Safeguarding your patients' protected health information is essential to your HIPAA compliance. We share the systems and steps that should be in place to keep that data properly secured.
Every dental practice is responsible for protecting its patients' protected health information (PHI) as detailed by the Health Insurance Portability and Accountability Act (HIPAA). However, not every dental practice complies with the HIPAA rules.
Often this lack of compliance is not intentional but is caused by a practice's poor understanding of the data protection requirements. John Flucke, DDS, Technology Editor for Dental Products Report, says the lack of compliance sometimes has other causes as well: some practices resent the added expense and hassle that HIPAA compliance imposes on a practice's bottom line.
Dentists and other covered entities should not be "penny-wise and pound-foolish" about data protection management and HIPAA compliance, Dr. Flucke advises. From an accounting standpoint, it is something all practices must do.
“Expenditures to protect data are another form of insurance; they prevent disaster like fire insurance does,” Dr. Flucke says.
Data protection checklists are a useful tool to help you identify where your current data management system has HIPAA compliance issues. Marc Haskelson, President and CEO of Compliancy Group, a company that provides HIPAA software with coaching to automate HIPAA compliance, says a checklist is a simple way for a dental practice to gauge where it currently stands against the HIPAA requirements.
“Checklists are not designed to make people compliant or secure. They're designed to help you understand how far off base you are as a starting point,” Haskelson explains.
Many checklists are available to practices for the data management issues that arise from the HIPAA rules. Perhaps the first checklist you should examine for data management comes from the Department of Health and Human Services (HHS), which oversees the HIPAA requirements. HHS published the Seven Fundamental Elements of an Effective Compliance Program. These seven fundamentals were published to help covered entities become compliant and include:
Haskelson has 14 years' experience in HIPAA compliance, and Compliancy Group works with all kinds of clients, not just dental practices; none of its clients has ever failed an audit. The company designed the Compliancy Group checklist to clear up common misunderstandings people have regarding HIPAA.
Compliancy Group developed the questions on its HIPAA Compliance Checklist because many organizations think they are HIPAA compliant when they are not. Haskelson says these misunderstandings contribute to the high failure rate in the US for audits by the Office for Civil Rights (OCR), the HHS office that enforces HIPAA.
Most of the items Compliancy Group chose to include correspond to what federal law requires. Protecting your data is also protecting your business, he notes.
“When it comes to security, you are protecting the assets of your firm,” Haskelson says, adding that your reputation is one part of those assets. “So, you should be using a checklist to evaluate where you are today, as well as your risk profile.”
There are 18 specific identifiers that HIPAA requires you to protect, Haskelson says, the obvious ones being names, phone numbers, email addresses, and financial account information. However, a computer's IP address and a home's street address are just as identifying, he adds. In the end, criminals want your data because they are trying to get access to your finances, and they will use any of these identifiers in any combination to do it.
HIPAA requires every covered entity to assess its security risks regularly, in practice at least once a year, and these assessments identify where you have gaps. Haskelson also says it is essential to treat security reviews and related checklists as a way to improve the practice and the patient experience rather than as a way to avoid getting caught (and fined, or worse) by the OCR.
“Using these results as a guideline, we help an organization to set up their policies and procedures. Those policies and procedures make your staff happy,” Haskelson says. “When your people are happy, and they know what they are supposed to do, they tend to serve your patients better.”
Haskelson also cautions practices that a checklist only provides guidance on HIPAA compliance. Answering yes to every item in a self-evaluation checklist does not mean you are compliant; these checklists are intended to be educational, he says.
“We think it has become way more complicated than it was meant to be, and it really should be simple,” Haskelson says of HIPAA compliance. “The other reason for the checklist is it takes what is several hundred pages of very complex language and brings it down to something straightforward.”
The HIPAA Journal, a publication that covers HIPAA news, also published a self-evaluation HIPAA Compliance Checklist for dental practices and other covered entities. Like Compliancy Group, it uses the HHS guidelines to help a practice establish its baseline for becoming HIPAA compliant.
For example, the first question identifies the six annual audits and assessments required by the HIPAA laws, which include:
The subsequent questions then address the findings of these audits and what has been done to remediate any vulnerabilities that were found. For example, the second question asks whether you have the documentation for the past six years available in case of an OCR audit of your practice. Like the other checklists available, the HIPAA Journal's also emphasizes that completing the checklist does not guarantee HIPAA compliance, and it recommends that you get professional help.
Dr. Flucke has his own checklist for dental practices that want to ensure they are HIPAA compliant. It includes the following:
Dr. Flucke says dentists sometimes do not want to hear about these steps, especially the extra physical backup, because they are a hassle. However, he considers all of them crucial given the level of threat facing dental practices today.
“The last thing you want to hear is your accounting and patient records are gone,” Dr. Flucke says.