Simply performing an online risk analysis may not be enough to properly protect your dental practice.
In a previous article, I talked about the need for a risk assessment/analysis and why it is critical for every office to have one. I mentioned that taking an online risk assessment is one method to accomplish this. While I still feel that part of the risk assessment can be done online, new information leads me to believe that a more comprehensive approach is indicated.
As many offices know, the Office for Civil Rights (OCR) oversees the HIPAA program. In 2012, a series of 150 random audits was performed, and the results were tabulated and reviewed. To nobody’s surprise, the results showed that many practitioners were not adequately meeting the HIPAA standards. In an attempt to increase compliance, the number of random audits was increased to 1,200 for 2016. The first round of these audits was sent out on July 11.
One of the critical areas of concern that the audits discovered was the absence of a risk assessment. Most dentists understand this concept as it relates directly to how we treat patients. When a patient comes to your office for the first time, you perform a series of diagnostic tests to determine what pathology or other issues exist, and based on those tests, you can then develop an appropriate treatment plan. Well, HIPAA compliance works the same way: How can you take the necessary steps to get compliant unless you know which areas you aren’t compliant in? This is exactly what a risk assessment accomplishes: It identifies where the practice is at risk, so that you can then develop a plan to mitigate this risk.
The challenge for many offices is that there are three specific areas where practices can be at risk, and all of these have to be evaluated. The first is physical. Are your computers locked down? What about the charts? Is there an alarm system or monitoring? Secondly, there is administrative risk. Do you have systems in place to notify patients in the event of a breach? Have you adequately trained your staff? Do you have incident reports filed properly? Finally, the one that most people focus on is technical risk. Do you have firewalls in place? Antivirus software? Are your backups meeting HIPAA regulations? Is everything encrypted?
Another caveat: If you perform a risk assessment and decide to do nothing about it, you are actually at risk of even higher fines and penalties. HIPAA has four different classifications of fines, and the highest level is for what they determine to be “willful neglect.” This means you knew about the problems but chose not to do anything about them. In other words, if you commit to a risk assessment, be prepared to follow the process through to the end.
I would encourage all dental offices to evaluate how they have conducted their risk assessment and decide if further analysis is needed. OCR demands that a risk assessment be completed on a periodic basis. In my opinion, this should be done yearly, and even twice a year if possible. My company, the Digital Dentist, has worked with other companies to develop a more thorough risk assessment, and we continue to offer this as a free service to anyone who is interested. Just call us at 866.204.3398 x200 to get more information.