Six PHI pitfalls for therapy practices that put HIPAA compliance at risk

HIPAA regulations protect patient health information's privacy, which is especially important for therapists. However, there are several common Protected Health Information (PHI) pitfalls that smaller therapy practices can fall into when it comes to safeguarding patients. 

While most therapy practices won't likely end up on the OCR's "Wall of Shame," breaches create a loss of trust between client and therapist, impact patient treatment, and often lead to fines and penalties.

Below are the six common PHI pitfalls for small therapy practices. They're avoidable with a bit of thought and care. 

1. Inadequate physical security of PHI

Inadequate physical security measures make accessing your patients' PHI easy for unauthorized persons. This can lead to identity theft and fraud.

A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

Summary of the HIPAA Security Rule

Small therapy practices can take several measures to improve physical security, protect PHI, and remain HIPAA compliant such as:

• Storing physical documents containing PHI in locked cabinets or rooms
• Implementing password-protected screensavers on computers containing PHI
• Encrypting devices that contain PHI
• Properly disposing of any devices or documents containing PHI that are no longer needed

2. Insufficient employee training 

Employees of small therapy practices may not receive adequate training on HIPAA regulations and the proper handling of PHI. This can lead to accidental or intentional violations of patient privacy. 

A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

Summary of the HIPAA Security Rule

Your practice can ensure that their employees receive proper HIPAA training by:

• Providing regular training on HIPAA regulations and privacy policies
• Conducting refresher training sessions to ensure employees are up-to-date with any changes
• Requiring employees to sign confidentiality agreements to demonstrate their understanding of the importance of PHI protection

Related: Understanding and implementing HIPAA rules

3. Lack of policies and procedures 

Related to the above point about training, a lack of written policies and procedures can lead to inconsistent practices and potential violations of HIPAA regulations. The consequences of a lack of policies and procedures include fines and legal action, loss of trust, and reputational damage.

Written policies provide a framework for managing PHI, making it easier for therapists and staff to protect patient information. 

• Develop written policies and procedures for PHI handling
• Implement protocols for responding to privacy breaches
• Documenti PHI disclosures or access to ensure accountability

Note: The HHS requires that therapists and other healthcare organizations "periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI)."

4. Improper disposal of PHI 

Improper disposal of PHI can lead to the unauthorized disclosure of PHI. This can lead to identity theft, fraud, and reputational damage. The consequences of improper disposal of PHI include fines and legal action, loss of trust, and reputational damage.

Small therapy practices can properly dispose of PHI by:

• Shredding paper records containing PHI before disposal
• Wiping data from electronic devices before disposal
• Properly disposing of PHI-containing hardware or media

5. Insecure communication 

Insecure communication methods can lead to the unauthorized disclosure of PHI. This can lead to identity theft, fraud, and reputational damage. The consequences of insecure communication methods include fines and legal action, loss of trust, and reputational damage.

Therapists can implement secure communication methods to protect PHI, such as:

• Using HIPAA compliant email or text messaging to communicate PHI
• Implementing secure messaging systems for communication
• Providing separate login credentials for each employee to avoid sharing of usernames and passwords

Related: How to avoid unsecured transmission of PHI

5. Vendor management 

Small therapy practices may use third-party vendors that handle PHI on their behalf, such as electronic health record (EHR) systems or billing services. Failing to properly manage these vendors can lead to HIPAA violations. The consequences of inadequate vendor management practices include fines and legal action, loss of trust, and reputational damage.

The HIPAA Privacy Rule Summary states that "when a covered entity uses a contractor or other non-workforce member to perform 'business associate' services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement."

Properly manage vendors by:

• Performing due diligence on third-party vendors' HIPAA compliance
• Implementing contracts with vendors that address PHI handling
• Obtaining a Business Associate Agreement (BAA) to ensure that the vendor also adheres to HIPAA regulations

By implementing the measures outlined in this blog post, therapy practices can protect patients' privacy and avoid penalties. With these measures in place, therapy practices can operate with confidence that they are in compliance with HIPAA regulations and are providing the best possible care to their patients.