HHS lowers annual cap on HIPAA penalties, but consequences remain severe

In a previous post, I highlighted a key vulnerability for mental health professionals and other healthcare providers who use online software like QuickBooks Online or Xero for their bookkeeping — the fact that these systems are not HIPAA compliant.

The US Department of Health and Human Services has recently published a rule reducing the annual limits on penalties for most violations.  Violations are grouped in four tiers: 1) No Knowledge, 2) Reasonable Cause, 3) Willful Neglect – Corrected, and 4) Willful Neglect – Not Corrected.  Under prior rules, the annual limit on penalties was $1.5 million for all four tiers.  The new annual limits are $25,000, $100,000, $250,000, and $1.5 million respectively.

Despite the lower annual limits, the consequences of HIPAA violations remain considerable.  Each individual instance of a violation is subject to penalty.  Individual violation penalties range from $100 to $50,000 for Tier 1; $1,000 to $50,000 for Tier 2; $10,000 to $50,000 for Tier 3; and $50,000 in all cases for Tier 4.

For example, consider a therapist whose business books are kept on a non-compliant platform.  If those books contain Protected Health Information for 20 clients, the therapist could be subject to 20 separate penalties, up to the annual limit.  It is crucial to protect yourself by using HIPAA-compliant EHR systems to house patient data, and by working with a bookkeeper who knows how to maintain compliant business records.

Read the new HHS ruling here: https://www.govinfo.gov/content/pkg/FR-2019-04-30/pdf/2019-08530.pdf

Curious to learn more about what constitutes a HIPAA violation?  I recommend this article:  https://www.medprodisposal.com/20-catastrophic-hipaa-violation-cases-to-open-your-eyes

Psychotherapists: Are your books HIPAA compliant?

Mental health professionals in private practice are subject to stringent data security regulations under the Health Insurance Portability and Accountability Act, or HIPAA.  Failure to adequately protect Protected Health Information — such as a patient’s name, health status, provision of care, or payment for care — is potentially subject to severe penalties, including stiff fines and even jail time.

While psychotherapists are well aware of HIPAA, they may not always know what constitutes a violation.  One area of vulnerability is the use of online accounting software, such as QuickBooks Online (QBO) or Xero, to process patient payments and maintain financial records.  While these services are highly secure platforms, both companies explicitly state that they are not HIPAA compliant. 

I recently encountered a psychotherapist who was using QBO to issue invoices to patients and process payments.  For other businesses this would make perfect sense, but in this case, it emphatically did not.  He was exposed to serious risk because he was not aware of the issue.

Psychotherapists should use Electronic Health Record (EHR) systems, such as SimplePractice or TherapyNotes, to store their patient data and process payments, to ensure compliance with HIPAA.  These specialized platforms were designed to maintain compliant data security.  While EHR systems are used to process insurance claims, even practitioners who do not accept insurance should use them for this reason.

So, if you are using online accounting software in your therapy practice, DO NOT assume that it is HIPAA compliant.  A bookkeeping professional can work with you to devise a system that protects your patients' PHI by keeping all sensitive data in your EHR system, while transferring only relevant summary income data to your accounting system to ensure your business books are in order.