Too many dental practices stumble over achieving proper HIPAA compliance. Most HIPAA problems come from staff ignorance and mistakes. The road to correct HIPAA compliance begins with information control, doing a practice risk assessment, and in having a written set of guidelines for patient data. Lawyer Simone McCormick, who will be speaking at the AAO 2017 Annual Session, held from April 21-25 in San Diego, California, seeks to build awareness for correct HIPAA compliance for healthcare professionals.
When it comes to proper Health Insurance Portability and Accountability Act (HIPAA) compliance, too many dental practices “stumble over the matter and then give up,” explains one legal expert. “They can’t.”
Simone McCormick, J.D., a West Coast attorney and a partner in the Selman law firm, says, “HIPAA is very important because it affects almost everyone — almost every dental and medical professional nationwide. It’s pretty far-reaching.” McCormick has represented healthcare professionals for most of her legal career, including orthodontists, and has also developed a HIPAA-focused practice.
RELATED: More AAO 2017 Annual Session Coverage
McCormick will speak at the American Association of Orthodontists 2017 Annual Session, held from April 21-25 in San Diego, California. Her topic is “10 Steps To Improve HIPAA Compliance at the Office.”
She says there are a few narrow exceptions to HIPAA (for example, if a person pays for the care themselves) but if an insurer or a government entity pays for the care, then HIPAA applies.
“It’s important to know that an individual can’t enforce HIPAA,” McCormick says. “It’s something that is enforced by the government. The U.S. Department of Health and Human Services (HHS) Office of Civil Rights is the enforcer of violations.”
While dental professionals must notify the government if they suspect a data breach, HHS also gets leads via complaints, McCormick says. HHS also does audits for compliance, “They go out to see if dental professionals are compliant,” she says. Although audits are completely random, McCormick says it is the larger and more significant healthcare organizations that are the usual targets for an audit.
She says the main reason for HIPAA compliance failure comes through the negligence of the dental staff. “The majority of problems are from mishaps,” McCormick explains. “This also includes snooping through patient data by staff. Information access control is vital to proper HIPAA compliance. The best way to prevent this is to have a ‘minimum necessary’ or ‘need to know’ rule to limit the exposure of data.”
In her law practice, McCormick says she sees a lot of noncompliance but most of it is due to ignorance. “It’s not easy to comply,” she says. “With HIPAA there are a lot of things to consider. I’m trying to create awareness. It’s a big mountain to climb but dental practices have to make a start and always try and move in the right direction.”
The best way to begin is through a risk assessment for the dental practice, says McCormick. This begins with the “Where’s my data?” question. “You as the owner of your practice need to ask and understand that question,” McCormick says.
Regarding patient information, doctors must ask “What do I have?” and “Where do I have it?” And then “What is the risk of it being compromised?” To help answer those and other questions, McCormick says the federal government’s HealthIT.gov website offers help with a Security Risk Assessment program. McCormick explains that “at a minimum” dental professionals should “spend some time with this free tool.”
Story continues on the next page.
McCormick also warned that dental professionals should be aware that most electronic health records (EHR) vendors, even if they claim to be, are not HIPAA compliant. You still need to assess the risk with EHRs,” she said.
Another very important step for correct HIPAA compliance is for the practice to set up formal policies and procedures. “HHS won’t care if you are a big or small practice,” McCormick says. “You must have rules and rules for patient data and they should be written down. This way they can be verified. So if you are audited or something bad happens you can pull up the rules that you documented. This formally identifies how you and your staff handle data. Since about two-third of HIPAA problems are mishaps, this will be significantly reduced with written policies.”
McCormick says that penalties for HIPAA noncompliance can be steep. “Fines can come from both the state and federal levels,” she says. “If the practice violations are egregious then the fines can be significant — you’re not going to walk away with just paying a couple thousand dollars. Some first time violators, whose problems aren’t egregious, might get just a warning. And if you do find a violation on your own, always notify the HHS first. It’s important to work with the regulators and not against them.”