Your Essential Guide to Healthcare Services
Written by Training BLVD
Updated over a week ago

Boulevard's customers often operate in a unique space bridging spas or salons and medical practices, offering both routine services and medical products and services (referred to as "Healthcare Services" and defined further below). Healthcare Services require regulatory compliance and additional review by Boulevard. This review is necessary for you to receive Payment Processing Services and to ensure compliance with our Master Services Agreement (“MSA,” Section 2.2.6), Acceptable Use Policy, and Protected Health Information (PHI) Security Requirements.

This Healthcare Services Guide clarifies the distinction between Healthcare Services and the routine services offered by our Customers. It outlines the regulatory requirements for providing Healthcare Services and details the specific requirements and restrictions Customers must adhere to when offering Healthcare Services through Boulevard.

Is your business subject to HIPAA requirements?

The Health Insurance Portability and Accountability Act of 1996, or "HIPAA," is a federal law designed to safeguard sensitive patient data in the United States. HIPAA compliance is mandatory for "Covered Entities."

A Customer is considered a Covered Entity if it (1) provides “Healthcare Services” and (2) transmits health information electronically in connection with a “Covered Transaction.” Healthcare Services include:

  • Medical Care: Diagnosis, treatment, and management of diseases or health conditions.

  • Preventive Care: Services aimed at preventing diseases or health conditions, or detecting them early.

  • Surgical Services: Operations or surgical procedures.

  • Psychiatric and Psychological Care: Mental health services.

  • Prescription Services: Dispensing and/or managing medications.

For instance, Healthcare Services include medical treatments or procedures such as injectables (like Botox), laser treatments, prescription services, or other services that affect body structure or function in a medical context.

Electronic Transmission related to a Covered Transaction. To trigger HIPAA compliance, a Healthcare Service provider must also transmit health information electronically in connection with a Covered Transaction. Covered Transactions are transactions for which the Department of Health and Human Services, or “HHS,” has published standards as part of HIPAA (45 C.F.R. Part 162). Covered Transactions include:

  • Healthcare claim transmissions: Submitting or checking the status of medical claims or encounters for payment, including claims to Health Reimbursement Arrangements (HRAs) or Health Savings Accounts (HSAs).

  • Payment and remittance advice: Processes related to medical claim payments, benefit coordination, and sending or receiving payment advice.

  • Eligibility checks: Verifying patient eligibility for specific healthcare programs or benefits.

  • Referral certification and authorization: Obtaining authorization for referrals or services.

What if my business doesn’t accept insurance?

Even if your business doesn't accept insurance, you may still be involved in Covered Transactions or otherwise trigger the need to comply with HIPAA. These include:

  1. Processing Electronic Payments from Health Accounts: Transactions involving Health Reimbursement Arrangements (HRAs) or Health Savings Accounts (HSAs) are covered by HIPAA.

  2. Sending a Superbill Electronically: While a Superbill alone isn't a covered transaction, it becomes one if a patient submits it to their insurance company for eligibility verification or reimbursement.

  3. Sending Electronic Prescriptions to Pharmacies: This is considered a covered transaction under HIPAA.

  4. Using Electronic Health Records (EHRs) or other health record databases: If you manage patient information electronically—including referrals or sharing treatment information with other providers—your business falls under HIPAA regulations.

  5. Obtaining Electronic Authorizations for Services: Electronic authorizations for healthcare services can be covered transactions, especially when they involve verifying coverage or benefits with health plans.

  6. State Law Considerations: Many state privacy laws mirror HIPAA compliance obligations. Even without a Covered Transaction, your services may trigger similar state privacy requirements.

Remember: If you use a service provider (like Boulevard) to conduct Covered Transactions electronically, you're considered to be conducting the transaction yourself.

I'm not a Covered Entity subject to HIPAA. Do I still need to worry about privacy and security rules?

While it's ultimately up to each Customer to determine whether HIPAA applies to their business, non-Covered Entities still have significant obligations regarding the privacy and security of patient health information. These include:

Federal Level:

  1. FTC Act: Customers must avoid unfair or deceptive practices in commerce. This includes ensuring that any claims about customer data privacy and security are accurate and not misleading.

  2. FTC Health Breach Notification Rule: If a Customer experiences a breach involving unsecured personally identifiable health data, it must notify affected individuals, the FTC, and sometimes the media. This rule is particularly relevant for Customers that conduct transactions electronically but do not fall under HIPAA.

State Level:

  1. Privacy Laws: Many states protect consumer data, often categorizing health-related data as particularly sensitive. For example, the California Consumer Privacy Act (CCPA) classifies health information as "sensitive personal information," requiring additional safeguards and specific obligations for its handling.

  2. Health Privacy Laws: Some states have enacted health privacy laws that apply to entities not covered by HIPAA. For instance, the Texas Medical Records Privacy Act extends HIPAA-like protections to entities within the state.

Even if you've determined HIPAA doesn't apply, it's best to follow the "General Best Practices" described below. Additionally, remember that Boulevard's Healthcare Service Requirements, discussed below, apply to any business handling patient health information.

Ok, I’m a Covered Entity. What does that mean?

As a Covered Entity, you're required to comply with HIPAA's rules that focus on protecting patient data:

  1. The HIPAA Privacy Rule governs patient data confidentiality. It lays out how you should control access to sensitive information, manage Protected Health Information (PHI) access for your team and service providers, and keep patients informed about these practices.

  2. The HIPAA Security Rule specifies administrative, physical, and technical safeguards for Covered Entities. These include conducting risk assessments, implementing encryption, and securing devices and facilities that store PHI.

In a nutshell, HIPAA compliance ensures you're handling patient records properly, conducting secure virtual consultations, and sharing PHI safely with your staff and patients.

What are some best practices for privacy and security compliance when offering Healthcare Services?

To ensure your business complies with HIPAA and other privacy and security obligations, implement these essential protocols:

  1. Adhere to Boulevard's PHI Security Requirements: Familiarize yourself with these requirements, which dictate how to use Boulevard Services when processing Protected Health Information (PHI). These apply regardless of your Covered Entity status.

  2. Train staff on HIPAA and privacy/security compliance: Educate your team on handling sensitive health information confidentially. Consider engaging a professional training program to establish robust systems and processes.

  3. Implement strong PHI safeguards: Beyond staff training, employ password protection, device and workplace controls, encryption, regular security audits, and breach notification protocols. For photo and video management, establish clear procedures for camera handling, file storage, and data wiping before equipment leaves your facility.

  4. Obtain signed consent for marketing use of patient photos or PHI: In medical aesthetics, before-and-after photos are crucial for marketing. Always secure written, signed patient consent before using any images. Have a lawyer review your consent forms to ensure patients fully understand how their photos will be used, whether for internal or marketing purposes.

  5. Create a comprehensive privacy policy: Draft an easily accessible policy detailing how your medspa collects, uses, stores, and protects personal information. Include information on how customers can access or correct their data.

  6. Exercise caution in online communication: While your practice likely uses emails, texts, and social media for patient communication and marketing, be discreet. Even acknowledging someone as a client (e.g., a social media post saying "Thanks for coming in!") can violate HIPAA.

  7. Carefully select service providers and use Business Associate Agreements (BAAs): Understand what PHI is transferred to your service providers (like Boulevard) and how they use it. Ensure they comply with privacy and security standards. Use a BAA with any service provider processing PHI on your behalf. If a provider won't sign a BAA, you may need to reconsider your partnership.

What are Boulevard’s Healthcare Service Requirements?

To provide Healthcare Services in connection with Boulevard Services, you must comply with our Master Services Agreement (MSA) (Section 2.2.6), Acceptable Use Policy (AUP), and PHI Security Requirements. These restrictions apply to all Customers offering Healthcare Services and/or processing Protected Health Information (PHI) in connection with Boulevard Services, regardless of their Covered Entity status or whether they've entered a Business Associate Agreement (BAA) with Boulevard.

The following restrictions apply to Customers providing Healthcare Services:

  1. Telehealth: Customers may not exclusively provide Healthcare Services online or over the phone. They must have a physical location and require an initial in-office appointment before providing any Healthcare Service. Clients must return to the office at least every 6 months for ongoing treatment. However, Customers may offer a free initial virtual consultation for informational purposes only.

  2. Online Prescriptions: Customers may not exclusively provide prescriptions in connection with Telehealth services.

  3. Compliance with Applicable Law and Boulevard’s Acceptable Use Policy: Customers may only provide Healthcare Services and process PHI in compliance with all Applicable Law, our MSA, applicable Documentation, and the AUP.

  4. Supervision and Licensing: Customers may only provide Healthcare Services under the supervision of a licensed and certified physician. In addition, Customers must have all necessary and applicable licenses and certifications for each specific Healthcare Service they offer.

Healthcare Services Onboarding Requirements

To ensure compliance with industry best practices and various regulations for Customers offering Healthcare Services, Boulevard requires the following during customer onboarding and before initiating Payment Processing Services:

  • Provide the name, title, National Provider Identifier (NPI), state of licensing and state license number, and contact information of each Customer location’s Medical Director.

  • Confirm that you are not providing services prohibited by our Acceptable Use Policy.

  • If issuing prescriptions, provide the name of your eScrip partner. Boulevard does not allow acceptance of prescription payments.

  • Confirm that your website and privacy policy have been reviewed for legal compliance with healthcare advertising requirements.

Please note: If you are not in compliance with the above terms, Boulevard may, at its sole discretion, suspend or terminate all Boulevard Services, including all Payment Processing Services, and void or refund any related transactions in full.
