HIPAA presents many challenges for dental offices across the country. Let’s be frank – complying with government regulations is not fun, especially when it seems complicated, we don’t agree with the regulations, or we are overwhelmed with all that is required to STAY compliant. There is no such thing as ‘set it and forget it’ when it comes to compliance, especially when we’re talking about HIPAA.
Whether you are establishing a HIPAA compliance program for your practice or you are looking to brush up and make sure you are on track with compliance in your practice, stick with me as I provide a simplified overview of what it takes to comply with HIPAA – all of it!
From the beginning:
1. What dentists and other healthcare providers are most familiar with are the Title II provisions of HIPAA (not HIPPA – one ‘p’, two ‘a’s). Title II includes the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
2. The Privacy Rule regulates uses and disclosures of Protected Health Information (PHI) whether written or spoken.
3. The Security Rule mandates the security of electronic PHI (ePHI).
4. The Breach Notification Rule spells out what to do when something goes wrong and one or more patients’ PHI or ePHI is improperly used or disclosed (regardless of how).
5. The Enforcement Rule spells out how much it will cost a Covered Entity (i.e. dental office) for the violation if/when they get busted.
6. The Health Information Technology for Economic and Clinical Health (HITECH) Act holds Business Associates to the same standards (with the same consequences) as a Covered Entity.
7. Many states (about 32) have stricter regulations regarding patient privacy. Know your state’s regulations.
8. The Privacy Rule recommends a Covered Entity have a Privacy Officer to establish policies and procedures, facilitate employee training, oversee compliance, maintain records to demonstrate compliance, and receive patient complaints related to Privacy violations. You don’t have to have a privacy officer, but someone has to fill this all-important role.
9. The Security Rule requires Covered Entities to have a Security Officer to conduct Risk Analyses/Risk Assessments, manage the risks identified through completed Risk Analyses, create/modify/implement written policies and procedures related to the security of ePHI, facilitate employee training, oversee compliance, ensure receipt and maintenance of Business Associate Agreements with Business Associates, and maintain records to demonstrate compliance.
Compliance with HIPAA is only optional for those willing to take their chances on getting hit with fines and penalties of up to $1.5 million (the maximum) per year. I am seeing fines for this amount being given to even small Covered Entities.