Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
HIPAA covered entities have strict regulatory requirements outlined in by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
HIPAA covered entities are clearly defined in the regulation as any health plan, health care clearinghouse, or health care provider who transmits any protected health information (PHI). PHI is any demographic information collected by a covered entity that can be used to identify a patient. That includes names, addresses, dates of birth, social security numbers, and medical information, to name a few examples.
That means that all health care providers, including behavioral health specialists, necessarily fall under HIPAA regulation as a covered entity.
But what does that mean for your practice? Below, we discuss the regulatory requirements that all HIPAA covered entities are mandated to address in order to keep PHI private and secure.
HIPAA Compliance for Covered Entities
A HIPAA covered entity must address all of the regulatory standards set out in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
An effective HIPAA compliance program must address:
- Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
- Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
- Policies, Procedures, Employee Training – To avoid HIPAA violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
- Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
- Business Associate Management – You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
- Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.
Essential Telehealth Law & Ethical Issues
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!
Please share your thoughts in the comment box below.
Question: I had been told by lawyers at the California Assn of Marriage and Family Therapy that you were only a HIPAA covered entity if you transmitted PHI via the internet, since HIPAA really addresses internet transactions. Therefore, he said, providers who transmitted all info to health plans via fax, phone, and snail mail were not HIPAA covered entities. Your article seems to suggest that all therapists are HIPAA covered entities.
HIPAA covers all electronic transmissions. Please see the http://hhs.gov website for details: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html If you conduct a few other searches on that site, you’ll see many key facts related to HIPAA and how to comply.