Dental Consultant Advice: HIPAA
Welcome to the first in an ongoing series on HIPAA compliance for dental practices. As many of you know, HIPAA rules and regulations have completely changed the ways that dental offices need to operate. There are a number of problems, however.
First and foremost, the sheer volume and complexity of the rules can be overwhelming. There are literally hundreds and hundreds of pages of rules, many of them well beyond what a dentist can realistically achieve. Related to this, there are unfortunately a number of companies and sales reps whose sole focus is to sell products and services, quite often based on a perceived need that isn't factually correct.
The goal of this series is to educate dental offices on the main rules, what exactly they require, and how offices can achieve compliance without spending a fortune to get there. For this first article, I wanted to review the main components of the HIPAA rules, so that practices are at least aware of the "view from above".
While HIPAA can be overwhelming, it's important to understand that the concepts behind the creation of the rules actually make a lot of sense. Patients are entrusting dentists with very private information, such as health history, Social Security numbers, and credit card numbers. As such, they have a reasonable right to expect that dental practices will keep that information private and secure. That's really the gist of what HIPAA is all about. The problem, of course, is exactly how that mandate has been implemented. More than half of all HIPAA rules are administrative in nature: things such as risk assessments, policy and procedure manuals, incident reports, etc.
There are two components to the HIPAA rules. The Privacy Rule was finalized in the year 2000, and while it does include some rules related to electronic information, it applies to many other aspects of a dental practice, such as the handling of paper charts, what information is discussed around other patients, and what information can be disclosed to third parties. The Security Rule, conversely, applies only to electronic Protected Health Information (ePHI). If your IT people have been talking to you about encryption, antivirus software, and firewalls, that's because they are trying to get you compliant with the Security Rule.
There have been two other major updates to the HIPAA rules. The HITECH Act was passed in 2009, and it set up a tier of fines and penalties for non-compliance with these rules. These rules were then made final with the Omnibus Rules, which gave further clarification to the penalties. Of all the requirements out there, the most damaging one is the Breach Notification Rule, which in my opinion could easily cause a practice to go out of business immediately.
In the next article, we will look at the need for a contingency plan, what exactly it says, and how easy it is for dentists to develop a HIPAA compliant disaster recovery system.