HIPAA Compliance means having written policies and enforcing them!
You should have employee medical records (not dental records, medical records). OSHA medical records include information about work-related exposures, illnesses, and injuries, as well as hepatitis B vaccination records. These records are not protected under HIPAA and, as such, are not Protected Health Information.
Another term you should know is ‘Workforce’. Your workforce is your employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. Consider this: if you pay someone as a W-2 employee, they are considered workforce. If you pay someone as an Independent Contractor, such as an associate dentist, you have no control over their actions or inactions. HIPAA states you are responsible for training your workforce on federal and state privacy and security regulations. Covered Entities are also responsible for ensuring their workforce is trained on and complies with written policies and procedures.
Here is a sample list of written policies Covered Entities need to have:
• Notice of Privacy Practices
• “Minimum Necessary”
• Designated record set
• Access to PHI
• Amendment requests
• Accounting of disclosures
• Business Associate (BA) relationships
• Verification of the Identity and Authority of the Person Requesting Disclosure of PHI Policy
• Use/Disclosure requiring authorization
• Revocation of authorization
• Routine & Recurring Disclosures
• Use and disclosures concerning decedents
• Safeguarding PHI
• Use and Disclosure of PHI for TPO
• Alternative means of a communication request
• Personal Representatives
• Facsimile transmission
• Restricted use request
• Management of Patient Complaints
• Social Media
• Anti-retaliation
• Breach mitigation/response
There is a common mistaken belief that a dental practice’s Notice of Privacy Practices (NPP) is its written policies and procedures (P&P). Actually, the NPP is a patient-facing notice that outlines when an authorization is required to disclose PHI to a third party and identifies patients' HIPAA rights. The NPP is a summary of the P&P, which are employee-facing documents that further outline how your workforce complies with HIPAA regulations. As with all written P&P, your HIPAA P&P should be reviewed at least annually to (1) make sure they are up to date and (2) make sure your staff know and follow them.
Making sure you and your staff know your HIPAA P&P means you (and they) have to read (or somehow learn) what your P&P allow and do not allow regarding HIPAA. I know from previous OCR investigations I have been involved with that OCR is not playing around about this. During an investigation, they will (not may) quiz your staff on your P&P. If you or your staff cannot reasonably articulate what is allowed (or not) by your P&P, you are screwed (to put it politely).
At Dental Compliance Specialists, LLC, we help dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We offer in-office and virtual programs to suit our clients' needs (and budget). Dental compliance includes DEA, OIG/Corporate, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance, and more!