HIPAA Compliance Reminder

On February 1, 2017, the U.S. Department of Health and Human Services (HHS) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil penalty of $3.2 million against Children’s Medical Center of Dallas based on its breach of unsecured electronic protected health information, as well as its noncompliance with HIPAA requirements over the years. In light of this announcement, it’s a good time to make sure your dental office is in compliance with HIPAA rules.

• I/we have an NPI number.
• I/we have a designated HIPAA Coordinator and Privacy/Security Officer.
• I/we have a Notice of Privacy Policy to post in the office and distribute to each patient, and a patient acknowledgement receipt of the Notice?
• I/we have a written HIPAA Plan onsite specifying office HIPAA policies and procedures.
• I/we have procedures in place allowing patients to access, or to amend, their medical records.
• I/we have procedures in place for receiving, investigating, and documenting complaints.
• I/we have procedures establishing rules and levels for restricting access to computer systems, programs, processes, or means of obtaining electronic PHI.
• I/we have procedures to ensure that access to PHI is provided to only those employees and business associates who need the information to perform their job, with unique passwords per individual.
• I/we have procedures for data encryption, to ensure that a breach or theft causes minimal risk. (If email is used to transmit PHI, it should be encrypted or via a secure server.)
• I/we have procedures for backing up information, including frequency, retention times, and location of back-up copies.
• I/we have procedures for handling and disposing of hardware and storage media.
• I/we have procedures to test new equipment and/or software to ensure security attributes.
• I/we maintain a record of repairs or modifications to the office’s security system?
• I/we have procedures to routinely assess information system activity and actual or potential security incidents. A security incident log should be maintained to record any unauthorized attempts to access PHI.
• I/we have procedures to protect data from being altered or damaged.
• I/we have procedures to protect data from malicious software and electronic viruses.
• I/we have a Disaster Recovery and Contingency Plan to meet HIPAA requirements for securing PHI.
• I/we have procedures in place identifying our Business Associates.
• Our employees and Business Associates sign agreements delineating HIPAA accountability for maintaining confidentiality.
• I/we have procedures for documentation and notification of security breach incidents, including actions to be taken to prevent such incidents?
• I/we have policies stating disciplinary actions in the event of employee misuse or misappropriation of PHI.
• I/we have procedures detailing the reception of visitors/patients to control access to sensitive data?
• I/we have procedures delineating steps to take when an employee terminates, or when user access must be revoked for other reasons (i.e. changing locks/combinations/passwords, removal from access list(s), revoking user accounts giving access to data, returning keys).
• I/we have procedures for training employees and Business Associates in HIPAA awareness, including information accountability, PHI confidentiality, password maintenance, incident reporting, breach notification, and virus protection.

For our OSHA Review Subscribers… The July/August 2014 issue of OSHA Review covers HIPAA compliance. A sample Notice of Privacy Policy, template HIPAA plan, sample business associate contract, and breach documentation can be downloaded from OSHA Review’s website in the clients-only section under Document List.

Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.