The Health Insurance Portability and Accountability Act (HIPAA) has been in place for a long time now. It covers all healthcare practices, including chiropractic practices. The Office of Civil Rights (OCR), which is part of the Department of Health and Human Services (HHS), is responsible for HIPAA compliance and conducting reviews to determine if covered entities are in compliance with the laws.
Established in 1996, a major purpose of HIPAA compliance for chiropractors is to safeguard patients’ protected health information (PHI). HIPAA rules define and regulate how providers can use and disclose PHI.
As a chiropractic practice, you may be following all HIPAA regulations, asking your patients to sign the Notice of Privacy Practices form, keeping all patient conversations at a low level, and staying up to date with HIPAA changes. But do you think you are completely HIPAA compliant?
“According to HHS, 70% of the healthcare industry is not HIPAA compliant while CMS states that 79% of Meaningful Use Audits have resulted in failure.”
Sometimes, despite taking appropriate measures, there are potential areas of vulnerability or risk. We call it ‘symptoms of non-compliance’. What are those symptoms? Read below to know.
1. Running outdated, unsupported software
A healthcare service provider had to pay $150,000 OCR to HHS because it failed to protect electronic PHI (ePHI) due to malware compromising the security of its IT resources. The provider failed to address security risks, such as reviewing systems for unpatched vulnerabilities and outdated software that can leave patient information susceptible to threats and risks.
With the increase in the adoption of chiropractic EHR software, it is important for practices to implement secure electronic systems to protect electronically protected health information (ePHI). Chiropractic EHR must fulfill the requirements of the HIPAA regulations by having administrative, physical, and technical safeguards with written policies in place to protect and safeguard ePHI.
Secure chiropractic software minimizes the possibility of compromising ePHI by protecting against data breaches and vulnerabilities. At zHealthEHR, we understand that it is absolutely critical for chiropractors to be HIPAA compliant. Our chiropractic EHR software has been to make it easy for DCs to keep their practices HIPAA compliant.
2. Still using paper files
With the increasing adoption of EHR by chiropractic practices, paper files are now not so common in offices. But still, some clinics use and maintain paper records. Research by Ponemon Research Institute found that the average data breach in 2015 cost $398 per record. Another survey revealed that 54% of patients are likely to change their provider following a security data breach.
When patient records are not maintained and stored properly, it could lead to HIPPA violations. The best way to remain compliant is to prevent violations through secure and reliable chiropractic EHR systems. However, make sure the personal computer, tablets, and other electronic devices you use in your practices are not left unattended.
If unauthorized staff members or other patients visiting your practice read the private information of a patient on a screen, it would be seen as a violation of HIPAA regulations. Train your staff on how to use electronic devices and EHR systems to prevent security breaches.
3. Staff members are not trained properly
Simply handing out policy playbooks to staff members won’t help chiropractic practices become HIPAA compliant. A staff member gossiping about a patient to a person outside of his organization could also be seen as a violation of HIPAA regulations.
A healthcare organization received a $1.4 million fine because one of its staff members shared confidential medical information about a patient. That’s why it is crucial to train all your staff members and business associates (including but not limited to chiropractic assistants, front desk staff, office managers, billers, and other third-party vendors you’re working with) on private health information security. Here is what you must do:
• Take appropriate steps to maintain the integrity of the patient record and confidential information and make your staff strictly follow the policies.
• Conduct weekly HIPAA training for employees and maintain detailed records showing when employees attended the sessions.
• Followed by HIPAA training, conduct tests or surveys showing they understood the content.
4. Not conducting compliance risks analysis
HIPAA’s Security Rule requires that covered entities, including chiropractic practices, complete security risk assessments. All types of electronic patient health information that your clinic creates, receives, uses, or transmits are subject to this security rule.
A healthcare firm received a $50,000 HIPAA fine because it failed to conduct a risk analysis and they did not have mobile device security policies or procedures in place. To avoid HIPAA penalties for security risk assessment, chiropractic practices need to:
- Create their own assessment method that meets security rule standards
- Use the downloadable tool by the Office of the National Coordinator for Health Information Technology (ONC) to review your practice’s compliance (Although not required but may prove beneficial).
- Review your practice’s workflow to determine how securely patient data is recorded, used, accessed, and transmitted.
- If using paper records, review how you and your staff are handling and storing them
- If you’re using partners, EHR vendors or billing consultants, review how your patients’ data are being used.
- Make sure all your electronic devices are encrypted and have a firewall installed. Keep policies and procedures around device usage and security up to date. Device theft containing unencrypted patients’ data resulted in a costly HIPAA violation for a therapy center in the US. A healthcare clinic received a $1,975,220 fine for the potential HIPAA violations caused by the theft of a laptop containing unencrypted ePHI data.
- As you conduct the above assessments, make sure to document everything and identify areas of weaknesses. Create a plan to address these weak areas and resolve the security issues as quickly as possible.
5. Not having a data recovery plan
According to the HIPAA Final Security Rule, providers and their business associates must securely back up “retrievable exact copies of electronically protected health information.” Data backup (and recovery) is the process by which the information is stored.
Apart from the nefarious hacking, natural disasters like fire accidents and floods could limit access to your patients’ information. That’s where using cloud-based chiropractic practice management software makes sense. Choose a SaaS vendor that offers secure EHR software with data backup and recovery as part of the package. The software vendor must meet the regulations of HIPAA regarding data backup and recovery.
HIPAA Compliance Checklist
| Conduct regular audits of your practice and analyze results to determine deficiencies |
| Appoint a HIPAA-compliant officer or security officer to conduct an annual audit of your practice |
| Conduct weekly HIPAA training of staff members and also ask the designated compliance officer to train your staff on HIPAA regulations. |
| Perform due diligence on business associates and vendor partners to review their HIPAA compliance with your patient data |
| Identify, analyze, and put measures in place to resolve the actions by completing a comprehensive risk assessment of ePHI. |
| Put physical safeguards in place to protect and manage devices, workstations, facilities, and servers (if using any). |
| Use encrypted devices and EHR systems that enable automatic auto-logoff after a certain set time frame. |
| Build and test your data backup and recovery processes on a regular basis to keep your data safe. |
What happens if my chiropractic practice violates HIPAA?
| • A HIPAA violation that occurs without the knowledge | • $100-$50,000 |
| • A HIPAA violation due to reasonable cause | • $1,000-$50,000 |
| • A HIPAA violation due to willful neglect, but fixed within 30 days | • $10,000-$50,000 |
| • A HIPAA violation due to willful neglect, but not mitigated within 30 days | • $50,000 |
Keep Your Chiropractic Practice HIPAA Compliant with zHealthEHR
zHealthEHR provides highly secure, cloud-based chiropractic practice management software. If you perform in-depth security and risk assessments of your practice, follow the aforementioned HIPAA compliance checklist,and use our HIPAA-compliant software, you keep your business as healthy as you keep your patients. Contact us to request a free demo or give us a call at +1 (800) 674-2908.
