HIPAA for Allied Health Professionals
Kim Cavitt, AuD
May 13, 2022


Editor’s note: This text-based course is an edited transcript of the webinar, HIPAA for Allied Health Professionals, presented by Kim Cavitt, AuD.
Learning Outcomes

After this course, participants will be able to:

- List the main components of HIPAA.
- List the 18 pieces of protected health information.
- Identify specifics of the Privacy Rule and explain how it applies to texting, email, and marketing in a healthcare setting.

Components of HIPAA

HIPAA was a bipartisan piece of legislation passed during the Clinton administration. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The main website for HIPAA information is https://www.hhs.gov/hipaa/, but you will see specific links in this presentation (copy and paste them into your browser) that direct you to additional information, typically from the Office for Civil Rights at Health and Human Services, which enforces HIPAA for the government. As links often change, please search from the main website listed above if a link doesn't work.
After 2013, HIPAA has civil and criminal penalties and addresses the following:

- Standard Transaction and Code Sets
- National Provider Identifier
- National Employer Identifier
- HIPAA 5010
- Security
- HITECH (Breach Notification)
- Privacy
- Marketing
- Business Associates

The first thing to think about regarding HIPAA is whether you are a covered entity under HIPAA. A general rule of thumb is that if you transmit any health information electronically, you are subject to HIPAA rules. You are a covered entity any time you submit a claim to a third-party entity or submit health information or medical records to a third party.
Standard Transaction and Code Sets

Let's start with standard transaction and code sets. HIPAA requires that all covered entities use standard transaction and code sets such as CPT (Current Procedural Terminology), ICD-10 (International Classification of Diseases, 10th revision), and HCPCS (Healthcare Common Procedure Coding System). HCPCS codes cover hardware, the services surrounding that hardware, pharmaceuticals, and similar items. These are the code sets you are supposed to follow.
National Provider Identifier (NPI)

Your national provider identifier (NPI) is your unique personal identification number, and it will now follow you for your entire career. It is issued by the National Plan and Provider Enumeration System, or NPPES. You can go to their website at https://nppes.cms.hhs.gov/#/ to get an NPI or look one up, especially if you need it to go out on a claim. This number moves with a provider from employer to employer throughout their career. If you submit the information correctly the first time, a new NPI number is usually generated in one to three hours.
National Employer Identifier

The next item is the national employer identifier (EIN). The EIN is a unique number assigned to your business by the Internal Revenue Service; it is often also known as your tax identification number. Every business has an EIN except for sole proprietors, where the business operates under the owner's social security number. Your practice or organization also needs an organizational NPI. Remember, the NPI is issued by the NPPES system and the EIN is issued by the IRS.
HIPAA 5010

HIPAA 5010 was a systems update that went into effect in 2012. This change allowed for the additional characters of ICD-10 and really affected office management systems, electronic health record systems, electronic medical record systems, software vendors, and clearinghouses. This is also where the switch was made from working in a CMS 1500 format, where the electronic format mirrored the paper form, to working in a format now called the 837P format.
The 837 claims submission format was set forth by HIPAA 5010. You should ask your office management vendor or electronic medical record (EMR) vendor how your system operates. Many systems, except for certified EHRs, still operate in a 1500 format, and your clearinghouse does the conversion to the 837 format. The CMS 1500 format covers the paper form and its electronic equivalent. If your system operates in the 1500 format, or you're still using paper, everything is going to be converted to an 837, either at your clearinghouse or at the payer.
Protected Health Information (PHI)

Let's talk about the 18 pieces of protected health information. All 18 pieces are equally protected. That means they cannot be shared without the patient's authorization, except for three exceptions, which we'll talk about in a moment.
- Names
- Street number and name, city, and last two digits of the zip code
- Dates directly related to the individual (birthdate)
- Phone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health insurance member number
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric indicators (finger, retinal, and voiceprints)
- Photos
- Any unique identifying number, characteristic, or code

Someone's first and last names are protected. In my case, Kimberly Cavitt is a piece of protected health information. Your street number, name, city, and last two digits of your zip code are protected. For example, 2480 State St., Chicago, 60 is protected. Any dates directly related to the individual, such as a birthday, are protected. Your phone number, whether cell or landline, and your fax number are protected. Your email address and social security number are also PHI. I want to really reiterate here that someone's name is equally protected as their social security number. Your medical record number, health insurance member number, account number, certificate or license number, and vehicle identifiers or serial numbers are protected as well.
Any device identifiers or serial numbers are included as PHI. If your patient has hardware, such as a hearing aid or an augmentative communication device, that has a serial number uniquely assigned to that patient, that serial number is protected. In addition, URLs, IP addresses, and biometric indicators, including finger, retinal, and voiceprints, are protected. I cannot stress enough that a patient's image is protected. Before you put a video with a patient on social media, you really need to make sure you have the patient's authorization to use their image. Again, any unique identifying number, characteristic, or code is also protected.
HIPAA Security Rule

The Security Rule is an extension of the Privacy Rule and went into effect on April 20, 2005. HIPAA security is about protecting the electronic systems that store and transmit patient information. Electronic patient health information is called ePHI. HIPAA security covers ePHI and everything that you store. When it comes to security, you have to think about everything in your office that stores or transmits patient information. Providers need to have administrative safeguards, physical safeguards, and technical safeguards. You also need written policies and procedures related to these security provisions. In addition, your security policies need to document how people have been trained and what your audit and sanction processes are. We're going to break this down a little bit.
Risk Assessment

The first thing you need to do is a risk assessment. What do allied health professionals need to think about when they're thinking about HIPAA? You need to think about computers, phones, tablets, fax machines, and answering machines. Remember, a patient's voice and any protected health information they've shared on an answering machine are protected, and you need to include it in your risk assessment. Also think about any test equipment that stores or transmits ePHI, as well as your EHR, EMR, and OMS vendors, because they have access to your information. While NOAH is unique to audiology, it would also be included in this list. You need policies around anything that stores or transmits information and how that information is being protected.
Administrative Safeguards

The first step is administrative safeguards. What do you have in place to reduce the risk of breaches of protected health information that is stored electronically? What policies and procedures do you have? Every practice needs a security officer. You need to know who is responsible for the security of this ePHI. If we are talking about a hospital or large clinic, you probably have a security officer who is the head of IT or the CIO at your entity or facility. Those of you in private practice or a nonprofit are going to need to assign someone as your security officer. In a bigger entity the practice manager, or the executive director of a nonprofit, would be your security officer. In an owner-operated private practice, it's typically the owner who is the security officer.
The security officer at every facility needs to regulate who has access to protected health information and by what means. For example, on what equipment can they access PHI? Can they use personal devices or access the PHI at home? Can every employee access it, or do some staff have more access than others? It's all about minimally necessary access. You need to look at each of your staff members and determine, for that position, how, where, and when they can access electronic protected health information. You need training and accountability. You should authorize and document, either by individual name or by position, who has access to ePHI, including where, when, and how. You need to train staff on these policies and procedures once they're created. Audit your staff to make sure the policies are being followed, and sanction staff who do not comply. That sanction has to be documented. I strongly recommend that you have a process of sanctioning outlined in your HR materials, including employee manuals. It can include firing or termination.
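The "minimally necessary access" idea above (authorize by position what ePHI may be accessed, from where, when and on which devices, and keep an audit record of every decision so that non-compliance can be found and sanctioned) can be made concrete in code. The following is an added example, not part of the webinar or any product it mentions; the positions, ePHI categories, device and location labels, hours, and the sample access requests are all constructed for illustration, and a real practice would write its own policy after its risk assessment.

```python
"""Minimum-necessary access policy for ePHI with an audit trail.

Added example (not from the webinar). It assumes a small practice that
records, per position, which ePHI categories staff may read, on what kind
of device, from where, and during which hours. Positions, categories and
the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Per-position policy: what may be accessed, where, when and on which devices.
# Constructed sample; a real practice writes its own after its risk assessment.
POLICY = {
    "audiologist": {
        "categories": {"demographics", "clinical", "device_serials"},
        "devices": {"managed"},
        "locations": {"office", "remote"},
        "hours": (7, 20),          # permitted hours, [start, end)
    },
    "front_desk": {
        "categories": {"demographics", "insurance"},
        "devices": {"managed"},
        "locations": {"office"},
        "hours": (8, 18),
    },
    "billing": {
        "categories": {"demographics", "insurance", "account_numbers"},
        "devices": {"managed"},
        "locations": {"office", "remote"},
        "hours": (8, 18),
    },
}


@dataclass
class AccessRequest:
    user: str
    position: str
    category: str
    device: str      # "managed" or "personal"
    location: str    # "office" or "remote"
    when: datetime


@dataclass
class AuditLog:
    """Every access decision, allowed or denied, is recorded here."""
    entries: list = field(default_factory=list)

    def record(self, req, allowed, reason):
        self.entries.append({
            "user": req.user, "position": req.position, "category": req.category,
            "device": req.device, "location": req.location,
            "when": req.when.isoformat(), "allowed": allowed, "reason": reason,
        })

    def denials_by_user(self):
        """Count denied requests per user: the input to the audit/sanction step."""
        counts = {}
        for e in self.entries:
            if not e["allowed"]:
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts


def evaluate(req, log, policy=POLICY):
    """Return (allowed, reason) for one request; the decision is always logged."""
    rule = policy.get(req.position)
    if rule is None:
        reason = "unknown position"
    elif req.category not in rule["categories"]:
        reason = f"{req.position} not authorized for {req.category}"
    elif req.device not in rule["devices"]:
        reason = f"{req.device} device not permitted"
    elif req.location not in rule["locations"]:
        reason = f"access from {req.location} not permitted"
    elif not (rule["hours"][0] <= req.when.hour < rule["hours"][1]):
        reason = "outside permitted hours"
    else:
        reason = "within minimum-necessary policy"
        log.record(req, True, reason)
        return True, reason
    log.record(req, False, reason)
    return False, reason


def run_sample():
    """Evaluate a constructed batch of requests and return the audit log."""
    log = AuditLog()
    requests = [
        AccessRequest("alice", "audiologist", "clinical", "managed", "remote", datetime(2022, 5, 13, 9, 30)),
        AccessRequest("bob", "front_desk", "clinical", "managed", "office", datetime(2022, 5, 13, 10, 0)),
        AccessRequest("bob", "front_desk", "demographics", "personal", "office", datetime(2022, 5, 13, 10, 5)),
        AccessRequest("carol", "billing", "account_numbers", "managed", "remote", datetime(2022, 5, 13, 22, 0)),
        AccessRequest("dave", "volunteer", "demographics", "managed", "office", datetime(2022, 5, 13, 11, 0)),
    ]
    for req in requests:
        evaluate(req, log)
    return log


if __name__ == "__main__":
    for entry in run_sample().entries:
        print(entry)
```

The point of the structure is that the policy is a document the security officer can review position by position, the decision function applies it uniformly, and the log captures denied attempts (a front-desk user reaching for clinical notes, a personal device, an after-hours request, an unassigned position) so the audit and sanction steps have evidence to act on rather than recollection.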
Physical Safeguards

Physical safeguards are...


Kim Cavitt, AuD

Kim Cavitt, AuD was a clinical audiologist and preceptor at The Ohio State University and Northwestern University and has served as an Adjunct Lecturer at Northwestern and Western Michigan Universities. Since 2001, Dr. Cavitt has operated her own Audiology consulting firm, Audiology Resources, Inc. Audiology Resources, Inc. provides comprehensive operational, compliance and reimbursement consulting services to hearing healthcare providers. She is a Past President of the Academy of Doctors of Audiology (ADA), serves as the Chair of the State of Illinois Speech Pathology and Audiology Licensure Board, is Vice President of Government Relations for the Illinois Academy of Audiology and serves on committees through ADA and ASHA.


