HIPAA Compliance and Your Good Faith Effort

photo credit: dboyne cc

Good Faith Effort & Your Risk Tolerance

Lots of smart therapists, who care deeply about being ethical and compliant with the law, find themselves confused and frustrated about certain HIPAA compliance items.

Credit card receipts are a good example: if you use a smartphone-based system for taking credit cards, you might be sending receipts to your clients through that system. HIPAA says that basic financial transactions do not require a BAA, so that credit card processing is probably fine. Fine, that is, until a receipt is sent: sending a receipt is not considered a basic financial transaction, and is therefore not okay to do (unless your system signs a BAA with you).

That’s not the only example, either–the federal and state privacy laws are chock full of details that can get overwhelming, especially for the solo provider.

What to Do

You could spend several months and the financial equivalent of your mortgage sweating the details of HIPAA compliance. At the end of it, you might be rock solid, for the moment, but you’d still have risks and need more effort for ongoing maintenance. Also, you’d probably be broke and out of business. Not exactly the goal! We need to find a middle ground, between doing nothing and everything.

As I often say to live workshop attendees when I’m sensing anxiety related to highly specific details about compliance: wait until the end of the workshop, review the notes and see which compliance items really stand out to you. Where are your practice’s biggest ‘red flags’? Start there. It doesn’t make sense to worry overmuch about whether your credit card processor is sending receipts without a BAA if you don’t have a lock or password on your clinical files.

Do the work to identify risks, and then put forth a “good faith effort” to address those risks. What defines a “good faith effort” will vary from provider to provider, depending on many different factors, including your clients’ needs, your risk tolerance, and more, but as a concept, it’s a great place to start.

Look at the big picture, prioritize smartly, and make that good faith effort. One step at a time.

Here are a couple of ways to start today:

Online HIPAA training for private practice therapists

Live HIPAA training (in Austin, TX September 18th)

HIPAA forms