
HIPAA compliance for physical therapists: A guide

HIPAA compliance is a major aspect of running a physical therapy practice. Physical therapists can protect patient information by understanding the regulations, implementing necessary measures, and staying up to date with changes.


Why is HIPAA important for physical therapy practice owners?

Physical therapy practices handle sensitive patient information, including medical records, treatment plans, and billing information. HIPAA compliance is needed for physical therapy practice owners to protect patient privacy, prevent data breaches, and maintain trust with patients. 


Patient rights under HITECH and the Omnibus Rule

Patients have specific rights under the HITECH Act and the Omnibus Rule, which expanded upon the existing HIPAA regulations.


Access to PHI

Patients have the right to access their own PHI held by physical therapy practices. This includes the ability to view, obtain copies, and request amendments to their health information.


Amendment of PHI

Patients can request changes or amendments to their PHI if they believe it contains errors or incomplete information. Physical therapy practices must have processes in place to handle these requests.


Limited use or disclosure requests

Patients have the right to request restrictions on the use or disclosure of their PHI. Physical therapy practices must consider these requests but are not obligated to agree to them if the restriction would interfere with treatment or payment activities.


Confidential communication of PHI

Patients can request that their PHI be communicated to them in a specific manner or at a specific location to ensure confidentiality.


Breach of privacy notification

Patients must be informed if there is a breach of their privacy, including unauthorized access or disclosure of their PHI.


Complaints about non-compliance

Patients have the right to make complaints if they believe a physical therapy practice is not complying with HIPAA regulations. Practices must have procedures in place to handle these complaints.


Revocation of authorization

Patients can revoke their authorization for the use and disclosure of their PHI, except for disclosures the practice already made in reliance on the original authorization.


Opt-out options for marketing, fundraising, and sale of PHI

Patients have the right to opt out of receiving marketing communications, fundraising solicitations, and the sale of their PHI.


Restricting PHI from health plans

Patients can request that their PHI not be disclosed to their health insurance plans if they pay for the services out-of-pocket.


Receipt of a paper copy of the privacy notice

Physical therapy practices must provide patients with a paper copy of their privacy notice upon request.



Breach notification requirements

In the event of a breach of unsecured PHI, physical therapy practices must follow specific breach notification requirements.


Information to include in breach notifications

When notifying a patient of a breach, physical therapy practices must include:

  • a description of the breach;
  • the types of information involved;
  • steps the individual can take to protect themselves;
  • the actions the practice has taken to investigate the breach, mitigate harm, and prevent further breaches;
  • contact information the affected individual can use to ask questions.


Reporting breaches to the US Department of Health and Human Services (HHS)

Physical therapy practices must report breaches to the HHS Secretary. Breaches affecting more than 500 individuals may also require notification of media outlets and posting on websites. Reporting timelines vary by state, so practices should review their local reporting requirements.



Business associate agreements (BAA)

Physical therapy practices often work with third-party vendors and service providers known as business associates. A business associate agreement (BAA) is a contract that outlines the responsibilities and obligations of both covered entities (physical therapy practices) and business associates.


Initiating the BAA

Covered entities should initiate the BAA to ensure compliance with the HITECH Act and the Omnibus Rule. The BAA should include provisions covering:

  • allowed and required disclosures;
  • downstream subcontractors;
  • safeguarding data;
  • reporting obligations;
  • assurance of compliance;
  • termination clauses;
  • liability and indemnification;
  • monitoring and auditing rights.


Mandatory provisions in the BAA

The BAA should address the specific requirements set forth by the HITECH Act and the Omnibus Rule, ensuring that business associates abide by the same terms as the covered entity. These provisions include restrictions on the use and disclosure of PHI, security rule compliance, breach notification procedures, and the return or destruction of PHI upon termination of the agreement.


Privacy notice requirements

Physical therapy practices must provide patients with a privacy notice that explains how their health information may be used and disclosed. The privacy notice must include specific information and be made readily available to patients.


Offering the privacy notice to patients

Physical therapy practices are required to offer the privacy notice to all new patients, and to active patients whenever the notice is modified. The notice must be easily accessible in the reception or common areas, so that patients and visitors can read it without requesting it from the staff.


Posting the privacy notice in the reception area and on your website

Physical therapy practices must post the privacy notice in a visible location within the reception or common areas. This ensures that patients have access to the notice without having to request it. Additionally, if a practice has a website, the privacy notice must be posted there as well.



Role-based access to PHI and ePHI

Physical therapy practices must implement role-based access to PHI and ePHI, ensuring that each staff member has access only to the information their job requires.


Developing role-based access policies and procedures

To validate access to PHI and ePHI, physical therapy practices should develop written policies and procedures that define roles and responsibilities. These policies and procedures should outline the process for granting and revoking access based on job requirements.


Validating access based on job requirements

Physical therapy practices should validate access to PHI and ePHI based on the individual's job responsibilities. Staff members who require access to PHI and ePHI should be listed explicitly, indicating their need for full access.
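The role-based access model described in the two sections above, as an added example (not code from the original article or from Paubox): each role is granted only the record categories and actions its job requires, anyone not explicitly listed on the staff roster is denied, and every grant, revocation and access decision is written to an audit trail so the practice can review access during its periodic risk assessment. The role names, record categories and roster entries are constructed for illustration.

```python
"""Role-based access control for PHI/ePHI with an explicit staff roster and audit log.

Added example, not from the original article. Roles, record categories and the
staff roster below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record categories a practice holds (constructed examples).
CLINICAL = "clinical_notes"   # treatment plans, progress notes
BILLING = "billing"           # claims, insurance details
SCHEDULING = "scheduling"     # appointment times, contact details

# Role -> permitted (category, action) pairs. Anything not listed is denied,
# which is what "access based on job requirements" means in practice.
ROLE_PERMISSIONS = {
    "physical_therapist": {(CLINICAL, "read"), (CLINICAL, "write"), (SCHEDULING, "read")},
    "billing_clerk": {(BILLING, "read"), (BILLING, "write"), (SCHEDULING, "read")},
    "front_desk": {(SCHEDULING, "read"), (SCHEDULING, "write")},
}


@dataclass
class AccessControl:
    # roster: user -> role. Only explicitly listed staff can be granted anything.
    roster: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event, **details):
        """Append a timestamped entry; every grant, revoke and access decision is recorded."""
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def grant_role(self, user, role):
        """Add a staff member to the roster with a known role (the written 'granting' step)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.roster[user] = role
        self._log("grant", user=user, role=role)

    def revoke_role(self, user):
        """Remove a staff member from the roster, e.g. on role change or departure."""
        role = self.roster.pop(user, None)
        self._log("revoke", user=user, role=role)

    def is_allowed(self, user, category, action):
        """Decide one access request. Unlisted users and unlisted actions are denied."""
        role = self.roster.get(user)
        allowed = role is not None and (category, action) in ROLE_PERMISSIONS[role]
        self._log("access", user=user, role=role, category=category,
                  action=action, allowed=allowed)
        return allowed

    def access_report(self):
        """Category -> sorted list of users who can reach it; the explicit list to review."""
        report = {}
        for user, role in self.roster.items():
            for category, _action in ROLE_PERMISSIONS[role]:
                report.setdefault(category, set()).add(user)
        return {cat: sorted(users) for cat, users in sorted(report.items())}

    def denied_events(self):
        """Denied access attempts, the first thing to look at in a periodic review."""
        return [e for e in self.audit_log if e["event"] == "access" and not e["allowed"]]


def demo():
    """Walk through grant, check, revoke on a constructed roster; returns the controller."""
    ac = AccessControl()
    ac.grant_role("dr_lee", "physical_therapist")   # constructed staff member
    ac.grant_role("pat_b", "billing_clerk")          # constructed staff member
    ac.is_allowed("dr_lee", CLINICAL, "write")       # allowed: in role
    ac.is_allowed("dr_lee", BILLING, "read")         # denied: not this role's job
    ac.is_allowed("temp_user", CLINICAL, "read")     # denied: not on the roster
    ac.revoke_role("pat_b")
    ac.is_allowed("pat_b", BILLING, "read")          # denied: access revoked
    return ac


if __name__ == "__main__":
    controller = demo()
    print(controller.access_report())
    for event in controller.denied_events():
        print("DENIED", event["user"], event["category"], event["action"])
```

The report produced by `access_report()` is the explicit list of who can reach each record category; comparing it against the written role definitions during a risk assessment is how a practice validates that access still matches job requirements, and `denied_events()` surfaces the attempts that the policy blocked.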



In the news

Los Angeles-based Complete P.T. Pool & Land Physical Therapy settled HIPAA violations by paying $25,000 for posting patient testimonials without proper authorization, including full names and photos on its website. The settlement, announced by the Department of Health and Human Services Office for Civil Rights, mandates a corrective action plan and annual compliance reporting for one year. 

The investigation found failures in safeguarding PHI and an unauthorized disclosure of PHI, underscoring that HIPAA requires explicit patient authorization before PHI is used for marketing purposes.



How should physical therapists handle patient consent under HIPAA?

Physical therapists must obtain patient consent before disclosing any protected health information (PHI) to third parties, except when the disclosure is for treatment, payment, or healthcare operations.


What are some best practices for maintaining HIPAA compliance in a physical therapy practice?

  • Regularly train staff on HIPAA regulations and ensure they understand the importance of safeguarding patient information.
  • Conduct regular risk assessments to identify vulnerabilities in the practice's handling of PHI and take steps to address them.


Can physical therapists communicate with patients via email or text messages while remaining HIPAA compliant?

Yes, physical therapists can communicate with patients via email or text messages, but they must use secure, encrypted systems to protect patient information and obtain patient consent for electronic communication.
