With all the requirements and changes that HIPAA regulations demand of a typical dental office, it makes sense to review three important requirements that could be easily overlooked.
First – Everyone knows a dental office must provide a new patient with a copy of their HIPAA Notice of Privacy Practices. This notice must also be posted in a prominent location in the practice. But did you remember to post a copy of this on your website as well? HHS is very black and white about this requirement:
Specifically, HHS.gov states: “If an organization has a website, it must post the notice there.” If you aren’t sure how to post the notice to your website or the format needed, please feel free to contact The Dental Record team. We’ll provide you the formats and steps needed to upload this to your website.
Second – HIPAA Risk Assessments are ongoing. Most offices by now have completed an initial HIPAA Risk Assessment. Remember, though, that this needs to occur consistently to meet the standards.
HHS.gov specifically states: “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” We recommend completing a Risk Assessment each time something significant changes (a staff or technology change, for example) in the practice, or every 12-24 months, whichever is sooner.
Third – The Security Rule, which was published in 2003 to provide covered entities with procedures to safeguard PHI, is not just about using software like secure email and online backup. The Security Rule also requires you to document and update the policies and procedures you’ve implemented to comply with it.
Specifically, HHS.gov states: “A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.”
For more information on HIPAA laws and regulations, contact The Dental Record team at 800-243-4675.