
The Ultimate HIPAA Cheat Sheet to Help You Manage Compliance for Your Holistic Practice


One vital component of your holistic practice’s success is maintaining HIPAA compliance: it protects patient information, secures your operations, and reduces the risk of a breach that could seriously damage your practice’s reputation. We’ve compiled this comprehensive HIPAA cheat sheet to help you better understand this important legislation and how it applies to your holistic practice.

History of HIPAA

The Health Insurance Portability and Accountability Act was signed into law on August 21, 1996. This vital piece of legislation created national standards to protect sensitive patient health information from being shared or disclosed without the patient’s knowledge or consent. Put simply, HIPAA prevents protected health information (PHI) from being discussed without the patient’s awareness and strengthens a patient’s privacy.

In addition to securing patient privacy and health information, HIPAA legislation aimed to prevent fraud and waste while also promoting medical saving opportunities across the healthcare industry as a whole. For example, certain tax breaks were established in this Act.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed, establishing technology compliance requirements aligned with HIPAA. This Act encourages the adoption of electronic health records to secure patient information and introduced the Breach Notification Rule, which states that breaches exceeding 500 individual records must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

The latest legislation related to HIPAA was the Final Omnibus Rule, approved in 2013. The purpose of this Rule is primarily to refine HIPAA definitions and include compliance requirements for new pieces of technology, such as mobile devices.

Why Is HIPAA Important for Your Holistic Practice?

Besides protecting your patients’ information and safeguarding their privacy, HIPAA provides some administrative benefits to your holistic practice. Encouraging the transition from paper to electronic health records streamlines your practice and allows for more collaboration with other providers pertinent to your patients. Plus, all HIPAA-covered entities must utilize the same set of codes, so communication from one practice to another organization is further streamlined for efficiency.

Your HIPAA Cheat Sheet

Let’s break down some of the most essential components of HIPAA for your holistic practice’s reference:

PHI and ePHI

Protected health information, known as PHI, can take a variety of forms, all of which are relevant to HIPAA compliance. Here are the 18 types of information that are considered protected health information (PHI) under HIPAA:

  1. Name
  2. Address (including any information more localized than state)
  3. Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc.
  4. Telephone Number
  5. Fax Number
  6. Email address
  7. Social Security number 
  8. Medical record number 
  9. Health plan beneficiary number
  10. Account number 
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, license plate numbers
  13. Device identifiers/serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

ePHI, or electronic protected health information, simply refers to PHI that is transmitted, accessed, or stored electronically. The same protections apply to both PHI and ePHI.


Who Needs To Follow HIPAA Compliance?

Since PHI can appear in a variety of fields and formats, there are several types of individuals and organizations that must comply with HIPAA guidelines whenever they handle it, including:

  • Healthcare providers: This is obvious, but it’s worth noting—healthcare professionals can have access to a plethora of patient information, so it’s crucial that they maintain HIPAA confidentiality when handling this sensitive data.
  • Health plans: Whether privately run or publicly operated programs like Medicare, health insurance-related agencies and their staff must adhere to HIPAA regulations.
  • Healthcare clearinghouses: These companies act as a kind of go-between for processing sensitive information and still need to maintain HIPAA standards.
  • Business associates: This covers third-party vendors and other businesses that interact with PHI for a variety of reasons.

The ultimate aim of HIPAA legislation is to protect sensitive patient information across all platforms, so it’s vital that all parties follow HIPAA regulations when applicable.

Privacy Rule

The Privacy Rule essentially dictates that sensitive information is only used or disclosed with appropriate safeguards in place. It also stipulates that patients have rights to access their personal health information, obtain a copy of their records, authorize the communication of their records, and more.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

Security Rule

Proposed in 1998 by the Department of Health and Human Services, and later ratified in 2003, the Security Rule sought to improve the security of a person’s health information that is shared between authorized parties, such as healthcare providers, health plans, and other pertinent organizations.

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Breach Notification Rule

The Breach Notification Rule was officially adopted in September 2009. It stipulates that any breach of electronic protected health information exceeding 500 individual records must be reported to the OCR, and that each affected individual must be notified of the breach as well.

A breach is defined at 45 CFR 164.402 as:

“The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.”

When an incident occurs, the affected business or organization must assess its severity by considering what type of information was involved, who potentially saw it, and the overall risk the incident poses. From there, the organization can proceed either with patient notification, if the incident qualifies as a breach, or with further risk mitigation.

There are also three exclusions to what counts as a breach:

  • If the exposure was unintentional and is not expected to be a repeated offense.
  • If it was an accidental exposure from one HIPAA-certified person to another HIPAA-certified person.
  • If the covered entity—or organization—has reason to believe the unauthorized person wouldn’t be able to retain details of the personal information.

Omnibus Rule

The Omnibus Rule is the latest piece of legislation associated with HIPAA. Taking effect in 2013, this Rule updates some definitions in the original act and expands the liability of businesses that are not HIPAA compliant. It also further protects patient information by requiring businesses to adhere to the Privacy and Security Rules, which strengthen security measures for handling PHI and ePHI.

Maintain HIPAA Compliance with HBS

The experts here at Holistic Billing Services are HIPAA certified to handle your patients’ personal health information while streamlining your overall revenue cycle with excellent medical billing and coding processing. Your success is our success, and we offer a range of services to partner with your holistic practice including medical billing, consultation services, and more!

Our expertise is rooted in professional, technical, and global billing for hospital and stand-alone holistic care practices. To learn more about how outsourced medical billing with Holistic Billing Services can empower your practice, contact us today. We’ll work with you to build a customized solution that meets the specific needs of your practice and allows you to get back to treating patients.

December 31, 2021
 - by Antonio Arias, MBA, CHBME