How to ensure that an organization you work with is HIPAA compliant

Yoga teachers and therapists often handle student information that is considered private and therefore bear certain responsibilities under the HIPAA. It is the personal responsibility of every yoga teacher and yoga therapist to be HIPAA compliant. In addition, if you need to share your student’s Protected Health Information (PHI) with others (accountants, scheduling services, recordkeeping services, email/hosting companies, marketing services, IT firms, etc.) to run your yoga business, you must ensure that each one of those businesses is HIPAA compliant.

Under the HIPAA, you are considered a Covered Entity, which means that you are in a direct relationship with the individuals whose PHI you retain. Any third party that you must share PHI with to run your operations is considered a Business Associate. A Business Associate does not have direct contact with your students but receives, maintains, transmits, or stores their PHI on your behalf. Business Associates are directly regulated and required to be HIPAA compliant (i.e., to have the proper safeguards in place to protect PHI).

To establish a relationship with a third party that will be handling the PHI of your students, you must enter into a Business Associate Agreement with them. A Business Associate Agreement is a written assurance that a Business Associate will appropriately safeguard PHI that was entrusted to them. This agreement also outlines the obligations of a Business Associate; it can either be a new contract or an addendum to an existing service contract.

In addition, to become HIPAA compliant, an organization must implement several key components to abide by the HIPAA Privacy Rule and the HIPAA Security Rule.

To comply with the HIPAA Privacy Rule, an organization must do the following:

1. Appoint a Compliance Officer, who will take responsibility for implementing and overseeing HIPAA privacy compliance at the organization.
2. Conduct regular HIPAA Awareness Employee Training to instruct employees on the proper handling of PHI.
3. Maintain formal documents and controls that protect PHI. These documents should include formal policies and procedures, patient rights documents, Business Associate Agreements, breach notifications, and employee sanction policy.

To comply with the HIPAA Security Rule, an organization must do the following:

1. Appoint a Security Officer who will be responsible for implementing and overseeing HIPAA security compliance at the organization.
2. Conduct regular HIPAA Security Employee Training for compliance and security officers as well as IT staff.
3. Conduct HIPAA Security Risk Assessment to compare the organization’s information technology standards with federal IT standards for HIPAA security to identify and fix any deficiencies.
4. Maintain formal documents and controls that protect electronic PHI (e-PHI). These documents should include formal policies and procedures, security protocols, contingency plans, data backup policy, results of security risk assessments, and steps taken to fix deficiencies.

Whenever you decide to work with a new organization, you should ask a series of questions concerning the above items to ensure that the organization is HIPAA compliant.

At Sequence Wiz Student Management System, we take our responsibilities relating to HIPAA compliance very seriously. All new and existing members are required to enter into a Business Associate Agreement as part of the regular Service Agreement, which clearly outlines the responsibilities of the yoga teacher or therapist as a Covered Entity and Sequence Wiz as a Business Associate. We have appointed a Compliance Officer and a Security Officer, and our staff regularly undergoes HIPAA Awareness Training and HIPAA Security Training. We maintain all required documents and controls that spell out the formal policies and procedures for handling PHI.

Sequence Wiz has also implemented a number of technological safeguards that meet and surpass industry standards to facilitate your compliance with HIPAA: patient/client information is transferred using 168-bit SSL encryption, accounts require secure login with optional two-factor authentication, the production environment is protected by stand-alone firewalls with access limited to authorized personnel via encrypted channels, and offsite backups are made daily and stored in an encrypted state. We also offer a sample HIPAA Notice of Privacy Practices to govern the use and disclosure of protected health information between you and your students. You can read our full HIPAA statement here >

Whenever you decide to entrust the PHI of your students to an organization, you need to ensure that their records stay protected and secure. Asking questions about the organization’s HIPAA compliance and entering into a Business Associate Agreement attest that both parties agree to abide by HIPAA and do their part in protecting PHI.