To ensure that you have a HIPAA-compliant therapy department, it is vital to engage in practices that protect the confidentiality, integrity and availability of patient information. Whether you function as a business associate or a covered entity in the setting where you work, it is essential that you follow the HIPAA Privacy and Security Regulations. Below is a quick reference to the HIPAA standards that your therapy department encounters on a daily basis.
Sharing Protected Health Information
Many times there is confusion over what patient information can be disclosed. Protected Health Information (PHI) can be shared in the following ways:
- For treatment purposes with another health care provider;
- For payment purposes with another covered entity;
- For health care operations with another covered entity that has a previously established relationship with the patient (e.g., pre-admission activities, verification of insurance benefits and coordination-of-care discussions); and
- With persons assisting in the patient’s care or payment for their care as long as it is relevant to the person’s involvement for care or payment related issues.
Minimum Necessary Standard
When using or disclosing oral, written or electronic PHI, make sure that you apply the minimum necessary standard, or the “need to know test.” Ask yourself: who needs to know this information? Am I communicating with the appropriate people, and in an appropriate location? A use or disclosure is not considered a violation of HIPAA if it cannot reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure.
Note: The minimum necessary standard does not apply to information shared for treatment purposes.
Safeguarding information is another key component of a HIPAA-compliant therapy department. The following strategies can be used to safeguard information:
- Do not leave patient charts unattended.
- Store charts in locked file cabinets (it is not enough simply to lock your department at the end of the day).
- Destroy or shred all PHI no longer in use (e.g., a Post-it note with PHI on it, patient information once the document retention period has expired, or a CD-ROM containing patient information).
- Do not share passwords or store passwords in obvious locations.
- Protect electronic PHI (e.g., log off computers when not in use, de-identify information sent by e-mail, use privacy screens, password-protect documents containing PHI, and allow only authorized staff to use your workstation).
- Be aware of your surroundings and ensure your environment is safe from unauthorized access.
At the end of the day, you likely have a department that is meeting all of the HIPAA requirements. However, it is important to periodically review your internal procedures and your day-to-day operations to determine whether there are any privacy or security gaps, and to address each gap found. With continuous monitoring and vigilance, you will ensure compliance!