Sequence Wiz electronic health records system for yoga therapists

HIPAA Compliance

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

The Health Insurance Portability and Accountability Act (HIPAA) defines the security and privacy regulations required to protect sensitive patient health information. Specifically, the Act addresses requirements for handling protected health information (PHI) and electronic protected health information (ePHI). All companies operating in the healthcare industry in the U.S. must comply with HIPAA regulations. This includes business partners such as cloud service providers who process ePHI for healthcare companies.

PHI includes any health-related information that you receive or create during your work with your student if it contains individually identifiable information, such as a name, an address, an email address, a medical record number, an IP address, facial photographs, or any other unique identifiers or codes. For example, if your student emails you a lab report, a physical therapy exercise sheet, or a doctor’s recommendation, and the document contains a name, email address, or other identifiable information, it is PHI, and you are responsible for keeping it safe. Moreover, any notes you make in the process of working with your student, whether paper or electronic, which identify your client in some way, are considered PHI. And HIPAA protects any data considered to be PHI.

Under HIPAA, as a yoga teacher or therapist, you are a Covered Entity, which means that you are in a direct relationship with the individuals whose PHI you retain. As a Covered Entity, you bear certain responsibilities under the law that fall under two main categories: the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule focuses on the protection of all PHI from a people standpoint, and the HIPAA Security Rule establishes minimum safeguards for electronic PHI in terms of technology standards.

Under the HIPAA Privacy Rule, as a yoga teacher or yoga therapist, you are required to do the following:

  • Avoid sharing private client information with anyone, even in casual or educational environments, unless it is necessary for running your practice.
  • If you have to share a client’s PHI as a necessary part of running your practice, you need to take two precautions:
      1. Share the minimum amount of information necessary to perform the task.
      2. Ensure that the businesses or people you share this information with (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) are HIPAA compliant.
  • Never leave private records lying around; keep paper records locked in a cabinet and electronic records stored under password protection.
  • Always log out of websites and accounts before leaving your computer unattended.
  • Use a secure email service when sharing PHI.
  • Keep PHI records for at least six years.
  • Dispose of unnecessary records properly (shredding paper records and erasing electronic records completely).
  • Notify clients about the improper use or disclosure of records.
  • Make all records available to clients upon request.

Under the HIPAA Security Rule, as a yoga teacher or therapist, you are required to set up the following safeguards to protect PHI:

  • Administrative safeguards: Contingency plans for emergencies (floods, fires, theft, etc.) and procedures for reporting security incidents to clients
  • Physical safeguards: Door locks and cabinet locks to protect paper records and computers, and data backups stored off site
  • Technical safeguards: Encrypted computer hard drives (not required but recommended), usernames and passwords, firewalls, and other access controls that discourage hackers and protect information from malware and viruses

In addition, as a yoga teacher or therapist, you need to do the following:

  1. Provide all students with a HIPAA notice of privacy practices (and follow the responsibilities outlined in that document).
  2. Store and transmit records securely (following the physical and electronic security requirements outlined above).
  3. De-identify records by removing any identifiable information when using them as case studies or teaching examples.
  4. Have action protocols for potential security breaches.
  5. Ensure that organizations you use to manage students’ data are HIPAA-compliant and sign a Business Associate Agreement with each organization.
  6. (Recommended) Take HIPAA awareness training to better understand the intricacies of the law.

These measures might seem overwhelming, but in reality, they are commonsense and are already implemented in other industries. All of our students should trust that whatever information they share with us is handled carefully and stored securely. It is always better to be prepared than to be caught off guard.

Yoga teachers and therapists often handle student information that is considered private and therefore bear certain responsibilities under HIPAA. It is the personal responsibility of every yoga teacher and yoga therapist to be HIPAA compliant. In addition, if you need to share your students’ Protected Health Information (PHI) with others (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) to run your yoga business, you must ensure that each one of those businesses is HIPAA compliant.

Under HIPAA, you are considered a Covered Entity, which means that you are in a direct relationship with the individuals whose PHI you retain. Any third party that you must share PHI with to run your operations is considered a Business Associate. A Business Associate does not have direct contact with your students but receives, maintains, transmits, or stores their PHI on your behalf. Business Associates are directly regulated and required to be HIPAA compliant (i.e., to have the proper safeguards in place to protect PHI).

To establish a relationship with a third party that will be handling the PHI of your students, you must enter into a Business Associate Agreement with them. A Business Associate Agreement is a written assurance that a Business Associate will appropriately safeguard PHI that was entrusted to them. This agreement also outlines the obligations of a Business Associate; it can either be a new contract or an addendum to an existing service contract.

In addition, to become HIPAA compliant, an organization must implement several key components to abide by the HIPAA Privacy Rule and the HIPAA Security Rule.

To comply with the HIPAA Privacy Rule, an organization must do the following:

  1. Appoint a Compliance Officer, who will take responsibility for implementing and overseeing HIPAA privacy compliance at the organization.
  2. Conduct regular HIPAA Awareness Employee Training to instruct employees on the proper handling of PHI.
  3. Maintain formal documents and controls that protect PHI. These documents should include formal policies and procedures, patient rights documents, Business Associate Agreements, breach notifications, and employee sanction policy.


Whenever you decide to work with a new organization, you should ask a series of questions concerning the above items to ensure that the organization is HIPAA compliant.

At Sequence Wiz electronic health records system for yoga teachers and yoga therapists, we take our responsibilities relating to HIPAA compliance very seriously. All new and existing members are required to enter into a Business Associate Agreement as part of the regular Service Agreement, which clearly outlines the responsibilities of the yoga teacher or therapist as a Covered Entity and Sequence Wiz as a Business Associate. We have appointed a Compliance Officer and a Security Officer, and our staff regularly undergoes HIPAA Awareness Training and HIPAA Security Training. We maintain all required documents and controls that spell out the formal policies and procedures for handling PHI.

Sequence Wiz has also implemented a number of technological safeguards that meet and surpass industry standards to facilitate your compliance with HIPAA: patient/client information is transferred using 168-bit SSL encryption, accounts require secure login with optional two-factor authentication, the production environment is protected by stand-alone firewalls with access limited to authorized personnel via encrypted channels, and offsite backups are made daily and stored in an encrypted state. We also offer a sample HIPAA Notice of Privacy Practices to govern the use and disclosure of protected health information between you and your students. You can read our full HIPAA statement here.

Whenever you decide to entrust the PHI of your students to an organization, you need to ensure that their records stay protected and secure. Asking questions about the organization’s HIPAA compliance and entering into a Business Associate Agreement confirm that both parties agree to abide by HIPAA and do their part in protecting PHI.