One of the reasons so many therapists are moving over to larger medical groups is to escape the threat of oversight violations. The Health Insurance Portability and Accountability Act (HIPAA) was created for important reasons, but it’s often applied in ways that leave clinicians befuddled and ready to throw in the towel.
Worse, ignoring these regulations can land you in hot water. Consider Concentra Health Services’ $1.7 million fine following a security audit triggered by a break-in, or Affinity Health Plan, Inc.’s $1.2 million fine after returning a photocopier to a leasing company without wiping the files from the hard drive. Being clueless isn’t an excuse in an age where patient information has become big business. So how do you protect yourself and your practice?
Is My Mental Health Practice HIPAA Compliant?
If you run your own business, you should really hire a Privacy Officer to audit your practices and make recommendations to ensure you’re meeting your obligations. What are they? Well, it gets complicated quickly. Every business dealing with protected health information (PHI) needs to protect that information in a secure way. When that doesn’t happen, it can open you up to lawsuits and hefty fines.
The HIPAA Privacy and Security rules are in-depth, spelling out various responsibilities and methods of meeting them. Some are required, even if you’re already using a different method that also works. Others are merely helpful suggestions. When requirements aren’t in place, there is still an expectation that you’ll keep that information protected and safe. Suggestions can be replaced by alternative methods, but they cannot go ignored.
So, How Do I Make Sure That My Mental Health Practice Is HIPAA Complaint?
Along with hiring a professional to go over your practices, pay attention to the types of violations established healthcare facilities are being fined for. These issues are a likely a problem for many clinics. For instance, the following are common sources of compromised PHI:
- Lax device security
- Employee misconduct
- Unauthorized disclosure
- Hacking
- Partner violations
- Improper PHI disposal
- Untrained staff
- Unsecured records
- Gossip
Some of these boil down to using technical precautions — like encryption — on any cell phone, tablet or computer used for creating or even viewing protected information. Others involve getting your staff and partner businesses in line by providing clear rules and serious consequences for breaking them. Let your staff know that the fines you face could rise into the millions, which means breaches could result in lost jobs. Have partners sign agreements regarding their liability if PHI is leaked due to their negligence.
Other issues, though, such as the appropriate way to store and dispose of personal files, may require an expert’s touch.
The next time you’re wondering, “Is my therapy business HIPAA compliant?” don’t take any chances. The consequences of making a mistake are extreme, and not just for you. Given the stigma attached to the need for mental health care services, the results for your patients could be devastating. Protect your medical practice and your patient information with help, in part, from BPS Billing.