When Is It OK to Violate Confidentiality?
Gossiping with or about clients is always unethical. But there are limited scenarios where it is legally OK to violate confidentiality.
Massage and bodywork professionals live in a shadowy gray area when it comes to complying with the 1996 Health Information Portability and Accountability Act (HIPAA). The act protects all "individually identifiable health information" held or transmitted by a covered entity (or its business associate) in any form or media—whether electronic, paper, or oral.
The HIPAA Privacy Rule calls this information protected health information (PHI). And, because PHI may be stored on paper, transmitted electronically, or even conveyed in conversation, national privacy and security requirements come into play.
Individually identifiable health information (including demographics) relates to the past, present, or future health (or condition) of your client; services you provide; payments for services (past, present, or future); and the identification of your clients. Common identifiers include your client's name, address, birth date, and Social Security number.
Beginning in 2003, privacy guidelines took effect that govern access to—and distribution of—a person's PHI. These guidelines are important to massage therapists and bodyworkers because, although they don't write prescriptions, they use products (and perform services) that may impact a client. Bodywork professionals may also ask clients about their medical histories, which also falls under HIPAA privacy laws.
Although HIPAA privacy laws are not clear where massage and bodywork professionals are concerned, it is best to comply with the law and eliminate potential problems. Those working in similar businesses are required to follow laws regarding the use or disclosure of health information and may provide services to health insurance companies while processing claims.
Technically, massage therapists do not fall into the protected health information (PHI) category, but there seems to be a consensus that they should act as if they do. Following are some areas to consider to maintain compliance with HIPAA privacy laws and, specifically, PHI.

Consider all the places you keep personal client information—including computers, hard copies, and your phone—that would be considered protected health information. Yikes! Right?
Use the following tips to help keep your patient information private.
• Use an antivirus program to protect your hard drive from attacks.
• Use a firewall to block unauthorized access while still permitting outward communication.
• Download/install security updates.
• Use a strong password. (See "Password Tips" on page 77.)
• Use caution when opening emails with attachments.
• Do not open personal email on your business computer.
• Back up your records.
• Store records in a location only accessible to you and your employees.
• Shred files that are no longer needed.
• Keep records out of public view.
• After use, return files immediately to the secure location.

• Password protect cell phones. A case was settled in June of 2016 where an iPhone containing a vast amount of PHI, including Social Security numbers, treatment and diagnosis information, medications, and more, was stolen. The facility was fined $650,000.[1]
• Store cell phones in a secure location at all times. Unfortunately, if devices containing PHI are not secured, they are subject to the possibility of loss or theft. If the information stored on such devices is not encrypted or password protected, the loss or theft of the device becomes an even more severe issue.
The bottom line is this: PHI records must be secure at all times. Also, if information is going to be transmitted to someone else via computer, cell phone, or hard copy, a consent form should be signed by your client.
Keep PHI conversations confidential. Make sure you have privacy when conversing about client details. Casual conversation can be more revealing than you realize. Mentioning anything about your clients publicly is disrespectful and shows a lack of professionalism and a disregard for HIPAA requirements.
Research shows that 91 percent of people regularly or occasionally read online reviews, and 84 percent trust the reviews as much as a personal recommendation.[2] What people say about you online matters, and asking your clients to provide service reviews is perfectly legal.
Your clients can even mention you or your staff members by name, and they can also provide information about the services they've received.
Beware of confirming client statements in online reviews. Confirming the statements in their review also confirms they're a customer—and may even disclose the types of treatments they received. Saying any more than "We appreciate your feedback" might land you in hot water regarding HIPAA privacy regulations.
Confirming they're a client or even that they had a particular treatment is a way of revealing private and sensitive information. Keep your review responses vague in order to avoid violations.
For added protection in complying with HIPAA and PHI regulations, consider waivers and disclaimers.
Maintaining the confidentiality of your clients may be easier if you add disclaimers to your social media profile—and any other forums you use. For example, if you have a blog, include a disclaimer that tells people you're not giving medical advice—and make sure you don't. The internet is a public venue, so if clients are posting comments, they should know they could be posting private information to a public group of people. Make them aware, and you won't have to worry about violating HIPAA rules.
If you take any photos of clients, make sure you have permission before publishing. Even blocking out facial features—or only showing a part of the body—does not guarantee anonymity. Unless they've signed a waiver, do not include any clients on social media posts or other marketing materials.

Although HIPAA was enacted in 1996, there have been just a handful of updates. The most notable updates were the introduction of the HIPAA Privacy Rule and Security Rule in 2003, the HIPAA Enforcement Rule in 2006, the incorporation of Health Information Technology for Economic and Clinical Health Act (HITECH Act) requirements in 2009, and the HIPAA Omnibus Final Rule in 2013. Following are some of the most prominent changes.
Business associates are no longer just employees but may be third parties, including outside billing firms, transcription services, collection agencies, data backup firms, etc., that might have access to PHI. Your practice is now liable for the actions of any business associates.
Marketing now includes any communication regarding a treatment or service offered by a third party where you or your business associate will be compensated. If this occurs, your client needs to authorize the marketing effort before it begins.
Disclosing PHI for payment must be authorized by your client in advance, and the authorization must disclose (in writing) that you are being compensated for providing PHI. Note that compensation is not strictly monetary; it can also be in the form of goods and services.
Several modifications to patient privacy notices occurred in the 2013 update. One change is to communicate to patients how their PHI will be used. Also, patients are entitled to receive a copy of their PHI in an electronic form within 30 days instead of 90.
Patients may now restrict certain disclosures of their PHI to their health plan or insurance carrier if they pay for services out of pocket.
A single violation penalty ranges from $100 to $50,000, depending on the perceived level of culpability. Violations can be added together, though, until they reach a cap of $1.5 million per calendar year.
The definition of a breach of PHI was substantially changed in 2013. Previously, the presumption was "no breach unless significant risk of harm." Now, the presumption is "breach unless you can show a low probability of PHI being compromised."
HIPAA is primarily focused on protecting patient privacy in the doctor's office, the emergency room, and the hospital, but, as massage and bodywork professionals, you use products and procedures that may affect your clients. Because you care about the well-being of your clients, you gather pertinent and, most likely, confidential information to care for them professionally. This private information is exactly the information you want to protect to stay HIPAA compliant.
When sharing client information—no matter how trivial it may seem—follow HIPAA guidelines to keep you and your business protected. Avoiding these potential pitfalls will ease your mind and alleviate any uncertainty about HIPAA compliance for PHI.
1. Jim Johnson, "Top 10 Most Common HIPAA Violations," December 3, 2016, accessed June 2019, www.grouponehealthsource.com/blog/top-10-most-common-hipaa-violations.
2. Craig Bloem, "84 Percent of People Trust Online Reviews as Much as Friends. Here's How to Manage What They See," Inc., July 31, 2017, www.inc.com/craig-bloem/84-percent-of-people-trust-online-reviews-as-much-.html.