The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to help protect patient privacy, especially when health care professionals use electronic billing, fax and email to send information back and forth. It is still unclear and confusing whether every Massage Therapist needs to be HIPAA compliant.
To find out if you need to be HIPAA compliant, you can go to the US Dept of Health website, which says:
A Covered Entity is one of the following: A Health Care Provider…..but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
You can also look at the PDF, but here is what it basically says:
Does the person, business or agency transmit (send) any covered transactions electronically? If NO, then the person is not a covered entity.
So the question then is: what is a covered transaction? The PDF explains it clear as mud.
In the book Introduction to Massage Therapy by Mary Beth Braun, she says this about covered transactions:
Covered transactions include using any electronic means to transmit a person's health insurance information such as claims, enrollment, eligibility, explanation of benefits (EOB), premiums, claims status, referral certification or authorization, and coordination of plan benefits. If your business performs any transactions electronically (computer, electronic media storage, email, internet, personal data assistants, etc.), then your business is considered to be a covered entity.
Cherie Sohnen-Moe, in this Massage and Bodywork Magazine article, also says that even if you don't send things electronically, you need to be HIPAA compliant:
When you maintain client records, gather information from a client, engage in oral communication or transmit records (whether electronic or not), you are considered a covered entity.
If you work for doctors or other healthcare providers that are HIPAA compliant, you also have to be compliant.
To be HIPAA compliant you will need to create a manual for your office that details what you will do with clients' information under various circumstances. You will need to have clients sign your HIPAA policy, and you must let them know of any changes in the way you use or secure their information.
So what do you need to do to become HIPAA compliant?
- You need someone in your office to be in charge of this (YOU!) and to create a manual. If you hire people to work for you, they need to be aware of the rules.
- Create privacy policies on how you will keep personal health information private.
- Install locks on your computer and file cabinets.
- Create a privacy notice for email/text communications.
- Give each client a Notice of Privacy Policies form to sign.
- Don't let clients see your appointment book with other people's names in it.
- Get a National Provider Identifier (NPI) (directions from Vivian Madison Mahoney on Massage Today) so that you can bill electronically.
- If you collect people's email addresses on your intake form, tell them how you will be using them.
- If you plan on selling your business, you will need to ensure privacy is maintained with the new owner.