By Josiah Dykstra, PhD, guest blogger
Josiah Dykstra, PhD, is the owner of Designer Security, a consulting business devoted to the cybersecurity needs of audiologists. He has experience as a practitioner, researcher, and advisor in cybersecurity at the US Department of Defense. He is a frequent speaker and author, including the forthcoming book Cybersecurity Myths and Misconceptions.

Josiah Dykstra, PhD is a guest blogger for the SAA Blog. Guest bloggers have agreed to adhere to the American Academy of Audiology’s terms of use and the Student Academy of Audiology’s guest blogger agreement prior to writing for the SAA Blog. This blog post represents the opinions of the author and is not representative of the American Academy of Audiology or the Student Academy of Audiology.
Have you heard of the HHS Wall of Shame? Okay, technically the site is called the HHS Office for Civil Rights Breach Portal. This website exists because the law says it must exist. It’s a naughty list of entities guilty of HIPAA violations “…in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.” While a data breach may be accidental or intentional, you certainly don’t want to end up on the Wall of Shame.
Here’s an example: in August 2022, a dermatology clinic in Massachusetts paid a settlement of $300,640 for disposing of specimen containers with patient names in a dumpster outside their building. A security guard discovered the breach. What are the lessons for an audiologist? First, some small clinics would go out of business given the amount of that fine, so strive for compliance (and get cyber insurance). Second, if a box with a hearing aid is shipped to your office and the patient’s name is printed on the box, remove and shred the label before disposing of the box!
Audiologists are responsible for complying with HIPAA (Health Insurance Portability and Accountability Act) because they meet the definition of covered entities: “health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.” Since many AuD programs include little or no training about HIPAA, my guest blogs will cover some relevant and actionable things you must (or must not) do.
In truth, many people already have a general awareness of HIPAA as a set of laws that protect health data. That’s true! The goal of HIPAA is to allow necessary information sharing in a manner that is secure and private. As a practicing audiologist, you take on the responsibility of protecting health information, and the liability if you break the law. The Office for Civil Rights (OCR) at HHS enforces HIPAA and has the power to investigate and fine non-compliant providers.
Now is the time to start getting familiar with HIPAA if you haven’t already. One mandatory HIPAA requirement is training. You can see in the following excerpt from the law that this requirement is somewhat vague (this is true of many requirements):
Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
It doesn’t say how often you need training, but I (and most other experts) recommend annual refreshers at a minimum. Better still, build a culture of security in which relevant topics and reminders come up in routine staff meetings. Further, it’s in your interest to document your training or get a certificate of completion so you can prove you took it in the case of an investigation. An employer should provide training to you, but you are individually responsible for being compliant. One tip: you get what you pay for with training. There are free, online HIPAA refreshers, but they’re less tailored to your environment and updated less often than professional, paid training. Awareness of current threats (like ransomware) helps us better implement HIPAA protections.
In my guest blogs, I will use my 18 years of experience as a cybersecurity professional, researcher, and practitioner to explain a few practical areas of security and privacy for audiologists. HIPAA will touch many parts of your life, from sending work emails to telehealth appointments to smartphone settings. Stay tuned!