We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff. FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.
HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.
Minimum steps needed for HIPAA Compliance:
At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:
- Exercise privacy in the office everywhere. Be careful about accidental disclosure of patient information.
- Display the Notice of Privacy Practices prominently in your office lobby and on your website.
- Exercise caution in the use and disclosure of PHI (Protected Health Information). Patients have the right to review and obtain their PHI. The onus falls on the medical practice to secure and protect PHI from unauthorized disclosure of any kind.
- Conduct the mandatory annual risk assessment, or hire an expert to conduct it for you. The assessor must take into consideration all the security and privacy related criteria while conducting the assessment, including all your administrative, physical and technical safeguards. A detailed list of recommendations and action items should follow as a result of the risk assessment.
- Prepare and follow security and privacy policies and procedures. Your risk assessment should highlight the minimum required policies and procedures that you would need to prepare or obtain. Physicians and staff members should be familiar with and should follow these policies and procedures on a daily basis.
- Provide annual HIPAA Training to your staff and physicians.
Breaches have unfortunately become all too common in an environment where medical records are extremely valuable on the black market. HIPAA law also specifies strict breach notification requirements in the event of a breach. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen. A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS. This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.
Small practices may be targets of breaches too:
Many small practices think that they are too small to be targeted. False again! If you look at the HHS “Wall of Shame”, which lists reported breaches of more than 500 patient records, you will see several small practices listed there that have suffered breaches. The reality is that smaller practices are likely to be even more affected by a breach, considering the high expenses and workload that follow. The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record; for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.
We often hear from dentists that they do not believe they need to comply. Also false! In fact, just recently, in January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico had breaches of 3000+ patient records each, due to theft of a laptop and of another portable electronic device, respectively. Robert Smith, DMD of Tennessee reported 1500 records breached after a hack. Several other providers such as physicians, hospitals, pharmacies, health plans and business associates have experienced breaches in the recent past. It can and will happen to anyone regardless of size - please do not think that it won't happen to you!
Culture of Security and Privacy:
HIPAA Training is not HIPAA Compliance. Practices should take these requirements seriously as they are here to protect patients and medical professionals. Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.