By Herb Miner
From the Spring 2018 Journal of the Colorado Dental Association
Dentistry is rapidly changing in response to a number of factors, not the least of which is technology. Advances in technology now allow you to run your dental practice more effectively and efficiently than you did years, or maybe even just months, ago. The benefits technology has brought to the dental industry are obvious, but do not allow these technological advances to put you at risk of violating HIPAA laws. These violations can occur because you are unaware of how the laws apply to your technologically enhanced dental office or because your technology is not up to date on the latest changes in compliance laws.
More than 700,000 health-related entities are required by law to have an annual specialized IT risk assessment performed as part of the Health Insurance Portability and Accountability Act (HIPAA). If your organization is subject to HIPAA, you need to protect yourself from costly violations and the stiff fines levied on those who fail to take proactive measures to prevent them. Where do you begin when you’re not a HIPAA expert?
A HIPAA Review
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other Personal Health Information (PHI) and applies to health plans, healthcare clearinghouses, and those healthcare providers who conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic Personal Health Information (ePHI) that is created, received, used or maintained by a covered entity. The security rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
HITECH Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission, apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
Tips to Avoid HIPAA Technology Pitfalls
By following these tips and making sure your team puts in the appropriate effort, you can help ensure that your office is HIPAA compliant.
- Create HIPAA compliance and security breach policies and procedures. By developing well-thought-out written plans, you can ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of each staff member within your office and their duties in protecting your patients’ private health information. The policy should clearly outline your office’s remediation and notification protocol following various kinds of security breaches.
- Appoint a HIPAA privacy officer. The HIPAA Privacy Rule requires that you give someone the responsibility of overseeing and applying the HIPAA rules, to assure that your patients’ PHI stays safe. Large offices may want to hire someone to have this sole responsibility. In a smaller office, with a limited budget, the dentist or your office manager can assume this role. Whoever is appointed the HIPAA privacy officer needs to be reliable and organized as well as fully trained on HIPAA laws. Your patients are counting on them.
- Educate your staff on HIPAA laws. HIPAA compliance is a TEAM sport! For your practice to stay HIPAA compliant, each employee must be knowledgeable of their compliance requirements. Have your HIPAA privacy officer hold team lunch-n-learns/trainings where employees sign a written agreement stating they’ve fulfilled the required training. Employees can help prevent HIPAA violations and keep the office compliant when they’re educated on what the HIPAA laws are and the consequences of being non-compliant.
- Identify your ePHI, where it resides, and track who has access to it. Document where your ePHI resides on your network and how it can be accessed. Audit and verify this access quarterly. Be sure that access to the data is restricted to authorized employees and vendors only.
- Maintain Business Associate Agreements with your vendors. You should have a Business Associate Agreement (BAA) on file for each one of your technology vendors that has access to your ePHI. This means not only your IT vendor, but also your online backup vendor if you back up your data online (and hopefully you do!). You also need to have a BAA from your email vendor. If you are using a free email service such as Yahoo or Gmail, it will not provide you with a BAA; therefore, you are not compliant by using that type of email service.
- Perform regular risk assessments. Security risk analysis is a critical part of maintaining HIPAA compliance. This helps identify security vulnerabilities in your office and lets you know what actions you need to take to correct and prevent these security violations. Although you can perform these risk assessments on your own, oftentimes they are more effective when performed by an outside expert or with the help of HIPAA compliance software. Risk assessments should be performed quarterly at a minimum.
Technology will continue to affect our world and evolve it in ways we can only imagine, but if we stay the course and keep ourselves on track, there can be many successful years ahead for both our practices and our patients.
Herb Miner is the president and founder of Complete Technology Solutions (CTS). Herb has launched 35 space shuttle missions and 12 satellites into space. Working on programs for NASA, the Department of Defense, the National Oceanic and Atmospheric Administration and Lockheed Martin Space Ops earned Herb the coveted Spaceflight Awareness Award. Herb has a B.S. in computer systems engineering from the University of Arkansas and graduated Beta Gamma Sigma with an M.B.A. in management of technology from the University of Houston. Contact him at 877-287-7762, firstname.lastname@example.org.