As many of you know, I do website design for massage therapists and other health care people. One thing I’ve noticed that concerns me is that many of you do not understand HIPAA and are collecting client information that could be exposed to hackers and the general public.
Online Intake Forms – not the best idea
Some of you have built a form into your website that serves as an online intake form. You’re collecting clients’
- Phone Numbers
- Social Security Numbers
- Medical History
The client fills that in, clicks submit, and you have all their information handy when they show up for their first appointment. Easy peasy, right?
You are collecting data that is considered Protected Health Information. And you’re doing it all wrong. And it’s going to cost you. Big.
HIPAA covers all Protected Health Information held or transmitted
If you are storing client PHI (Protected Health Information) on a computer, you must comply with HIPAA.
If you are collecting sensitive information that could be used by identity thieves, such as social security numbers, dates of birth and the like, you could be liable if that information is compromised.
What constitutes PHI?
From the U.S. Department of Health & Human Services website:
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
You might want to tighten up your seat belts, kiddies, because Aunt Kelli is about to go on a big ole rant!
Why in blue blazes are you collecting someone’s protected health information online? Would you be willing to submit your own information online using your form? Would you trust that information to just anyone? Are you willing to be liable should that information get into the wrong hands? Are you insured for that kind of event?
For all that’s holy, people, quit being so fucking cheap and trying to do this on your own!
There are companies that specialize in this sort of thing and they aren’t that damn expensive. They know what they are doing. They are paying for the extra encryption. They will provide safe, secure, HIPAA compliant data collection and storage.
If you don’t want to pay for that service, then put a pdf of your intake forms on the web and have your clients bring them in with them.
Use some common sense, people. Seriously. You’re professionals; start acting like it. Either pony up the money for a professional, secure service, or go old school with paper. Either way, protect your clients’ information like it was your own. They will love you for it!
The fines for violating HIPAA are substantial
$100 to $50,000 or more per violation, with a calendar-year cap of $1,500,000. That’s $1.5 MILLION dollars. Hope you’ve got some savings.
Every month, it seems, we see a story in the news about how one service or another is compromised and user data is exposed. I’ve seen massage therapists get up in arms about those “evil corporations” who don’t care about their customers. Some of them are doing worse.
Some therapists won’t even provide a name when they want to get a freebie from Allissa or me, but they have no problems asking their new clients for sensitive data over the internet. That’s being hypocritical.
Protect your clients. Protect your practice.
Know what you are doing when using online intake forms. Either know and use the technology, pay a service for their knowledge and skills, or skip it and use paper.
Rant over. Thanks for indulging me. Now be safe on the internet and stay in practice for many years to come.