HIPAA compliance is a major aspect of running a physical therapy practice. Physical therapists can protect patient information by understanding the regulations, implementing necessary measures, and staying up to date with changes.
Physical therapy practices handle sensitive patient information, including medical records, treatment plans, and billing information. HIPAA compliance is needed for physical therapy practice owners to protect patient privacy, prevent data breaches, and maintain trust with patients.
Patients have specific rights under the HITECH Act and the Omnibus Rule, both of which expanded upon the existing HIPAA regulations.
Patients have the right to access their own PHI held by physical therapy practices. This includes the ability to view, obtain copies, and request amendments to their health information.
Patients can request changes or amendments to their PHI if they believe it contains errors or incomplete information. Physical therapy practices must have processes in place to handle these requests.
Patients have the right to request restrictions on the use or disclosure of their PHI. Physical therapy practices must consider these requests but are not obligated to agree to them if doing so would interfere with treatment or payment activities.
Patients can request that their PHI be communicated to them in a specific manner or at a specific location to ensure confidentiality.
Patients must be informed if there is a breach of their privacy, including unauthorized access or disclosure of their PHI.
Patients have the right to make complaints if they believe a physical therapy practice is not complying with HIPAA regulations. Practices must have procedures in place to handle these complaints.
Patients can revoke their authorization for the use and disclosure of their PHI, except when the disclosure was already made based on the initial authorization.
Patients have the right to opt out of receiving marketing communications, fundraising solicitations, and the sale of their PHI.
Patients can request that their PHI not be disclosed to their health insurance plans if they pay for the services out-of-pocket.
Physical therapy practices must provide patients with a paper copy of their privacy notice upon request.
In the event of a breach of unsecured PHI, physical therapy practices must follow specific breach notification requirements.
When notifying a patient of a breach, physical therapy practices must include a description of the breach, the types of information involved, the steps the individual can take to protect themselves, the actions the practice has taken to investigate the breach, mitigate harm and prevent further breaches, and contact information for the affected individual.
Physical therapy practices must report breaches to the HHS secretary. Breaches affecting more than 500 individuals may require additional reporting to media outlets and websites. Reporting timelines vary by state, so practices should review their local reporting requirements.
Physical therapy practices often work with third-party vendors and service providers known as business associates. A business associate agreement (BAA) is a contract that outlines the responsibilities and obligations of both covered entities (physical therapy practices) and business associates.
Covered entities should initiate the BAA to ensure compliance with the HITECH Act and the Omnibus Rule. The BAA should include provisions related to allowed and required disclosures, downstream subcontractors, safeguarding data, reporting obligations, assurance of compliance, termination clauses, liability, indemnification, monitoring, and auditing rights.
The BAA should address the specific requirements set forth by the HITECH Act and the Omnibus Rule, ensuring that business associates abide by the same terms as the covered entity. These provisions include restrictions on the use and disclosure of PHI, security rule compliance, breach notification procedures, and the return or destruction of PHI upon termination of the agreement.
Physical therapy practices must provide patients with a privacy notice that explains how their health information may be used and disclosed. The privacy notice must include specific information and be made readily available to patients.
Physical therapy practices are required to offer the privacy notice to all new patients and active patients if any modifications are made. The notice must be easily accessible in the reception or common areas, allowing patients and visitors to access it without requesting it from the staff.
Physical therapy practices must post the privacy notice in a visible location within the reception or common areas. This ensures that patients have access to the notice without having to request it. Additionally, if a practice has a website, the privacy notice must be posted there as well.
Physical therapy practices must implement role-based access to PHI and ePHI, ensuring that staff members have access to the relevant information based on their job requirements.
To validate access to PHI and ePHI, physical therapy practices should develop written policies and procedures that define roles and responsibilities. These policies and procedures should outline the process for granting and revoking access based on job requirements.
Physical therapy practices should validate access to PHI and ePHI based on the individual's job responsibilities. Staff members who require access to PHI and ePHI should be listed explicitly, indicating their need for full access.
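The role-based access model described above, as an added example that is not part of the original article: a deny-by-default check that maps each job role to only the PHI categories the article names (medical records, treatment plans, billing), keeps an explicit list of staff granted full access, and records every grant, revocation and access decision. The role names, staff names and the in-memory audit log are constructed assumptions.

```python
# Added example (not from the article): deny-by-default, role-based access to PHI.
# Role names, staff names and the in-memory audit log are constructed for illustration.
from dataclasses import dataclass, field

# PHI categories a physical therapy practice handles, as named in the article.
PHI_CATEGORIES = {"medical_records", "treatment_plans", "billing"}

# Each role lists only the PHI categories its job requires (least privilege).
ROLE_PERMISSIONS = {
    "treating_therapist": {"medical_records", "treatment_plans"},
    "billing_clerk": {"billing"},
    "front_desk": set(),  # schedules appointments; needs no PHI category
}


@dataclass
class AccessRegistry:
    # staff member -> assigned role, written down explicitly as the article requires
    assignments: dict = field(default_factory=dict)
    # staff explicitly listed as needing full access (e.g. the practice owner)
    full_access: set = field(default_factory=set)
    # every grant, revoke and access decision, so access can be reviewed later
    audit_log: list = field(default_factory=list)

    def grant(self, staff: str, role: str) -> None:
        """Assign a role; unknown roles are rejected rather than silently allowed."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.assignments[staff] = role
        self.audit_log.append(("grant", staff, role))

    def revoke(self, staff: str) -> None:
        """Remove both the role assignment and any full-access listing."""
        self.assignments.pop(staff, None)
        self.full_access.discard(staff)
        self.audit_log.append(("revoke", staff, None))

    def can_access(self, staff: str, category: str) -> bool:
        """Deny by default: unknown staff, unknown categories and revoked users get False."""
        if category not in PHI_CATEGORIES:
            allowed = False
        elif staff in self.full_access:
            allowed = True
        else:
            role = self.assignments.get(staff)
            allowed = role is not None and category in ROLE_PERMISSIONS[role]
        self.audit_log.append(("access", staff, category, allowed))
        return allowed
```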
Los Angeles-based Complete P.T. Pool & Land Physical Therapy settled HIPAA violations by paying $25,000 for posting patient testimonials without proper authorization, including full names and photos on its website. The settlement, announced by the Department of Health and Human Services Office for Civil Rights, mandates a corrective action plan and annual compliance reporting for one year.
The investigation found failures in safeguarding PHI and an impermissible disclosure of it, underscoring that HIPAA requires explicit patient authorization before PHI is used for marketing purposes.
How should physical therapists handle patient consent under HIPAA?
Physical therapists must obtain patient consent before disclosing any protected health information (PHI) to third parties, except when the disclosure is for treatment, payment, or healthcare operations.
What are some best practices for maintaining HIPAA compliance in a physical therapy practice?
Can physical therapists communicate with patients via email or text messages while remaining HIPAA compliant?
Yes, physical therapists can communicate with patients via email or text messages, but they must use secure, encrypted systems to protect patient information and obtain patient consent for electronic communication.