There are a lot of small medical practices out there who believe they are safe from HIPAA regulations simply because they don’t take insurance. They are a cash or credit card only business and believe this keeps them from being considered a “covered entity.” Think of practices like chiropractors, natural health practitioners, acupuncturists, and massage therapists.
Well, in one sense they’re right.
If you are a medical practice that doesn’t take any insurance and only accepts credit cards or cash, the U.S. Health and Human Services Office for Civil Rights complaint portal won’t accept a complaint against you from a patient or employee. Safe! Right? Wrong!
Just because you don’t fall under HIPAA’s umbrella doesn’t mean that being NON-HIPAA-compliant can’t bite you big time!
HIPAA IS ABOUT ePHI
HIPAA compliance is all about ePHI, electronic Protected Health Information, and making sure you are not allowing patient health information to leave your medical office without patient consent. But what happens if it does? What happens if a patient’s medical records get stolen because a laptop was taken out of your car, or lost because someone was careless with a USB flash drive? What if someone’s identity is compromised because of an employee’s actions?
A lot!
All it takes is for someone to be able to connect the theft of their identity to an incident in your office, OR to make the ASSUMPTION that it occurred because of your office’s policies. Is the Office for Civil Rights coming after you? Probably not. But that doesn’t mean you can’t be involved in a civil suit brought by the patient OR a criminal case prosecuted under the laws of your state. Yes, HIPAA is a federal law with certain powers and restrictions, but it isn’t the only law controlling how patient medical records are handled, and it doesn’t stop a patient from taking you to court.
LET’S PLAY THE COURT GAME
And let me ask you this: when you are sitting on the witness stand testifying about your medical office’s security policies, how will you answer this lawyer’s question:
“Sir / Madam, as head of the practice, can you tell me that you followed BEST PRACTICES for securing my client’s patient data, which are considered to be the Federal HIPAA Guidelines?” Or, simply put, “Was your practice HIPAA compliant, or did it TRY to follow those guidelines for being compliant in order to protect my client’s patient information?”
When you say “No,” go ahead and reach for your checkbook, because saying “you didn’t have to since you were a cash-only business” isn’t going to work.
Yes, you didn’t have to be HIPAA compliant, but you should’ve been, and your “cash only” excuse won’t save you when you sign that check.
Want to learn more about HIPAA and the myths and misconceptions risking the safety of today’s practices? Send us an email for more information at [email protected] or call our office at 336-303-1730 and ask to speak with Andy King.