
Acupuncture Today – August, 2022, Vol. 23, Issue 08

Has Your State Eliminated the HIPAA Compliance "Loophole"?

By David Bibbey, Dipl. Ac., LAc

Editor's Note: This is the fifth article in David's 2022 series devoted to assisting acupuncture practitioners in understanding and complying with different aspects of the Health Insurance Portability and Accountability Act (HIPAA). The first article appeared in the February 2022 issue.


Acupuncturists should identify which state and federal laws apply to creating, receiving, managing, and destroying all written and electronic protected health information (PHI and ePHI). No single resource for this information exists, so begin by doing a local web search for "[state name] health privacy laws"; e.g., "California health privacy laws."1

Not Just Federal Rules

It's easy to assume federal HIPAA laws and rules are the only comprehensive regulations covering patient privacy and data security, because "HIPAA" gets all the attention. But over the past decade, individual states have enacted strict consumer protections; many now include civil and criminal codes allowing for prosecutions and hefty fines for patient privacy and data security violations and noncompliance. The best way to avoid these issues is to know which state and federal laws apply to your practice, and update your existing technology, documentation and training accordingly.

Definitions and concepts found in the 1996 HIPAA law and 2002 privacy rule have undergone a major overhaul in the past 25 years – specifically, to strengthen requirements and fines for "covered entities" and "business associates"; and expand patients' rights to access and amend their health data, and limit the sharing of their PHI.

Gone is the loophole under federal law for covered entities who were exempt from HIPAA compliance because they did not manage "electronic transactions" related to insurance billing practices.2 States have modernized privacy laws and now define covered entities to mean licensed health care providers who furnish health care services. For example, per California HSC §1280.18(a):

Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

Laws vary from state to state, but many states now regulate acupuncturists as both health care providers and "covered entities." This requires that digital data created, stored, received, and transmitted by acupuncturists be securely encrypted. Clinics must create, document, update and follow office policies and procedures that assure patients' rights are being respected, along with implementing specific safeguards to assure patients' PHI, whether in paper or electronic form, is always secure.

Required "Safeguards"

State laws and the HIPAA privacy and security rules require covered entities to document and implement policies, procedures and technology to address three "safeguards": administrative, physical and technical. These safeguards are the means of managing and securing PHI and ePHI, and they are designed to protect its confidentiality, integrity and accessibility.

Administrative safeguards help covered entities identify and use policies and procedures to prevent, detect, contain, and correct security deficiencies. Four areas have to be documented: 1) security risk analysis; 2) risk management plan; 3) workforce sanction policy; and 4) information system activity review.3

Physical safeguards are the physical measures, policies and procedures to protect electronic information systems, buildings and equipment. Successfully implemented, these standards help protect covered entities' ePHI from natural and environmental hazards, as well as unauthorized intrusion. Use of these documented policies is helpful for training and audit purposes.4

Technical safeguards describe and address access controls, data-in-motion and data-at-rest requirements. A covered entity must document and implement technical policies and procedures to maintain and restrict access to PHI and ePHI to only those individuals who have been granted specific access rights. Four basic implementation specifications for the access controls standard are: 1) unique user identification; 2) emergency-access procedure; 3) automatic logoff; and 4) encryption and decryption. Other technical safeguards must be implemented to secure patient data at rest (stored) and in motion (transmittal).5
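As an added illustration (not code from this article or from Patient Data Protection, LLC), the following Python model shows what three of the four access-control specifications above look like in software: every person gets their own user id, a session is dropped automatically after a period of inactivity, and a licensed provider can invoke a time-limited emergency ("break-glass") access that is always written to the activity log. The log also serves the "information system activity review" listed under administrative safeguards. The user ids, patient id, record text, and the 15-minute and one-hour limits are all constructed for the example and are not figures from the article or from any regulation; encryption and decryption, the fourth specification, is left to a vetted cryptographic library and is not shown.

```python
"""Illustrative clinic records access model (added example, not the article's code).

Shows unique user identification, automatic logoff, an audited emergency-access
procedure, and an activity log for periodic review. All names, ids, record text
and time limits are constructed for the example. Authentication (passwords, MFA)
and encryption at rest/in transit are out of scope here.
"""
from dataclasses import dataclass
import secrets

INACTIVITY_LIMIT = 15 * 60      # seconds idle before automatic logoff (assumed policy value)
BREAK_GLASS_WINDOW = 60 * 60    # emergency access expires after this long (assumed policy value)


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float
    emergency_until: float = 0.0    # greater than "now" while break-glass access is active


class RecordsSystem:
    def __init__(self):
        self.users = {}          # user_id -> role; one login per person, never shared
        self.records = {}        # patient_id -> (treating_provider_id, note text)
        self.sessions = {}       # session token -> Session
        self.activity_log = []   # (time, user_id, action, detail), reviewed periodically

    def _log(self, now, user_id, action, detail=""):
        self.activity_log.append((now, user_id, action, detail))

    def add_user(self, user_id, role):
        # Spec 1: unique user identification. A shared "frontdesk" login would defeat the log.
        if user_id in self.users:
            raise ValueError("user ids must be unique")
        self.users[user_id] = role

    def login(self, user_id, now):
        role = self.users[user_id]
        token = secrets.token_hex(16)           # unguessable session identifier
        self.sessions[token] = Session(user_id, role, now)
        self._log(now, user_id, "login")
        return token

    def _session(self, token, now):
        # Spec 3: automatic logoff. Any request after the idle limit ends the session.
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("not logged in")
        if now - s.last_activity > INACTIVITY_LIMIT:
            del self.sessions[token]
            self._log(now, s.user_id, "auto_logoff")
            raise PermissionError("session expired after inactivity")
        s.last_activity = now
        return s

    def request_emergency_access(self, token, reason, now):
        # Spec 2: emergency-access procedure. Limited to providers, time-boxed, always logged.
        s = self._session(token, now)
        if s.role != "provider":
            raise PermissionError("only licensed providers may invoke emergency access")
        s.emergency_until = now + BREAK_GLASS_WINDOW
        self._log(now, s.user_id, "break_glass", reason)

    def read_record(self, token, patient_id, now):
        s = self._session(token, now)
        provider_id, text = self.records[patient_id]
        if s.user_id == provider_id:                        # treating provider: normal access
            self._log(now, s.user_id, "read", patient_id)
            return text
        if s.role == "provider" and now < s.emergency_until:  # another provider under break-glass
            self._log(now, s.user_id, "emergency_read", patient_id)
            return text
        self._log(now, s.user_id, "denied", patient_id)     # everyone else, including front desk
        raise PermissionError("no access right to this record")

    def review_activity(self, action):
        """Activity review: pull every log entry of one kind (e.g. all break-glass uses)."""
        return [entry for entry in self.activity_log if entry[2] == action]


def demo():
    """Walk through the controls with constructed users and one constructed record."""
    system = RecordsSystem()
    system.add_user("lac_chen", "provider")
    system.add_user("lac_ortiz", "provider")
    system.add_user("desk_kim", "front_desk")
    system.records["pt-1001"] = ("lac_chen", "constructed treatment note")
    t0 = 1_000_000.0
    chen, ortiz, kim = (system.login(u, t0) for u in ("lac_chen", "lac_ortiz", "desk_kim"))
    out = {"treating_provider_read": system.read_record(chen, "pt-1001", t0 + 10)}
    try:
        system.read_record(ortiz, "pt-1001", t0 + 20)
        out["other_provider"] = "allowed"
    except PermissionError:
        out["other_provider"] = "denied"
    system.request_emergency_access(ortiz, "patient collapsed in reception", t0 + 30)
    out["emergency_read"] = system.read_record(ortiz, "pt-1001", t0 + 40)
    try:
        system.read_record(kim, "pt-1001", t0 + 50)
        out["front_desk"] = "allowed"
    except PermissionError:
        out["front_desk"] = "denied"
    try:   # chen has been idle 16 minutes since the read at t0 + 10
        system.read_record(chen, "pt-1001", t0 + 10 + 16 * 60)
        out["after_idle"] = "allowed"
    except PermissionError:
        out["after_idle"] = "auto_logoff"
    out["break_glass_events"] = len(system.review_activity("break_glass"))
    out["denied_events"] = len(system.review_activity("denied"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the walkthrough is in the log rather than the access decisions themselves: the break-glass read by the second provider is permitted but leaves a "break_glass" entry with a reason, and the two refused reads leave "denied" entries, which is exactly the material a periodic activity review looks for.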

Knowledge is Power

States typically follow federal guidelines under HIPAA and the National Institute of Standards and Technology (NIST) to assess and enforce providers' compliance with completing a security risk analysis (SRA), clinic privacy rule and security rule policies / procedures, business associate agreements and data breach notifications.6

Achieving patient privacy and data security compliance that meets state and federal requirements is an ongoing challenge for all health care providers, but understanding and following the law will simplify the process.

References

  1. Federal and State Health Laws. State of California Office of Health Information Integrity: www.chhs.ca.gov/ohii/health-laws/.
  2. Health Care Transactions Basics. Centers for Medicare & Medicaid Services.
  3. Security Standards: Administrative Safeguards. U.S. Dept. of Health & Human Services.
  4. Security Standards: Physical Safeguards. U.S. Dept. of Health & Human Services.
  5. Security Standards: Technical Safeguards. U.S. Dept. of Health & Human Services.
  6. Security Rule Guidance Material. U.S. Dept. of Health & Human Services.

Author's Note: For more information related to this article, please visit www.patientdataprotection.com or call Matthew Fiorenza, compliance and security specialist, at 352-268-5088, ext. 4. 


David Bibbey is the president of the Florida State Oriental Medical Association (FSOMA) and the CEO of Patient Data Protection, LLC, a HIPAA and ADA compliance company specializing in supporting small practices and sole providers with HIPAA Privacy & Security Rule technologies and ADA website accessibility. You can contact David with questions and comments: Tel: 352-268-5088, ext. 4; Web: www.patientdataprotection.com.

