What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law signed by President Clinton in 1996. It was meant to create a set of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It has a Privacy Rule and a Security Rule, which we will cover here. The Department of Health and Human Services (HHS), through its Office for Civil Rights, enforces HIPAA.
Who is subject to HIPAA?
HIPAA has something called a Covered Entity. If you are a Covered Entity, you need to follow the HIPAA rules. The funny thing is, a healthcare provider that does not transmit any health information in electronic form in connection with a transaction for which HHS has adopted a standard is not a covered entity, and HIPAA doesn’t apply to it! In practice, almost every practice that bills insurance electronically meets that test. The covered entities are:
Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, information technology, and billing.
As an orthodontist, you are a healthcare provider and therefore a covered entity. As an IT (Information Technology) company with access to your patient data, I am a business associate. A business associate is not itself a covered entity, but since the 2013 Omnibus Rule it is directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.
HIPAA privacy and security rules
The Privacy Rule governs what protected health information (PHI) may be used or disclosed, and to whom; the Security Rule requires administrative, physical, and technical safeguards for PHI held or transmitted electronically. According to HIPAA, you need to take “reasonable and appropriate” precautions to prevent a data breach. Any vendor that creates, receives, maintains, or transmits your patient data needs a BAA, or Business Associate Agreement, on file. You need to be able to track who accessed what record at what time (the Security Rule calls this audit controls). You should be encrypting your server and all computers: encryption is technically an “addressable” specification, but unencrypted PHI on a lost or stolen laptop is a reportable breach, while properly encrypted data is not, so treat it as required. You must have written policies that define how your users access data, what to do in case of a breach (including the breach notification requirements), and so on. You need a designated Privacy Official and Security Official, either on staff or through a third party such as Quick MSP!
Most dental offices don’t meet all of these requirements, and most IT companies try to stay “hands off” with HIPAA because they don’t want to take on the “risk”. These IT companies don’t realize that they are just as liable as the practice if they don’t take reasonable steps to protect the data.
We’d recommend that you work with a company such as HIPAA Compliancy Group or an IT company that is partnered with them, such as Quick MSP! We will help you write your policies and conduct the annual HIPAA and security awareness training. We also have plans where we will act as your compliance officer.