HIPAA Manual for Dental Office Compliance
Using a HIPAA manual for dental office compliance is not the best strategy. A HIPAA manual used to be the industry-accepted method for implementing HIPAA policies and procedures. However, the Department of Health and Human Services (HHS) no longer considers a manual on its own to make a practice HIPAA compliant, because a HIPAA manual is generic and often ignores the nuances of how an individual practice operates. Instead of relying on a manual for HIPAA dental compliance, it is recommended to draft policies and procedures that directly relate to how your dental office operates.
How to Draft Policies and Procedures
HIPAA requires covered entities to protect the confidentiality, integrity, and availability of protected health information (PHI) with safeguards. When drafting your office’s policies and procedures, it is important to ensure that the safeguards that you implement adequately secure the PHI that you create, maintain, transmit, and receive. HIPAA mandates that organizations implement administrative, physical, and technical safeguards; however, the HHS leaves it up to you to determine what safeguards are “reasonably appropriate” for your practice.
What are HIPAA Safeguards?
Although the HHS does not provide specific requirements for how to implement the required safeguards, HHS does provide guidelines on what should be considered when drafting your policies and procedures.
- Administrative safeguards: relate to your policies and procedures that dictate proper uses and disclosures of PHI. HIPAA requires covered entities to only access the minimum necessary PHI to perform their job functions. This is to prevent PHI from being accessed without cause, mitigating the risk of insider breaches. Administrative safeguards also include employee training. All employees that have access to PHI must be trained annually on HIPAA standards as well as your practice’s policies and procedures.
- Physical safeguards: relate to the security surrounding your office. Areas containing PHI must not be accessible to unauthorized individuals. As such, paper files containing PHI should be stored in locked cabinets or rooms. In addition, it is recommended that you install an alarm system or security cameras to prevent unauthorized access to your office.
- Technical safeguards: relate to the security measures that secure your technology (i.e., desktop computers, laptops, mobile devices). Devices should be password protected, with automatic logoff set up so that when they are left unattended they lock, preventing unauthorized access. However, even with automatic logoff in place, employees should still lock their computers when leaving them unattended. In addition, it is important to have access controls in place. Access controls designate different levels of access to PHI based on an employee’s job role, ensuring that the minimum necessary standard is upheld. Devices should also be secured with encryption, firewalls, and data backup.
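The two technical safeguards above that are easiest to get wrong in practice are the minimum necessary access rule and automatic logoff. The following Python snippet is an added illustration, not code from the original article or from any dental practice management system; the job roles, the field-to-role mapping, the five-minute idle timeout and the patient record are all constructed sample values, and a real EHR would enforce the same checks server-side with authenticated users.

```python
"""Added example: role-based 'minimum necessary' access to PHI fields plus an
idle-session automatic logoff. Roles, fields, timeout and record are constructed
for this illustration and are not taken from any real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample policy: which PHI fields each job role may see.
# Anything not listed for a role is withheld (minimum necessary).
ROLE_PERMITTED_FIELDS: Dict[str, Set[str]] = {
    "front_desk": {"name", "phone", "next_appointment"},
    "hygienist": {"name", "allergies", "treatment_notes"},
    "dentist": {"name", "allergies", "treatment_notes", "xray_ids", "billing"},
}

IDLE_LOGOFF_SECONDS = 300  # assumed workstation idle timeout (5 minutes)

# Constructed sample patient record (fake data, no real patient).
SAMPLE_RECORD = {
    "name": "Pat Example",
    "phone": "555-0100",
    "next_appointment": "2024-06-01",
    "allergies": ["penicillin"],
    "treatment_notes": "routine cleaning",
    "xray_ids": ["XR-1"],
    "billing": {"balance": 120.0},
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: float          # seconds, e.g. time.time()
    audit_log: List[str] = field(default_factory=list)


def is_locked(session: Session, now: float) -> bool:
    """Automatic logoff: a session idle for the timeout or longer is locked."""
    return now - session.last_activity >= IDLE_LOGOFF_SECONDS


def access_record(session: Session, record: dict, now: float) -> dict:
    """Return only the fields the session's role may see, logging the decision.

    Raises PermissionError if the session has been auto-locked; the user must
    re-authenticate rather than silently continuing.
    """
    if is_locked(session, now):
        session.audit_log.append(f"{session.user}: denied (session locked)")
        raise PermissionError("session locked by automatic logoff; re-authenticate")

    allowed = ROLE_PERMITTED_FIELDS.get(session.role, set())  # unknown role -> nothing
    view = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    session.audit_log.append(
        f"{session.user} ({session.role}) viewed {sorted(view)}; withheld {withheld}"
    )
    session.last_activity = now   # activity resets the idle clock
    return view


if __name__ == "__main__":
    s = Session(user="alice", role="front_desk", last_activity=1000.0)
    print(access_record(s, SAMPLE_RECORD, now=1010.0))
    print(s.audit_log)
```

The audit log entry records both what was shown and what was withheld, which is the evidence an auditor asks for when checking that the minimum necessary standard is actually enforced rather than merely written down.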
Understanding Why a HIPAA Manual for Dental Office Compliance is Insufficient
Practices that choose to use a HIPAA manual for dental office compliance can be subject to costly fines when audited. When HIPAA was enacted, it was deliberately left vague so that it could apply to a wide variety of health institutions, both big and small. A HIPAA manual for dental office compliance follows the same concept: it is written to apply to a large variety of healthcare institutions, so it may not apply to your daily operations.
Since HIPAA requires practices to implement measures that are “reasonable and appropriate” for your practice, a HIPAA manual could be asking you to include measures that would be irrelevant to your practice. In addition, a HIPAA manual will most likely leave your practice vulnerable, since it is not customized for your practice. For instance, you may be using a third-party electronic health record (EHR) platform to maintain your patient records. Your EHR vendor would be considered a business associate (BA), requiring you to have a signed business associate agreement (BAA) before you can utilize the EHR for your patient records. A HIPAA manual for dental compliance would be unaware of this relationship, and unless you have a compliance expert, you may be unaware that you need a BAA.