
What 2018 HIPAA compliance means for practice management

Public Policy

If complying with the Health Insurance Portability and Accountability Act (HIPAA) isn’t one of your practice’s top priorities, it should be. While there are no new requirements for 2018, HIPAA is more strictly enforced than ever, and important clarifications have been issued as technology becomes more deeply integrated into practice management. The safety of your patients’ data and the longevity of your practice depend on your compliance.

A brief history of HIPAA

Passed in 1996, HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the following decade and more, HIPAA expanded through the enactment of the Privacy, Security and Enforcement rules, which set standards for the protection, disclosure, and access of protected health information (PHI). These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence and report breaches.

The Enforcement Rule put initial financial penalties in place, but HIPAA didn’t gain teeth until three things happened:

  • The HITECH Act expanded HIPAA’s scope as part of a national mandate for implementing and promoting the meaningful use of electronic health records (EHRs)
  • The HHS Office for Civil Rights (OCR) was named the enforcing agency for HIPAA violations, launching a pilot audit program in 2011 and a second round of audits in 2016.
  • The Omnibus Rule of 2013, among its many provisions, expanded HIPAA requirements to the business associates of covered entities (e.g., EHR vendors) and put more enforcement and penalty provisions into place.

As the law enters its third decade, being “HIPAA ready” means having not only the right systems in place but also having a compliance and risk assessment program that clearly demonstrates a commitment to privacy and security.

A formal compliance program has never been more important

The past two years have seen a dramatic increase in the number of HIPAA-related settlements and associated financial penalties. It’s critical that your practice implement and maintain a formal compliance program with the policies, procedures, and personnel to pass muster with the OCR. While the agency has not yet announced a new round of audits, practices would do well to familiarize themselves with the existing audit protocols, which cover:

  • Information use and disclosure
  • PHI and authorized representatives
  • Confidential communications
  • Privacy practice notice requirements
  • Business associate agreements (BAAs)

The OCR, along with the Office of the National Coordinator for Health Information Technology (ONC), has also compiled an excellent toolkit for HIPAA compliance, including sample BAAs and privacy notices that practices can freely use.

E-mail and text? Yes, but know the rules

As smartphones gain dominion over every aspect of our lives, email and text messaging have become powerful tools for patient engagement and health management. Practices are now using marketing automation tools, social media, chatbots, and SMS marketing tools to remind patients of existing appointments and to encourage positive changes through wellness initiatives.

HIPAA allows providers to use these tools for communications to and from patients, but message encryption and transport security are critical. If a practice cannot offer an encrypted channel, it must warn the patient that the message could be read in transit and honor the patient’s choice to continue using the unencrypted channel or to opt out.

In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be sent via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but also its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs).

HIPAA and cloud-based data requirements

More and more patient data is migrating to the cloud, which HIPAA allows. The OCR issued guidance in 2016 outlining requirements for the cloud service providers (CSPs) that medical practices inevitably turn to for secure system implementation. Critical to note: your CSP is considered a business associate under HIPAA and is therefore subject to its rules, even if the CSP stores only encrypted ePHI and never holds the decryption key.

Your BAA with your CSP must contain language that holds it liable for HIPAA compliance. This includes adherence to the Security Rule (administrative, physical and technical safeguards that limit access to ePHI), the Privacy Rule (ensuring proper use and disclosure of ePHI), and the Breach Notification Rule (reporting incidents). Troy Parks with the American Medical Association says it best: “[If] you use or are thinking of using a CSP to create, receive, maintain or transmit ePHI on your behalf, you must have a BAA with the CSP, or both you and the CSP will be in violation of HIPAA.”

New administration, new competition

Currently, messages are mixed as to whether HIPAA will expand under the Trump Administration. On one hand, the OCR’s 2018 budget includes fewer dollars for enforcement. On the other, OCR Director Roger Severino has indicated that finding a “big, juicy, egregious” data breach case is among his top priorities. Whatever tack the OCR takes, one thing is clear: with nine settlements and more than $17 million in associated fines in 2017, HIPAA compliance will remain paramount.

A final thing practices should bear in mind? The role of new competitors and their impact on the HIPAA landscape. In January 2018, Amazon announced its search for a HIPAA Compliance Lead, fueling speculation that the online retailer is looking to enter healthcare in a big way.

AdvancedMD will continue to watch this space as more players enter the healthcare landscape and look for ways to remain compliant as cloud-based and other tech solutions grow.


Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker’s, InformationWeek and other outlets. She has spoken nationally on population health, long-term care, and been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.

Topic: EMR/EHR, Public Policy
