Dental practices[i] have been grappling with HIPAA compliance for over 10 years. Ask any dentist, office manager, receptionist, dental assistant, dental hygienist, dentist spouse, IT professional, or consultant about HIPAA and you will likely receive a negative response. No doubt that negative response relates to the challenges of HIPAA compliance, which include ongoing training, voluminous policies and procedures, never-ending documentation, complicated risk assessments, and convoluted risk management plans.
According to the Department of Health and Human Services, HIPAA’s final Omnibus Rule enhanced patient privacy protections to include new rights to their health information, as well as strengthening the government’s ability to enforce the law.
A recent security breach involving a copy machine resulted in a $1.2M fine. Incidents like this scare the average practice into questioning whether their compliance program is intact. You may be saying, “Please, will somebody help me?”
Help is here! This article contains a brief overview of the latest HIPAA updates. Dental practices must take the time to review the recent changes and make adjustments in their HIPAA compliance program. Remember, simply purchasing a manual with fill-in-the-blank templates does not equal HIPAA compliance, and doing nothing may result in willful negligence. To avoid being overwhelmed, it is helpful to dissect the information into small, mentally digestible pieces.
Notice of Privacy Practices
The Notice of Privacy Practices must be updated to reflect the Omnibus Rule’s expanded rules. Relevant to dental offices, this includes a patient’s right to restrict disclosures to insurers if services were paid in full, as well as a patient’s right to receive an electronic copy of electronic PHI. (Of course, you will need to review provider contracts.)
The Notice details the greater responsibilities and accountabilities of business associates, and the need to identify whether they are using subcontractors. The Notice should also include the practice’s responsibility to notify an individual if there is a breach of unsecured PHI. The new version of the Notice of Privacy Practices is made available to individuals at the initial encounter, and should be available on the practice’s website. Retain previous versions for six years.
Business associates
HIPAA’s updates expanded the requirements of business associates. These are non-employees that create, receive, maintain, or transmit PHI. Examples of Business Associates include IT professionals, vendors such as software companies, bookkeepers, accountants, trainers, consultants, and other contractors that have access to the practice’s PHI.
Previously, dental practices simply obtained a Business Associate Agreement from their business associates with the understanding that the associate safeguarded PHI. However, now business associates are held to the same standard as covered entities (such as dental practices), including the risk of penalties and fines.
The Business Associate Agreement must identify if the associate subcontracts with other individuals or groups. For example, if the dental office contracts with an IT professional and the IT professional subcontracts a computer technician and a breach occurs, who is responsible? This can have a domino effect in determining which group is responsible and accountable for fines and penalties.
It is not unusual for practices to ask if the business associate carries adequate liability insurance. Furthermore, the practice may request a summary of the associate’s Security Risk Management Plan. According to one resource, 30% to 70% of privacy and security breaches involve a vendor.[ii] Do you have the updated Business Associate Agreement on file? Have you verified that the agreement does not disclaim responsibility? Are you confident in your business associates?
Breach notification
The Department of Health and Human Services defines a breach as an impermissible use or disclosure of PHI unless there is a low probability that the data has been compromised. Accordingly, the Omnibus Rule removed the “harm standard” in defining a reportable breach, meaning that the assessment is no longer based on harm to the patient or individual, but on whether the information was compromised. If the covered entity cannot demonstrate a low probability that the information was compromised, it must treat the incident as a bona fide breach.
To avoid triggering the breach notification requirement, the data must be secured. Secured PHI is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology such as encryption or destruction of data.
The most common cause of PHI breaches involves portable devices such as laptops, flash drives, and improperly stored hard drives. Numerous security experts identify the lack of a security risk assessment and corresponding risk management plan as the weak link in a compliance program.
Security Risk Assessment
HIPAA’s general security rule addresses the confidentiality, integrity, and availability of electronic PHI. Risk assessments should be accurate and thorough. Recommendations for conducting risk assessments are available through the National Institute of Standards and Technology (NIST).
A good place to start is to identify the system contacts and individuals authorized to make decisions. This may include the practice owner, privacy/security officers, IT analyst, practice administrator, and health-care attorney.
Next, categorize information systems. You cannot secure information if the practice is uncertain where it is saved. Devices should include the file server, workstations, external hard drives, flash drives, copiers, scanners, backup tapes, DVDs, and so forth. Make certain that obsolete media such as outdated DVDs, CD-ROMs, and hard drives are properly stored or destroyed.
Identify realistic threats and potential vulnerabilities across natural, human, environmental, technical, and non-technical categories. Natural threats include floods, tornados, electrical storms, etc. Ways to minimize these risks include offsite data storage and encryption.
Human threats include inadvertent data entry, theft, fraud, and more. Establish a work clearance procedure and provide training for the entire workforce. Create and deploy strong security policies, such as prohibiting shared log-ins and passwords.
Employees must be informed that the practice protects patients’ privacy; however, employee workstations and portable devices are subject to review, including the systems’ audit trails. If the practice issues mobile phones to staff, implement a remote wipe utility to protect the PHI stored on the phone, such as emails, texts, and photos, if the device is stolen or lost.
Employees must understand that security infractions result in discipline and possible termination of employment. Develop and implement a sanction policy to formally address system misuse, abuse, and fraudulent activity. Determine how the practice deactivates log-ins and passwords when an individual’s employment is terminated, regardless of whether termination is voluntary or involuntary. Include the topic of remote access and how such access is immediately deactivated when an employee/provider ceases employment.
Physical safeguards include securing the file server. Some practices secure the file server to the floor with brackets. Others utilize a locked file server closet or other method of protecting the server from theft. Inquire how the data on the server may be encrypted at rest.
Other physical safeguards include an alarm system, secured windows, and prevention of unauthorized entry through a back door. If you practice in a professional building, make certain the dropped ceiling does not risk unauthorized access.
Assess the technical aspect of compliance. Keep in mind that Microsoft will no longer support Windows XP after April 2014. Consult with your IT professional to find out if you are affected by this change.
Enable automatic logoff features. Inquire if necessary testing has been completed to ensure that the authentication system is working as prescribed. Encrypt emails that contain PHI. If emails are not encrypted and the patient requests the PHI via email, make sure they understand that there is a level of risk during transmission.
Prepare in advance how the practice will handle a security incident. NIST provides a guide for implementing HIPAA’s security rule at csrc.nist.gov.
Once the risks are identified, prepare a Risk Management Plan. Also, maintain a privacy policy, security policy, contingency plan, and back-up procedures. To avoid being overwhelmed with changes, create an action plan that prioritizes tasks according to the level of risk. Basically, document, document, document. No one ever graduates from HIPAA compliance training because it is an ongoing endeavor.
You can, however, gain confidence in your HIPAA compliance program through solid preparation. Review your current materials. Take an accurate pulse of your practice’s security, and customize policies to fully meet the needs of your organization. Repeat the risk assessment periodically as your technology needs change.
Olivia Wann, RDA, JD, founded Modern Practice Solutions, LLC, in 2000. She attended Tennessee Technology Center as a RDA, graduated magna cum laude from St. Joseph’s College with a bachelor of science degree in Health Care Administration, and from Nashville School of Law with a Doctorate in Jurisprudence. For more information, visit www.modernpracticesol.com.
NOTE: This article does not constitute legal advice, nor does reading the material create an attorney/client relationship.
[i] Dental practices that meet the definition of covered entities
[ii] “Ready or not: HIPAA gets tougher today,” www.healthcareitnews.com, accessed 2/2/14.