In 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act, or HIPAA; the Department of Health and Human Services (HHS) writes and enforces the rules that implement it. It’s an acronym known by many, but understood by few.
When it comes to online forms, HIPAA has very specific requirements. As an agency, it’s crucial that you understand not only HIPAA itself, but how the vendor partners and form platforms you choose meet its requirements.
What is HIPAA?
HIPAA, through the HHS Privacy Rule, protects patients’ privacy. Most importantly, it secures protected health information, or PHI. As the HHS website puts it, “The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.”
What is PHI?
PHI is individually identifiable health information that a covered entity or its business associate creates, receives, stores, or transmits, in any form (paper, spoken, or electronic). It covers information about:
- Someone’s past, present, or future physical or mental health condition
- The healthcare provided to an individual
- Past, present, or future payment for healthcare services
Health information becomes PHI when it is linked to an identifier such as a name, address, birth date, or social security number. An email address, phone number, or IP address captured by a form counts as an identifier too, so a form that collects a symptom or diagnosis next to a contact field is collecting PHI.
What Does HIPAA Cover?
Three kinds of organizations, which HHS calls covered entities, must follow the Privacy Rule:
- Health plans – Individual and group plans that pay for medical care, including private and employer-sponsored insurance, health maintenance organizations (HMOs), and government programs such as Medicare and Medicaid.
- Healthcare providers – Any provider that transmits health information electronically in connection with standard transactions such as claims or eligibility checks. This includes medical doctors, dentists, chiropractors, and other practitioners, as well as hospitals, health systems, and clinics.
- Healthcare clearinghouses – Businesses that convert nonstandard health information into a standard format (or the reverse) for a health plan or provider, such as billing services, repricing companies, and community health management information systems.
Your client doesn’t have to be one of these organizations to be bound by HIPAA. Any organization that creates, receives, or stores PHI on a covered entity’s behalf is a business associate and takes on HIPAA obligations of its own. A nonprofit that connects people to healthcare resources in their community, for example, may handle PHI for a clinic or health plan, and so may the agency that builds and hosts their forms.
What You Need to Know About HIPAA Compliance
Handling PHI online through forms is no easy task. It’s far more involved than a newsletter signup or a contact form. If your client collects any PHI through online forms, make sure both you and your client are aware of the following:
1. If you take any PHI, you must be HIPAA compliant
HIPAA violations are expensive. Civil penalties for noncompliance are tiered by the level of culpability and range from $100 to $50,000 per violation, with a cap of $1.5 million per year for repeated violations of the same provision (both figures are adjusted for inflation). Even an unknowing violation can draw a fine, and that’s before the damage to your client’s brand if the breach makes the local news.
This matters especially when you’re recommending a form solution. There is no official HIPAA certification, so a vendor’s claim to be “HIPAA compliant” is only as good as what they can show you: encryption of PHI in transit and at rest, access controls and audit logging on stored submissions, and a willingness to sign a Business Associate Agreement.
2. Your client must acknowledge how content is collected and stored, and make it transparent to the user
If your client asks for PHI on their online forms, they need to tell users why each piece of information is needed and how it is stored and protected. This information usually lives in website documents such as:
- Notice of privacy practices – Covered entities must provide this notice, and it should be easy to find from every page. It outlines how information is gathered, used, and stored, and explains users’ rights over their records, such as the right to see and amend them and to request restrictions on how they are shared.
- Authorization for release of health information – This document, signed by the user, authorizes disclosure of their health information for purposes the Privacy Rule does not otherwise permit, for example sharing it with a clearinghouse or another organization that needs it to provide a service.
Likewise, the form partners you work with should have this information ready to share while you’re reviewing options. Their compliance with HIPAA is just as important as your client’s.
If you aren’t sure how a vendor stores data, ask! A serious vendor will have no hesitation about explaining how they encrypt and protect PHI.
3. Your client may undergo audits from HHS to ensure HIPAA compliance
HHS’s Office for Civil Rights (OCR) audits and investigates organizations that handle PHI to make sure they follow the rules. An audit may look at:
- Risk analysis and assessment – What threats does the stored information face, and what safeguards are in place against them?
- Breach response – How is data protected if a breach occurs, and who is notified and when? (Particularly important for the form vendor you choose.)
- Personnel policies – How do people in your client’s organization handle PHI, and what training and rules apply to them?
Data breaches are scary for any business and especially so when you’re handling PHI. Ask your vendors and form partners how they store and protect data (encryption, backups, and redundant systems), and what their breach-response protocol is, including how quickly they will notify you.
Regardless of your CMS, you’ll want to ensure the best possible security steps for both you and your users. Check out six web form security best practices to get started.
4. Patients have the right to refuse release of information
HIPAA isn’t just for new-patient onboarding in a medical practice. Existing patients may also be sent forms that touch their records, and those need to be HIPAA compliant too.
Even if a patient signs an authorization, you are still responsible for protecting their information. A patient may also revoke that authorization at any time, in writing; the revocation stops future disclosures but does not undo ones already made in reliance on it.
Your privacy policies for people who use your client’s forms should explain their rights to access their data, to authorize or revoke its release, and to have it protected.
Get a Business Associate Agreement from Your Vendor
No matter which vendor you recommend for your client’s form solution, make sure a Business Associate Agreement (BAA) is in place where one is needed. A BAA is a contract between a covered entity (your client) and a business associate (the form vendor, and your agency too if it can see PHI) that spells out permitted uses of PHI, the safeguards the associate must maintain, and what happens if there is a breach. A vendor that will not sign a BAA cannot be used for PHI, whatever its marketing says.
While some vendors may have a standard BAA, you may have the need to outline specific use cases before entering into a contract.
Talk to your potential vendors about BAAs early in the conversation to ensure this expectation is understood and clear to all parties involved.
Ask for Help
As you’re exploring potential form solutions with your client, reach out to organizations and potential vendors with any questions you have. There’s no question too detailed or complex when it comes to HIPAA compliance, so find a vendor that’s transparent and clear about how their organizations protect people’s health information.
If you’re seeking a platform built with healthcare expertise, HIPAA compliance, and an intuitive user experience, request a demo with Formulate to get started.