According to the Bureau of Labor Statistics (BLS), there are over 44,400 licensed chiropractors operating in the United States. Unfortunately, many of these chiropractors wrongly believe they are exempt from the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While a chiropractic practice isn't classified as a hospital or a doctor's office, it is still a covered entity under HIPAA; therefore, chiropractors must familiarize themselves with the laws and rules set forth in HIPAA.
Designate a Security and Privacy Officer
Under HIPAA, all covered entities (chiropractors included) must have a Security Officer and a Privacy Officer. The Security Officer is responsible for ensuring the practice abides by the HIPAA Security Rule, which means implementing administrative, physical and technical safeguards to protect electronic patient data and setting up contracts with business associates to ensure they have similar safeguards in place. The Privacy Officer is responsible for preserving the confidentiality of Protected Health Information (PHI) in all forms (e.g. paper, digital/electronic, verbal).
Note: the same person can hold the roles of both Security Officer and Privacy Officer.
Train Employees on HIPAA
While most chiropractic offices operate with a small number of employees, those workers must still be trained on HIPAA. This includes knowing and understanding HIPAA policies, procedures and rules, breach notification requirements, patient rights, safeguards, etc. It's recommended that chiropractors document their workers' HIPAA training so there's greater transparency in the event of an audit. Training should also be repeated regularly, as HIPAA rules often change or are updated from year to year.
Many chiropractors overlook the importance of keeping disclosure forms on hand. HIPAA states, however, that all covered entities must have a written disclosure from a patient's family member or other authorized individual before the practice can disclose the patient's information to them. In other words, if the son or daughter of a chiropractic patient requests information about their parent, the chiropractor must first receive a written disclosure notice.
As mentioned above, HIPAA requires all covered entities to implement technical safeguards to protect patient information. These may include computer firewalls, virus protection, encryption, secure web forms, etc. Failure to implement technical safeguards could result in a fine or further consequences handed down by the Department of Health and Human Services (HHS). Of course, this is a task that your practice's Security Officer should handle.