HIPAA – The new normal?
With malicious and criminal data breaches on the rise, taking the traditional wait and see approach is no longer practical for healthcare providers and their business associates. This includes dental practices, dental specialists, IT providers, back-up service vendors, accountants, attorneys, and more.
HIPAA, the Health Insurance Portability and Accountability Act, is federal law enacted in 1996 . The purpose of these regulations are to safeguard patient protected health information (PHI) and to thwart malicious attacks through proactive strategies before they happen. HIPAA laws are flexible to accommodate from large multi-site hospitals to small dental practices. This may cause confusion and questionable interpretation of the rules, policies, and procedures.
No longer are the days of paper files stacked in basements under lock and key. Before HIPAA was enacted, access to patient records were without restriction. Practice management software stores patient information in an electronic record which benefits quick access anywhere and any time. Unfortunately, there are risks that range from breach attacks by cyber-criminals to human error and theft.
Three rules were established to safeguard PHI (protected health information) and provide individuals with certain rights to their health information.
Three rules of HIPAA
- The HIPAA Privacy Rule (15 regulations) provides federal protections for personal health information and gives patients rights to their own records. The Privacy Rule permits the disclosure of PHI needed for patient care and other important purposes. The Privacy Rule applies to all healthcare providers, including those who do not use an Electronic Health Record (EHR) system, and includes all mediums: electronic, paper, and oral
- The HIPAA Security Rule requires covered entities, business associates, and their subcontractors to implement 54 regulations to protect electronic protected health information (ePHI) that is created, received, or maintained. It covers administrative (30), physical (12), and technical (12) safeguards to ensure the confidentiality, integrity, and availability of ePHI. Most violations of the HIPAA Security Rule result from businesses not following policies and procedures to safeguard ePHI.
- The Breach Notification Rule requires covered entities, business associates, and their subcontractors to provide notification following a breach of unsecured PHI to affected individuals, the Secretary of Health and Human Services (HHS), and the media (if breach affects more than 500 residents of a State or jurisdiction). The Breach Notification Rule consists of protocols a business must undertake in the event of data compromise
Business Associates
Business associates help your practice succeed, but are they a liability? When your BA’s are not HIPAA compliant, your business and your data are at risk. With the latest changes to HIPAA compliance in force, not knowing how your BA’s handle your data isn’t an option.
For dentist’s, the first step in protecting your PHI is identifying all business associates that need to become HIPAA compliant. If you work with organizations that store, transmit, process, maintain, or access your PHI, then you need a Business Associate Agreement in place.
Examples of Business Associates:
Accountant (if access to PHI)
Attorney (if access to PHI)
IT Provider, Data Backup Vendor, Data Conversion Vendor
Billing and Coding Services
Data Backup Vendor
Data Conversion Vendor
The last word
When it comes to HIPAA compliance and data security, taking the old-school wait and see approach is precisely what hackers are looking for. Security threats are ubiquitous and this new normal necessitates action. Proactive thinking requires solid strategies to mitigate the risks before they occur, all while protecting your patients and practice by conforming to HIPAA regulations.
