To demonstrate compliance if audited or the subject of a breach investigation, an organization must:
Regardless of size, an organization must have a HIPAA security and privacy official who manages the compliance program.
Costs for HIPAA compliance packages will vary for each organization and the types of services required to meet regulatory requirements. In order for us to provide a quote, we typically send out a questionnaire to see what compliance metrics are currently in place for the organization. This helps us determine what the organization will need to have in place and the associated costs.
For a free, initial consultation, please contact us today.
Regardless of the size of the practice, dental offices are required to follow all HIPAA Security and Privacy Rule requirements. This includes:
HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, which was signed into law in February 2009. It promotes the adoption and meaningful use of health information technology.
The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, partly through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
The final HIPAA Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
A covered entity is any provider of medical, dental, or other healthcare services or supplies that transmits any protected health information in electronic form. This includes pharmacies, health plans, and healthcare clearinghouses that perform electronic health care billing functions.
If your organization files any insurance claims electronically, including reimbursement from CMS for Medicare and Medicaid services, you are considered a covered entity.
With certain exceptions, a business associate is a person or business that creates, receives, maintains, stores, or transmits PHI while performing a function or activity on behalf of a covered entity.
Examples of business associates are: IT services; billing and coding companies; cloud storage providers; web site hosting companies that maintain any patient health questionnaires; and legal, actuarial, accounting, consulting, data collection and analysis, management, administrative, accreditation, or financial services.
Under HIPAA, a Business Associate Agreement, commonly known as a “BAA,” is a contract between a covered entity and a designated business associate. The agreement requires that any protected health information maintained by the business associate be handled in accordance with HIPAA regulations.
A BAA must explicitly define how a business associate will report and respond to a data breach, including breaches that are caused by a business associate's subcontractors.
With certain exceptions, a data breach is the acquisition, access, use, or disclosure of electronic PHI in a manner not permitted under the Security Rule, which compromises the security or privacy of the PHI.
A data breach is a release of unsecured PHI/PII to an unauthorized entity or in an insecure environment, whether intentional or unintentional.
This includes any attempted, successful, or improper instance of unauthorized access to or use of information, misuse of information, disclosure, modification, or destruction of information, or interference with system operations in an information system.
Protected health information (PHI) is individually identifiable health information that is:
There are 18 specific identifiers of protected health information, including patient names, addresses, Social Security numbers, email addresses, fingerprints, and photographic images.
Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under HIPAA privacy and security regulations and is produced, saved, transferred, or received in an electronic form.
The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.