Attention PT/OT/SLP 

How To Get HIPAA Compliant Easily & Quickly Without Spending Thousands of Dollars and Months of Time -- (So That You Can Get To Treating & Succeeding, Fast)

Designed for PT, OT & Speech Clinics.
Optimized To Be Clear and Easy.

Watch the video to see how quickly it can be done.

Who is this for?

New startups or beginning clinic owners who want to get up and running quickly. No fluff. No tedious info. No games.

  • Physical Therapy Clinics
  • Occupational Therapy Clinics
  • Speech Therapy Clinics
  • Other Health or Fitness Entities

What is HIPAA compliance?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, establishes a set of regulations that govern the lawful usage and disclosure of Protected Health Information (PHI). This refers to any demographic information that could potentially identify a patient or client of a HIPAA-compliant organization. Examples of PHI include Social Security numbers, medical records, financial information, names, addresses, phone numbers, and full facial photos.
HIPAA also covers the transmission, storage, and access of electronic Protected Health Information, or ePHI. The HIPAA Security Rule oversees ePHI and was implemented to accommodate advancements in medical technology.

Who needs to comply with HIPAA?

Both you and anyone you might give access to patient data (e.g. software companies). You and your business associates who handle protected health information are required to comply with HIPAA regulations.

Covered Entities

Under the HIPAA regulation, a covered entity is a healthcare clearinghouse, healthcare provider, or health plan that electronically transmits protected health information (PHI). These entities usually interact with patients directly or use their health information.

How do you comply with HIPAA?

HIPAA regulation mandates a comprehensive set of national standards that covered entities and business associates are required to comply with. They include...

Self-Assessments

HIPAA mandates that covered entities and business associates conduct regular technical and non-technical audits to identify any administrative, technical, or physical gaps in compliance with the Privacy and Security standards. While a Security Risk Assessment is a critical component, it alone does not ensure compliance with HIPAA. Entities subject to HIPAA regulations must perform other essential audits to maintain compliance.

Remediation Plans

After conducting self-assessments to identify gaps in compliance, covered entities and business associates are required to develop remediation plans to address any violations found. These plans must be documented and specify the timeline for remedying identified gaps.

Policies, Procedures, Employee Training

HIPAA regulations require covered entities and business associates to establish and maintain policies and procedures in accordance with regulatory standards. These policies and procedures should be reviewed and updated periodically to reflect any changes in the organization. It is also recommended to conduct annual staff training on these policies and procedures, with documented attestation from employees acknowledging their understanding of them.

Incident Management

When a covered entity or business associate experiences a data breach, they must document the incident and follow the HIPAA Breach Notification Rule, which requires notifying affected patients. More information about this rule is discussed below. Along with this rule, HIPAA regulation encompasses several other rules that have been added since its initial passage in 1996.

Documentation

It is essential for HIPAA-covered entities and business associates to keep detailed documentation of all their efforts to achieve HIPAA compliance. This documentation plays a crucial role during a HIPAA investigation conducted by the HHS OCR and ensures that they pass rigorous HIPAA audits.

Business Associates

HIPAA regulation defines a business associate as an organization that handles PHI on behalf of a covered entity, including those with "persistence of custody" over PHI, such as cloud providers. The vast array of service providers that may handle, transmit, or process PHI has resulted in many examples of business associates that are subject to HIPAA rules. Such examples include billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many others.

HIPAA regulations require covered entities and business associates to maintain documentation of all vendors with whom they share PHI. These entities and associates must ensure secure handling of PHI by executing Business Associate Agreements (BAAs). BAAs should be reviewed annually to reflect changes in the nature of organizational relationships with vendors. It is critical to execute BAAs before any PHI is shared.

What Are the Rules?

HIPAA includes 4 main rules for entities to follow for compliance. These are:

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes universal guidelines for patients' access to PHI. Among the principles laid out in the HIPAA Privacy Rule are patients' rights to access their PHI, the discretion of healthcare providers to withhold PHI, the contents of HIPAA release forms and Notices of Privacy Practices, and others. The covered entity or business associate must document these regulations in their HIPAA Policies and Procedures and train their staff on them every year, with documented attestation.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards for the secure management, transmission, and handling of electronic protected health information (ePHI). Both covered entities and business associates are subject to the HIPAA Security Rule because of the potential sharing of ePHI. The rule sets forth standards for the integrity and security of ePHI, including physical, administrative, and technical safeguards that must be implemented in any healthcare organization. It is important for organizations to document the specifics of this rule in their HIPAA Policies and Procedures and to provide annual staff training with documented attestation.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and business associates to follow specific standards in the event of a PHI or ePHI data breach. The Rule outlines different requirements for breach reporting depending on the scope and size of the breach. While all breaches must be reported, the protocols for reporting vary depending on the number of records breached. More details about the HIPAA Breach Notification Rule are provided in the following sections.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is an addition to the HIPAA regulation that extends the compliance requirements to business associates and covered entities. It mandates that business associates must be HIPAA compliant and outlines the rules governing Business Associate Agreements (BAAs). Before transferring or sharing ANY PHI or ePHI, a Business Associate Agreement must be executed between a covered entity and a business associate, or between two business associates.

Ready to make all this easy? Get the HIPAA TOOL KIT now!

The Seven Elements of an Effective Compliance Program

The HHS Office of Inspector General (OIG) developed the Seven Elements of an Effective Compliance Program, which serves as a guide for organizations to either evaluate compliance solutions or create their own compliance programs. These elements represent the minimum requirements for an effective compliance program. Along with complying with HIPAA Privacy and Security regulations, organizations must address each of the Seven Elements. These elements include:

1. Developing written policies, procedures, and standards of conduct

2. Appointing a compliance officer and compliance committee

3. Conducting effective training and education

4. Establishing effective lines of communication

5. Conducting internal monitoring and auditing

6. Enforcing standards through well-publicized disciplinary guidelines

7. Responding promptly to detected offenses and undertaking corrective action

During a HIPAA investigation conducted by OCR in response to a HIPAA violation, federal HIPAA auditors will assess an organization's compliance program against the Seven Elements. To determine its effectiveness, OCR may refer to NIST 800-66 and OCR audit protocols.

Cybersecurity’s role in HIPAA compliance

With healthcare organizations increasingly adopting technology, patient information is now stored in the cloud or other digital formats. As a result, cybersecurity has become critical in ensuring the safety and confidentiality of patient data. When a data breach occurs, the consequences can be severe and far-reaching. Leaked patient data can result in financial and reputational harm, with your organization being held liable for financial penalties due to negligence. Additionally, patients may lose trust in your ability to secure their sensitive information.

Given these risks, it is important for organizations to take proactive measures to prevent data breaches from happening. However, in the event that sensitive patient information is compromised, or if there is a risk of a cyberattack, the U.S. Department of Health & Human Services has outlined a response protocol.

Respond

The organization is required to implement procedures for responding to and mitigating data breaches, as well as contingency plans for managing them.

Report Threat

The entity is advised to report any indicators of cyber threats to the relevant federal agencies and Information Sharing and Analysis Organizations (ISAOs).

Report Crime

The entity is advised to report the crime to law enforcement agencies that deal with criminal activities.

Assess Breach

The entity is required to evaluate the incident and determine if there has been a breach of protected health information. If a breach has occurred, the organization must notify the affected individuals within 60 days of the incident. For larger breaches affecting 500 or more individuals, the organization must report the breach to the media and OCR within 60 days of the incident.

How is HIPAA enforced?

The enforcement of HIPAA compliance falls under the jurisdiction of the Office for Civil Rights (OCR), which is a branch of the Department of Health and Human Services. The OCR's responsibilities include providing regular guidance on emerging issues related to healthcare and investigating common HIPAA violations to ensure medical organizations comply with the regulations.

How is HIPAA audited?

HIPAA fines are imposed by federal regulators and are determined on a sliding scale, with amounts ranging from $100 to $50,000 per incident based on the level of perceived negligence. If the regulators determine that the organization under investigation has not made a good faith effort towards HIPAA compliance, it can expect to receive higher fines. As of 2016, more than $40 million in fines have been imposed. Given this, it is clear that HIPAA compliance is more important now than ever before. It is not enough for healthcare organizations to simply adhere to the regulatory requirements; they must embrace compliance as a culture to protect the privacy, security, and integrity of protected health information.

If a healthcare organization does not experience any data breaches, leaks, or other issues, it is unlikely to face any consequences. However, if non-compliance is reported by an employee, customer, or vendor, the organization may be subject to significant fines. The cost of a data breach for U.S. healthcare companies is an average of $6.45 million, according to a 2019 IBM/Ponemon Institute report, which exceeds the global all-industry average. That’s an average per-record cost of $429.

The actual amount of federal fines depends on the severity of the breach and negligence, and also includes breach containment and notification costs, business disruption, revenue loss, customer turnover, reputation damage, and other long-term impacts. It's important to note that healthcare companies cannot work with startups involving PHI without a BAA, and failure to become HIPAA-compliant may lead to difficulty in operations.

Yes, I'm ready! Let's make this easy by getting the HIPAA TOOL KIT now!

Feedback From PT/OTs Who've Worked With James Ko

Honestly, I wouldn't want to be a practice owner without the support & backing of James Ko,...

his friendship, and priceless coaching. His advice: it's always a surprise, like right in front of my face and I didn't think of it, but will not ever forget it!

Mindy Murray, OT // Kit Therapy

Morale is at an all time high!

Everybody's happy and excited. Jen's taking charge and showing signs of leadership. Fun to watch. Can't say thank you enough.

Reginald Tiu, PT // Restore Plus NY

Absolutely amazing session!

I'm getting ready to launch my third clinic and James helped me put together an amazing marketing plan along with the plan to train my staff for that opening. Thanks James!

Mike Uhrlaub, PT // FLex PT

I strongly recommend listening to every word he says.

I love James's amazing workshops and his insights on the Physical Therapy business are out of this world.

Michael Yehoshua, OT

I would not be where I am without the help and guidance of James Ko.

James Ko has been very instrumental in helping me grow. James is the expert in the field and I recommend him to all my peers. His advice, hands down, is the best when it comes to growing your physical therapy practice. There are many teleconferences throughout the year that provide valuable pieces of information to help your physical therapy practice survive. I learn so much during the weekend courses and you can apply the information the first day back at your practice. James Ko is the expert when it comes to billing, documentation, marketing, and overall growth of a physical therapy practice. I would not be where I am without the help and guidance of James Ko. Thank you James for everything that you do for the private practices in physical therapy. I know hundreds of other PTs echo my thoughts.

Benjamin Sowles, PT // Kindred at Home

I recommend James' courses to anyone interested in private practice.

James' courses at IndeFree have really been instrumental in preparing me to start my own practice. He is very candid in sharing his experiences of success and failure, and the information he provides is very thorough for every aspect of the PT/OT world. I recommend James' courses to anyone interested in private practice or who is in a director/managerial position of influence in their office.

Melody Stevens, PT

I love the hiring process template!

This is exactly what we needed at my clinic to put the hiring process into an automatic system. Thank you!

Chad Clark, PT // PT Connections

Best money ever spent was on James' course,

prior to starting my practice in 2005. Thank you!

Cody Barnett, PT // Bodyworx PT

We are forever in your debt James. You are one in a million.

Alright, time for reflection on the last 3 months. Christy and I opened our doors to Pediatric Therapy 3 short months ago. We attended IndeFree prior to get a crash course on what to do. We opened and had 3 kids scheduled. Fast forward to today, and we are a thriving clinic with 2 OTs, 2 STs, and one PT, looking to hire more. Our booking rate is 94% for May (yes, next month) and we continue to eval daily. I couldn't have imagined being where we are without the support and motivation of the IndeFree community.

Chris Lopez // NV Pediatric

We are hitting $10,000 cash this month!

We were averaging $3k to $4k per month last year. Thank you James for your patience and guidance! I feel like I can breathe again. Money is flowing in the right direction and it feels so great to pay bills!

Mary Kostka, OT // Ohana OT

Great news! We renegotiated rates with Multi Plan from 87% to 110% of the fee schedule!

We used IndeFree renegotiation letters, addressed the right people, personalized the letter to the congresswoman and cc'd her with all documents! Thank you, James!

Lilly Bojic, PT // Lilly Physical Therapy

I've never had more success than since I went to your class 4 years ago!!!

Thanks for all you do. I know there are skeptics out there but people want this stuff, not pills or shots or surgery!

Eric Reichardt, PT // Spine & Sport Rehab of VA

It has been a privilege and an honor to know and learn from James Ko.

James delivers top-notch courses for PT/OT private practices. Because of his guidance and expertise I was able to develop my practice, implement training of my clerical staff, and have resources for continued practice management and development. I highly recommend all private practice owners to join IndeFree and participate in the courses and audio conferences James has so generously shared with us over the years. It has been a privilege and an honor to know and learn from James Ko.

Kerry Siman-Tov, PT, MTC, NCPT // Archer Pilates Studio

I could think of no one else that could deliver such great material.

James is one of the few PTs that I know that goes above and beyond for other therapists. He is consistently trying to help the profession of physical therapy. His courses will inspire and help those that are in need of business guidance. I could think of no one else that could deliver such great material. I only hope to return the favor and follow in James's footsteps and help the profession grow to our collective goal.

Joseph Simon, PT

Once you attend his course, you'll be glad you did...

I've worked with different business consultants with various outcomes. With James, you get a constant stream of creative and practical ideas for good value that can be implemented ASAP to grow your business. He breaks down these processes into implementable bits and bytes and not the super technical, vague instructions that leave your head in a spin.

What differentiates him from the rest of the consultants is that he himself has been in this business for many years, has several clinics with plans of expansion to different states, and he knows the ins and outs of the business as well as the trends. He is always ahead of the game and is generous in sharing his experiences and expertise to help other PTs build their practices.

He is also a strong advocate of our profession. He is not only talking the talk but he is actually entrenched in the work as well.

James is an outgoing guy, very professional with a kind heart. Once you attend his course, you'll be glad you did, as I am.

Liza Tan // Fresh Pond PT

Seattle in 2013 saved our business.

So glad Steph and I decided to sign up again. Good refresher on what we learned today. Seattle in 2013 saved our business. Thank you!

Lee Wagers // Connect the Dots Pediatric Therapy

The knowledge is life-changing!

It's the best decision you'll ever make!

Laura Coppee, PT // PT Wellness Institute

Passed the $1,000,000 mark our second year!

I look forward to more with James & IndeFree. With the times and industry changes, you change your information. It gives me great things to take back to my clinic. It's been fantastic!

Charles Mills, PT // Midcounty PT

DISCLAIMER:
Purchasing this Tool Kit doesn't automatically make you compliant. You must implement the forms and administrative procedures included in the kit to be compliant. Compliance is the responsibility of the buyer and personnel solely. In no way is IndeFree or James Ko directly or indirectly implying you will be compliant by merely purchasing the kit. You must apply, implement and enforce the appropriate policies and procedures and comply with the law.

NEED HELP?
The fastest way:  Message us here
The slow way:  Email us at support@indefree.com
3905 Hedgcoxe Rd, #251235, Plano, TX 75056

Trusted By...

Customers served: 289+ (PT Clinics, OT Clinics, Speech Clinics)