The Health Insurance Portability and Accountability Act (HIPAA) is more than just that piece of paper you have your patients sign. Overlooking the “privacy” part of the act can get dental practices into real trouble – a real punch in the mouth!
Don’t allow yourself to become sloppy and think that your small size will be a defense in the case of a breach. It won’t. Instead, create a policy and follow it. Most of the requirements for complying with HIPAA make good business sense anyway. I’m going to share a few tips for HIPAA compliance followed by some of the penalties you could be liable for.
11 HIPAA Compliance Tips
Here are 11 tips for keeping your practice on the good side of HIPAA.
I’ll start off with the most important tip of all: Have a HIPAA compliance plan. This isn’t optional.
1. Don’t use Yahoo for email. Yahoo Mail is NOT HIPAA compliant, and transmitting patient information through it is a violation. Yahoo was also hacked in 2014, and the breach was not disclosed until September 2016. If you have used Yahoo for patient communication, you need to check whether any of your patient data was compromised.
2. Encrypt patients’ private information, both where it is stored (hard drives, backups, laptops, phones) and when it is transmitted (email, file transfer). Under HHS guidance, a lost or stolen device whose data is properly encrypted is generally not a reportable breach; an unencrypted one is.
3. Understand how to report violations. Know your notification obligations to affected patients and to HHS, and the deadline that applies: affected individuals must be notified without unreasonable delay, and no later than 60 days after the breach is discovered.
4. Post a Notice of Privacy Practices that states patients’ rights under the law somewhere visible in the office, and give each patient a copy at their first visit.
5. Don’t talk about patients where other patients can overhear your conversations.
6. Don’t forget your office’s copiers and printers. Don’t let printouts with patient information pile up in the output trays.
7. Consider disabling USB ports, or at least USB storage devices, so thumb drives can’t be loaded with protected information.
8. Protect your network and IT infrastructure with anti-virus and other security software, and keep operating systems and applications patched.
9. Maintain control over devices that access patient information, such as smartphones, tablets and laptops. Make sure they are password-protected, encrypted and locked up overnight.
10. Dispose of information, and of devices that access patient information, properly. Securely wipe or physically destroy the hard drives in your computers and copiers (copiers have hard drives too). Shred paper documents; don’t just ball up a document with patient information and throw it in the trashcan.
11. Restrict file access. Give access to patient files only to staff who need it for their role. For electronic files, make sure you have audit trails that record staff access, and attempted access, to patient records, and review them regularly.
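As an added example (not from the original article), here is a PowerShell script for a Windows workstation that holds patient records. It implements three of the tips above: encrypting the drive (tip 2), disabling USB storage (tip 7), and turning on an audit trail for the records folder and reviewing it (tip 11). The folder path `C:\PatientRecords` is an assumption; change it to match your practice. It assumes a Windows 10/11 Pro machine with a TPM, run from an elevated (Administrator) PowerShell.

```powershell
# Added example, not code from the original article.
# Hardens a Windows PC that stores patient records. Run as Administrator.
#Requires -RunAsAdministrator

$RecordsPath  = 'C:\PatientRecords'   # ASSUMED location of electronic patient files
$RecordsDrive = 'C:'                  # volume holding that folder

# --- Tip 2: encrypt the volume that stores patient data ---------------------------
# Check first; Enable-BitLocker errors out on a volume that is already protected.
$vol = Get-BitLockerVolume -MountPoint $RecordsDrive
if ($vol.ProtectionStatus -eq 'Off') {
    # TPM protector: the drive unlocks only in this PC. XTS-AES-256 is the strongest
    # built-in method. -SkipHardwareTest avoids a reboot-and-test cycle.
    Enable-BitLocker -MountPoint $RecordsDrive -TpmProtector `
        -EncryptionMethod XtsAes256 -SkipHardwareTest
    # A recovery password lets you get the data back if the TPM or hardware changes.
    # Print it and keep it off the PC (a locked cabinet, not the desk drawer).
    Add-BitLockerKeyProtector -MountPoint $RecordsDrive -RecoveryPasswordProtector
}

# --- Tip 7: disable USB mass storage ------------------------------------------------
# Start = 4 disables the USBSTOR driver: keyboards and mice still work, thumb drives
# and external disks no longer mount. Set it back to 3 to re-enable.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name Start -Value 4

# --- Tip 11: audit access and attempted access to patient files ---------------------
# 1. Turn on the "File System" audit subcategory for successes AND failures, so that
#    refused attempts by staff without permission are logged too.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put an audit rule (SACL) on the records folder. Step 1 alone logs nothing; the
#    folder itself must say which accounts and operations to audit.
$acl  = Get-Acl -Path $RecordsPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',                                      # every account
    'ReadData,WriteData,Delete,ChangePermissions',   # operations that matter for PHI
    'ContainerInherit,ObjectInherit',                # apply to subfolders and files
    'None',
    'Success,Failure')                               # log denied attempts as well
$acl.AddAuditRule($rule)
Set-Acl -Path $RecordsPath -AclObject $acl

# 3. Review the trail. Event 4663 is a completed access; 4656 is a handle request and
#    is how a refused attempt shows up (its keyword is "Audit Failure"). This lists
#    who touched, or tried to touch, patient files in the last 24 hours.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$RecordsPath*" } |
    Select-Object TimeCreated, Id, KeywordsDisplayNames,
        @{ n = 'User'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Two cautions before running it on a real machine: the BitLocker step needs the recovery password printed and stored before anyone leaves for the day, and the USB change affects every user of the PC, so do it on a test machine first and make sure backups that go to an external disk have another route.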
HIPAA Violations and Penalty Structures
Regardless of how small your practice is, ignorance of the law is no defense in the case of non-compliance. Violations fall into four categories:
- Category 1: A violation that the covered entity (CE) was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules.
- Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of the HIPAA Rules).
- Category 3: A violation that is a direct result of “willful neglect” of the HIPAA Rules, where the violation was corrected within 30 days.
- Category 4: A violation of the HIPAA Rules constituting willful neglect, where the violation was not corrected within 30 days.
In some cases, such as a breach from a totally unexpected source, the Department of Health and Human Services Office for Civil Rights (OCR) has discretion to waive a financial penalty, unless the violation occurred due to willful neglect.
Each category carries its own fine range:
- Category 1: $100 to $50,000 per violation
- Category 2: $1,000 to $50,000 per violation
- Category 3: $10,000 to $50,000 per violation
- Category 4: $50,000 per violation
In every category, fines for violations of the same provision are capped at $1.5 million per calendar year.
Penalties vary based on how open and cooperative the CE is, how long it took to report the violation, how many people were affected, and so on. In general, the more honest you are, the better off you’ll be.
As the saying goes, “it’s not the crime, it’s the cover up.”
We hope these tips help and that the reminder of the fines acts as an incentive to take action. Who knows, maybe a violation would go unnoticed. Why take the chance, especially when it just makes good business sense to have a solid IT infrastructure and the ability to protect your patients’ protected health information?
For frequently asked questions, the American Dental Association website has more helpful advice. Read the HIPAA FAQ here. http://www.ada.org/en/member-center/member-benefits/practice-resources/dental-informatics/electronic-health-records/health-system-reform-resources/hipaa-faq