HIPAA is a governmental effort to ensure that personal health information remains private and secure. It’s up to healthcare practices and facilities to ensure that they follow HIPAA requirements.
When patients and doctors communicate using Zwivel’s online consultation tool, the information is transferred and stored in accordance with all HIPAA Privacy & Security Rules.
Here are some of the basics facts surrounding HIPAA that patients and healthcare practitioners should be aware of:
What is HIPAA?
HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, resulted in the development of federal regulations to protect the privacy and security of personal health information.
HIPAA privacy rules govern how personal health information is protected, such as by having patients identify exactly who is permitted to have access to their records. HIPAA security standards established requirements for how medical facilities and practices must store or transfer electronic information.
What does it mean for patients?
Patients should feel assured that any information about their procedures will not be shared with anyone without their knowledge and written consent, including other doctors or healthcare offices. And practices that already have possession of patients’ private information have administrative procedures and technology in place that will keep it confidential.
What does HIPAA mean for plastic surgery practices?
Plastic surgery practices have been required since 2003 to use technology and new administrative procedures to ensure that patient information is always private and secure. To avoid hefty fines, practices should remain up-to-date on HIPAA laws and requirements.
What are the sanctions for non-conformity to HIPAA requirements?
Financial penalties are immediately steep for failure to adhere to HIPAA guidelines, whether the practice was aware or not. According to the American Medical Association, the annual maximum fine is $1.5 million, with starting fines ranging from $100 to $50,000 per civil violation. Criminal penalties include fines up to $50,000 and up to a year in jail.
What can practices do to ensure HIPAA compliance?
Since personal information privacy and security are at the heart of HIPAA, to be compliant, plastic surgery practices should do everything possible to ensure that information is inaccessible except by authorized staff members. To achieve that, consider:
- Installing network security measures to prevent hacking
- Installing individual computer firewalls
- Installing and maintaining up-to-date anti-virus programs
- Encrypting email messages between other healthcare providers, where personal information might be shared
The American Academy of Family Physicians offers additional recommendations here.
What are the regulations regarding contact information gathered through email?
According to the U.S. Department of Health and Human Services, when patients make contact with healthcare providers via email, practices can continue to correspond with them electronically. However, if the practice believes the patient may not realize the potential risks of communicating via unencrypted email, it is their responsibility to relay that cautionary information.
Are website contact forms HIPAA-compliant?
Contact forms or “request an appointment” forms on practice websites are compliant as long as they collect contact information only. For example, name, address, phone number, and email address are fine to request via a form.
However, if any medical information is requested, such as the reason for the appointment or a description of specific complaints, the data entered must be encrypted. Otherwise, the form is not compliant. On top of that, the data then needs to be stored on a HIPAA-compliant server; not only does the data transfer process need to be encrypted, but the storage device needs to be as well.
A workaround for practices without encrypted forms is to collect contact information and ask patients to print off a pdf form that requests a personal health history in writing, to be delivered to the first appointment. Since such information is not being delivered electronically, the contact page is compliant.
Finally, you need a clearly-stated security policy with rules that guide who has access to the data and requires a log of when an employee views the data.
