Your Practice & HIPAA

A Conversation with Cindy Iwlew and Erin Howk

By Cindy Iwlew and Erin Howk

Client confidentiality is a hot-button topic for bodyworkers. How do professional ethics mesh with the government-mandated guidelines of the Health Insurance Portability and Accountability Act (HIPAA)? Cindy Iwlew, cofounder of the software company Bodywork Buddy and massage business Bodywork By Design, and Erin Howk, HIPAA Compliance Officer for a chiropractic office and owner of Therapeutic & Stress Reduction Massage, discuss what HIPAA compliance actually means to massage and bodywork professionals.

Cindy: So, Erin, you and I have been talking a lot about HIPAA and what it means to massage therapists.

Erin: Yes, we have! It started out as a pretty straightforward conversation about something that seemed obvious: massage therapists should maintain client confidentiality.

Cindy: Simple enough, right? Of course, the more we talked, the more we realized there seems to be some confusion in the massage community about client confidentiality and HIPAA compliance. I see a lot of massage therapists using these terms interchangeably when they are actually two different things. First, we should talk about what HIPAA is exactly.

Erin: HIPAA, the Health Insurance Portability and Accountability Act, details how an individual’s health information should be handled by health-care providers (or, as HIPAA calls them, “covered entities” and their “business associates”—more about that later). The law sets out administrative standards for certain transactions and it defines patients’ rights with respect to their health information. There are two important parts of HIPAA: the Privacy Rule and the Security Rule. Privacy is the part everybody is familiar with, because it’s the area that noticeably affects most people. However, there are other aspects to HIPAA people may not be aware of.

Cindy: As massage professionals, it’s important we maintain client confidentiality and adhere to our professional code of ethics. Yet, this is different from being HIPAA compliant, since confidentiality is just one part of HIPAA, and not all practitioners who should respect confidentiality are required to do so by law. HIPAA is not just a blanket term to use in all discussions relating to client privacy.

Erin: Yes, I think that’s a really important distinction to make. As massage therapists, we’re all ethically bound to adhere to the principle of confidentiality. We agree to do that as members of professional associations like Associated Bodywork & Massage Professionals. However, the obligations associated with HIPAA compliance are different. What we’re talking about are legal definitions that apply only to certain professionals, with legal consequences for not being compliant. So this begs the question: how do we know if we are legally required to follow HIPAA standards?

Legally required?
Cindy: Figuring out whether you are a “health-care provider,” “covered entity,” or “business associate,” according to HIPAA’s definitions of those terms, is really a question that should be discussed with an attorney familiar with HIPAA. Those terms have specific meanings under HIPAA, and they depend on the types of services provided, not professional titles. That said, generally speaking, if you are a service provider who receives or maintains certain health information, but does not submit claims electronically to a third party for billing purposes, then you are likely not legally required to be HIPAA compliant.

However, it is possible that MTs may provide services to, or on behalf of, covered entities. If so, they could be deemed a business associate of the covered entity. Business associates need to comply with certain Privacy Rule requirements and all of the Security Rule requirements.

These specific definitions make me wonder what it means to be HIPAA compliant in terms of client confidentiality. In your experience, Erin, what does it mean?

What does it mean?
Erin: Being HIPAA compliant involves meeting numerous requirements under the law, and having policies and written procedures in place to ensure you meet those requirements. Confidentiality is just a small part of it. For example, client authorization needs to be obtained for certain uses or disclosures of health information. These practices need to be set forth in policy so staff members understand when an authorization is needed, and under what circumstances it is permissible to disclose the client’s health information without one. Another example is having a written policy and procedure for handling a security breach—how and when you must inform the client and the US Office for Civil Rights, corrective and disciplinary actions you are going to take, and more. If you’re not a covered entity according to HIPAA, you can still honor a personal commitment to maintain a client’s health information without the need to meet these additional legal obligations.

Cindy: Right, and it’s not necessarily a good idea to just say you’re HIPAA compliant, since it involves a lot more than simply describing yourself that way. I compare the relationship between professional ethics and HIPAA compliance to the difference between bodyworkers and Rolfers. All Rolfers are bodyworkers, but not all bodyworkers are Rolfers. We all need to maintain client confidentiality, but we are not all legally required to be HIPAA compliant. Just as a massage therapist would never claim to be a Rolfer if he hadn’t gone through the training to become one, we shouldn’t claim to be HIPAA compliant unless we have those protocols in place in our business.

I have heard some massage professionals argue, “We should be recognized as health-care workers,” and see HIPAA compliance as a step in that direction. While it is certainly understandable that many of us seek the respect and recognition of a health professional, it’s essential to understand that what matters here is HIPAA’s definition of a health-care provider. That definition may likely exclude massage therapists simply based on the types of services performed; it doesn’t imply anything about our professionalism, skill, or training.

Erin: Exactly. It’s not about being recognized as a health professional. It’s about being governed by federal law to comply with numerous regulations associated with HIPAA.

For more than a year, I have been part of a HIPAA-compliance project at the chiropractic office where I work. We’ve been busy bringing our office up to regulation. We dedicate weekly meetings to discuss progress and often have to review changes in the law and adjust our procedures. It is a huge undertaking. Besides all those elements, there are also annual in-services (training and education) that all staff must successfully complete. Covered entities should have a HIPAA compliance officer (HCO) as well. While this role does not necessarily require special legal or compliance training, this individual should be knowledgeable enough about the requirements in order to properly develop and implement necessary HIPAA policies and procedures. The HCO also handles any complaints received.

Cindy: Wow, Erin. It does sound like there is a lot of work involved with actually being HIPAA compliant. It really isn’t a term we should use lightly in discussions about maintaining client confidentiality or even keeping excellent records in a secure location. There’s so much more to it.

Erin: That’s true, Cindy. We are only scratching the surface here, but I know that it is an important topic for our profession. Even though most massage therapists may not fall under the definition of a covered entity, a lot of us feel we should be following the same standards. Can an MT voluntarily do that and then call themselves HIPAA compliant, even if they aren’t a covered entity?

Cindy: If a therapist does not fall within the definition of a covered entity, they can still say they are HIPAA compliant. However, they should be in a position to back up that claim. If a HIPAA violation or issue arises, a therapist who has promoted her practice as HIPAA compliant could be held accountable. So essentially, you shouldn’t call yourself HIPAA compliant unless you are indeed compliant.

Erin: This reminds me of another area of confusion for a lot of therapists—information security. If I wanted to use an online scheduling system that stores client information, would I have to make sure the software is HIPAA compliant?

Cindy: As owner of a software development company, I often get asked if Bodywork Buddy is HIPAA compliant. The truth is, it’s not possible for software to be HIPAA compliant or noncompliant. There is no such thing as “HIPAA-compliant software” because the law’s focus is on you, the user, not the tools you choose.

What a massage professional should ask is whether a software system has effective security features. For example, does it have the capability to offer regular updates with security patching? Are secure and regular backups of data included? Does it have storage and transmission encryption solutions? Are unique user identification and password required to access files? Does it have up-to-date virus and spyware countermeasures?

There are many features that can help protect the security of electronic information, but whether or not you use these features to operate a HIPAA-compliant practice is dependent on you, not the software. On the other hand, software can be a tool to help support your policies and practices, and protect your data.  

Erin: Right, much like a pencil is a tool. Nobody would ask if a pencil is HIPAA compliant. A pencil isn’t going to run out and reveal information on its own, yet the person using the pencil can commit a breach by not following policies and procedures.

Cindy: Great example! Also, if you are not a covered entity, using any given software or web-based service will not turn you into a covered entity. This is why it’s important to seek legal advice in order to confirm what, if any, legal obligations you have based on the types of services you perform. An attorney can help you determine whether you are transmitting health information electronically in connection with a business activity covered by the HIPAA Transaction Rule, and/or whether you are providing a service for (or on behalf of) a covered entity that makes you its business associate.

Erin: Cindy, this has been a great, albeit complex discussion. Though, I have to wonder, does it really matter what we say?

Business honesty
Cindy: Along with professional codes of ethics for maintaining confidentiality, massage therapists are bound by the ethics of honesty in business. Marketing ourselves as HIPAA compliant when we’re actually referring only to privacy and confidentiality would not only be against our code of ethics for the profession, but would ultimately do more harm than good in the goal of being respected by other health-care professionals. As I mentioned earlier, misrepresenting ourselves in this matter could also put therapists at risk of being held accountable in an enforcement action.

Massage therapists are very concerned with educating their clients about the physical and mental benefits of massage therapy, and spend a lot of time learning and discussing massage protocols. We should be spending equal energy educating ourselves on the legal aspects of running a business. Making sure the business side of our practice is up-to-date and accurate will allow us to stay in business long enough to educate our clients and help them for years to come.

It’s important to emphasize that the HIPAA law is very complex and we could never make it crystal clear in a short article. Also, we do not hold ourselves out as legal counsel experienced in this area of the law. We encourage all massage therapists to do further reading on the government website, and if they have questions we suggest they consult with an attorney who is well-versed in HIPAA. There are also companies that specialize in training procedures to maintain compliance for those who fall under the category of a covered entity or business associate.

Cindy Iwlew is cofounder of Bodywork Buddy Massage Software and an authorized instructor of Ashiatsu DeepFeet Bar Therapy. She has researched HIPAA in regard to software and discussed it in depth with an attorney as part of her role at Bodywork Buddy. Contact her at and read her blog at

Erin Howk, BS, BCTMB, is a HIPAA Compliance Officer at a chiropractic office in Minnesota. She has received HIPAA training from HIPAA Compliance Services and Mayo Health Systems.

Both authors are massage therapists with years of experience running their own businesses and care deeply about the profession and their colleagues.

Confidentiality vs HIPAA Compliance
While massage therapists are bound by professional ethics to maintain client confidentiality, HIPAA compliance refers to the law and its regulations applicable to “covered entities.” Being HIPAA compliant involves compliance with all of the regulatory requirements of HIPAA, and there are many requirements. On the other hand, a representation that you will maintain clients’ privacy and confidentiality means you will take reasonable measures to protect sensitive information and not share it without the client’s permission.

Who is a covered entity under HIPAA?
Health-care providers (as defined by HIPAA) who transmit health information electronically in connection with a transaction covered by the HIPAA Transaction Rule; for example, submitting health-care claims. Health plans and health-care clearinghouses are also covered entities, although they are not the focus here.

Business associates of such a health-care provider are not covered entities themselves, but they are directly regulated by HIPAA: they must comply with the Security Rule and with the Privacy Rule requirements that apply to them, and their obligations are usually set out in a written business associate agreement with the covered entity.

Who is not a covered entity under HIPAA?
Massage therapists whose services do not fall under HIPAA’s definition of “health-care provider” and/or do not transmit health information electronically for things such as claims submission.

HIPAA-compliant software?
There are many features that can help protect the security of electronic health information that is maintained by the software company. However, there is no such thing as “HIPAA-compliant software,” because there is no software package or web-based application that will “magically” make you, as “the user,” compliant with HIPAA. If you are required to comply with HIPAA, then you, as the covered entity or business associate, must be HIPAA compliant. On the other hand, software can be a tool to help support your policies and practices that will best protect your data. 
