7 Steps Toward Ensuring HIPAA Compliance For Your Acupuncture Clinic


This summer marks the 21st anniversary of the Health Insurance Portability and Accountability Act (HIPAA). The Act was signed into law by President Clinton in 1996 and, as administered by the Department of Health & Human Services, regulates key parts of the practice of medicine in the United States.

HIPAA has broad purposes. One of the most important was to establish the legal right of patients to confidentiality. Aspects of HIPAA were designed to ensure the privacy and security of protected health information (PHI) – information that could be used to identify an individual patient. And this is not just to prevent unwilling patients being targeted by mercenary pharmaceutical companies. HIPAA also gives patients a measure of control over their PHI, as well as the right to correct inaccurate details.

One of HIPAA’s purposes is to enforce Administrative Simplification. Under that category, its Privacy and Security Rules are of key relevance to practitioners of TCM (Traditional Chinese Medicine). The Privacy Rule covers PHI in both its paper and electronic forms. The Security Rule is specifically concerned with how information is protected in Electronic Health Records (EHR). The Security Rule mandates three types of security safeguards:

  • Administrative safeguards are the policies and procedures that keep a clinic HIPAA compliant.
  • Physical safeguards make sure that physical access to protected information (the facilities, workstations and devices that hold it) is limited to individuals with the legal right to view it.
  • Technical safeguards make sure that computer systems and communication channels are secure.

Like it or not, “covered entities” subject to HIPAA compliance include acupuncture clinics. The increasing professionalization of acupuncture means that practitioners have to take HIPAA seriously.

The consequences for HIPAA non-compliance can be serious. Covered entities can be held responsible for a range of civil offenses. According to the American Medical Association, the US Office for Civil Rights may impose Civil Money Penalties (CMPs) that vary depending on the seriousness of the offense – from an unknowing violation up to willful (and sustained) neglect of HIPAA requirements. This can range from $100 per violation to an annual maximum fine of $1.5 million. There are also criminal penalties for “knowingly” violating HIPAA with criminal intent that, in the most extreme cases, could lead to fines of up to $250,000 and prison sentences of up to ten years.

But don’t worry. Here are some easy but essential first steps you can take toward ensuring your acupuncture clinic is HIPAA compliant. The list is not exhaustive, but it is a good way to get started:

1) Prepare a compliance manual specific to your acupuncture clinic. This means putting into writing your HIPAA-related policies and procedures. That way you will have a clear document that shows how your clinic has comprehensively engaged with the requirements of HIPAA.

2) Formally give patients written notice of their privacy rights under HIPAA.

3) Identify the staff members who can access PHI, and make sure that access is restricted to staff for whom the information is essential to their work.

4) Appoint both a privacy officer and a security officer in your acupuncture clinic to develop your privacy and security procedures and ensure they are followed. Of course, for small clinics the privacy and security officers may simply be you – you can wear multiple hats on this one.

5) Devote time to training staff so that their day-to-day activities meet your HIPAA compliance policies. This should not be a one-off training session but an ongoing project.

6) Have procedures in place to respond to patient complaints about how you handle their PHI.

7) Use fully integrated acupuncture management software like Unified Practice that will keep your data secure – and save the hassle of doing all the work yourself to ensure HIPAA compliance. Leverage a cloud-based platform and put your mind at ease about data security. Remember that a vendor which stores or processes PHI on your behalf must sign a Business Associate Agreement with you; using a cloud platform does not transfer your own compliance obligations to the vendor.

And don’t forget to check out our earlier post, “Did I Just Violate HIPAA By Using My iCal or gCal Calendar?”

Guest blog post by Matt Leask.