Has your office been HIPAA-proofed? That is, would you say that your office is totally HIPAA compliant? If so, I need you to do just one thing…call ME!! I need to learn your secret. Because, with all that is expected of you, as a Dental Healthcare Provider, from the Office for Civil Rights (OCR), I don’t know that I believe 100% compliance is attainable. We have a saying here, “compliance is a journey, not a destination.” This could not be more true when it comes to HIPAA compliance.
I couldn’t begin to list here everything that you need to do to HIPAA-proof your office. But I can give you 4 tips that I think will start you off on the right foot for your compliance journey.
U DOWN WITH P&P?
HIPAA requires a Covered Entity (aka Dental Offices) to have written policies and procedures to guide you and your staff on how to comply with HIPAA regulations. Having such a manual is a start. More importantly, you and your staff have to know and follow your policies and procedures. It is simply inexcusable to have policies and procedures that you and your staff do not follow. Frankly, you are better off not having policies and procedures than having them IF you do not follow them and/or you do not know them. In fact, having, but not knowing/following, your policies and procedures can enhance Civil Monetary Penalties (CMPs) from OCR if you are busted for a HIPAA violation. Such an enhancement can multiply CMPs by five times or more (i.e. a $10,000 fine becomes $50,000, and so on).
TRAINING TRAINING TRAINING
Maybe I didn’t make myself clear. Be sure that your staff is completing their HIPAA training. OCR hasn’t laid out any specific rules on how often HIPAA training must be done, nor has it said exactly what this training should include. Instead, it says this: the frequency of HIPAA training is up to each individual practice, but training must be ongoing and timely, with updates, notices, and reminders issued in a manner that reduces risks associated with existing and newly identified threats. Vague enough for you? So how often should you do HIPAA training? We advise our clients to do annual HIPAA training. This may seem a bit of overkill to some of you, but once you start to really dive into HIPAA and all that it entails, you will see that annual updates are a must if you intend to stay up on all of it. We work hard to keep our training current, so that you are always focusing on fresh and relevant material. What’s more, we work with dentists who are being investigated by OCR. Through our work we have learned that OCR expects and enforces not just annual, but ongoing HIPAA training for all persons affected by HIPAA (dentists, this means you, not just your staff).
RDFPI&#L@D LQ MRI
Wait, what? Maybe you couldn’t read that piece of advice there. It says ‘Encryption is Key.’ But if I hadn’t decrypted it for you, you would have had no idea, right? Right! Point proven. There are cyberspace bad guys just waiting for you to get careless with PHI. Email and data encryption is a MUST in your dental office. OCR has identified encryption as an “addressable concern” in the dental office. What does that mean? It means that if it is reasonable and appropriate, you must use encryption. Restated, encryption is not optional; rather, you have options on how to comply with this HIPAA implementation standard. How do you decide if it is reasonable and appropriate for your office? What if you find that it is NOT reasonable and appropriate, so you choose not to do it? In my opinion, that is not the important question to ask yourself. The important question is, “what if OCR finds that it IS reasonable and appropriate for your office, and you have chosen not to do it?” I’ll tell you what happens then. IF you choose not to use encryption, OCR will take its big hand and reach right into your pocket to help itself. Not only can there be big fines associated with this, the potential damage to your practice’s reputation could be astronomical and irreversible.
BAA – BAA…don’t be a Black Sheep
GET YOUR BAAs in order. I cannot stress this enough. Many offices have gotten lax about having Business Associate Agreements on file, but OCR has not been lax about issuing fines for not having your BAAs in place. And don’t think that these fines only come after a breach. OCR recently issued over $200K in fines to a covered entity because their methods for sharing PHI seemed risky enough to OCR to necessitate a fine. BAAs just might be one of the most misunderstood parts of HIPAA. You might be asking things like: What is a covered entity? Who is a business associate? How often do these need to be signed? Those are all great questions, and you are not alone in asking. OCR defines a covered entity as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. If you are reading this, you are most likely a covered entity, and you NEED to know these BAA rules. Find out who your business associates are. If you don’t have BAAs on file, get them signed ASAP! If you need guidance on who needs to sign a BAA, we have resources to help you with this too.
This has been a lot of information. As I mentioned earlier, compliance is a journey. Just like Rome, compliance is not built in a day. If you’re already a current client of ours and need help with these, or any other aspects of HIPAA compliance, CALL US. That is what you hired us for, and our resources are available to you! We are here to help. If you are not a current client of Dental Compliance Specialists and you’d like some HIPAA help, check out our HIPAA+ plus program. It’s never too late to get started on your compliance journey; in fact, there is no better time to start than RIGHT NOW.