HIPAA Information

Following is a brief summary of the most recent HIPAA changes made by the US Department of Health and Human Services, and how they may affect you. The entire Final Rule can be found here.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act) is a federal law that has been in place since 1996, with new rules added in 2013 that changed some aspects of the law. HIPAA has three components: the portability of health-care coverage, recordkeeping, and the privacy of patient health information. The third component most directly impacts the practice of massage therapists.

To Whom Does HIPAA Apply?

The 2013 rule changes did not affect who is covered by HIPAA. Just as before, HIPAA only applies to massage therapists who are Covered Entities. A "Covered Entity" means any health-care provider who electronically transmits health information in connection with certain types of transactions, which include:

  • Claims submission
  • Coordination of benefits
  • Eligibility verification
  • Enrollment checking
  • Health claims status
  • Health-care explanation of benefits
  • Health-plan premium payment
  • Referral certification and authorization

The federal rule listing the types of covered transactions is available online at www.aapsonline.org/confiden/hipaacovered.htm.

If you do not perform any of these types of electronic insurance transactions, then you are not a Covered Entity, and HIPAA does not apply. Merely using electronic technology, such as email, does not make you a Covered Entity; you must perform electronic transmissions in connection with one or more of the above types of transactions. HIPAA applies to a health-care provider whether the provider performs these transmissions itself or uses a billing service or other third party to do so. 1

However, even if you are not technically covered by HIPAA, you must still maintain the privacy of client health information, both because your state may have separate patient privacy laws and because protecting client privacy is critical to maintaining a successful, ethical practice. One aspect of good practice is recording an initial health history for each new client. Conscientious massage therapists also ask clients on each subsequent visit whether anything is new on the health front; significant disclosures are then recorded in the client's file. Massage therapists have a responsibility, whether under HIPAA, state law, or simply principles of professional ethics, not to disclose to third parties any information linking an identifiable client to a particular medical condition or treatment. Massage therapists should maintain client files in a secure place, such as a file or desk drawer in a room that is locked when the therapist is not present. If massage therapists practice with other individuals, those individuals should be trained on confidentiality requirements. Massage therapists should never discuss a client's health information with anyone outside of their practice, and should instruct all of their employees and coworkers to follow this rule as well.

What Changed in 2013?

Following is a summary of some of the most important changes to the new HIPAA rules.

Changes to What Constitutes a Breach of Protected Information

Under both the old and new HIPAA rules, if a Covered Entity discovers a breach of electronically stored or transmitted health information that contains anything that could identify the patient, otherwise known as "Protected Health Information" (PHI), then the breach has to be reported to the patient, to the US Department of Health and Human Services, and sometimes to the media. However, the old rules stated that the improper use or disclosure of PHI constituted a breach only if the Covered Entity determined, after performing a risk assessment, that the use or disclosure posed a significant risk of financial, reputational, or other harm to the patient. Under the new rules, the improper use or disclosure of PHI is presumed to be a breach unless the Covered Entity can show that there is a low probability that the PHI was compromised. Factors involved in making that determination include whether the PHI was actually viewed by anyone, whether the risk to the PHI has now been mitigated, and who used or viewed the information. 2

The new standard means that Covered Entities will have to report improper uses and disclosures of PHI more often.

Changes to the Definition of "Business Associate"

HIPAA covers not only health-care providers, but also their "Business Associates," meaning people or entities that perform services for the provider involving the use or disclosure of PHI. "Business Associates" are generally defined as those entities outside of the Covered Entity's workforce who handle PHI on behalf of a Covered Entity in performing functions like benefit management, billing claims processing, data analysis, practice management, and accounting, administrative, actuarial, financial, or legal services. 3

HIPAA has always required that a Covered Entity must have a written contract with its Business Associates containing specific contract provisions that are listed in the HIPAA regulations. The new rules add more provisions to that list, including a provision that the Business Associate agrees to report breaches of PHI to the Covered Entity and that it will make certain that its subcontractors who handle PHI agree to all of the same contract terms. The US Department of Health and Human Services has provided a sample Business Associate contract online at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

The new rules also expand the definition of Business Associate. As a result, the following people and entities now also qualify as Business Associates:

  1. People or entities who provide data transmission services of PHI to a Covered Entity and require access to PHI on a regular basis.
  2. Subcontractors of Business Associates that handle PHI.
  3. People or entities who maintain PHI on behalf of a Covered Entity, even if they do not access or view the PHI.

As a result, Covered Entities need to execute Business Associate contracts with those in categories 1 and 3, and a Business Associate must have a contract with its subcontractors under category 2.

Changes to the HIPAA Notice Requirements

HIPAA requires that Covered Entities provide a written Notice of Privacy Practices to their patients that includes certain statements set forth in the HIPAA regulations. The Notice must also be posted on the Covered Entity's website. Under the new rules, the Notice must also:

  • Describe the types of uses and disclosures that require authorization under HIPAA (if the Covered Entity intends to engage in any of them).
  • Inform individuals that they have the right to opt out of receiving fundraising communications (if the Covered Entity uses PHI to conduct fundraising activities).
  • Inform individuals that they have a right to pay out-of-pocket for a service and the right to require that the Covered Entity not submit PHI to the individual's health plan if they do so.
  • Inform individuals that the Covered Entity has a duty to notify affected individuals following a breach of unsecured PHI. 4

Covered Entities are required to make a good-faith effort to obtain the patient's written acknowledgement that they received a copy of the Notice, and to document that effort if the patient declines; however, a patient's refusal to sign an acknowledgement does not prevent a provider from using or disclosing health information as otherwise permitted under HIPAA.

More Information

Sources:

  1. HHS OCR Privacy Brief, May 2003 at 2.
  2. www.jdsupra.com/legalnews/significant-changes-to-hipaa-effective-m-51197; www.mcguirewoods.com/Client-Resources/Alerts/2013/1/Breach-Notification-Changed-HIPAA-Omnibus-Final-Rule-Risk-Harm.aspx
  3. www.hollandhart.com/checklist_for_hipaa_business_associate_agreements/
  4. www.jdsupra.com/legalnews/significant-changes-to-hipaa-effective-m-51197/