Colington Consulting

Helping Organizations Achieve HIPAA Compliance

HIPAA FAQs

How Does an Organization Demonstrate HIPAA Compliance?

To demonstrate compliance if audited or the subject of a breach investigation, an organization must:

  • Have written and up-to-date policies and procedures (HIPAA risk management plan)
  • Show how they maintain compliance with those policies and procedures
  • Have conducted a HIPAA risk assessment
  • Provide annual HIPAA security awareness training for the entire workforce

Regardless of size, an organization must have a HIPAA security and privacy official who manages the compliance program.

How Much Do HIPAA Compliance Services Cost?

Costs for HIPAA compliance packages vary with each organization and the types of services required to meet regulatory requirements. To prepare a quote, we typically send out a questionnaire to see what compliance measures the organization currently has in place. This helps us determine what the organization will need and the associated costs.

For a free initial consultation, please contact us today.

What Are HIPAA Requirements for Dental Practices?

Regardless of the size of the practice, dental offices are required to follow all HIPAA Security and Privacy Rule requirements. This includes:

  • Conducting risk assessments to identify potential vulnerabilities and risks to protected health information maintained by the organization.
  • Developing and implementing HIPAA policies and procedures as part of a risk management plan.
  • Conducting annual HIPAA Security Awareness and Privacy Training for all members of the workforce including dentists.
  • Making sure there are signed Business Associate Agreements in place for all vendors (Business Associates) that will have any access to patient health information and records.

What is HITECH?

HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, which was signed into law in February 2009. It promotes the adoption and meaningful use of health information technology.
The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, partly through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

What is the HIPAA Omnibus Rule?

The final HIPAA Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash for healthcare services, they can instruct their provider not to share information about their treatment with their health plan.
  • The rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.

What is a Covered Entity?

A covered entity is any provider of medical, dental, or other healthcare services or supplies that transmits any protected health information in electronic form. This includes pharmacies, health plans, and healthcare clearinghouses that perform electronic health care billing functions.
If your organization files any insurance claims electronically, including reimbursement from CMS for Medicare and Medicaid services, you are considered a covered entity.

What is a Business Associate?

With certain exceptions, a business associate is a person or business that creates, receives, maintains, stores, or transmits PHI in performing a function or activity on behalf of a covered entity.

Examples of business associates include: IT service providers; billing and coding companies; cloud storage providers; website hosting companies that maintain any patient health questionnaires; and legal, actuarial, accounting, consulting, data collection and analysis, management, administrative, accreditation, or financial services.

What is a Business Associate Agreement?

Under HIPAA, a Business Associate Agreement, commonly known as a "BAA," is a contract between a covered entity and a designated business associate. The agreement requires that any protected health information maintained by the business associate be handled in accordance with HIPAA regulations.

A BAA must explicitly define how a business associate will report and respond to a data breach, including breaches caused by the business associate's subcontractors.

What is a HIPAA Breach?

With certain exceptions, a data breach is the acquisition, access, use, or disclosure of electronic PHI in a manner not permitted under the Security Rule, which compromises the security or privacy of the PHI.

A data breach is a release of unsecured PHI/PII to an unauthorized entity or into an insecure environment, whether intentional or unintentional.

This includes any attempted, successful, or improper instance of unauthorized access to or use of information; misuse, disclosure, modification, or destruction of information; or interference with system operations in an information system.

What is PHI?

Protected health information (PHI) is individually identifiable health information that is:

  • Transmitted by electronic media
  • Maintained in any electronic medium
  • Transmitted or maintained in any other form (paper records or charts)

There are 18 specific types of identifiers that make health information protected health information, including patient names, addresses, Social Security numbers, email addresses, fingerprints, and photographic images.

What is ePHI?

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under HIPAA privacy and security regulations and is produced, saved, transferred, or received in electronic form.

What are the Security Standards for HIPAA Compliance?

The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.

Specifically, they must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.