HIPAA Compliance Requirements for Dental Information Technology
In the dental industry, you always hear about the Health Insurance Portability and Accountability Act (HIPAA). But do you really know what it means and more importantly, is your organization HIPAA compliant? Here, we will go over what HIPAA is, which entities are governed by HIPAA, and how your practice can ultimately become compliant.
If you are feeling overwhelmed by the vast amount of digital information technology required to run your practice, it may be time to consider outsourcing. Download our handy checklist “How To Choose a Managed IT Service Provider” to help guide you to a better solution.
What is HIPAA?
Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection. It also reduces healthcare fraud and waste. HIPAA covers all patient data, whether written or digital. Here we will focus on digital patient information. Many revisions have been made to HIPAA since its inception, especially as technology in healthcare has changed.
The security standards set forth in HIPAA are meant to protect patients’ private information, including personally identifiable information such as social security numbers, and healthcare data. HIPAA also sets security standards for acquiring, storing, and electronically transmitting patient data. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and must follow them to ensure HIPAA compliance.
Who Should Be Compliant?
If your organization has access to electronic Protected Health Information (ePHI), you must be HIPAA compliant. The HIPAA Security Rule applies to all health plans, healthcare clearinghouses, and any healthcare provider that transmits protected health information (PHI) in electronic form, known as electronic protected health information (ePHI). Any outside vendor that does business with this type of company is also required to be HIPAA compliant. All of these organizations are referred to as covered entities.
What Happens if You Fail to Comply?
The Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. The OCR investigates complaints that are filed and conducts compliance reviews to determine whether covered entities are in compliance. After reviewing all of the information it has gathered, the OCR may conclude that the covered entity did not violate HIPAA.
If the OCR does determine that there has been noncompliance with HIPAA, civil and criminal penalties may result. For a non-criminal and unintentional violation of HIPAA, the OCR simply requires that the entity establish voluntary compliance. It may also require corrective action and/or a resolution agreement from the entity. If a complaint describes an action that could be a violation of the criminal provision of HIPAA, the OCR may refer the complaint to the Department of Justice (DOJ) for investigation. The OCR also conducts compliance training.
What Are the HIPAA Requirements?
HIPAA consists of an extensive set of rules. The general rules are to:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit, including via email
Identify and protect against reasonably anticipated threats to the security or integrity of the information
Protect against reasonably anticipated, impermissible uses or disclosures, and ensure compliance by their workforce
Covered entities must also perform risk analysis and risk management. A risk analysis process includes evaluating the likelihood and impact of potential risks to e-PHI, implementing security measures to address those risks, and documenting the security measures chosen. Finally, the covered entity must also maintain continuous, reasonable, and appropriate security protections. Protections should cover the administrative, physical, and technical areas of your practice. Covered entities are required to comply with every HIPAA Security Rule "Standard." However, the Security Rule categorizes certain implementation specifications within those standards as "addressable," while others are "required." A "required" specification must be implemented as written; for an "addressable" one, the covered entity must assess whether it is reasonable and appropriate for its environment and either implement it, implement an equivalent alternative measure, or document why neither is needed.
All HIPAA requirements can be found at this website: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
What You Need to do to Ensure Your Practice Becomes Compliant
The first thing you need to do is become familiar with what the HIPAA Privacy and Security requirements are and how they pertain to your organization. Locating an updated HIPAA checklist is a great way to look at everything your organization needs to do in order to become compliant. Here is a great updated checklist we have found: https://www.hipaajournal.com/wp-content/uploads/2018/08/HIPAA-Journal-HIPAA-Compliance-Checklist.pdf. While going through the checklist, there are many areas where you must make sure your practice is covered. A great way to take the stress out of making sure your IT infrastructure is secure is to choose a managed IT service provider to take care of it for you.
Working with sensitive information is a great responsibility in the medical and dental industry. You must know what to do in order to make sure that patient information is secured and managed properly. Complying with HIPAA is a must, and while doing so may be challenging, the penalties for not complying can be severe.
Make sure to check out our “What to Look for in a Managed IT Service Provider Checklist” for help choosing the right provider that can assist you with being HIPAA compliant.