
Trojan Today Classic: “Ten Steps Towards Fulfilling HIPAA Compliance Gaps” by Roz Fulmer


This Trojan Today Classic was originally published in May of 2016 in Trojan Today.

Why do you have to comply with the HIPAA Security Rules? If you submit e-claims to a clearinghouse, and the clearinghouse then submits the electronic claim to a health plan on behalf of your office, you MUST comply with the Privacy, Security, and Breach Notification Rules of HIPAA.

HIPAA compliance does not need to be difficult. Many offices are well on the way to being compliant and only need to know how to cross their t's and dot their i's correctly.

There are ten immediate action items that will help you through the process of getting compliant and staying compliant.

1. Identify your Team

Has each of your team members signed a Confidentiality and Non-Disclosure Agreement? Who are your HIPAA Privacy Official and Security Official for the practice?

2. Develop and Implement your HIPAA Privacy Program

The Privacy Official is responsible for developing and implementing the Privacy Practices of the office, as well as for the annual updates of its documents. Many offices already have the Notice of Privacy Procedures and the Acknowledgement of Receipt of Notice of Privacy Procedures in place, but these must be presented every two years, not just once in a patient's lifetime.

3. Evaluate your Practice for Security Risk

How safe is the computer system that contains your patients' information? What safeguards are in place to protect this information from hackers? When was the last time you had a qualified security technician in the practice to help you identify risks and vulnerabilities involving patient information, especially now that most offices are using electronic messaging services like Demand Force, Smile Reminder, Lighthouse 360, and others?

4. Make a Plan for Getting HIPAA Security Compliant

Is your software HIPAA Compliant? Are your e-mails encrypted and protected? Are you using a disclaimer on the signature of ALL e-mails being sent out by the office?

5. Develop Written HIPAA Security Policies and Procedures

Formally create your HIPAA Security Policies and Procedures according to your State Laws. These must be in writing and available to be viewed by all team members at any given time. These documents should be kept in a 3-ring binder like your OSHA procedure manual.

6. Implement Your HIPAA Security Policies and Procedures

It's not enough to create them. You must implement them as soon as the policies and procedures are written. Schedule quarterly reviews of your HIPAA compliance program. Document who attends the meetings, what is discussed, and the action items that come out of them. These should be mandatory meetings, as everyone on the team MUST be HIPAA compliant.

7. Provide Employee Training

For your initial training session, I recommend hiring a HIPAA compliance officer who will get you and your team started with all the right documents, get you compliant, and help keep you compliant throughout the year.

8. Develop Processes to Monitor your Policies

Ongoing maintenance is critical to continued compliance with HIPAA. Review your dental office's risks, policies, and procedures to determine whether changes should be made to your program. New computers, new team members, and new business associates arrive at dental practices over time; when these changes happen, a review team meeting should be held immediately to ensure everyone is current and compliant.

9. Security Awareness

Put systems in place to guard your computers against malicious software and to detect and report it; monitor log-in attempts; and require passwords that safeguard all practice and patient information. Prohibit the use of office Internet access for personal e-mail and social media wherever patient information could be exposed. Encrypt, and include a HIPAA disclaimer on, all e-mails sent from office computers.

Post reminders at all workstations telling employees never to leave a computer unsecured, to sign out whenever they step away, and never to share password information with co-workers.

10. Protect Patient Health Information

Require any vendor, dental laboratory, consultant, or subcontractor who wants to view, review, create, transmit, or maintain Patient Health Information (PHI) to sign a business associate agreement.

Remember, there is no "one size fits all" when it comes to your HIPAA security compliance plan. Should your office be subjected to a compliance audit, or should a complaint be filed, you want your systems, policies, and procedures documented and your HIPAA Security Manual up-to-date.

WORD OF CAUTION: Do not keep doing what you are currently doing with regard to HIPAA, as many changes have been implemented since the Final Rule became effective.

All of the HIPAA documents mentioned in this article will be supplied to your office free of charge during the in-office HIPAA compliance training session that I complete with you and your team members.

FMI: https://www.linkedin.com/in/rozfulmer/
