Building and maintaining a thriving dental practice is not a simple task. Between keeping your staff at peak efficiency, managing vendors, marketing your services, treating patients, and everything else in your day, it’s easy to overlook something like HIPAA compliance. Unfortunately, HIPAA violations in the dental field can create severe issues for your practice.
Who Defines HIPAA Violations in the Dental Field
There are many misconceptions about HIPAA and who must adhere to its regulations. Let’s begin with some background on the law and its implications for your dental practice.
The U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA), and it was signed into law in 1996. The Department of Health and Human Services (HHS) is responsible for writing and updating the regulations that put the law into practice.
The Office for Civil Rights (OCR) is the enforcement arm of HHS. Think of them as the HIPAA police. When a data breach occurs or a violation is reported, OCR investigates what happened and decides who bears responsibility.
At its core, HIPAA is about safeguarding patients’ protected health information (PHI) as it travels through the healthcare system and making sure patients have access to that information when they need or want it.
Basic Facts About HIPAA Violations in the Dental Field
It is possible to reduce the thousands of pages of HIPAA regulations to a few basic concepts.
HIPAA Privacy Rule – This is the cornerstone of the HIPAA regulations. It defines protected health information (PHI) and specifies how that information may and may not be used and disclosed, in any form, whether on paper, spoken, or electronic. PHI is also exactly what cybercriminals are after when they hack, phish, or deploy ransomware, because it is worth more than a credit card number on the black market and cannot be cancelled.
HIPAA Security Rule – The Security Rule covers the subset of PHI that is created, received, stored, or transmitted electronically (ePHI). It defines administrative, physical, and technical safeguards, each broken into implementation specifications that are either required or addressable. "Addressable" does not mean optional: you must implement the specification, implement an equivalent alternative, or document why neither is reasonable for your practice.
Many people think the Security Rule is only about computer security. That is covered by the technical safeguards, but the Security Rule puts just as much weight on the physical safeguards (alarms, security systems, locked doors, workstation placement) and the administrative safeguards (risk analysis, policies, procedures, training, sanctions).
HIPAA Breach Notification Rule – The regulators at HHS know that breaches can and do happen. The Breach Notification Rule dictates how a provider or business associate must respond once a breach of unsecured PHI is discovered. A business associate that discovers a breach must notify the provider it works for; the provider is then responsible for the notifications below. There are two key points to remember.
- Everyone whose PHI may have been compromised must be notified without unreasonable delay, and in no case later than 60 days after the breach is discovered. The 60 days are a ceiling, not a target, and the clock starts when the breach is discovered or should reasonably have been discovered, not when the investigation finishes.
- If the breach affects 500 or more individuals, the HHS Secretary must be notified at the same time as the affected individuals. If those 500 or more are residents of a single state or jurisdiction, prominent media outlets serving that area must also be notified within 60 days of discovery. If fewer than 500 people are affected, the breach is logged and reported to the HHS Secretary within 60 days of the end of the calendar year in which it was discovered.
The Omnibus Rule – The Omnibus Rule, finalized in 2013, is actually four rules in one. Together they implement the privacy and security provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA), and they finalized the Breach Notification Rule described above.
The HITECH provisions are the ones to focus on in your dental practice. HITECH, passed in 2009 as part of the broader push toward electronic health records, expanded the scope of privacy and security protections under HIPAA and created tiered penalties that climb sharply when a violation is the result of willful neglect.
It also changed the relationship between providers and their business associates. Business associates are now directly liable for complying with the Security Rule and for the Privacy Rule provisions in their agreements, but that does not take the provider off the hook: you still need a signed business associate agreement with every vendor that handles PHI on your behalf, and you need to verify the safeguards that vendor actually has in place rather than taking a sales brochure at its word.
The Usual Suspects for HIPAA Violations in the Dental Field
Even though the HIPAA rules and regulations are thousands of pages long, a few violations repeatedly show up in dental offices. Here are five things to watch out for in your practice.
Insufficient Document Access Controls
Your patient records and charts are worthless if the people who need them can't get to them. But that doesn't mean every person in the office needs access to everything. The Privacy Rule calls this the minimum necessary standard: each role should see only the PHI it needs to do its job.
The dental hygienist likely doesn't need to see a patient's payment information. Likewise, the people handling billing and collections probably don't need the x-rays and detailed clinical notes that could be embarrassing for the patient.
Unique login credentials and strong passwords are the first step, and unique user identification is a required specification of the Security Rule, not an addressable one. Shared logins also destroy your audit trail: if the whole front desk signs in as "frontdesk", you can never show who opened a record. You also need written policies that forbid sharing logins and passwords, training that reinforces those policies, and the time set aside to configure your practice-management system's role-based access controls so that the policy is enforced by the software rather than by memory.
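The two ideas in this section, role-based access that enforces the minimum necessary standard and a per-user audit trail that lets you show who read what, fit together in a few dozen lines. The Python below is an added illustration written for this article; it is not Compliancy Group software or the code of any practice-management product, and the roles, staff, patients and schedule are constructed sample data. It also covers the "snooping receptionist" scenario discussed later in the article: role checks cannot stop a receptionist from opening the demographics of a patient she is allowed to see by role, so that case is handled as a detection problem over the audit log rather than a blocking rule.

```python
"""Least-privilege record access with an audit trail for a small dental
practice-management system. Added illustration only: the roles, users,
patients and schedule below are constructed sample data, not a real product."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum-necessary mapping: the record sections each role may read.
# A hygienist sees clinical material but not payment data; billing sees
# payment and insurance data but not x-rays or clinical notes.
ROLE_PERMISSIONS = {
    "dentist":   {"demographics", "chart", "xrays", "clinical_notes", "treatment_plan"},
    "hygienist": {"demographics", "chart", "xrays", "treatment_plan"},
    "billing":   {"demographics", "insurance", "payment"},
    "reception": {"demographics", "appointments"},
}


@dataclass(frozen=True)
class User:
    user_id: str   # one login per person; shared logins make the audit trail meaningless
    role: str


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


class RecordStore:
    """Enforces role permissions on every read and records every attempt,
    denied or not, so the practice can 'show its work' to an investigator."""

    def __init__(self, records):
        self._records = records          # patient_id -> {section: value}
        self.audit_log: list[AuditEvent] = []

    def read(self, user, patient_id, section):
        permitted = section in ROLE_PERMISSIONS.get(user.role, set())
        exists = patient_id in self._records
        allowed = permitted and exists
        if allowed:
            reason = "ok"
        elif not permitted:
            reason = f"role '{user.role}' may not read '{section}'"
        else:
            reason = "unknown patient"
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user.user_id, patient_id, section, allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        return self._records[patient_id][section]


def flag_snooping(audit_log, schedule):
    """Post-hoc audit review: successful reads of a patient's record by a user
    with no scheduled contact with that patient. The output is a list of
    events for a human to review, not a verdict; real deployments tune this
    by role and section to keep the front desk's legitimate lookups quiet."""
    return [e for e in audit_log
            if e.allowed and (e.user_id, e.patient_id) not in schedule]


def build_demo():
    """Constructed sample data: two patients, four staff, one day's schedule."""
    records = {
        "P-1001": {"demographics": "Jane Doe", "chart": "chart-1001", "xrays": "bitewing-1001",
                   "clinical_notes": "notes-1001", "treatment_plan": "plan-1001",
                   "insurance": "Delta Dental", "payment": "card-ending-4242",
                   "appointments": "2024-05-02 09:00"},
        "P-1002": {"demographics": "John Roe", "chart": "chart-1002", "xrays": "pano-1002",
                   "clinical_notes": "notes-1002", "treatment_plan": "plan-1002",
                   "insurance": "self-pay", "payment": "check-118",
                   "appointments": "2024-05-09 14:00"},
    }
    users = {
        "dentist": User("dr.smith", "dentist"),
        "hygienist": User("lee.h", "hygienist"),
        "billing": User("pat.b", "billing"),
        "reception": User("sam.r", "reception"),
    }
    # (user_id, patient_id) pairs with a legitimate reason to touch the record today.
    schedule = {("dr.smith", "P-1001"), ("lee.h", "P-1001"), ("pat.b", "P-1001"), ("sam.r", "P-1001")}
    return RecordStore(records), users, schedule


if __name__ == "__main__":
    store, users, schedule = build_demo()
    print(store.read(users["hygienist"], "P-1001", "xrays"))   # bitewing-1001: clinical role, clinical data
    try:
        store.read(users["billing"], "P-1001", "xrays")          # blocked by role, still logged
    except PermissionError as e:
        print("denied:", e)
    # Allowed by role, but P-1002 is not on sam.r's schedule today: a candidate for review.
    store.read(users["reception"], "P-1002", "demographics")
    for event in flag_snooping(store.audit_log, schedule):
        print("review:", event.user_id, "read", event.section, "of", event.patient_id)
```

The split between `read()` and `flag_snooping()` is the point: the role table is prevention and stops the billing clerk from ever seeing an x-ray, while the audit review is detection and is the only way to catch a user who was technically allowed to open a record but had no business doing so. Both depend on every person having their own login.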
Lost or Stolen Electronic Devices
With tablets, smartphones, and laptops, you can review patient records, treatment plans, and insurance claims from virtually anywhere. What happens when one of those devices is lost or stolen?
Any device your practice uses that holds or can reach ePHI should lock automatically after a short period of inactivity and require the user to re-authenticate. Storage on the device should be encrypted, and you should be able to wipe it remotely. Encryption does more than protect the data: under HHS guidance, ePHI encrypted in line with NIST standards is not "unsecured PHI", so the loss of a properly encrypted device (with the key not stored alongside it) generally does not trigger breach notification at all, while the loss of an unencrypted one almost always does. An ounce of prevention is far cheaper than a substantial fine for a HIPAA violation.
Inadequate Security for PHI and ePHI
Remember that at its core, HIPAA is about safeguarding PHI as it moves through the healthcare system and making sure patients can get to their own information when they need it.
Whether that means locking the file cabinet that holds paper charts or putting layered controls (patched systems, endpoint protection, backups, network segmentation) around your computer network, you must be able to demonstrate that you identified the risks to PHI and ePHI and did something reasonable about each one. The Security Rule's required risk analysis is where that demonstration lives: it documents what PHI you hold, where it lives, what could go wrong, and which safeguard addresses each risk. An OCR investigation that finds no current risk analysis rarely ends well, regardless of how good the technology is.
Policies and Procedures That Don’t Meet Your Practice Needs
When a product says "one size fits all," it generally fits very few people well. The same is true of HIPAA compliance. Mass-marketed "policy kits" are likely to miss details that matter in your practice: who covers the front desk at lunch, which vendor hosts your imaging, how after-hours emergencies are handled.
Your policies and procedures have to describe how your practice actually works. If they don't, your staff will follow the real workflow rather than the written one, and the gap between the two is where HIPAA violations appear in ways you may not expect.
Compliancy Group has a library of policies and procedures developed by our team of legal and compliance experts that are customizable to fit the needs of your practice. These policies have been OCR-audit tested. In fact, we have never had a client fail an audit or be fined during our 16 years in business.
Inadequate Employee Training and Attestation
If your policies and procedures aren't up to standard, your employees will be trained to the wrong standard. HIPAA requires training on your privacy policies and on security awareness; the common practice is annual training covering each employee's responsibilities regarding PHI and basic cybersafety, plus refreshers whenever a policy changes.
Even if you do all of the above, you still have to prove you did it. Like your high school algebra teacher, OCR investigators insist that you show your work. Adequate record-keeping and the ability to produce those records promptly when asked are crucial.
Suppose your office receptionist recognizes a patient and decides to snoop in his records. That is a HIPAA violation (and it underscores why document access control is essential). It is also, by itself, a potential breach: unauthorized access to PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised. If she shares what she saw with anyone else, there is nothing left to assess; you have a breach and the notification clock is running.
The training that we provide at Compliancy Group highlights the fact that snooping into files is not allowed. If the receptionist had received our training, she would have had to attest that she viewed the training and understood the material.
With that attestation stored in our proprietary web-based software “The Guard,” you have grounds for disciplinary action, and you insulate your practice from her willful misconduct.