3 HIPAA Compliance Errors Therapists May Be Making
Curious about how therapists can stay HIPAA-compliant and avoid HIPAA compliance errors?
Just over three years ago a Department of Health and Human Services (HHS) audit found that the overwhelming majority of U.S. healthcare providers governed by HIPAA fell short of true HIPAA compliance, even before the COVID pandemic and the federal public health emergency declaration.
The HHS audit identified several specific areas of weakness in providers’ HIPAA-compliance efforts—some of which you may recognize in your own practice.
The audit revealed three HIPAA-compliance errors that practitioners can quickly and easily address. (In fact, most practitioners will probably be able to fix these three oversights in about five minutes.) Also, for therapists considering trying out a fully integrated, HIPAA-compliant EHR, SimplePractice gives you everything you need to ensure HIPAA-compliant booking, billing, secure messaging, and telehealth.
1. Not linking to your Notice of Privacy Practices
The audit exposed just how many providers have problems with their Notice of Privacy Practices (NPP). Only 2% of covered entities had an NPP that actually met all of the requirements of the law. A common area of noncompliance? Providers’ websites.
If you have a website, you must link to your Notice of Privacy Practices on your site’s homepage.
The link should be clear and understandable, titled something like “Notice of Privacy Practices.” When you’re choosing a therapist website builder, make sure there’s a quick and easy way for you to include this link and your document, as it’s something your business needs to have.
If you have a web developer or use a more complicated website builder, one way to do this is to have your NPP be a document in a cloud-based service like Google Docs, so that you can easily edit it but other viewers can’t.
Make sure your sharing settings allow for public viewing, but not outside editing. Then just link to that document from your website. This way, you can easily edit your NPP in the future without having to make additional changes to your website.
2. Not telling your clients how to exercise their rights
Many of the audited providers told their clients what their rights were under the law, but left out an important component of HIPAA compliance—they neglected to include any information about how clients can actually exercise those rights.
In private practice, many practitioners prefer a more informal process where clients simply email you to request records or lodge a privacy-related complaint.
In a group practice or larger setting, there may be a more formal process for such requests.
Whatever process is right for you and your practice, you do need to have some kind of documented process for record requests and privacy complaints. And more importantly, clients need to be informed of what that process looks like in your NPP. If this information isn’t in your current NPP, take the time to make the edit to include it.
In the HHS audit, a number of providers did include contact information, but it was contact information for an entirely different provider.
This is one of many reasons why it’s never a good idea to simply copy and paste another provider’s NPP in its entirety and use it as your own. If any specific information is incorrect, your clients would be misinformed of how to exercise their rights in your practice.
Before posting your NPP publicly or sending it to clients, do a thorough proofread to make sure that all the information is accurate and up-to-date.
3. Not keeping a log of all record requests from clients
Under current HIPAA regulations, clients have a right to access their records. Plus, the recent actions taken to enforce HIPAA compliance have focused on ensuring that covered entities respond promptly to those requests.
In the 2020 HHS audit, a number of providers told HHS that they had no client requests for protected information in the past several years—a claim that auditors said probably represented a misunderstanding of the law.
Any time a client requests any portion of their record, that is considered a record request under HIPAA.
Even if a client simply asks you for a copy of their bill, that’s a record request.
You should keep a log that includes all record requests—including the date of the request, the date of your response, and the nature of your response (for example, provided three pages of records in paper format).
Starting this log is a quick and easy process. You can create it in a word processor or a spreadsheet. However, if the log is going to include protected health information (PHI) like client names or other identifiers, you’ll want to give it the same protections you apply to other forms of PHI in your practice.
Keep up-to-date on your HIPAA compliance
If you did all three of these tasks, then in just a few minutes you’ve addressed three of the most common compliance weaknesses identified in the HHS audit. As mentioned before, there were many more areas where providers generally fell short of HIPAA compliance.
The good news here is that the audit process isn’t meant to be punitive or frightening, but rather to inform and educate. Being aware of the common areas of noncompliance and addressing them in your own practice is a good way to ensure you’re protecting your clients’ data—and your business.
The HHS audit report is full of useful takeaways for covered entities. And aside from identifying HIPAA compliance issues in your own practice that might need addressing, you’ll need to think about how new technologies and enforcement actions play into overall compliance. If addressing all these concerns seems overwhelming, you’re not alone. Speaking to mentors, colleagues, or taking an online course can give you a refresher on the basics of HIPAA compliance and also help you look for more advanced ways to improve your overall compliance.
Disclaimer: Though based on a plain-language reading of HIPAA and the December 2020 audit report, none of the above should be considered legal advice. For guidance on how HIPAA applies in your specific situation, please consult with an attorney.
Benefits of using a HIPAA-compliant EHR like SimplePractice
If you’ve been considering trying out a fully integrated, HIPAA-compliant EHR, SimplePractice gives you everything you need to ensure HIPAA-compliant booking, billing, secure messaging, and telehealth.
Used by over 200,000 private practice clinicians nationwide, SimplePractice is the practice management software for therapists, speech-language pathologists, occupational therapists, and other practitioners in the health and wellness industry.
Sign up for a free 30-day trial. No credit card needed.