HIPAA and ABA
HIPAA, the Health Insurance Portability and Accountability Act (1996), is a law developed to protect the health care information of individuals. The act provides specific measures that control access to that information and protect it from unauthorized use, disclosure, alteration, or destruction that could negatively affect a patient’s privacy.
HIPAA provides federal protection for protected health information (PHI) that can be used to identify an individual client, such as: patient demographics, medical or mental health diagnoses and treatments, health care services provided, health care payment information, names, addresses, birth dates, and social security numbers. However, it is essential for ABA therapists (and all medical professionals) to recognize that any health-related information that could potentially be used to identify a client is also protected, so always be cautious about how specific you are when discussing a patient.
A second intended outcome of the HIPAA Privacy Rule is to allow protected health information to be disclosed more readily among healthcare professionals for patient care and other important purposes.
Required disclosures include requests from the Department of Health and Human Services and requests from the individual themselves. Permitted disclosures include providing information to the individual or their legal guardians; for treatment, payment, or health care operations; for underwriting and insurance purposes; and for any other reason required by law. Individual state laws set the precedent for these scenarios.
Who does HIPAA affect and how do ABA providers know if HIPAA applies?
HIPAA applies to a number of “covered entities,” which include healthcare providers, health plans, and healthcare clearinghouses. For HIPAA to apply to a covered entity, a transaction involving, or the maintenance of, protected health information must take place.
Some examples of electronic transactions that are covered by HIPAA include:
- Health claims
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care claim status
- Referral certification and authorization
- First report of injury
- Health claims attachments
- Other transactions as recommended by the Secretary of HHS
Other parties covered by HIPAA include Business Associates, who are defined as “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” A business associate can also be a subcontractor that takes part in the transmission of protected health information on behalf of another business associate; subcontractors are therefore legally obligated to comply with HIPAA provisions.
An ABA provider may be considered a Covered Entity or Business Associate, depending on the nature of their relationship to the patient, with different HIPAA rules applying to them depending on their role. Business Associates of ABA providers may relate to: practice management system partners, mobile device management vendors, email encryption vendors, or any other party that may create, receive, maintain, or store the ABA provider’s PHI.
How can an ABA provider comply with HIPAA?
To comply with HIPAA, ABA providers must follow a number of standards and restrictions set by the law, including:
- Provide information, in writing, to patients about their privacy rights and how their information will be used in connection with their health care treatment.
- Obtain acknowledgement that the patient/family received this information, and provide it at or before the first day of delivery of services.
- Define the organization’s Legal Health Record and Designated Record Set.
- Establish safeguards for all PHI, whether hard copy, electronic, or verbal.
- Limit the circumstances under which PHI is disclosed or its disclosure is authorized.
- Develop policies, procedures, and systems to protect the privacy of patients.
- Effectively secure patient data and records from others who should not have access.
- Employ personnel that will make sure privacy policies and procedures are created, adopted, and followed.
- Appoint personnel that will ensure security procedures are developed and adopted.
- Complete Privacy, Security, and Breach gap analysis for the medical practice.
- Establish contracts with business associates and subcontractors.
- Develop an official process for the handling and mitigation of complaints.
- Account for specified disclosures of PHI covered by HIPAA.
- Establish a process and system for dealing with the violation of privacy and security policies and procedures by employees.
- Establish a compliant breach management process.
- Effectively train staff on these procedures.
What are some of the best practices for my staff to follow regarding HIPAA?
Complying effectively with HIPAA requires continual staff training. As HIPAA standards continue to change with industry and technology trends, management must maintain compliant best practices to ensure that no violation takes place and that patients receive the best possible care. Some of these best practices include:
- Provide up-to-date training programs for employees handling PHI and performing health plan administrative functions.
- Avoid accessing a patient’s record unless required by work or with written permission from the patient or guardian.
- Minimize social conversation with others about patient information.
- Do not use a patient’s full name within hearing distance of others.
- Close computer programs that contain private patient information when not in use. This includes using software that requires usernames and passwords so non-essential personnel cannot view the information.
- Ensure passwords are never shared between staff members.
- Secure paperwork containing PHI in locked drawers or folders when not in use. This includes never leaving records or PHI strewn about the office.
- Always use a cover sheet when faxing PHI.
- Properly dispose of documents containing private information by shredding paper files.
- Make sure that business associates and partnering vendors are also following HIPAA standards and rules.
- Limit e-mail transmission of PHI to cases where the information cannot be sent in another manner.
- Back up all disks to a HIPAA-compliant cloud server, which offers better protection than local servers or paper documents.
For additional information regarding HIPAA considerations for ABA practitioners, watch this video.
Amvik Solutions can help you with everything from medical billing, to insurance credentialing, and practice management.
Amvik Solutions offers a bevy of services to help support your practice, beginning with client intake and ending with billing and payroll, with everything in between. Benefits of our webABA practice management software include:
- Client Authorization Management
- Easily search for providers by proximity and availability
- Billing – Private Insurance, School, Regional Center or Private Pay
- Automatically separate rendered sessions under the correct CPT® Category III codes for billing
- Payroll – Integrated with ADP and other 3rd party payroll providers
- HR Module – Track and manage all employee credentials
- Provider Portal – Easy access to schedule, timesheet submission and internal messaging system
- Customizable Reports
- Document Management – For clients and employees
- Management Control – Customizable dashboard for different levels of management
- 24/7 access on any desktop, laptop, tablet or mobile device
- HIPAA compliant
Contact us today at 805-277-3392 to find out how we can help your ABA clinic.