J.J. Micro works with a variety of dental practices in the Saint Louis area. We offer a HIPAA compliance-as-a-service package called PracticeProtect™ that brings practices into HIPAA compliance and provides the IT support that every 21st-century practice needs.
When we first started working with dental practices, we focused all of our HIPAA compliance remediation on the technology side of the business. We were mostly concerned with preventing breaches caused by improper security protocols, lack of encryption, and unsecured networks. But as we started becoming HIPAA certified ourselves, we realized that we were missing about half of the HIPAA compliance equation: the administrative side of HIPAA.
While performing internal HIPAA audits for our clients, we have found that many practices are missing some of the most basic requirements of HIPAA, such as simple documentation and annual employee HIPAA trainings and refreshers. Many practices even lack a designated HIPAA compliance officer. This led us to design PracticeProtect™ around these failures so that we could offer a solution that automates many of these requirements, letting doctors and practice managers focus on providing the best care for their patients.
The purpose of this article is to go over some of the most commonly missed items so that as a practice manager, you can know whether you are HIPAA compliant or not. With the OCR scheduling surprise audits starting in 2016, all covered entities (like dental practices) are at risk of hefty fines if they can’t prove they are HIPAA compliant. Let’s go over some of these commonly missed compliance gaps so that you can work on a plan to become compliant yourself.
HIPAA Documentation Binders
The most commonly missed and arguably most important item to have in an audit is documentation. If an auditor calls, emails, or shows up at your office, the first thing they will ask you for is your HIPAA binder. They will want to see that you are documenting everything from your privacy statement for patients to your record of when each employee last took their HIPAA refresher training. If you don’t already have a HIPAA binder, you should start one today. If an OCR auditor asks you for your HIPAA binder and you don’t have one, they are much more likely to do a full audit and start handing out fines. A thorough HIPAA binder will likely be about 25 to 75 pages and will be updated regularly.
Annual HIPAA Training for your Employees
Many practices do take the time to do occasional HIPAA trainings for their employees. However, we find that it’s not unusual for there to be long lapses between trainings. HIPAA compliance laws require regular documented training of existing employees and initial training for any new employee. Most experts agree that even though there is no set time limit for regular training intervals, one year between each training should be the maximum. In addition to ensuring these trainings take place, you will need a signed document from each employee each time they take the training so that you can prove to an auditor that each employee understands what is required of them with regard to HIPAA compliance.
BAAs (Business Associate Agreements)
If you do business with any outside vendor that comes into contact, or could come into contact, with PHI (protected health information), you will need a BAA signed and on file with each vendor. A BAA holds vendors accountable for properly handling your PHI to prevent breaches or losses. Examples of vendors that would require a BAA are IT service providers, insurance billing providers, document shredding handlers, contractors, accounting services, outside janitorial crews, online data backup services, cloud server providers, and email encryption services. Every BAA should be on file in your HIPAA binder and will need to be reviewed annually to ensure that new HIPAA laws aren’t being ignored.
Designated HIPAA Compliance Officer
HIPAA standards require that your practice nominate a HIPAA compliance officer. It is this person’s duty to ensure that the practice is following HIPAA compliance laws in all areas. This person will keep the HIPAA binder up to date, ensure employees are taking their trainings, and be a general watchdog to ensure that employees are handling PHI with care. Most commonly this responsibility falls on the practice manager. If the OCR contacts your practice about a HIPAA audit, lack of a HIPAA compliance officer will be a big red flag.
Regular HIPAA Security Reviews
HIPAA laws require that your practice regularly perform a self-audit to address any new gaps that may have opened in your HIPAA compliance. Again, most experts agree that “regularly” in this case means yearly. In addition to doing a full internal HIPAA audit yearly, you must document your findings and any remediation steps you took. This should all be in your HIPAA binder. If the OCR asks for your HIPAA documentation and doesn’t find any information about an internal audit in the last 12 months, that is another big red flag.
Record Retention and Disaster Recovery Plan
An important and often overlooked aspect of HIPAA compliance is record retention and disaster recovery. The state of Missouri requires your practice to keep patient medical records on file for 7 years. If you were to lose any of those medical records during that 7-year period, it would be considered a breach and you would be subject to fines of up to $50,000 per record lost. For this reason, it’s important to have a good backup plan and a documented disaster recovery plan. Do you have a document that outlines exactly what will take place if your building were lost in a flood, tornado, or fire? An auditor from the OCR will want to see that you have a documented step-by-step plan to recover all patient records from an off-site backup.
Time and time again we have found that doctors, dentists, practice managers, and other staff just don’t have enough hours in the day to stay focused on HIPAA compliance. With PracticeProtect™ we automate as many of the steps as we can. You will still need to understand HIPAA compliance and follow security standards to ensure PHI is safe. But employee training, writing BAAs and reviewing them annually, designing privacy forms for your patients, sending patient records over the internet using encryption, performing security audits, and all of the hundreds of other small details will be available to you in a simple, easy-to-use web platform. J.J. Micro will design a customized compliance plan for your practice and help you follow that plan to maintain compliance. With PracticeProtect™ you can know that even when a new HIPAA law is passed or when HIPAA rules are changed, your plan will be updated accordingly. You will no longer have to worry about a surprise HIPAA audit. When they ask for your HIPAA binder, you can hand it to them and smile, knowing there won’t be any issues.
Give J.J. Micro a call today at 636-556-0009 to schedule your free, no strings attached, HIPAA compliance check. We can help you decide if you are compliant or if you need PracticeProtect™.