The Health Insurance Portability and Accountability Act (HIPAA) of 1996 isn't restricted solely to doctors and healthcare practitioners. Dentists must adhere to HIPAA, as well. Here are 5 essential tips for HIPAA compliance among dentists.
Destroy Protected Health Information
Don't make the mistake of tossing Protected Health Information (PHI) in the trash without first destroying it so that the PHI can no longer be retrieved. Each year, the Office for Civil Rights (OCR) fines covered entities for failing to properly dispose of PHI. Perhaps a worker throws away a patient's record, or maybe a worker fails to wipe a hard drive before recycling it. Regardless, HIPAA requires dentists and other covered entities to destroy PHI, both paper and digital, so that no information can be retrieved from it.
Encrypt Patient Data
Encryption is currently listed as an "addressable" specification, which creates confusion among dentists and other covered entities. Because it is listed as addressable, some covered entities believe encryption is not necessary. This isn't entirely true: HIPAA requires covered entities to encrypt patient data in situations where doing so is both reasonable and appropriate.
Perform System Backups
What would happen if your office's primary data server was wiped clean? Would you be able to continue operating and serving patients? Hopefully, this never happens, but if it does you need a backup copy of your data ready so you can restore your practice to working order. HIPAA actually requires covered entities to back up their data offsite, so that if your server is wiped or otherwise fails, you can restore it from that backup.
Business Associates Agreement
When allowing a third-party organization to access or use PHI, dentists should create a Business Associates Agreement (BAA). This written document details what type of PHI will be accessed, how it will be used, and when the business associate can no longer access it (the date of termination). A BAA must be in place whenever an outside company or organization accesses your practice's PHI.
Technical, Physical and Administrative Safeguards
The HIPAA Security Rule requires all covered entities to implement technical, physical and administrative safeguards to protect their data from unauthorized use or access. Some dentists implement one or two of these safeguards but fail to include all three. Unless all three types of safeguards are present in your office, you could be found noncompliant with the HIPAA Security Rule. Refer to some of our previous blog posts here at Allpoint Compliance for more information on the different safeguards and what each one means.