We've heard from many of our dentist colleagues that there is increasing pressure to be HIPAA-compliant. Some dentists are choosing to hope for the best and keep using email to communicate about patients. Others are spending upwards of $100,000 to hire HIPAA consultants.
Forget secure email, that is not the answer to keeping you safe. You need to bring your entire office into compliance with HIPAA.
Here is a brief summary and a tool for how to start the process immediately and quickly, without expensive and slow consultants. You will eventually need more, but this is a start. As you read this, please be aware that we are not lawyers, we do not represent the government, and that this post is merely a place to start. Because our iClickCare Hybrid Store-and-Forward collaboration service was developed from the onset with HIPAA in mind, we want to share some time-saving experience with you. At the end of this post is a link which will bring you to a more complete framework and a tool which reduces 492 compliance questions to only 32.
Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 Rule? Increasingly, understanding and adapting to these laws is the only way to care for our patients -- and protect ourselves.
What you need to know about the health privacy laws that affect you as a dentist:
- HIPAA was passed in 1996. The internet bubble was expanding. The world wide web was born. What about our privacy? The Health Information Portability and Accountability Act came into being. It mandates electronic processes to protect health information. It controls everything from digital electronic information to paper charts to locks on doors and conversations.
- HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009. It stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides penalties for not using them and markedly increases fines and jail terms for disclosure of health information.
- Omnibus Rule 2013. In 2013, HIPAA was amended with the final rules that expand and detail the reach of the act -- these additional regulations are termed the "Omnibus Rule." The Office of Civil Rights of the Department of Health and Human Services summarized the over 500 pages of Omnibus Rule with four final rules that:
- Make Business Associates of Covered Entities directly liable for compliance.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
- Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
- Adopt the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
- Replace the breach notification rule's "harm" threshold with a more objective standard [Previously, a breach had to reported if there was a “risk of harm”. The Omnibus Rule requires any breach to be reported.]
- Prohibit most health plans from using or disclosing genetic information for underwriting purposes.
A risk assessment of your practice is required. There are five components:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Safeguards
- Policy and Procedures and Documentation Requirements
This assessment can be done by you. Of course, the findings of the assessment and the plan of action must be documented. The assessments need to be ongoing. In addition to the self-assessment below -- ClickCare's Quick Guide to HIPAA Toolkit -- here are a couple of other tools that might be useful: