Are Medspas Considered “Covered Entities” According to HIPAA?
1What Is a “Covered Entity” According to HIPAA
HIPAA defines a “covered entity” as either a(n):
- Health Plan
- Healthcare Clearing House
- Health Care Providers
- Health Care
MedSpas that perform services or treatments would fall under either category C or D. The difference between Health Care Providers and Health Care is that the former is considered a provider of medical or health services, while the latter relates to care, services or supplies. Whether or not a particular Medi-Spa is a health care provider may be a bit of a gray area: are we more Med or are we more Spa? This is where Health Care comes into play; it includes a laundry list of items that affect either structure or function of the body as well as the dispensing of any drug or prescribed item. So, if any of your treatments involve altering the structure and/or function of any body part – including the skin – you are considered a covered entity. Additionally, even if you only provide cosmetic BOTOX® treatments, since BOTOX® Cosmetics is considered a prescription drug by the FDA (see www.fda.gov), HIPAA would consider your practice a covered entity.
Okay, so your Medical Spa is a covered entity. What’s next?
PHI stands for Protected Health Information. The “health information” part of it includes any information gathered or recorded in any form by a covered entity. Any record of the patient such as history, consultation notes, treatment, or photos satisfies the “health information” part of the definition. The “protected” part applies to information that includes anything that could directly or indirectly identify a patient. The obvious “identifiers,” as they are called, are things such as client’s name, birthdate, account number, patient photos, etc. Less obvious are things such as tattoos, birthmarks, and scars. Even date-of-service or client initials are enough to mark information as PHI. You should be aware of these sorts of identifiers whenever you are working with patient photographs. And since this is not a comprehensive list, if you think something *might* be an identifier, it probably is, and must be handled appropriately as PHI.
PHI is important because it is considered information that must be securely handled by covered entities. This means:
Part c) doesn’t just refer to keeping their name, date-of-birth, address, etc. on a computer that only your staff can access. It also means quickly transferring and wiping photographic information from an SD card that could potentially be left on a desk or taken out of the office – in limbo, if you will.
3The Big Scary Privacy Rule
HIPAA states that covered entities must abide by the Privacy Rule, which mostly involves how to handle PHI. The language in the Privacy Rule leaves a lot open to interpretation. It basically says, “Be aware of how you are protecting your patients. Don’t be negligent.” Alright, so it is a little more rigorous than that, but terms that you see such as “reasonable and appropriate,” “reasonably anticipated threats,” and the requirement of covered entities to “consider” x, y, or z shows that there is some common sense and flexibility involved.
This is not to say that regulations can be ignored. By no means should or can it be. Instead, you must take measures to make sure all PHI is appropriately stored: this means securely and only accessible to your HIPAA-trained staff. You must also have consent forms available to patients if you would like to use any PHI for marketing, presentations, or research purposes. And you must be wary when sending information to third parties. The fees for HIPAA violations are real and can reach the high sum of over $1 million. So be smart and think about how you store client PHI, think about who has access to PHI, and try to eliminate any time when PHI is in limbo in your office.
These are the first steps to understanding HIPAA and the Privacy Rule. A good summary of the Privacy Rule can be found here, if you’d like some of the nitty gritty details. And here is a quick self evaluation HIPPA compliant ckecklist. Otherwise just be aware that you are a covered entity, that you do handle PHI, and that you must handle the PHI in an acceptable manner as defined by the Privacy Rule.
Are you struggling to take high-quality and
consistent before and after photos?