HIPAA can seem daunting to a new dentist but it doesn’t have to be. If you understand these four “pillars” of HIPAA, you’ll have a strong foundation for a compliant practice:
(1) Notice of Privacy Practices: This Notice – which you should provide to new patients and post in your office as well as on your website – describes to patients:
· how your practice uses and discloses their protected health information (“PHI”); and
· how they can exercise certain rights with respect to their own PHI.
The right most likely to be exercised by patients is “Access,” i.e., the ability to review their own records and/or request copies of their own PHI. Practices that do not comply with such requests within the required 30 days can and do face patient complaints and investigations by the Office for Civil Rights that often result in financial penalties.
(2) HIPAA Compliance Policies: The Notice is the “what” your practice does with PHI; the policies are the “how” your practice does what it says it does in the Notice. Good policies are office-specific and should explain, at a minimum, how:
· to limit PHI disclosures only to those who need to know such information and to provide only what is necessary for the purpose;
· consent is not required to use or disclose a patient’s PHI for treatment, payment, healthcare operations, and various other circumstances prescribed by HIPAA (but it is required if you want to use a patient’s likeness or full name for the practice’s marketing purposes);
· PHI should be stored, secured and destroyed; and
· employees should not use personal computers for business purposes or share their work passwords with anyone, including colleagues.
The practice’s HIPAA Privacy and/or Security Officer should make sure all employees, especially new employees, are trained on the practice’s office-specific policies.
(3) Business Associates: The practice should identify all vendors that potentially have access to patients’ PHI and should put in place with each of them a Business Associate Agreement that conveys the practice’s expectations regarding the vendor’s use and protection of such PHI.
(4) Annual Security Assessment: At least once a year, the Privacy and/or Security Officer should lead an effort to identify:
· the types of PHI that the practice collects and retains;
· the location of such PHI (e.g., on premises or off-site, hardcopy or digital form, etc.); and
· whether or not such PHI is safe given the current safeguards.
The practice need not hire an IT company to conduct this gap analysis (although it probably is a good idea to ask your IT person whether your current computer security measures are adequate based on best practices as well as your practice’s risk profile and budget).