There is much to do to comply with all that HIPAA requires. First, consider ‘what’ you have to comply with (the Privacy Rule, the Security Rule and the Breach Notification Rule). The Enforcement Rule prescribes Civil Monetary Penalties and (often) Corrective Action Plans (ongoing government involvement) to remediate violations.
The Privacy Rule identifies when Protected Health Information (PHI) can be used and disclosed, and in which situations use and disclosure require express authorization. It outlines concepts like the Minimum Necessary principle, which specifies that each member of a Covered Entity’s workforce and each Business Associate should have access only to the least amount of information necessary to perform their role or function. It also requires creation and posting of a Notice of Privacy Practices, a patient-facing document that describes when the patient’s authorization is required prior to disclosure, lists patient rights, identifies the Privacy Officer and, more recently, must state that patients will be informed if their information is subject to a breach.
Wait! There is more.
The Privacy Rule requires Covered Entities to appoint a Privacy Officer and to have [employee-facing] policies and procedures that further define how to protect PHI, how to ensure patients’ rights, prohibited activities (think social media), training requirements and more (yes, more, but we will talk more on this later).
Then there is the HIPAA Security Rule. This requires the appointment of a Security Officer to oversee the security of electronic Protected Health Information (ePHI). I will clarify duties and responsibilities of the Privacy and Security Officer positions in a future post. For now, if you are a Covered Entity you must have one. One person can wear both hats.
There are three major parts of the Security Rule: administrative safeguards, physical safeguards and technical safeguards. Each set of safeguards has what are known as implementation specifications, or things you must do to comply. Some implementation specifications are ‘Required’, meaning there is only one way to implement them and comply. Others are ‘Addressable’, meaning they must still be implemented, but there are options as to how to implement and comply.
In a nutshell, the Security Rule requires ongoing risk assessments, management of identified risks to the information security environment of your practice, workforce training, use of an anti-virus program, adequate data backup, limitations on user access, completed Business Associate agreements/contracts with vendors who have access to PHI, and lots more. I’ll go more in depth in a future blog.
Next, the Breach Notification Rule places responsibility on Covered Entities to notify affected persons, whether current, former, minor or deceased patients (or their caregivers), when their information is subject to a breach (unauthorized access, use or disclosure). Covered Entities need to train their workforce on what a breach is, encourage reporting when a breach occurs, and ensure proper notification of affected persons, the U.S. Department of Health and Human Services – Office for Civil Rights (OCR) and, in some situations, print and television media.
To protect against HIPAA compliance risks, Covered Entities can obtain insurance coverage, which is great, but I find it encourages a ‘wait and see’ approach to compliance. Did you know that insurance coverage can be used for mediation of HIPAA compliance issues (i.e. efforts to control damage, make notifications, provide identity theft protection, pay for compliance support services to help bring the office into compliance, and I.T. services to help bring the practice into compliance)? How do I know this? Simple: we are the people attorneys call to help bring a client into compliance as they notify OCR of a major breach.
While this is true, it is also true that HIPAA (or cybersecurity) insurance cannot be used to pay Civil Monetary Penalties to settle HIPAA violations with OCR. Yes, you could have $1.5 million in coverage and be hit with $1.5 million in fines and penalties. You would be left to pay the $1.5 million in fines and penalties yourself.
Compliance with HIPAA requirements is expensive. The silver bullet is that there is no silver bullet. There are many boxes on the compliance checklist, and none of them can be satisfied with one product (or even one vendor, though more vendors are diversifying to try to satisfy all needs). Ultimately, non-compliance with HIPAA is substantially more expensive than compliance.
Find the vendors you need to provide the solutions you need to bring your practice into and maintain compliance. Factor those costs into the cost of doing business and you will hedge your bets against disaster. Or, do it your way and roll the dice and we will wait for your attorney’s call on the other side.
Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs, all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more. It’s not just about OSHA anymore!