Special Note: This article series was originally published on the Private Practice for Midwives blog in 2013. We have had multiple requests to reprint it here on the MN blog. While MN continues to primarily serve midwifery practices in the US, we have expanded our offerings to include obstetric-led practices that are drawn to the midwifery model workflows inherent in our platform. We often change terms to be inclusive in all ways, but keeping the original title seemed important in reflecting the roots of this company.
The biggest concerns we hear from midwives about their charts center around HIPAA. They wonder whether they need to comply, or more importantly how to do so in a way that retains the personal and flexible style of practice that is inherent to midwifery.
As it’s a 1,000-page law with numerous subsections and amendments, there is no such thing as a “10 Easy Steps to HIPAA Compliance” article, but there is some basic information to help us all get a better understanding of what it is, why it matters, and how you can implement simple steps into your workflow to be more conscientious about HIPAA.
HIPAA In Depth.
For a comprehensive and technical definition of HIPAA, visit the government’s Web site: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html. You’ll find everything you could possibly want to know and more. Just about any question you can think of can be answered in the FAQ section alone. The goal of this series of articles (yes, it’s going to take more than one to cover HIPAA in the Midwives Workflow) is to give you the basics in a context that you can really relate to: what you do every day.
What is HIPAA?
HIPAA is an acronym for a federal law that pertains to the protection of personal health information. It stands for the Health Insurance Portability and Accountability Act. HIPAA is divided into two primary “Rules” or sections: Privacy and Security.
Does every midwife have to comply?
You might have noticed that the I in HIPAA stands for “Insurance”, not “Information” as most people assume. This is because HIPAA came about in response to the insurance industry moving toward modernization through electronic billing systems and the concern over intentional or accidental release of insurance-related information. HIPAA calls providers who must comply “covered entities”, and the definition of a covered entity relates almost entirely to providers and associates who deal with insurance billing.
This effectively means that if you never bill insurance, don’t have a lab account or an account with any other entity that bills insurance, then you can stop reading after you consider this:
HIPAA has rapidly altered the standard of professional health care in the United States. Despite the loophole of insurance billing, all providers are assumed to be practicing in accordance with HIPAA. Though compliance may not be your favorite word, consider the word professional and know that these standards are only going to become more ingrained in our electronic culture.
The Rules: Privacy
Privacy is the easy one to understand and, in many cases, is what you already do for ethical and professional reasons. You don’t talk about your clients to others in the community and you remove all protected health information (PHI) when you have a case in peer review.
What is PHI?
PHI is defined by HIPAA as “individually identifiable health information”. If there is anything in the information that you store or send that can identify who that client is, it is PHI.
The HIPAA Privacy Rule addresses the issue of privacy in terms of both formal and informal situations. I could list various scenarios (and would be happy to try to answer your specific questions), but the simple thing to keep in mind is the first step you should take with your clients regarding privacy:
Authorization
Think of authorization as the Informed Disclosure of HIPAA. As you review your workflow and identify places where there is either a need (e.g. insurance billing) or a routine (e.g. group prenatal care, or a Facebook page) that will expose personal health information, you need to put it in writing to your client and get their permission or authorization.
Some examples of situations for which you should get prior authorization:
- Release of records to another provider (except for treatment purposes*)
- Release of records to an insurance company or billing service
- Birth announcements in print or Internet
- Birth data for research, education, or certification (that contains PHI)
There are plenty more examples, but the point is that you need to be sure that you don’t release any PHI without authorization in writing from your client.
*There are exceptions to the authorization requirement. The primary exception that relates to midwives is when the release of records is for treatment purposes. The Privacy Rule allows health care providers to use or disclose protected health information for treatment purposes without the client’s authorization. This includes sharing the information to consult with other providers to treat or to refer the client. This means that you don’t need to get a HIPAA release when you are transferring care in labor, or anytime, to share the chart with the receiving provider. If the client is no longer under your care and there is a records request, you do need a HIPAA release.
It’s under Privacy, but let’s talk about Security
Just so you don’t embarrass yourself at any hip HIPAA parties, don’t make the gaffe that I did of confusing the steps you need to take to protect your client’s stored records as being part of the Security Rule. It’s part of the Privacy Rule, silly! I’ll mention the Security Rule later, but just so we’re straight…you need to take steps to ensure that all of your active and stored records are secure.
This is the perfect moment for a lawyer joke, but I’ll refrain for the sake of brevity (even the jokes go on and on…). Here’s the simple truth: You need to have a policy that outlines your procedures for security. If you fail to follow your procedures or your procedures result in an unintentional failure to comply with your policies, then you need to tell on yourself via a disclosure. Got it?
I’ll try again, here’s a basic summary of the security safeguards section of the Privacy Rule:
Know where all of your charts are, keeping them locked up when you’re not using them. If you have a practice that includes more than one person (yourself), write out some guidelines for how to keep information secure and make sure everyone follows them. Things like “We will not leave pieces of paper with client’s PHI lying around the office” and “Don’t leave your charts in your car” are good places to start. We’ll talk more in a future post about security in your home or office and how to dispose of PHI.
The Rules: Security
The HIPAA Security Rule specifically relates to electronic transmission of PHI (ePHI) for the purposes of transactions (i.e. billing). If you contract with a billing service, then you are responsible for those electronic transactions that the billing service conducts on your behalf. There is not much else to say about this except to make sure your billing service is HIPAA compliant.
So, that’s the basic overview of HIPAA. If you know more now than you did before, that’s great. Get ready to know more, because this was just the start of things to consider regarding HIPAA in your workflow.
Read on: HIPAA for Midwifery 101: Part 2 – Disclosures, Communication and Storage
Disclosure: This article is an attempt to provide information about HIPAA to midwives and related parties who are struggling to understand and integrate HIPAA-compliance. It is meant to support, not supplant, any previous understanding that you may have about HIPAA and should not be considered the first or the last word on HIPAA-compliance.