What Does a First-Year Practicing Dentist Need to Remember about HIPAA?

HIPAA can seem daunting to a new dentist but it doesn’t have to be. If you understand these four “pillars” of HIPAA, you’ll have a strong foundation for a compliant practice:
- Notice of Privacy Practices: This Notice – which you should provide to new patients and post in your office as well as on your website – describes to patients:
  - how your practice uses and discloses their protected health information (“PHI”); and
  - how they can exercise certain rights with respect to their own PHI.
- HIPAA Compliance Policies: The Notice is the “what” your practice does with PHI; the policies are the “how” your practice does what it says it does in the Notice. Good policies are office-specific and should explain, at a minimum, how:
  - to limit PHI disclosures only to those who need to know such information and to provide only what is necessary for the purpose;
  - consent is not required to use or disclose a patient’s PHI for treatment, payment, healthcare operations, and various other circumstances prescribed by HIPAA (but consent is required if you want to use a patient’s likeness or full name for the practice’s marketing purposes);
  - PHI should be stored, secured, and destroyed; and
  - employees should not use personal computers for business purposes or share their work passwords with anyone, including colleagues.
The practice’s HIPAA Privacy and/or Security Officer should make sure all employees, especially new employees, are trained on the practice’s office-specific policies.
- Business Associates: The practice should identify all vendors that potentially have access to patients’ PHI and should put in place with each of them a Business Associate Agreement that conveys the practice’s expectations regarding the vendor’s use and protection of such PHI.
- Gap Analysis: The practice should assess, at a minimum:
  - the types of PHI that the practice collects and retains;
  - the location of such PHI (e.g., on premises or off-site, hardcopy or digital form, etc.); and
  - whether or not such PHI is safe given the current safeguards.
The practice need not hire an IT company to conduct this gap analysis (although it probably is a good idea to ask your IT person whether your current computer security measures are adequate based on best practices as well as your practice’s risk profile and budget).
If you have any questions or need additional information on any of the above, please feel free to contact me at 781-300-8110 or at Russell@doc4ne.com.
Register for Mr. Kane’s EDIC webinar, HIPAA & Cyber Security Training, which will be presented live on May 10, 2023 and archived in the EDIC portal for future viewing. The course reviews practical aspects of HIPAA compliance, including risks a dental practice may face as well as how to mitigate those risks.