HIPAA is nothing to ignore! We recently attended a seminar on HIPAA and felt it was important to share some of the material with you. In April of 2003 the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became law and on April 21, 2005 the Security Rule became law as well. Most dental practices implemented at least some of the Privacy Rule, but very few implemented the Security Rule. Now it is 2011 have you implemented the very important - HIPAA HITECH (Health Information Technology for Economic and Clinical Health) Act that became law on February 19, 2010?
As covered entities we need to comply with the HIPAA requirements and have policies and procedures in place as well as provide training for all employees. It involves much more than having patients just sign a consent form and "promising" not to speak about their healthcare with anyone. With the introduction of the HITECH Act came increased civil fines and penalties for breaches and an increased knowledge by patients of who is looking at and who should be looking at their dental record. Keep in mind, HIPAA’s civil and criminal fines and penalties are not just imposed on the doctor or owner of the practice, all team members are accountable and subject to fines and penalties. The HITECH Act increased the civil penalties and to date since the act came into effect in 2010 there have been over $5 million in penalties, the most recent being $1 million to Massachusetts General Hospital.
Did you know that if there is a breach within your practice and you have 500 patients or more then the media MUST be notified? This is not the type of publicity you want for your practice.
Teams are required to have HIPAA training annually and every new employee must be trained on your practice’s HIPAA Privacy and Security Policies. There needs to be documentation of this training, including sign in sheets and materials that is kept on file (In some states, this is a license requirement).
Some things to consider when evaluating your practice for HIPAA compliance:
-- Do you have documentation of annual team HIPAA training?
-- Does your team understand what the "minimum necessary" Protected Health Information (PHI) is to carry out their job functions?
-- Have your HIPAA privacy and security policies been updated to include the HITECH revisions?
-- Have you updated your HIPAA Business Associate Agreements to include HITECH Act provisions (as of February 18, 2010)?
-- Do you have policies/procedures outlining your security measures? Are they updated annually?
-- Have you appointed a Security Officer as well as a Privacy Officer? Do you have current job descriptions for both?
-- Do you e-mail PHI to patients or referring doctors? Are those emails encrypted or do you have permission from the patient to send PHI in an unencrypted format?
If you have answered no to one or more of the above questions, please contact Amy or Michelle and we can assist you in making your practice HIPAA compliant.