The basics of HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law introduced in 1996 that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. It has been amended over the years but still has the same goal.

It creates a framework for protecting privacy, security and accuracy of Personal Health Information (PHI) that is handled by Covered Entities and their Business Associates in the course of care

What is considered PHI?

Any information that can identify a patient, as well as information about their care, is considered PHI. This includes names, addresses, contact information, dates of care, treatment notes, as well as payment information.

Some examples include:

  • Name
  • Address
  • Phone
  • Email
  • Social Security number
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Full-face photos
  • Any dates directly related to an individual, including birthday, date of admission or discharge, date of death
  • Amounts or methods of payments for health services

Do I need to be HIPAA compliant?

Covered entities as defined by HIPAA regulations need to be HIPAA compliant. As a doula, you may or may not be a covered entity. Whether or not you are is dependent on several factors, some of which don't necessarily have an exact answer. There are two questions which answering Yes to means you need to be HIPAA compliant:

  1. You submit health information to insurance, Medicaid, Medicare or other organizations.
  2. You have signed (or need to sign) a Business Associate Agreement to handle the data for another organization that is HIPAA compliant.

There are also a few questions below that if you answer "Yes" to, you may consider becoming HIPAA compliant:

  • Do you work closely with medical offices, staff or agencies in a medical setting?
  • Do your clients often request information regarding your HIPAA status?

What are the rules of HIPAA?

Permitted Uses

Under HIPAA, covered entities are allowed to use PHI for the following purposes only:

  1. Treatment: Providing care to a patient
  2. Payment: Requesting and collecting payments from a patoent
  3. Operations: Managing aspects of the business, personnel, facilities and other activities

Rules

Transmitting and storing PHI is governed by 3 primary rules:

  1. Privacy Rule: Establishes guidelines for the use and disclosure of PHI by covered entities. Partners, subcontractors or data processors of PHI are considered business associates of the covered entity, which means they must comply with the Privacy Rule when handling PHI also. Key aspects include obtaining patient consent, providing notice of privacy practices, and ensuring the confidentiality of PHI.
  2. Security Rule: Sets standards for the security of electronic PHI (ePHI). If you are using a software platform as a doula, it's essential to ensure it adheres to the Security Rule requirements. This involves implementing technical safeguards (e.g., encryption, access controls), physical safeguards (e.g., secure facilities, limited access), and administrative safeguards (e.g., security training, risk assessments) to protect ePHI.
  3. Breach Notification Rule: Mandates that covered entities and their business associates report any unauthorized acquisition, access, use, or disclosure of PHI. In the event of a breach, doulas must follow the necessary procedures to notify affected individuals and appropriate authorities promptly.

How do I know when I'm compliant?

There is no "magic moment" that you, as a Doula, become HIPAA compliant. Your status as compliant or not is defined by your ability to prove you are complying with the HIPAA rules and have the appropriate safeguards in place.

There are companies that will audit and certify HIPAA compliance, but they are expensive and out of reach for most except large health organizations.

In general, here is a short checklist you can do to get started and go a long way:

  1. Thoroughly understand HIPAA's 3 rules
    1. Privacy Rule
    2. Security Rule
    3. Breach Notification Rule
  2. Do a risk analysis
    1. Determine what PHI you collect and how you will store it
    2. Decide which Security Rule specifications apply to you and your business
    3. Decide what risks are present and how to prepare for them
    4. Determine your business relationships and who handles PHI for you
  3. Implement the security specifications and policies
    1. Technical safeguards
    2. Physical safeguards
    3. Administrative safeguards
  4. Create a breach notification plan
    1. Decide who you will notify, how and when
  5. Document your plan and policies
    1. Keep all of your HIPAA plans, policies and procedures in a central place
  6. Decide how often to review your policies

Recommended Steps for Doulas

  • Use a HIPAA-compliant software platform: Using Doulado makes this one easy. However, you should evaluate all of the software you use to store client information and verify which systems are HIPAA compliant and which are not (hint: most are not).
  • Sign a Business Associate Agreement (BAA): Doulado will provide a BAA to sign. If you use other software that is HIPAA-compliant, getting a signed BAA is the only way that can happen, otherwise your business relationship is not compliant.
  • Train and educate yourself: Familiarize yourself with HIPAA regulations and best practices for handling PHI. Stay up-to-date with any changes in the law and maintain ongoing training to ensure compliance. Make sure any other doulas you work with are also trained, aware, and have subscribed to a compliant plan if needed.
  • Implement privacy and security practices: Take steps to protect PHI during your interactions with clients. Ensure physical documents are securely stored, limit access to electronic PHI, use secure communication channels, and regularly review your business practices.

We are here to help

HIPAA is fairly complex, especially for a solo doula. Reach out to us as a resource if you need to become compliant, and we can help navigate the process.