HIPAA compliance audit: Lessons learned apply to dental practices

Transcription

1 HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers on notice that it is not just larger healthcare organizations with thousands of electronic records that must take appropriate steps to safeguard protected health information (PHI). The Omnibus Rule not only outlined and strengthened enforcement strategies for all healthcare organizations, but it also expanded HIPAA requirements to hold business associates and their subcontractors to the same standards as covered entities. A greater focus on enforcement of privacy and security requirements also includes higher penalties for noncompliance even in smaller provider organizations. In 2012, increasing oversight of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act compliance resulted in a number of fines, including a $100,000 fine for a five-physician surgical practice and a $50,000 fine to a hospice organization for a breach that affected 441 patients. While these fines don t match the headline-grabbing multi-million dollar fines imposed on large organizations, the financial burden can be crippling to a smaller organization, such as a dental practice. Another significant data breach impact for dental practices is the loss of patients trust in the provider s ability and willingness to properly protect their personal information. Protecting a dental practice s financial assets as well as patient base requires establishment of a HIPAA compliance program that addresses all potential risks to avoid fines and civil monetary penalties for non-compliance. Compliance with HIPAA regulations is not a task that can be checked off a to-do list as complete. Because privacy and security rules, technology and business practices change, effective HIPAA programs are continuous processes that go beyond a manual on a bookshelf or duplicating another organization s forms and policies. This white paper outlines strategies and tactics based on actual experience of a dental organization s HIPAA audit experience along with real-life examples of successful dental practice strategies to comply with HIPAA and HITECH regulations.

2 HIPAA audit experience provides lessons No healthcare organization looks forward to an audit, but OneMind Health s participation in a 2012 HIPAA pilot audit program gave the organization a first-hand look at what is expected of all providers, including dentists. Key areas of auditor focus included: Risk assessment; Policies and procedures; and Business associate agreements. While constant change can make HIPAA compliance more complex than meeting other regulations, such as Occupational Safety and Health Administration, dental providers must take proactive steps to address these issues in their HIPAA compliance strategy. 1. Risk Assessment The foundation of any HIPAA strategy and the first document an auditor will request is a current risk assessment. Dental practices increasingly rely on electronic communication to share patient files with referral sources, communicate with patients, enable online scheduling and submit insurance claims. While HIPAA privacy requirements apply to paper records as well as electronic records, the use of electronic PHI in communications increases the number of records at risk, even for small dental practices. Add to that the growing reliance on mobile devices, such as smartphones, tablets and laptops, to document clinical findings and transmit information and the number of opportunities for data breaches increase dramatically. The first step in a comprehensive risk assessment is to identify where all patient information lives while in use, at rest or in storage. This requires looking beyond the use of a desktop computer at the front desk. Identify all mobile devices on which PHI may be located the dentist s smartphone, a tablet in the operatory or the laptop the insurance coordinator uses to prepare insurance claims for transmittal from the home. Don t forget to include servers outside the practice office, cloud services or financial management organizations that manage claims. Other locations of PHI commonly missed in a risk assessment are flash drives and the hard drives in digital clinical equipment, scanners, copiers and fax machines. Once the list is complete, evaluate the risk of a data breach in the following situations: Loss or theft of mobile device or computer; Unauthorized access by employees; System hacked by outside source; and Natural disaster such as tornado or hurricane.

3 As risk is evaluated, also identify steps to protect data in these situations. A few tactics to protect PHI include encryption of files and hard drives, unique passwords that are changed periodically, firewall and other technology to protect against system intruders, and use of wipe applications that can remotely delete all information from mobile devices when lost or stolen. A dental practice risk assessment is not a one-time activity. The risk assessment should be reviewed and updated periodically. While HIPAA rules do not specify a timeframe for risk assessment reviews, an annual review is a best practice if there are no changes that affect data risk during the year. The addition of a new provider, a change in process such as a move from filing paper claims to filing electronic claims or implementation of new technology, for instance a patient portal, are all examples of changes that warrant conducting further risk assessments. 2. Policies and procedures Written policies and procedures are essential to prove HIPAA compliance, even if a dental practice is small with longtime employees who understand the policies, all dental practices need written policies and procedures in place. Without such written policies and documentation to prove the policies are implemented as written, auditors have no way to deem the provider as compliant. Policies and procedures should be specific to the dental practice and incorporate strategies that mitigate potential risks identified in the risk assessment. For this reason, policies must be unique to each dental practice. If a template is used, add information that tailors the policies to the specific practice. For example, if a practice uses electronic claims filing, be sure to address who has access to the information and any restrictions, such as prohibiting download of claims data to a mobile device. Review and update policies and procedures every two years, or anytime there is a change in business structure or privacy laws. Areas that policies should address include: Process and forms used to notify patients of privacy rights; Notification protocol if a data breach occurs regulatory agency and patient notification responsibilities; Procedure if a mobile device is lost; Revocation of access for employees or associates who are terminated or leave the practice; Proper disposal or destruction of data files; and Delineation of staff responsibilities, access to data and HIPAA training requirements.

4 Educating all dental team members is a critical component of a HIPAA program. In addition to reviewing policies with new team members, all team members should be re-educated annually or anytime there is a change in policies due to new regulatory rules or changes in the practice. Document HIPAA training and keep proof of training readily accessible for auditor review. Oversight of privacy and security processes is the responsibility of the practice s privacy and security officers two positions required by HIPAA regulations. Since dentists typically make the final decisions regarding technology or security investments in the practice, they are the best candidates to fill the role of security officer. The office manager may also serve as the privacy officer, and oversee dayto-day responsibilities such as staff training, handling patient questions about privacy, oversight of policy and procedure implementation and identification of necessary updates to risk assessments and policies. Additionally, job descriptions that name and delineate responsibilities for each of the two officers are required for HIPAA compliance. 3. Business associate agreements Privacy and security officers are charged with the responsibility to stay up-to-date on new regulations and interpretations of their application in a dental practice. For example, the Omnibus Rule expanded responsibility for protection of PHI to include all business associates and their subcontractors. Dental practices with business associates are responsible for updating all business associate agreements to reflect the new level of accountability and to delineate notification requirements for the business associate. Failure to address a business associate s responsibility and to verify the associate s knowledge of and compliance with HIPAA requirements increases the dental provider s liability in the event of a business associate data breach. While templates can be used to create an initial business associate agreement, each agreement should be tailored to the specific vendor. Identify the type of data that will be shared with the vendor and how it is to be used. If the business associate is working on a specific project with a beginning and ending date, be sure to include dates in the agreement along with instructions on how to handle the data when the task is complete. Even if the business agreement is long term, such as benefits verification or claims filing, all business associate agreements should include instructions on how to handle data after use disposal using specific techniques or return to the dental practice. As dental providers turn to a greater number of technology-related business associates to handle verification of benefits, claims management and communication with patients and referral sources, the need to verify a potential business associate s ability to meet HIPAA requirements increases. Conducting surveys and meetings with potential business associates to evaluate their HIPAA compliance program can help determine if they actually understand their responsibilities and have implemented a HIPAA compliance program.

5 Another way to vet potential business associates is to check with other organizations using their services and to check the Health and Human Services (HHS) website to see if the business associate has been involved in a previous data breach. HHS lists those involved with a data breach affecting over 500 individuals. If the vendor was involved in a data breach, dental providers have the right to ask about it, including the cause of the breach, steps taken to remediate the problem and procedure changes to prevent another breach. If responses are not satisfactorily answered, a provider may want to consider another business associate. HIPAA updates with special challenges for dentists In addition to strengthening enforcement activities, increasing fines for HIPAA violations, and expanding business associate liability, the Omnibus Rule also includes a few changes that present unique challenges to dental practices changes that may be overlooked by many dentists: Patients have the right to restrict information shared with insurance companies if the patient pays out-of-pocket for a procedure. This makes submitting follow-up care for insurance payment without information about the primary procedure a challenge. Dental practices should establish a protocol that honors the patient request not to submit information to insurance and explains the consequences if a procedure will require subsequent visits. If a patient understands that subsequent claims may be denied without information on the first procedure, the decision to restrict information may change. New limits on the use of patient information for marketing and fundraising activities. As dentists build lists of patients to use for appointment reminders, clinical follow up or office announcements such as phone number changes or holiday schedules, providers must be careful not to use the information for marketing purposes unless it meets the stated criteria in the Omnibus Rule. To prevent former employees or associates from accessing lists to contact patients with the announcement of their new employment location, be sure procedures are in place to eliminate access to information upon termination. More importantly, grant access to lists or any comprehensive database of patient information only to team members who need access to perform job responsibilities.

6 Preparation is the best HIPAA-compliant solution The HITECH Act mandates the Department of Health and Human Services (HHS) to conduct random audits of dental providers, as well as business associates, so dental providers and business associates should maintain a state of compliance readiness. For this reason, the best mitigation strategy is a thorough risk assessment with policies developed specifically for the practice, implementation documented, business associates vetted properly and ongoing evaluation of policies and procedures. This preparation best positions a dental practice and business associates to properly handle a breach or successfully undergo an audit. Many dental providers are also obtaining privacy insurance policies as an added layer of financial protection in the event of a breach. Just as professional liability insurance provides a resource in the event of malpractice accusations, privacy insurance addresses situations in which HIPAA violations are alleged. Another key investment to ensure protection of data is encryption of any device that may hold patient information. This includes clinical, business and personal devices. The initial investment in this technology not only minimizes the risk of a breach, but also demonstrates a proactive effort to prevent breaches. Participation in the pilot HIPAA audit program enabled OneMind Health to see firsthand what auditors evaluate and what details are easily overlooked as a covered entity implements privacy and security strategies. Not all vendors or providers will have an opportunity to undergo an audit for educational purposes and neither will every organization experience an audit, however, everyone must be prepared for a random audit. Preparation not only protects the dental practice, but also provides the highest level of protection to patients privacy. Resources for success The U.S. HHS, Office of Civil Rights, Health Information Privacy website, provides information on privacy and security rules, implementation guidelines and answers to frequently asked questions. A complete list of data breaches affecting more than 500 individuals and the associated organizations can be found on this site under breach notification rule. The U.S. HHS, Audit Program, includes specific details about the HIPAA audit program.

7 The American Dental Association, offers The Complete HIPAA Compliance Kit, a comprehensive tool that includes background information, guidelines, strategies and forms. About the Author Linda Harvey, RDH, MS, LHRM As a nationally recognized, healthcare risk manager and compliance expert, Linda Harvey teaches dentists and teams how to effectively integrate regulatory compliance into their practices. Her expertise and knowledge translate into easy to understand and implement risk reduction and patient safety strategies. Linda s hands-on risk management experience in handling workers compensation claims, legal inquiries and various regulatory requirements enable her to understand your practice from the inside out. In addition, she brings real-world experience having worked with professionals who have undergone HIPAA, OSHA and Dental Board audits. Linda speaks and consults in the areas of risk management, regulatory compliance, remediation courses and dental record audits. In acknowledgment of her efforts, Linda was recognized as a Distinguished Fellow in the American Society of Healthcare Risk Management. Clients benefit from her practical, user-friendly style to mitigate liability, restore peace of mind and ultimately save money.