Here’s the final definitive answer!! Are you ready?...........
It depends. There are several factors to consider when figuring out if you and/or your business need to be HIPAA compliant. Here is some info from the CMS.gov website.
Are You a Covered Entity?
“The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is
- a health care provider that conducts certain transactions in electronic form (called here a "covered health care provider").
- a health care clearinghouse.
- a health plan.”
The first one does apply to many massage therapists. Just because you use a computer or e-mail does not mean that you need to be HIPAA compliant.
How you actually use computer transactions is what determines whether you are a “covered entity” under the HIPAA guidelines.
What are HIPAA covered transactions?
“In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits and premium payment.”
http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html
If you are not using these types of transactions in your business, then you are not a “covered entity” and you need not be HIPAA compliant.
Here is a worksheet to help you figure out if you are a covered entity. http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf
There is a great deal of information out there regarding this subject. I’ve read articles written by massage instructors and other industry experts with completely opposing viewpoints. I’ve also seen one article misquoting the other one, and things taken out of context!! Personally, I wouldn’t take anyone else’s word for it; do your own research. Check your state board requirements. Read the official HIPAA website and documents. Call them if you have questions. You/your business may be a “covered entity”; then again, it might not.
It is probably a very good idea for most massage therapists to follow HIPAA guidelines. However, knowing what is required of you by law can help you to make a logical plan to implement your procedures. I hate to think of a therapist going through a lot of stress and expense for something that is not required of them. Purchasing a filing cabinet that locks and a good computer firewall system may be sufficient. Spas and in-home massage businesses may just need to use good old-fashioned common sense.
Your state board probably has rules about client privacy, record retention, and professional boundaries and conduct. To find them, just go to your state board website. For my state (North Carolina) it is listed under documents – practice act – rules and regulations. Any professional organization you are a member of probably will have a code of ethics and information about keeping client records safe and secure.
I hope you have a wonderful day! Gael