Intro to HIPAA Compliance for Dental Practices. Do you know if you are protected from your Business Associates?
HIPAA Compliance for Dental Practices
In the nearly 20 years since the Health Insurance Portability and Accountability Act (HIPAA) became law, health care providers of all types have scrambled to keep up with increasingly complex layers of regulation. Dental practices are acutely affected, especially by the recent requirement that a practice have a compliant business associate agreement in place with every outside company it allows to handle patient information, whether for billing or any other purpose.
With the increasing complexity of regulation and the financial risks of noncompliance, many dental practices find that working with a third-party company that is intimately familiar with HIPAA compliance is the only feasible route to practice management. Here's an overview of the problem, together with why working with a company like Phoenix Systems can make it a non-issue for your practice.
Baseline HIPAA Requirements
The HIPAA Privacy Rule, in force since 2003, is probably familiar to all dentists. It gives patients rights over their protected health information (PHI), including the right to see and obtain copies of their records, to request corrections to them, and to request limits on who the records are shared with. The HIPAA Security Rule (2005) covers PHI that is stored or transmitted electronically (ePHI), which in a dental office means the practice management and electronic health record (EHR) systems and everything that touches them, and it requires a set of ongoing in-office security procedures. These include a documented risk analysis that is repeated as systems and staff change, workforce training, encryption of ePHI in transit and at rest (formally an “addressable” specification, meaning a practice that declines it must document why and what it does instead), a tested backup and recovery plan, and written evidence that “administrative, physical and technical” safeguards are in place. An Enforcement Rule, strengthened by the 2009 HITECH Act, and a Breach Notification Rule (2009) added reporting duties and tiered civil penalties. Formidable as these layers are, they pale beside the HIPAA Omnibus Final Rule published in January 2013.
You are responsible for everyone you contract with
The Omnibus Final Rule strengthened and deepened the earlier rules and also added an entirely new layer. A “business associate” is HIPAA's term for an outside entity that creates, receives, maintains or transmits PHI on the practice's behalf: a billing service, collection agency, document storage company, shredding service, or an IT provider who can reach the systems that hold patient data. The practice may not let any of them handle patient information unless a business associate agreement (BAA) containing the provisions and language the rule mandates is signed and kept on file. The Omnibus Rule also made business associates, and their subcontractors, directly liable for their own HIPAA violations, but the practice remains responsible for obtaining and keeping current a compliant BAA with each of them, and for acting if it learns of a pattern of noncompliance. Allowing a third party to access patient information without a BAA in place exposes the practice to noncompliance penalties. New agreements had to comply by September 23, 2013; agreements already in place before the rule was published were given until September 2014 to be updated.
Let IT experts handle your HIPAA compliance
If you’re dedicated to treating and maintaining people’s dental health, you probably aren't interested in moonlighting as an IT professional. Information security rules add complex new layers with every passing year, and it’s neither safe nor practical to assign one of your busy in-house staff to keep abreast of constantly changing regulations. Enforcement is intensifying, and the penalties for being out of compliance cannot be ignored. Whoever you choose, remember that an IT provider with access to your systems is itself a business associate and must sign a BAA with you before it begins work. Contact Phoenix Systems today to learn how our award-winning dental IT services can provide you with peace of mind through a compliant security infrastructure.