HIPAA refers to the Health Insurance Portability & Accountability Act that was originally signed into federal statute, in 1996. This law is essential for your alcohol and drug rehabilitation facility to follow and abide by, assuming that you plan on staying in business. Violation of HIPAA mandates can result in heavy fines, which could quickly put your treatment center’s livelihood in jeopardy. The HIPAA law essentially mandates that all health care providers protect their patient’s privacy and personal information with the utmost security and confidentiality. In a nutshell, HIPAA means you should simply just “shut-up” about your patient’s personal information. Just for one example: you can neither confirm nor deny that a patient who left a review on Google was someone who actually attended treatment at your drug rehabilitation center. Being extra careful with your words should be a priority as you interact with anyone in a public setting, especially when you’re acting online.
HIPAA was set up in 1996 in an effort to modernize the flow of medical information.
HIPAA stipulates that the personal data of patients should be protected by their healthcare providers and health insurance companies. This was a major step towards protecting your client’s personal information from theft and fraud by private entities and third party organizations, among various other mandates. HIPAA came into being just as the internet was being born, inevitably protecting the free-flow of information and preventing it from getting into the wrong hands.
Operating an addiction treatment center is no different from any other healthcare service. HIPAA laws apply to you just as much as any hospital or insurance company. Many rehabilitation clinics have multiple people handling the phones, emails, social media accounts and your website submission forms. Are you sure that every entry point for your patient’s private, personal information is being handled with HIPAA compliance in mind? Is your staff fully-trained to understand the complexities of what constitutes privacy? If you are not sure, we strongly suggest you keep reading. No one wants to violate federal law and more importantly, no one wants to jeopardize your client’s private, personal information.
HIPAA is constantly changing with advances in technology.
When HIPAA was first created and enacted into law, modern technological advents such as Facebook and Google definitely weren’t around. The implementation of privacy rules regarding personal information are regularly being reworked in congress and in practice, as advances in technology are happening on a near daily basis. Arguably every new social media platform or new technological tool could pose a threat to the protection of your privacy and personal information. Therefore, numerous new directives have been added to the original Health Insurance Portability and Accountability Act, since its inception in 1996.
While the technological landscape of health insurance companies and healthcare providers have drastically changed since 1996, much of the original law has remained the same. HIPAA was written to cover a broad array of potential situations and circumstances that could affect a patient’s private information. A security vulnerability is treated the same by HIPAA, whether it’s on social media, in the digital cloud, or on a piece of paper in your drug rehab facility’s filing cabinet.
Why HIPAA compliance matters to your drug rehabilitation clinic.
In the eyes of regulatory agencies, like the Department of Health and Human Services, privacy is applicable regardless of the type of health care your clinic offers. In the world of addiction treatment, it is easy to imagine how personal privacy can be important. Many addicts who come to your facility for treatment will be likely to hold a bit of shame about their personal situation. They want to get help from someone they can trust and they should expect them to protect their personal privacy, in a confidential and professional manner.
If your addiction treatment center is found violating one, or many tenants of HIPAA protections, your facility may face substantial fines, along with the auditing of your business practices. This could even uncover further violations you may not even be aware of. The Department of Health and Human Services’ Office of Civil Rights can aggregate prior violations and fine you for all previous years where the violations took place. Even if an external privacy breach did not occur, if your data is not secure, you could still face financial penalties for the violation of protected personal information.
The sharing of information on behavioral and mental health issues is sometimes essential, as it allows you to provide the best treatment options, based on your patient’s individual needs.
Since your facility’s caregivers play an important role in the care of your client’s treatment program, some information about your patient’s medical history is essential to know, because you want to give them the best help possible. HIPAA not only protects the privacy of people’s personal information, but also makes sure that pertinent health information is available when necessary for treatment and other appropriate reasons.
HIPAA also allows for doctors to share some health information with a patient’s family members or loved ones in an emergency situation, such as the unfortunate event of a drug overdose, or other dangerous incident. This is especially important when the patient is unconscious, or incapacitated and the information shared is directly related to the safety of the patient.
When handling protected health information (PHI) it is extremely important for your drug rehab facility to enact policies and procedures that will ensure HIPAA compliance.
Since we’ve outlined how much HIPAA violations can negatively impact your addiction treatment facility’s financial well-being, we should probably talk about what is considered “protected health information” (PHI) in federal privacy laws. (Note that each state also has laws pertaining to your client’s PHI, so an adequate degree of study may be warranted for your particular state’s privacy laws).
Protected health information that should absolutely not be shared by you or your staff includes:
- A patient’s name, or parts of their names.
- Phone numbers.
- Email addresses.
- Geographical location identifiers.
- Dates of treatment or visits to your facility.
- Social Security numbers or details.
- Health insurance beneficiary numbers.
- Medical record numbers.
- Account numbers or details.
- Personally identifiable physical information (fingerprints, retinal scan data, etc.).
- License plate number.
- Identification card (driver’s license, etc.) or certificate numbers.
- Website URL’s and IP addresses.
- Personal device identifiers, like serial numbers or account numbers.
- Photographic images that include a person’s face or other physical identifiers.
- Fax numbers
- Any other unique, identifying characteristics.
This is a pretty extensive list of data that simply should be kept out of public view or in any position where it could be easily compromised. This information could happen to be on an employee’s phone, tablet or laptop, for example. We’ve all heard stories of data breaches by simple human error and sometimes, even as a result of gross negligence. Set aside some time to think about your drug rehabilitation center’s vulnerabilities and come up with an action plan to avoid any costly mistakes. Even just think about it, as if it was your own personal data. Would you want it ending up in the wrong hands?
PJ is the author of The Softwire Series and was nominated for an Emmy for his commercial work with drug and alcohol addiction treatment centers. Trained in digital marketing analytics at MIT, PJ helps ethical health and wellness centers find clients. www.redbear.tv
