ClickCare Café

Getting Started Simply: HIPAA for Dentists

Posted by Lawrence Kerr on Mon, Nov 04, 2013 @ 08:54 AM


HIPAA compliance represents society


We've heard from many of our dentist colleagues that there is increasing pressure to be HIPAA-compliant. Some dentists are choosing to hope for the best and keep using email to communicate about patients. Others are spending upwards of $100,000 to hire HIPAA consultants.

Forget secure email, that is not the answer to keeping you safe. You need to bring your entire office into compliance with HIPAA. 

Here is a brief summary and a tool for how to start the process immediately and quickly, without expensive and slow consultants. You will eventually need more, but this is a start. As you read this, please be aware that we are not lawyers, we do not represent the government, and that this post is merely a place to start. Because our iClickCare Hybrid Store-and-Forward collaboration service was developed from the onset with HIPAA in mind, we want to share some time-saving experience with you. At the end of this post is a link which will bring you to a more complete framework and a tool which reduces 492 compliance questions to only 32

Why should you care and comply with HIPAA, HITECH and the Omnibus Reconciliation 2013 Rule? Increasingly, understanding and adapting to these laws is the only way to care for our patients -- and protect ourselves.

What you need to know about the health privacy laws that affect you as a dentist:

  • HIPAA was passed in 1996. The internet bubble was expanding. The world wide web was born. What about our privacy? The Health Information Portability and Accountability Act came into being. It mandates electronic processes to protect health information. It controls everything from digital electronic information to paper charts to locks on doors and conversations.
  • HITECH is the acronym for Health Information Technology of Economic and Clinical Health Act. It is part of the American Recovery and Reinvestment Act of 2009. It stipulates that healthcare providers be offered financial incentives for demonstrating meaningful use of electronic health records. It also provides penalties for not using them and markedly increases fines and jail terms for disclosure of health information.
  • Omnibus Rule 2013. In 2013, HIPAA was amended with the final rules that expand and detail the reach of the act -- these additional regulations are termed the "Omnibus Rule." The Office of Civil Rights of the Department of Health and Human Services summarized the over 500 pages of Omnibus Rule with four final rules that:
    • Make Business Associates of Covered Entities directly liable for compliance.
    • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
    • Expand individuals' rights to receive electronic copies of their health information.
    • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
    • Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
    • Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
    • Adopt the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. 
    • Replace the breach notification rule's "harm" threshold with a more objective standard [Previously, a breach had to reported if there was a “risk of harm”. The Omnibus Rule requires any breach to be reported.]
    • Prohibit most health plans from using or disclosing genetic information for underwriting purposes.

A risk assessment of your practice is required. There are five components:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Safeguards
  • Policy and Procedures and Documentation Requirements

This assessment can be done by you. Of course, the findings of the assessment and the plan of action must be documented. The assessments need to be ongoing. In addition to the self-assessment below -- ClickCare's Quick Guide to HIPAA Toolkit -- here are a couple of other tools that might be useful:


For our free kit to bring your dental office into HIPAA compliance, click here:

Download Quick Guide HIPAA Toolkit  


And take a look at some dental cases that can be solved with telemedicine:

What would you do? Fun cases.




Tags: HIPAA, HITECH, HIPAA secure images, Omnibus Rule

HIPAA HITECH Omnibus Rule 2013 and Healthcare Collaboration

Posted by Lawrence Kerr on Sun, Feb 24, 2013 @ 11:23 AM

HIPAA? I know about it, but I text anyway because it is good patient care.HIPAA requirements for telemedicine cannot be contradicted

Do you really want to say that?

Our advice: Don’t even think about it! And moreover, forget it and move on -- there is too much to worry about that you can change, and this, you can’t.

We are taught to understand as well as follow. Here is some understanding.

The Federal Register, on January 25, 2013, added another 563 pages (78 Fed Reg. 5566) to the voluminous hundreds of pages that constitute three acts over the past 17 years. These are HIPAA, HITECH and GINA, and an entire industry has been built on these rules. The 563 pages as a totality constitute the Omnibus Rule of 2013.

What does all of this mean to us providers? What does all of this mean to us who help providers? Since this post is conversing with patient care professionals, many of whom are mere HIPAA laymen, these answers are brief and focused.

Four main points for day-to-day care:

1. There is increased penalty and enforcement. 

Fines can be avoided with use of HIPAA secure telemedicine

2. Business associates are responsible for all their subcontractors. Did a cleaning lady, employed by a cleaning service pick up a CD? Reasonable Cause -- an act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect. 

3. Any disclosure of PHI will be presumed to be a breach, and HHS will, not may, investigate.

4. Individuals have enhanced rights to obtain electronic copies of their records. With this, is an enhanced right to restrict disclosure of PHI. Patients who pay solely for care by cash can restrict release to insurance companies and billers.

Some collateral damage to be aware of:

  • Schools  -- Immunizations can be shared.
  • Research -- Special notes about current research releases, and how they may apply to future analysis of the same data with different research.
  • Genetics -- Genetic information is protected and cannot be used against the patient.
  • Marketing and Fundraising -- Defines how information is used. Can you ask for money from patients for a cause you know that they are near and dear to?
  • Notification -- You may have to send new notifications to your patients about your privacy policy. Did you ever get one of those from your credit card company?

How much time is there to comply?

The final rule was announced on January 25, 2013. It is effective March 26, 2013 (including penalties), and compliance (such as notifications) must be completed by September 23, 2013.

Cost and Conclusion.

The cost of all of this...114 to 225.4 million dollars (government estimate, your experience may vary). In 2011, the CDC estimates 1 billion physician office visits. That works out to 23 cents per visit.

Finally, there is a lot to this and a lot to read. Download the "Omnibus Rule -- High Overview" to learn more and send you speedily on your way.


Omnibus High Level Overview


It is not totally depressing. But, as Jim Croce says,

"You don't tug on superman's cape

You dont' spit into the wind

You don't pull the mask of the ol' lone ranger

And you don't mess around with ..."


Find the compilation of References here:


2. Debbie Tokos, RHIT, CHPS, United Health Service, Johnson City, NY 13790


Tags: HIPAA, HITECH, HIPAA Collaboration, Telemedicine and HIPAA, HIPAA secure images, Omnibus Rule

Subscribe By Email

Recent Posts

Posts by Topic

see all