Massage & Bodywork

JULY | AUGUST 2019

Issue link: https://www.massageandbodyworkdigital.com/i/1128556


HOW DO I STAY IN COMPLIANCE WITH HIPAA AND PHI?

Although HIPAA privacy laws are not clear where massage and bodywork professionals are concerned, it is best to comply with the law and eliminate potential problems. Those working in similar businesses are required to follow laws regarding the use or disclosure of health information and may provide services to health insurance companies while processing claims. Technically, massage therapists do not fall into the protected health information (PHI) category, but there seems to be a consensus that they should act as if they do. Following are some areas to consider to maintain compliance with HIPAA privacy laws and, specifically, PHI.

Information Storage

Consider all the places you keep personal client information—including computers, hard copies, and your phone—that would be considered protected health information. Yikes! Right? Use the following tips to help keep your patient information private.

PHI data on computers:
• Use an antivirus program to prevent attacks to your hard drive.
• Use a firewall to block unauthorized access while still permitting outward communication.
• Download/install security updates.
• Use a strong password. (See "Password Tips" on page 77.)
• Use caution when opening emails with attachments.
• Do not open personal email on your business computer.
• Back up your records.

Hard copy files:
• Store records in a location only accessible to you and your employees.
• Shred files that are no longer needed.
• Keep records out of public view.
• After use, return files immediately to the secure location.

PHI data on cell phones:
• Password protect cell phones. A case was settled in June of 2016 where an iPhone containing a vast amount of PHI, including Social Security numbers, treatment and diagnosis information, medications, and more, was stolen. The facility was fined $650,000.¹
• Store cell phones in a secure location at all times.

Unfortunately, if devices containing PHI are not secured, they are subject to the possibility of loss or theft. If the information stored on such devices is not encrypted or password protected, the loss or theft of the device becomes an even more severe issue. The bottom line is this: PHI records must be secure at all times. Also, if information is going to be transmitted to someone else via computer, cell phone, or hard copy, a consent form should be signed by your client.

Private Conversations

Keep PHI conversations confidential. Make sure you have privacy when conversing about client details. Casual conversation can be more revealing than you realize. Mentioning anything about your clients publicly is disrespectful and shows a lack of professionalism and a disregard for HIPAA requirements.

We Appreciate Feedback …

Research shows that 91 percent of people regularly or occasionally read online reviews, and 84 percent trust the reviews as much as a personal recommendation.² What people say about you online matters, and asking your clients to provide service reviews is perfectly legal. Your clients can even mention you or your staff members by name, and they can also provide information about the services they've received.

But …

Beware of confirming client statements in online reviews. Confirming the statements in their review also confirms they're a customer—and may even disclose the types of treatments they received. Saying any more than "We appreciate your feedback" might land you in hot water regarding HIPAA privacy regulations. Confirming they're a client or even that they had a particular treatment is a way of revealing private and sensitive information. Keep your review responses vague in order to avoid violations.

HOW DO I PROTECT MYSELF?

For added protection in complying with HIPAA and PHI regulations, consider waivers and disclaimers.

Disclaimers Add a Layer of Protection

Trying to maintain the confidentiality of your clients may be easier by adding disclaimers to your social media profile—and any other forums you use. For example, if you have a blog, include a disclaimer that tells people you're not giving medical advice—and make sure you don't. The internet is a public venue, so if clients are posting comments, they should know they could be posting private information to a public group of people. Make them aware, and you won't have to worry about violating HIPAA rules.

Sign a Waiver, Please

If you take any photos of clients, make sure you have permission before publishing. Even blocking out facial features—or only showing a part of the body—does not guarantee anonymity. Unless they've signed
