A Quick Guide to HIPAA Physical Therapy Guidelines in 2022

What is HIPAA and What is its Purpose?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect patient privacy and limit the amount of sensitive patient health information disclosed by healthcare professionals without explicit patient consent. HIPAA regulations aim to safeguard patients’ protected health information and implement conditions on how and when this information can be shared, including with other healthcare providers. These regulations provide patients with the right to examine and obtain a copy of their health records at any time and the right to request corrections. To comply with advances in technology that could impact patient privacy, HIPAA also developed federal protections for individually identifiable health information and electronic healthcare transactions and codes. Overseen by the U.S. Department of Health and Human Services (HSS), HIPAA regulations allow a patient to direct a provider to transfer health information electronically.

HIPAA 101 the Basics: What Does PHI Stand For?

PHI stands for Protected Health Information, which the HIPAA Privacy Rule classifies as medical records and other individually identifiable health information. The covered entities who must comply with the Privacy Rule under HIPAA’s requirements include health plans, health care clearinghouses, and health care providers who conduct standard transactions electronically. The HIPAA Privacy Rule limits how and when PHI may be shared without a patient’s explicit authorization; however, the rule is meant to be balanced such that it can still allow for the disclosure of health information required for patient care — like briefing a surgeon on a patient’s current medication regimen before initiating emergency surgery, for instance. Examples of PHI that cannot be shared without patient consent include:

• Patient medical history
• Patient demographic details
• Patient insurance information
• Patient test and laboratory results 
• Patient plans of care or CPT diagnostic codes
• Any data that can be used to identify individual patients

What’s the HIPAA Omnibus Rule?

The HIPAA Omnibus Rule is an amendment of the Health Insurance Portability and Accountability Act (HIPAA) that extends many of the original privacy provisions established under the Health Information Technology for Economic and Clinical Health (HITECH) Act to covered entities’ business associates and subcontractors. The Omnibus Rule implements regulations for disclosing protected health information (PHI) among medical providers and their business associates. The Omnibus Rule also provides guidance for such associates in the case they discover a breach of unsecured PHI and further prohibits health plans (other than long-term care plans) from using or disclosing patient genetic information.

What is the Relationship Between HIPAA and Physical Therapy?

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for disseminating patients’ protected health information (PHI), including physical therapy patients. HIPAA regulates how physical therapists and their business associates disclose patient PHI. The relationship between HIPAA and physical therapy boils down to the fact that patients of a PT practice share the same rights as patients of other health care operations that HIPAA regulates, whether that be a family physician or a neurologist. With more PT practices beginning to conduct standard transactions electronically, such as telehealth appointments, the HIPAA Security Rule and Privacy Rule also implement administrative and technical safeguards for electronically protected health information.

Are Physical Therapists Covered by HIPAA?

Yes, HIPAA guidelines for healthcare professionals cover physical therapists and any medical professional employed or operating from a physical therapy clinic and any of the covered entities’ business associates and subcontractors. PTs handle patients’ private health information, not public health information, so they must comply with HIPAA’s requirements.

What Are Typical HIPAA Violations Seen Within Physical Therapy Practices?

Private practices and physicians, such as physical therapy practices, allegedly commit the second-most HIPAA violations of all covered entities, beating out larger organizations like national pharmacy chains and community health centers. The five most common HIPAA violations seen at PT practices include:

1. Data Breaches: Patient electronic medical record (EMR) data is compromised by a cyberattack. 
2. Improper Disposal of Patient Information: Documents containing sensitive protected health information (PHI) have been discarded in a public or easily accessible manner.  
3. Unprotected Lost or Stolen Electronic Devices: A tablet, personal computer, or other electronic device containing PHI has been removed from the practice and has not been encrypted or password-protected to safeguard patient data. 
4. Inadequate Employee Training: Physical therapists are unaware of HIPAA requirements or who they can legally discuss PHI with, such as family members versus alternative healthcare providers. 
5. Over-Sharing of Patient Information: Physical therapists, PT assistants, or other practice staff have committed a PHI violation by publicly gossiping or chatting about patient information.

What is the Penalty for HIPAA Violation?

There are four potential outcomes for a HIPAA violation: the at-fault individual is dealt with internally by an employer, the at-fault individual is terminated, the at-fault individual incurs sanctions from professional boards or the at-fault individual faces civil or criminal penalties. HIPAA violations are considered civil penalties when the at-fault individual was aware HIPAA requirements were violated or should have been aware if due diligence had been exercised. Civil penalties for HIPAA violations incur a $100 fine per violation, which could increase to $25,000 if there were multiple HIPAA violations of the same type. HIPAA violations are considered criminal penalties when the at-fault individual obtained PHI under false pretenses or knowingly violated HIPAA requirements with malicious intent or for personal gain. Criminal penalties for HIPAA violations include a minimum fine of $50,000 and a maximum fine of $250,000, as well as a prison sentence of up to 10 years in jail.

How to Ensure Your Practice Remains HIPAA Compliant

As more physical therapy practices begin to embrace electronic service offerings, such as telehealth and home exercise programs, your practice must remain HIPAA compliant. Now that you’re more familiar with HIPAA basics for providers, here are five HIPAA compliance tips.

1. Encrypt Patient PHI: Leverage EMR software that comes equipped with HIPAA compliance features, such as encryption technologies to protect sensitive information. 
2. Properly Train Staff on HIPAA Guidelines: Educate new employees on the basics of HIPAA right away and be sure to post notice of privacy practices to instill compliant habits. 
3. Forbid Patient Gossip Practice-Wide: Ensure all staff members know not to entertain practice gossip about patients or patient PHI or risk facing corrective action. 
4. Establish Authentication Requirements for Sensitive Devices: Implement passwords or other authentication requirements for electronic devices containing PHI, taking care not to use just one HIPAA password across all devices.
5. Implement Incident Response Plans: Conduct a risk assessment across the entire practice to identify gaps in patient protection and impose incident response plans.  

The Bottom Line

So, are employers bound by HIPAA? Yes! Physical therapy practices must abide by all requirements established by HIPAA. Fortunately, technology like MWTherapy’s EMR Software makes it easy to remain HIPAA compliant while collecting and protecting necessary patient data. Discover how simple it can be to stay HIPAA compliant when you book a demo to try MWTherapy today.