Don’t Let Data Breaches Imperil Your HIPAA Liability

Matt DiBlasi


Facebook, Equifax, Target, Panera Bread, Home Depot… the list goes on and on and on. Data breaches and privacy issues dominate headlines more often than political scandals or celebrity gossip. Ironically, with nearly unlimited resources and multimillion-dollar IT budgets, these corporations have proven that no organization can implement an ironclad IT network.

Enterprise-level organizations aren’t the only companies in the crosshairs of cyber criminals. The American Medical Association notes that 83% of physicians have experienced a cyberattack of some type. With protected health information commanding top dollar on the black market, regardless of how large or small you may feel your practice might be, it is a matter of when and not if your cybersecurity and HIPAA compliance programs will be called into action. 

Wait. Cybersecurity and HIPAA compliance what?

That’s right. When your practice experiences a data breach, you must provide vital documentation to comply with state and federal laws. The caveat here is that should you decide to wait until a cyber incident occurs, you likely are too late to comply.

The Office for Civil Rights (OCR) requires proper HIPAA compliance programs that also address cybersecurity to be implemented proactively and documented appropriately before, not after, a breach has taken place. OCR has been very forthcoming in recent months highlighting the need for medical businesses of all sizes including dental practices to abide by HIPAA privacy and security rules.

To limit your liability in the case of a data breach, OCR says you must implement and document an accurate and thorough analysis that examines risks within three critical areas of your practice: physical, technical, and administrative safeguards.

The risk analysis is an evolving self-assessment that the practice is responsible for documenting; it highlights the practice’s strengths and weaknesses in securing protected health information. The assessment should describe the safeguards the practice has in place in each of those three areas, as well as the areas where its safeguards do not yet meet best practices for HIPAA compliance. Per the government requirement, this is an “ongoing process” that never ends.

Next, practices also must implement and document the policies and procedures they use to keep their protected health information safe. Policies and procedures such as disaster recovery plans, business continuity plans, and password policies should be specific to the practice, not based on generic documents.

Furthermore, practices must conduct HIPAA training at least once a year for all doctors and staff. The OCR says that training must be completed in a module-based format, which requires a quiz for proper documentation. New employees must be trained and quizzed within 90 days of being hired as well.

Finally, OCR requires practices to implement and document: 

  • How they mitigate risks found in the risk analysis
  • How they get patients to sign the notice of privacy practices and HIPAA authorization forms
  • How they get business associates such as practice management/electronic medical record companies, IT companies, and third-party billing companies to sign business associate agreements that offset liability in case of a data breach
  • HIPAA manuals that include all HIPAA documentation; OCR highly recommends backing up the manual electronically

If a data breach prompts an investigation into your compliance program, regulators may call upon some or all of this documentation. Keeping it up to date and accurate gives you the proof you need to avoid costly penalties.

At Abyde, we feel as though doctors and staff are better off focusing on patient care and building profitability, rather than being consumed by these requirements. It’s why we created our revolutionary software solution, which has quickly become the gold standard for dental practices. If you have any questions about HIPAA or interest in seeing how your practice can experience stress-free HIPAA compliance, call (800) 594-0883 or email

Mr. DiBlasi is president and cofounder of Abyde and a frequent speaker on HIPAA compliance at industry events. Passionate about providing easy-to-understand HIPAA education and user-friendly solutions to dental professionals, he launched Abyde in December 2016. Under his direction, Abyde, based in Tampa, Fla, has quickly cemented itself as the dental industry’s preferred HIPAA resource. He can be reached at
