HIPAA: Understanding Privacy Issues in Speech-Language Pathology

K. Todd Houston, PhD, CCC-SLP, LSLS, Cert AVT
January 17, 2018


Introduction and Overview

I want to start by saying upfront that I am obviously not an attorney, so as we work through the definitions and requirements related to HIPAA, I want to make sure that everyone understands this is my perspective and I am not here to give legal counsel. I want to make sure that everyone is on the same page, and if you have questions that concern specific legal issues or legal processes, please see an attorney or some other compliance officer in your facility.

HIPAA: The Basics

What is HIPAA, what does it mean, and what are the areas that we need to focus on as speech-language pathologists? Many people try to spell HIPAA like H-I-P-P-A or H-I-P-P-O. It is H-I-P-A-A, which stands for the Health Insurance Portability and Accountability Act. When we think about HIPAA, we usually think about two different sections called “Title I” and “Title II.” Title I focuses on healthcare access, portability, how to renew your insurance, and what the law states about those topics. It also provides some information on pre-existing conditions and a few other areas. Most people focus on Title II, because it is within Title II that we get into the privacy rule and the other, more specific issues related to sharing of PHI, and how we as practitioners, or the facilities we work in, could potentially get into trouble with violations.

Purposes of HIPAA

We are going to focus a bit more on that Title II portion of the law. In other words, how do we interpret the privacy rule, the security rule, and the breach notification rule?

The privacy rule protects the privacy and addresses the use and disclosure of protected health information (PHI). So, we will talk about what that privacy rule says. There is also the security rule that sets the national standards for security of electronic health records, or electronic protected health information. And then the breach notification rule really comes into play when there has been a breach of information, and what you should do as practitioners or what your facility should do when a breach happens. 

Privacy Rule

Covered entities. When we think about the privacy rule, we have to think about covered entities. We will talk about what those mean and what a covered entity is. The privacy rule applies to any healthcare provider that transmits health information, which could be the providers themselves, a health plan, or it could also be the healthcare clearinghouse. 

You, as a speech-language pathologist, would obviously be a healthcare provider, but any healthcare provider would fall under that. Any type of person or organization that furnishes or bills or is paid for healthcare would also be a provider. A nursing home would be a provider as well. Health plans are the insurance companies, the health maintenance organizations (HMOs), government healthcare plans like Medicare, Medicaid, or the Veterans Administration (VA) hospital. Clearinghouses are more the entities that process health information, such as billing services or other healthcare management organizations. These all would be what are considered covered entities. 

Business associates. A business associate is any person or organization that is not part of the covered entity’s workforce that performs certain services for said covered entity that includes use or disclosure of health information. They have to also be in compliance with HIPAA rules.

When we think about the practices or facilities that we may work in, we may have an outside organization or outside contractor that handles legal or billing services, or some other type of service that we depend on for certain aspects of how we practice or certain aspects of administration. Those would be business associates, and they would have to also follow HIPAA rules. This is where we sometimes get into trouble, because while the facility may have really strict HIPAA compliance, they may be contracted with another organization or another service outside of their workforce, and those business associates sometimes get into trouble or have breaches, and the facility is still responsible for them. We have to make sure that anyone we contract with that will come in contact with any protected health information is also in compliance and following HIPAA guidelines. That is often where issues will come up. 

Protected health information. What is protected health information? It is really any piece of information that can be traced back to the patient that you are working with. That would include, of course, name, address, birth date, social security number, and other demographic information that has been collected on that patient. The types of services that have been provided to that patient, and the payment history for that patient would come under protected health information as well. 

The HIPAA privacy rule says all PHI used by a covered entity - you the SLP, or the facility you are working in - must be protected, whether the form of the information is electronic, paper, or oral. We will not talk as much about oral discussions or how those are recorded, but sometimes you make audio recordings, and those need to be protected as well. For example, an audio recording made during an evaluation becomes protected health information, so we have to be careful about how we end up storing it. Electronic and paper forms, or anything else that is related to that patient, has to be protected; it all falls under this privacy rule.

Disclosure of PHI. There are times when we can disclose protected health information. Obviously, we want to be able to disclose information to the patient or to that person's designated representative. Sometimes, we also may have to disclose certain information to the Department of Health and Human Services in order to stay in compliance with certain state or federal regulations and policies. We can also send patient information to insurance companies when we are billing and getting payment. That is an appropriate use of protected health information.

There may be some public interest in certain aspects of protected health information. For example, if there were some type of epidemic or outbreak, reporting names to the Center for Disease Control (CDC) would be appropriate in that situation. There may also be limited data used in certain types of demographic research, looking at large numbers of patients; for example, if there is a cancer cluster, so to speak, in a certain area, and we need to follow up on that. So, there are certain situations where names or certain information can be shared and it will not be in violation of HIPAA. Usually, that is in the case of some type of general public health need, or public health situation that needs to be addressed.

We have to work with patients to make sure that we have authorization any time we want to disclose protected health information for a reason other than the ones we just discussed. If we have some other reason to disclose, we have to get written permission for that. It is not enough to get a signature from the patient; we also have to make sure that the patient understands, in very specific terms, in what context we will be disclosing that information and to whom. We have to make sure that our privacy procedures are upheld, and that information has to be shared with our patient.

Privacy practice notice. When the patient signs off on something, he should get a copy of those policies and understand exactly why and how the information will be shared. That is why, when you go into doctors' offices or other offices, you have to sign off that you have received a copy of the privacy practices within that provider's office. That all comes back to HIPAA; the patient has to be informed about how information is going to be shared, and how their privacy is going to be protected. All of this goes into the privacy notice.

Again, every covered entity is required to provide every patient with a notice of its privacy practice. It can be a document or brochure. I have seen some places that have that on a website and then follow up with written information that is provided at the actual visit. 

What should that information be? It should be a description as to why and how the health information may be used, the duty of the entities to protect PHI, and the patient's rights to use and disclosure, including how to report if he/she feels his privacy has been breached. The policy paper or brochure must have a way for the patient to check on how his/her information is being used. If there is a breach, the patient needs to have a way to report that breach; that goes into protecting their rights as a consumer and as a patient.

The covered healthcare providers that have a direct treatment relationship to a patient must deliver the notice of their privacy practices to patients no later than the first service encounter via personal delivery, electronic delivery, or through the mail. They must also do it by posting the notice in a clear and prominent location, like in the waiting room or in an examination room. In emergency situations, the provider must provide the notice as soon as possible after the emergency abates. It must also be available upon request; if a patient asks for that information, it should be available to him very quickly.

In addition, the covered healthcare provider must make an effort to obtain written acknowledgement from patients that they have received those privacy policies. Make sure that has been documented, because when other entities come in for accreditation, they will want to see that you are collecting that information -- that patients have been told about their rights in terms of how their information is going to be protected.

Security Rule

Most people refer to this as the “security rule of HIPAA,” but it is also known as the “Security Standards for the Protection of Electronic Protected Health Information.” That is a long title, so most people just refer to this as the “security rule.”

Most of the focus of the security rule is on this idea of electronic protected health information (e-PHI), and thus, the security standards for how PHI is held or transferred in electronic form. When we think about protected health information, a lot of it is digitized; it is in electronic form. How is that information being shared between service providers? How is it being shared between a physician and a hospital? If you are working in a hospital, you may be using programs like Epic, or something very similar; how are you sharing that information? Who has access to it? The security rule applies to all of that.

As I mentioned earlier, it also applies to the same covered entities and business associates as the privacy rule. When we think about how we are keeping that information secure, not only do we, as providers, and the facilities we work in have to follow the security rule, but those business associates that we might be contracting with must also comply with the security rule, and protect that information. It applies to all protected health information a covered entity would create, receive, maintain, or transmit in electronic form -- so that basically is just about everything.

Security rule basics. The basic concepts related to the security rule include confidentiality, integrity and availability of PHI. Obviously, we have to maintain confidentiality. We know that electronic protected health information should not be available or disclosed to unauthorized persons. This rule supports the privacy rule’s prohibition against improper use and disclosure of protected health information. So, confidentiality is extremely important.

We also must maintain integrity of e-PHI. We have to make sure that the electronic medical records are not altered or destroyed in an unauthorized manner. We also need to make sure that they are available so that they are accessible and usable on demand by authorized providers or authorized persons. That is essentially the summary of the components of the security rule.

Because covered entities vary in size and environment, the security rule does not dictate the measures required to ensure security of electronic protected health information. However, it does require covered entities to consider the size, complexity, and capabilities of their organization or facility based on the number of patients they are working with, the technical, hardware, and software infrastructure that is needed to provide that security, the cost of those security measures, and the likelihood and possible impact of potential risks to PHI. We know that there are different-sized practices and hospitals, larger institutions and smaller institutions. Basically, the security rule says - even though it does not dictate how it should be done - that regardless of your size, you need to make sure that you are following this rule. We know that one technology may not be appropriate for a huge hospital system; for example, the Mayo Clinic may have a very involved technological infrastructure devoted to sharing and protecting information, whereas a practice of 20 people is not going to need the same level of hardware or software. You should get what works for the size of practice you are working in.

You still have to make sure that everything is secure, so to accommodate a constantly evolving technology, covered entities must review and modify security measures on a continual basis. We have to make sure that we are staying up to speed with some of the new changes with technology. We now have patients that are texting and emailing and doing lots of things that maybe a few years ago they were not doing. They are expecting us as providers to respond in kind, and to do the same thing. I think we have to be careful about that and make sure that the technology we are using is still compliant with HIPAA, and that we are still protecting the information that is being shared. That being said, sometimes what we see is that these laws do not keep up with the technology that is happening. Technology changes very quickly, we then have new behaviors from the patients that we are working with, and sometimes, those do not quite fit under the law, which might have been written a few years ago. We are going to constantly see those kinds of things as we go forward. But I think we have to do everything we can to make sure that we have the privacy and the security protected for all of our patients. 

The security rule requires certain standards to be addressed: 

Administrative safeguards. First, we must think about administrative safeguards. We have to make sure that the administration of your practice, your hospital, or wherever you are working takes this very seriously. There should be some type of security officer, or a compliance officer, who is making sure that security is in place, that privacy is in place, and that everyone who works in that facility is following the HIPAA requirements. That security management process must be in place along with assigned security responsibility. There must be workforce security, and the workforce must be trained in HIPAA and in how to keep information secure.


K. Todd Houston, PhD, CCC-SLP, LSLS, Cert AVT

K. Todd Houston, PhD, CCC-SLP, LSLS Cert. AVT is a Professor, speech-language pathologist, and a Listening and Spoken Language Specialist (LSLS) Certified Auditory-Verbal Therapist (Cert. AVT). For more than 20 years, his professional focus has been serving young children with hearing loss and their families who are learning to listen and acquire spoken language. Over the past decade, Dr. Houston has incorporated telepractice into his service delivery and continues to provide direct services each week, both in-person and through telepractice, to young children with hearing loss and their families. He has authored/edited three recent books through Plural Publishing: Telepractice In Speech-Language Pathology (2014), Assessing Listening and Spoken Language in Children with Hearing Loss (with Dr. Tamala Bradham, 2015), and Telepractice In Audiology (with Dr. Emma Rushbrooke, 2016).
