Back in 1996, HIPAA (Health Insurance Portability and Accountability Act) became federal law. The United States government acknowledged the need for people and businesses in healthcare fields to better protect patients’ healthcare records because they are sensitive documents and every patient has a right to privacy and security.
The healthcare community, health insurance plans and subcontractors were not taking measures to ensure that basic security controls and privacy protocols were in place. Much like PCI established the PCI Security Council to oversee the protection of credit card account numbers, the federal government established governance and protocols as a baseline to oversee patients' rights to their records and disclosures, and to secure the personal identities contained in health and dental records.
The Office for Civil Rights (OCR) is a division of Health and Human Services (HHS). Starting in 2009, as part of the HITECH Act, the OCR was placed in charge of enforcing the HIPAA Security and Privacy laws, to ensure that those storing health records take basic care to maintain the confidentiality, authorization, availability and appropriate disclosure of personal health information (PHI). The OCR is incentivized to enforce HIPAA through Civil Money Penalties (CMP) and by publishing investigations and resulting settlements under the Freedom of Information Act.
Dentists can come under the radar of a Security and Privacy audit in the following ways:
- A patient complains that their data isn't secured or reports a suspected violation of their privacy rights on the HHS website (i.e. whistleblower complaints).
- The OCR is required to investigate each complaint.
- The OCR's random audit program, which continues into 2014-2015.
- A dental office could be randomly selected for a Meaningful Use audit.
HIPAA has four rules outlined below:
HIPAA Privacy Rule
Every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now communicated orally and stored and shared electronically and on paper, so a lot has to be done to keep these records out of the wrong hands.
HIPAA Security Rule
This rule relates directly to electronic patient files and states each covered entity—which includes Dentists—must keep them safe from any unauthorized access during transit and storage.
HIPAA Breach Notification Rule
The breach notification rule requires all covered entities and business associates to give notification when a breach of unsecured protected patient health information has occurred.
Patient Safety Rule
The final rule protects identifiable patient health information that is used to analyze patient safety events and improve patient safety.
If dentists don't comply with HIPAA rules and are then audited, they are penalized.
Dental records, in paper or electronic format, are considered Protected Health Information and are subject to the same Federal scrutiny for privacy and security as full medical records.
Dental records contain minimal medical information, but they do contain demographic information and numerical identifiers related to dental health. These include name, address, birth date, phone numbers, insurance status, patient ID number, SSN, etc.
Penalties vary and are determined by the seriousness of the security or privacy breach. Also taken into consideration is whether you knowingly or accidentally released patient records and private information. Either way, you're held accountable. Penalties range from fines, to being fired from your job, to closing an office, to potential jail time (in the event of knowingly losing 500+ PHI records and failing to report to HHS within 60 days).
So how can you and your dental office steer clear of these penalties?
First, you must understand and keep up to date with all HIPAA rules and regulations. You can also set up a HIPAA program in your office, perform consistent employee training, and conduct and document regular HIPAA risk analyses to evaluate and fix any potential problems.
Second, you must make sure that your dental practice management software is HIPAA compliant. Since this is where your patients' dental records are stored, a breach can be detrimental to your office and can bring several fines.
If your practice is currently running on a practice management system, penetration testing can help you identify the threats and openings that hackers could exploit to gain access to your system. If you're currently shopping for software, make sure you choose a platform that is guaranteed to be HIPAA secure.
Complying with HIPAA laws and regulations is crucial, both so that you and your dental practice don't have to face penalties and so that you keep the trust and satisfaction of your patients by keeping their healthcare records safe and secure.
About the Authors
This post was co-authored by Steven Marco, the President of HIPAA One® and Modern Compliance Solutions as well as Trevor James, the marketing manager for Viive, a Mac-based dental practice management system, and Dentrix Ascend, a cloud-based dental practice management system.