There are around 190,000 licensed dentists working in the United States (source). Unfortunately, a large percentage of them overlook the importance of maintaining a HIPAA-compliant practice. This places their patients' health information at risk for disclosure, while subsequently increasing the risk of fines and other penalties being handed down from the Department of Health and Human Services (HHS).
Business Associate Agreement
It's estimated that 30-70% of all security breaches involve a third-party vendor. Just because you take all of the necessary precautions to ensure Protected Health Information (PHI) is safe and secure doesn't necessarily mean that your business associates will do the same. This is why it's important to create a Business Associate Agreement, which outlines whether or not your dental practice works with third-party companies and who those companies are.
HIPAA requires all covered entities (including dentists) to train their employees on HIPAA compliance. Whether they are full-time or part-time workers, every employee working at a covered entity must be trained on HIPAA. This includes knowing the Privacy Rule, Security Rule, patients' rights, disclosure forms, breach notifications, etc. So, what should you do if an employee violates one or more HIPAA requirements? In this instance, you should file an incident report with the HHS and take disciplinary action to ensure it doesn't happen again.
Security and Privacy Officer
Don't forget to designate a Security Officer and a Privacy Officer for your dental practice. HIPAA states that all covered entities must have both of these roles filled. The good news is that a single person can act as both the Security Officer and Privacy Officer. The Privacy Officer is responsible for ensuring the implementation of HIPAA-related policies and procedures, whereas the Security Officer is responsible for the implementation of policies and safeguards associated with the Security Rule (e.g. implementing technical and physical safeguards to protect patient information).
Designate a Security and Privacy Officer
Under HIPAA, all covered entities (chiropractors included) must have a Security Officer and a Privacy Officer. The Security Officer is responsible for ensuring the practice abides by the HIPAA Security Rule, such as implementing administrative, physical and technical safeguards to protect electronic patient data, and setting up contracts with business associates to ensure they also have similar safeguards in place. The Privacy Officer is responsible for preserving the confidentiality of Protected Health Information (PHI) in all forms (e.g. paper, digital/electronic, verbal).
Another HIPAA requirement that's often overlooked by dentists is the use of disclosure forms. When someone requests a patient's information, you must first receive a disclosure form completed by that individual or organization.