The Basics of HIPAA Compliance

January 8, 2019

by Nick Jaworski, Digital Community Builder of Circle Social, Inc.


If you work in behavioral health, HIPAA non-compliance can mean having to close your doors.

Fines for violations can be as much as $50,000 per piece of mishandled information.

What's even worse is that your center is legally responsible for information handled by third-party vendors, like advertisers and marketers.

But thankfully, there are ways to safeguard against HIPAA compliance issues.

What Is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act.

The act was passed in 1996 under the Bill Clinton administration, and has 5 sections, or titles.

  • Title I: Protects individuals who lose their jobs and prevents denial of coverage for specific pre-existing conditions.
  • Title II: Established national standards for processing electronic healthcare transactions, and required healthcare organizations to comply with privacy regulations.
  • Title III: Determines tax-related provisions and guidelines for medical care.
  • Title IV: Continues determining insurance reform, including more provisions for individuals with pre-existing conditions and those seeking continued coverage.
  • Title V: Covers provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.

Whenever people in the healthcare and health services industry talk about potential HIPAA violations, they are usually referring to Title II.

This section is the most talked about because it is one of the easiest to violate. Communication is vital both to treating and caring for patients and to encouraging people to get treatment (i.e., your marketing efforts!), BUT many of these communications could easily violate a person's privacy.

How Do We Stay HIPAA Title II Compliant?

Title II of HIPAA is mostly about protecting patients' Personally Identifying Information (PII). PII is any information that could possibly identify a specific individual.

Any information that can be used to distinguish one person from another and could potentially be used to de-anonymize anonymous data can be considered PII. In the healthcare environment, one of the most serious PII mishandling mistakes is to reveal an individual's medical status to someone not authorized to have that information.

While this article does not serve as formal legal advice, a general rule of thumb for avoiding a violation like this is to never reference a person's name or descriptors in the same communication as their medical status.

So say that Jane Doe is hypothetically looking for opioid addiction treatment and reaches out to a center or one of their business associates. An e-mail or other electronic communication by staff can mention either that "someone" is looking for opioid addiction treatment, OR that Jane Doe would like to discuss "something" with a doctor or therapist. Do not mention both pieces of information in the same electronic communication.

It is important both for a center's own staff to understand this and for every third-party vendor to follow this guideline, because, again, the center is ultimately liable for any and all information about its patients.

This rule alone may not fully protect your center from violations that can incur HUGE fines, however. There are many common HIPAA violations, especially with regard to Title II.

Many medical organizations do not even realize they are violating HIPAA. Some things that seem normal or like they make sense are still in violation of Title II. For instance, all of the following are common violations:

  • Mixing PII and PHI (personal health information) in ANY electronic communication. This includes texts, e-mails, etc. from clinical staff to other clinical staff.
  • Improperly responding to reviews online. You cannot respond in any way that even confirms that the reviewer was at your location.
  • Including pictures of people online without proper HIPAA waivers. This includes people in the background, even if they are blurry.

Be on the lookout for these common mistakes.

Thomas A. Miles of Wachler & Associates, a law firm specializing in healthcare provider issues, puts the issue into perspective here:

"Mistakes made when disclosing a patient's PHI can have consequences. Health care providers covered by HIPAA must take steps to ensure they handle PHI appropriately and do their best to avoid them. In the event of a violation, it's important to understand the extent of your responsibilities. Seeking legal advice can help ensure that these responsibilities are properly fulfilled.

In 2018, the Office for Civil Rights settled alleged HIPAA violations with ten different entities that together totaled more than $25.6 million dollars in fines. Some of these alleged violations may have been avoided if the PHI at issue had been disclosed in a compliant manner."

How Do Centers Protect Themselves From the Actions Of Third Parties?

Marketers are even less likely than center staff to know that they may be violating Title II, especially if they are uncertified in treatment marketing. As we've mentioned before, this is bad news for your center.

Official relationships between health organizations are commonly known as BAAs, or "business associate agreements." Within the regulations, they are called "business associate contracts," but they are most commonly referred to in conversation as BAAs nonetheless.

A BAA is the only sure way to ensure that your contractors and vendors share liability with you when it comes to staying in compliance. A BAA must be signed any time a business associate relationship exists between two parties, either as a standalone document or as covered in a contract under terms of service or another applicable agreement.

Laying out terms and sharing liability do not necessarily ensure that your contractors and vendors understand HOW to stay compliant. Talk to your marketers and vendors to make sure they understand the importance of familiarizing themselves with privacy requirements and best practices to stay in compliance. Check for certificates or other qualifications to handle sensitive information.

With HITECH In Effect, Learning HIPAA Requirements Has Never Been More Important

In 2009, the HITECH Act passed as part of the American Recovery and Reinvestment Act (ARRA). The Act began by creating financial incentives for companies that could show the benefits of keeping electronic health records, which continued until 2015. Since then, fees can be levied against health centers that fail to provide electronic health records to patients, or make use of electronic records in order to cut costs.

This means there is no way of getting around the electronic privacy portions of HIPAA. Your center cannot just keep paper records and operate from there. Attempts to do this can result in fines.

Electronic records with PHI and PII are required. So you, your employees, and your business associates NEED to understand proper HIPAA compliance tactics when it comes to electronic communications.

While many in the healthcare community viewed HITECH enforcement as lax in the past, these fines can catch up with any center. Smaller centers struggling with moving over to an electronic system were being given some time to catch up, but even these exceptions are waning over time.

Do not be caught without a proper electronic health records system in place. Records need to both be in electronic format, and privacy protected. From there, it is essential that those in your circle of business interactions know how/when you are able to communicate those records.

Getting Continued Protection From HIPAA Violations

There are trainings out there to learn all the ins and outs of HIPAA compliance. Several of them offer certificates to demonstrate that someone has completed the training successfully.

Healthcare providers, center owners, and marketers taking on healthcare organizations as clients all benefit greatly from a membership in BHAP. HIPAA compliance keeps the doors to your medical center open. Without it, violation fines alone can put a center out of business, even if there isn't a drawn-out legal fight surrounding the violation.

