Painful but Necessary

HIPAA is a federal mandate first introduced in 1996 that requires a health care organization to keep patient data secure. As a dental office that stores, processes, transmits and receives, and maintains protected health information, you must be compliant with the mandate. Over the past 17 years, there have been many iterations and modifications to the original mandate. The culmination of these changes is called The 2013 HIPPA Omnibus Final Rule and was enacted in January 2013. This rule enhances a patient’s privacy protections, provides individuals new rights to their health information, strengthens the government’s ability to enforce the law, and increases penalties for security violations. The deadline to comply was September 2013.

Compliance requires a number of privacy and security actions including, but not limited to, completing what is called a risk analysis, creating a risk management plan, continuous employee training, and the implementation of updated policies and procedures. It is all pretty daunting for the typical small business. You can get dizzy and overwhelmed just trying to follow all the rules and understand what is required -never mind implementing solutions and systems.

What has prompted me to write about this topic is that I am finding in my conversations and meetings with clients that not one single office has taken ALL of the major required steps to be in compliance. The Department of Health and Human  Services (HHS) Office for Civil Rights (OCR) is the federal agency responsible for enforcing HIPAA compliance. These people take their job very seriously. If you are found in violation of HIPAA, you could be assessed large fees. I am reading about fines of $25,000 to $50,000 per day!! That can put you out of business! And if your lack of compliance leads to a security breach, the fines will be even larger.

The bottom line here is that you can’t afford to be complacent about the potential economic disaster that would result from an audit or a breach. Under the Final Rule, the general presumption is that any improper use or disclosure of protected health information (PHI) is a breach UNLESS the covered entity (your dental practice) can show that there is a low probability that the PHI has been compromised. In other words, your are essentially guilty until proven innocent.

The word is that the OCR is performing 1200 random audits a year. Computers can get stolen from your office. Back up discs or tapes somehow disappear or get lost. A disgruntled employee or patient can become a whistle blower.  Your financial exposure as a dentist could be enormous.

In my next post, based on my research, I will offer advice on where you can find reliable and professional help at a modest cost.