There is much to do to comply with all that HIPAA requires. First, consider ‘what’ you have to comply with (the Privacy Rule, the Security Rule and the Breach Notification Rule). The Enforcement Rule prescribes Civil Monetary Penalties and (often) Corrective Action Plans (ongoing government involvement) to remediate violations.
The Privacy Rule identifies when Protected Health Information (PHI) can be used and disclosed, and under what situations use and disclosure require express authorization. It outlines concepts like the Minimum Necessary principle, which specifies that each member of a Covered Entity’s workforce and its Business Associates should only have access to the least amount of information necessary to perform their role/function. Then, it requires creation and posting of a Notice of Privacy Practices, which is a patient-facing document that describes when the patient’s authorization is required prior to disclosure, describes patient rights, identifies the Privacy Officer, and, more recently, is required to state that patients will be informed if their information is subject to a breach.
Wait! There is more.
The Privacy Rule requires Covered Entities to appoint a Privacy Officer and to have [employee-facing] policies and procedures that further define how to protect PHI, how to ensure patients’ rights, prohibited activities (think social media), training requirements and more (yes, more, but we will talk more on this later).
Then there is the HIPAA Security Rule. This requires the appointment of a Security Officer to oversee the security of electronic Protected Health Information (ePHI). I will clarify duties and responsibilities of the Privacy and Security Officer positions in a future post. For now, if you are a Covered Entity you must have one. One person can wear both hats.
There are three major parts of the Security Rule: administrative safeguards, physical safeguards and technical safeguards. Each set of safeguards has what are known as implementation standards, or, things you must do to comply. Some implementation standards are ‘Required’, meaning there is only one right way to implement and comply. Other implementation standards are ‘Addressable’, meaning they must be implemented, but there are options as to how to implement and comply.
In a nutshell, the Security Rule requires ongoing risk assessments, management of identified risks to the information security environment of your practice, workforce training, use of an anti-virus program, adequate data backup, limitations on user access, completed Business Associate agreements/contracts with vendors who have access to PHI, and lots more.
Next, the Breach Notification Rule places responsibility on Covered Entities to notify affected persons, whether current, former, minor or deceased patients (or their caregivers), when their information is subject to a breach (unauthorized access, use or disclosure). Covered Entities need to train their workforce on what a breach is, encourage reporting when a breach occurs, and ensure proper notification of affected persons, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), and, in some situations, print and television media.
To protect against HIPAA compliance risks Covered Entities can obtain insurance coverage, which is great (and I recommend dentists maintain ‘enough’ coverage to adequately address a worst-case scenario), but I find it encourages a ‘wait and see’ approach to compliance. Did you know that insurance coverage can be used for mediation of HIPAA compliance issues (i.e. efforts to control damage, make notifications, provide for identity theft protection, pay for compliance support services to help bring the office into compliance, and I.T. services to help bring the practice into compliance)? How do I know this? Simple: we are the people attorneys call to help bring a client into compliance as they notify OCR of a major breach.
While this is true, it is also true that HIPAA (or cybersecurity) insurance cannot be used to pay Civil Monetary Penalties to settle HIPAA violations with OCR. Yes, you could have $1.5 million in coverage, be hit with $1.5 million in fines and penalties, and still easily be left to pay the full $1.5 million (annual maximum) in fines and penalties yourself.
The Office for Civil Rights (OCR), AKA the HIPAA police, LOVE dentists because it is well known that dentists generally don't spend much time or effort on HIPAA compliance (and you/they have deep pockets), so dental cases of HIPAA violations often present as low hanging fruit to HIPAA enforcers. Hey, doc, the government's got LOTS of things to spend your money on and they'll take every penny they can get from you, so don't be an easy target.
The silver bullet is this: there is no silver bullet. There are many boxes on the checklist of compliance. They cannot all be satisfied with one product (or even one vendor, though more vendors are diversifying to try to satisfy all needs). Ultimately, non-compliance with HIPAA is substantially more expensive than compliance.
Find the vendors you need to provide the solutions you need to bring your practice into and maintain compliance. Factor those costs into the cost of doing business and you will hedge your bets against disaster. Or, do it your way and roll the dice.
Make today your greatest ever!
Dental Compliance Specialists helps make dental offices safer for patients, dentists and their employees. We help our clients develop and maintain their compliance programs including OSHA/Infection Control, HIPAA, DEA regulations and prescribing practices, Radiation Safety, OIG/Medicaid Compliance, Record Auditing, and more by providing actionable systems, easy-to-use tools, robust training, and accountability. Most of our clients have never been in trouble and want to keep it that way. Sometimes, though, dentists call when they are in trouble. In either case, we are there to make a meaningful difference. If you need help call us at 817-755-0035.