Are You HIPAA Omnibus Compliant?

As you know, September 23, 2013 marked the compliance deadline for HIPAA's Final Omnibus Rule. With it came the following changes/updates for dental practices:

HITECH Privacy & Security

  • Updated Business Associate Agreements
  • Modified rules and regulations regarding Marketing & Fundraising
  • Modifications to sale of Protected Health Information (PHI)
  • Right to request restrictions (a patient who pays in full out of pocket for a service can require you not to submit a claim for that service to their insurance company, regardless of what your contract with the insurance company says)
  • Electronic Access

HITECH Breach Notification

HITECH Enforcement

Updated Notice of Privacy Practices

To remain in compliance, the Notice of Privacy Practices now needs to include language regarding how you will protect PHI from a breach, how affected individuals will be notified if there is a breach of unsecured PHI, and what the practice will do to address the breach. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If a breach in your practice involves 500 or more individuals, the Department of Health and Human Services MUST be notified within that same 60-day window, and if it involves more than 500 residents of a state or jurisdiction, prominent local media must be notified as well. If the breach involves fewer than 500 individuals, the local media DOES NOT need to be notified; however, the breach must be logged and reported to the Department of Health and Human Services within 60 days of the end of the calendar year in which you discovered it. 

Don't forget, patients must be informed that you updated your Notice of Privacy Practices and have the right to ask for a hard copy. In addition, you MUST have a copy of the Notice of Privacy Practices available in your reception area AND posted on your website. Your old Notice of Privacy Practices must be retained for 6 years. 

Business Associates must sign an updated Business Associate Agreement, and the agreement should carry both an effective date and an end date. The end date should be the date you intend to stop doing business with that Business Associate. Business Associates must comply with the applicable Privacy and Security Rule requirements and are directly liable for any violations. To confirm that your Business Associates are in compliance, you should request a copy of their Risk Assessment. 

Patients also have the right to request a copy of their records in electronic format. Remember, ordinary e-mail sent through Outlook, Hotmail, Gmail, etc., is NOT encrypted end to end, so records sent that way can be exposed in transit and leave you subject to a reportable breach. It is better to provide the patient with an electronic copy on a jump drive or a disk, and if the media is encrypted, a lost or misplaced copy is not "unsecured PHI" and does not trigger breach notification. 

If you have been in compliance all along with HIPAA and the HITECH Act, these changes will not be difficult for you. If you haven't kept up throughout the years, you need to get into compliance. Along with the modifications of the Final Omnibus Rule, HITECH requires the Department of Health and Human Services to conduct periodic audits of Covered Entities and Business Associates, so you should plan as though your practice will eventually be selected, not assume it never will be.

For more information you can visit the Department of Health and Human Services website, or contact Amy Smith Consulting at 508-697-7318.