privacy matters, specifically letting staff know about PHI (protected health information) disclosure restrictions and practices.
2 - Get consent to collect, use, and release PHI.
The keys to proper consent for collecting, using, and disclosing health information under HIPAA are:
- Creating a set of policies and procedures, and
- Documenting those policies and measures along with any cases of use or disclosure.
3 - Develop an emergency plan.
Be sure to create a plan that you can use if an emergency threatens the security and privacy of PHI. Make sure that the right staff members have access to PHI in case of various emergencies. In certain cases, consider restoring data from one location to another.
4 - Come up with processes that give patients easy access to their records.
Under HIPAA, the Privacy Rule requires clinics and healthcare professionals to turn over copies of health records within 30 days of receiving a written request. Clients also have the right to have their health records corrected in a timely fashion.
5 - Make sure your devices, website, and network are secure
Build and maintain a secure website that is in line with all HIPAA privacy requirements for identifying information. Run the site on a secure network with all the proper safeguards and get professional help if you need to. Here are some additional safety precautions to take:
- Require a secure password-protected login.
- Put timeouts on your devices so that they automatically log out if you're not actively using them.
- Train staff to act with integrity when handling electronic health information, including not destroying or changing records.
- Require authentication for all staff or entities who access PHI.
- Make sure that data transfers that include PHI are encrypted.
6 - Think about your PHI storage options
Weigh your options regarding storing your clinic’s health information whether you decide to store it as a hard copy, on your own servers, or in a cloud-based practice management system.
Think about a solution that meets the needs of your daily workflow while also adhering to HIPAA. Also, consider choosing a combination of these storage options.
7 - Sign a Business Associate Agreement (BAA) with software vendors.
HIPAA requires a written contract between clinics and any other entity handling health information. For this contract, HIPAA defines two types of organizations:
- Covered Entity: This is the organization that records the data. This mainly pertains to health clinics and practitioners or anyone treating patients or seeing clients.
- Business Associate: The organization helps store and process data on behalf of the covered entity.
8 - Become familiar with your state laws.
Check state laws that have additional privacy requirements beyond HIPAA. Here are some specific things to consider:
- Where state law is less strict than HIPAA, HIPAA will apply.
- Where state law is stricter than HIPAA, state law will apply.
- In many cases, more stringent state laws involve reporting of public health information, such as communicable disease or child abuse, or birth and death records.
9 - Stay current on Privacy Laws
Remember, laws often change. Ensure that your privacy officer stays informed of any changes to privacy requirements and has a strategy to keep your practice up to date on the latest changes. Also, be sure to update your policies periodically as needed.
To learn more about HIPAA, click here.