Being 100-percent HIPAA compliant may be impossible, but risk assessment and management plans can save you from hefty violation fines.
Over the past few years, we’ve examined many of the HIPAA laws, looking specifically at some of the most egregious types of mistakes that dentists make, and what not to do. Of course, having a plan in place before you do anything is far better than waiting for disaster to strike and hoping you can recover from it in one piece!
The best analogy I can give is the new patient who shows up at your office. You’re not going to start treating the patient the moment he or she shows up. You can’t treatment plan until you diagnose. You’re likely going to take any needed radiographs, do perio probing, restorative charting, intraoral and extraoral exams, cancer screening, etc. And, based on that evaluation, you will put together a treatment plan, and then start the treatment with the patient.
HIPAA compliance is pretty much handled the same way. You can’t really start to handle HIPAA violations in your practice until you’ve at least done a thorough evaluation of where you stand. HIPAA refers to this as a risk assessment.
What is a risk assessment and why is it important? HIPAA section 164.308(a)(1)(ii)(A) is quite clear, and it states, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or business associate.” This is a required section; you must do this. Another section, 164.316(b)(2)(iii), says you must update it periodically.
The challenge, as is true for much of HIPAA, is that it doesn’t really give you a whole lot of guidance. The only formal publication I know that addresses this is NIST Publication 800-30, Guide to Conducting Risk Assessments. Forget for a second that NIST only officially applies to federal facilities, as many in the IT world consider it be the de facto standard. It’s a 95-page document that honestly will put you to sleep faster than any sleeping pills!
In my experience, a proper risk assessment should include at the very least:
1. A site survey of the physical layout of the practice, looking at the locations and security of the computers, alarm systems, windows and doors, locks, etc.
2. A comprehensive evaluation of the IT systems, looking at security holes, patching of the software, firewalls, antimalware software, password policies, screen savers and many others.
3. An external vulnerability scan. Basically, someone should try to hack into your network to see if you are able to keep the bad guys out.
Once the risk assessment is completed, you should then develop a HIPAA management plan. This is the “treatment plan” we discussed earlier, the actual nuts and bolts of what steps you need to take and what order to take them in to get the practice more compliant.
It’s impossible to get 100-percent HIPAA compliant, as there are 600 or so pages of rules and regulations. However, being audited without having a risk assessment and HIPAA management plan is the best way to incur thousands of dollars in fines and penalties. You need to be prepared. In almost all cases, this is not something you should tackle yourself; you simply don’t have the knowledge and training to do a proper job. Talk with your IT people, or feel free to contact me directly if you want some assistance on this