Using a HIPAA manual for dental office compliance is not the best strategy. A HIPAA manual used to be the industry-accepted method for implementing HIPAA policies and procedures. However, the Department of Health and Human Services (HHS) no longer considers a manual to be HIPAA compliant. This is so because a HIPAA manual is generic, often ignoring the nuances of business. Instead of using a manual for HIPAA dental compliance, it is recommended to draft policies and procedures that directly relate to how your dental office operates. 

How to Draft Policies and Procedures

HIPAA requires covered entities to protect the confidentiality, integrity, and availability of protected health information (PHI) with safeguards. When drafting your office’s policies and procedures, it is important to ensure that the safeguards that you implement adequately secure the PHI that you create, maintain, transmit, and receive. HIPAA mandates that organizations implement administrative, physical, and technical safeguards; however, the HHS leaves it up to you to determine what safeguards are “reasonably appropriate” for your practice.

What are HIPAA Safeguards?

Although the HHS does not provide specific requirements for how to implement the required safeguards, HHS does  provide guidelines on what should be considered when drafting your policies and procedures.

• Administrative safeguards: relate to your policies and procedures that dictate proper uses and disclosures of PHI. HIPAA requires covered entities to only access the minimum necessary PHI to perform their job functions. This is to prevent PHI from being accessed without cause, mitigating the risk of insider breaches. Administrative safeguards also include employee training. All employees that have access to PHI must be trained annually on HIPAA standards as well as your practice’s policies and procedures.
• Physical safeguards: relate to the security surrounding your office.  Areas containing PHI must not be accessible to unauthorized individuals. As such, paper files containing PHI should be stored in locked cabinets or rooms. In addition, it is recommended that you install an alarm system or security cameras to prevent unauthorized access to your office.
• Technical safeguards: relate to the security measures that secure your technology, (i.e. desktop computers, laptops, mobile devices). Devices should be password protected, with automatic logoff setup, ensuring that when left unattended, they lock preventing unauthorized access. However, even with automatic logoff procedures set up, employees should still lock their computers when leaving them unattended. In addition, it is important to have access controls in place. Access controls designate different levels of access to PHI based on an employee’s job role, ensuring that the minimum necessary standard is upheld. Devices should also be secured with encryption, firewalls, and data backup