HIPAA Goes Viral : Five Immunity Boosts For Your Practice
The HITECH Act, which became effective February 18, 2010, gave the HIPAA Privacy and Security regulations a shot in the arm. Until then, HIPAA was viewed simply as a set of guidelines for policies and procedures and was not taken seriously by many dental practices. However, with the passage of the HITECH Act comes tougher consequences for noncompliance in this new technological era, including high fines, penalties, and even jail.
You may recall the initial confusion that surrounded the 2003 Privacy Rule, with questions such as “What is protected health information (PHI)?” or “Is it okay to fax information?” Over time, and with the help of experts, we learned to incorporate privacy policies into our day-to-day routine.
April 20, 2005 was the effective date for the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”). This rule established a national set of security standards for protecting certain health information that is stored or transmitted electronically. In a recent informal poll of dental practices about the status of their security policies, fifty percent of respondents indicated they had security policies in place. The remaining fifty percent either didn’t have security policies or didn’t know the difference between security and privacy policies.
If you are like the latter half of respondents, you may feel overwhelmed trying to play catch-up, especially now that HITECH has arrived. Among other things, HITECH affects your Notice of Privacy Practices, strengthens the civil and criminal enforcement of the privacy and security rules, and expands patients’ rights. Now is the perfect time to conduct a thorough assessment and analysis of your practice and take the necessary steps to inoculate your practice to protect it from potential HITECH violations.
Just as you develop a comprehensive treatment plan for your patients, consider developing a comprehensive wellness plan for protecting electronic data against cyber risks and security breaches. Doing so protects your biggest asset—your practice. As you develop your electronic wellness plan, consider these five immunity boosters:
1. Immediately Address Key HITECH Provisions
- Update your Notice of Privacy Practices (NPP) to include the HITECH provisions and be sure it contains the contact information for your Privacy Officer. Post the NPP on your website and in your reception room.
- Revise your Business Associate Agreements (BAA) to include the HITECH provisions.
- Become familiar with the enhanced rights of patients. Be prepared when patients request an accounting of disclosures or confidential communication.
2. Revise Policies and Procedures
Review your current privacy and security policies and procedures for compliance gaps. If you have privacy policies but no security policies, your inoculation process will be more extensive. You must develop security guidelines for your practice as well as integrate the HITECH provisions. If you already have security policies in place, your immunity level is moderately strong. Simply review current policies and procedures and add the HITECH provisions.
Your privacy and security policies and procedures serve as tools to communicate your expectations to the team. This enables you to streamline workflow processes and ensure everyone is in compliance. Remember to conduct an annual review of policies and procedures. Here are just a few of the workflow items to review:
- Limit employee access to electronic information only to that which is required to carry out assigned duties.
- Maintain physical, technical, and administrative safeguards that comply with government requirements to keep business and patient-related information safe.
- Keep security measures, such as firewalls, anti-virus and anti-spyware software, and encryption software, up to date, and apply vendor security patches promptly.
- Dispose of physical documents and records containing protected information by shredding them with a crosscut paper shredder or using a professional document destruction company.
- Work closely with your IT team to ensure that electronic media (hard drives, backup tapes, USB drives, and old workstations) are sanitized or destroyed in accordance with the National Institute of Standards and Technology (NIST) guidelines for media sanitization (NIST Special Publication 800-88).
3. Monitor Employee Selection and Training
Well-written policies and procedures are just the first step; you need the right people to implement them. Don’t underestimate the value of good hiring practices, including background and reference checks when hiring new staff. Good hiring decisions help reduce overall risk as well as cyber risk. Given that an estimated 50–70% of all identity theft occurs in the workplace, sound hiring and training must not be overlooked. Whether you provide the training yourself or outsource it, all new employees should be trained on all your policies and procedures (not just HIPAA) initially and, thereafter, annually.
4. Consider Additional Insurance
Transfer the risk where possible. Start by reviewing your current insurance policies (general liability, professional liability, etc.). Determine if you have coverage for cyber risk and, if so, familiarize yourself with the policy limits and exclusions. Also, consider valuable add-on services that your insurance carrier may offer. These may include items such as a risk assessment of electronic data security, staff training, 24/7 claim hotline, and legal consultation with an attorney experienced in cyber risk.
5. Enhance Your Data Protection Plan
Back up your data regularly. This sounds like a needless reminder; however, it’s amazing how many offices are lax about backups. A backup that has never been restored is an untested backup; periodically confirm that you can actually recover your practice data from it.
Maintaining strong immunity against cyber bugs or viruses is a top priority. Attack them by using the five steps above to create your HIPAA/HITECH wellness plan.