HIPAA compliance for speech therapists

Speech-language pathologists, commonly called speech therapists or SLPs, assess, diagnose, and treat speech, language, communication, and swallowing disorders. As part of their professional duties towards the patients they serve, they come into contact with patient-protected health information (PHI), thus making them covered entities under the Health Insurance Portability and Accountability Act (HIPAA). 

HIPAA regulations were adopted for the "establishment of federal standards to guarantee electronically protected health information security to ensure confidentiality, integrity, and availability of health information that ensure the protection of individual's health information while also granting access to healthcare providers, clearinghouses, and health plans for continued medical care," says the NIH.

Scope of practice

Speech therapists work with individuals across the lifespan, from infants to the elderly, addressing various communication and swallowing issues. Their scope of practice includes:

• Speech disorders: Treating articulation, fluency, and voice disorders.
• Language disorders: Addressing issues with understanding and expressing language.
• Social communication disorders: Helping individuals with social communication skills.
• Cognitive-communication disorders: Treating problems with memory, attention, and problem-solving skills.
• Swallowing disorders (dysphagia): Assessing and treating swallowing difficulties.

Given their broad scope of practice, speech therapists handle a wide range of sensitive information, making HIPAA compliance essential.

Types of PHI handled by speech therapists

Speech therapists collect, store, and use various forms of PHI in their practice, including but not limited to:

• Personal identification information: Name, address, phone number, and date of birth.
• Medical history: Previous diagnoses, treatment plans, and progress notes.
• Assessment results: Results from speech and language assessments.
• Therapy records: Detailed records of therapy sessions, goals, and outcomes.
• Billing information: Insurance details and payment information.

Key elements of HIPAA compliance

Privacy Rule

The HIPAA Privacy Rule sets standards for protecting PHI and gives patients rights regarding their health information. Key aspects include:

• Protection of PHI: Ensure all patient information is confidential and secure.
• Minimum Necessary Standard: Access only the minimum necessary PHI to perform job functions.
• Patient rights: Provide patients with access to their PHI, allow them to request corrections, and supply a notice of privacy practices.
  
  

Security Rule

The HIPAA Security Rule outlines safeguards to protect electronic PHI (ePHI):

• Administrative Safeguards: Policies and procedures for managing the security of ePHI.
• Physical Safeguards: Control physical access to areas where PHI is stored.
• Technical Safeguards: Implement technology to protect and control access to ePHI, such as encryption and secure access controls.

Go deeper: What are administrative, physical and technical safeguards?

Breach Notification Rule

In the event of a PHI breach, the Breach Notification Rule requires:

• Breach Reporting: Notify affected individuals, the Secretary of Health and Human Services (HHS), and sometimes the media.

How can speech therapists ensure HIPAA compliance?

Conduct a risk assessment

• Identify where PHI is stored, received, maintained, or transmitted.
• Evaluate potential risks and vulnerabilities to PHI.

Go deeper: How to perform a risk assessment

Develop policies and procedures

• Create HIPAA-compliant policies for handling PHI.
• Train all employees on these policies and the importance of HIPAA compliance.
  
  

Secure communication

• Use secure methods for communication involving PHI, such as encrypted emails and secure messaging apps.
• Ensure teletherapy sessions are conducted on HIPAA-compliant platforms.

See also: HIPAA Compliant Email: The Definitive Guide

Maintain records

• Keep records of all compliance efforts, including risk assessments, training sessions, and policy updates.
• Ensure patient records are stored securely, whether physically or electronically.
  
  

Business associate agreements (BAAs)

• Ensure any third party handling PHI on your behalf signs a BAA, agreeing to comply with HIPAA requirements.
  
  

Patient authorization

• Obtain patient consent for uses and disclosures of their PHI not related to treatment, payment, or healthcare operations.
  
  

Incident response plan

• Develop a plan for responding to potential breaches of PHI, including steps for containment, notification, and mitigation.

Practical tips for day-to-day Compliance

• Limit access: Only provide access to PHI to those who need it to perform their job duties.
• Regular training: Conduct regular training sessions on HIPAA compliance and updates to ensure all staff members are aware of their responsibilities.
• Monitor and audit: Regularly monitor and audit your practices and systems to ensure ongoing compliance with HIPAA regulations.
• Secure devices: Ensure all devices used to access PHI are secure, using strong passwords, encryption, and anti-virus software.

FAQs

What are the patient rights under HIPAA?

Under HIPAA, patients have the right to:

• Access their PHI
• Request corrections to their PHI
• Receive a notice of privacy practices
• Request restrictions on certain uses and disclosures of their PHI

Go deeper: What are patient rights under HIPAA?

What is a business associate agreement (BAA), and when is it needed?

A BAA is a contract between a HIPAA-covered entity (like a speech therapy practice) and a third party (a business associate) that handles PHI on its behalf. It ensures that the business associate will also comply with HIPAA regulations. A BAA is needed whenever a third party accesses, processes, or stores PHI.

Read more: Business associate agreement provisions