Answer: This marks the date for all dental providers to be compliant with the new HIPAA Omnibus rules, a sweeping change to the original HIPAA rules of the past few years.
Having just conducted an EHR workshop for the Minnesota Dental Association, I was pleasantly surprised that many dentists and practice managers in attendance were not only aware of the enactment of the new HIPAA rules but also bombarded me with questions regarding how they can be assured that they are HIPAA compliant. Of course, the fact that penalties have been extended to a potential liability of $50,000 per occurrence and $1.5 million aggregate per year has helped fuel this interest and thirst for information. And, in addition to federal penalties, we’re seeing more state and local lawsuits involving HIPAA.
And just how does the new HIPAA rule intersect with electronic health record adoption? HIPAA and EHR have been intertwined for a number of years and the new updated rule makes this relationship even closer.
Patients’ rights to their electronic information
A patient has the right to request and receive all of their Protected Health Information (PHI) in electronic form from their dentist’s office. In addition to basic information, any associated electronic images or other supplementary materials need to be provided to the patient in electronic format as well. An EHR system needs to be compliant with this requirement. It is important to note that a dental office cannot just send this electronic information to a patient via Outlook, Hotmail, Gmail, or one of the more commonly used large file repositories on the Internet such as Dropbox. These are not HIPAA-compliant methods of transmitting personal health information from provider to patient.
Expanded need for business associate agreements
With the growth of cloud computing and the popularity of third-party implementations of electronic health records, the practice needs to recognize that they must execute separate business associate agreements (BAA) with each partner involved when they are implementing an electronic health record system. This is especially true more than ever as the patient information privacy requirements, along with associated liabilities and penalties, are increasing more than ever. Now, instead of the practice being the only entity with access to a patient’s electronic health record database information, all their partners potentially have access to this information as well. The mechanism that provides rules and regulations surrounding this level of access is the BAA. A well-structured and solid BAA will cover the areas of:
- Confidentiality of patient information between entities doing business together
- Obligations of each business associate in protecting the practice’s patient information
- Breach notification processes
- Permitted use of information
- Auditing of disclosures
- How protected health information is handled following a contract termination
Any organization that you do business with, and that has potential to come into contact with your patient’s personal health information, should sign a BAA with you. If any of these organizations refuse to sign the BAA, you should question why and consider not doing business with them.
Choosing a HIPAA-compliant cloud company
Over the years I have represented many practices that preferred to purchase a cloud-based EHR solution. And, as a technical person, I'm always interested in making sure that the cloud-based vendor has the kind of HIPAA security and compliance that is necessary to reduce its practice’s liability. Bottom line is that that all cloud vendors and data centers are not created equal when it comes to patient information security and HIPAA.
Some general areas to be aware of when it comes to a data center or cloud vendor’s adherence to HIPAA are:
- HIPAA education
- Privacy and security protections
- Data storage
- Data disposal
- Auditing and logging capabilities
The best data centers and cloud vendors have done internal audits on their HIPAA compliance and patient data security risks which they should be open to sharing with a practice that is interested. In addition, there should be internal training programs for data center staff to make sure that they understand the various aspects of HIPAA compliance from a data center perspective.
When it comes to hosting personal health information, it is also imperative for the data center or cloud vendor to have contingency procedures in place should there be any issues. For example, having redundant servers in different locations can help get a practice up and running quicker should there be a failure. Along with this come policies and procedures for backing up data regularly.
HIPAA covers not just the concepts of protected health information confidentiality and security, but also the integrity of the information itself.
There are also a host of physical and architectural requirements at the data center (too numerous to mention), but nonetheless critical from a HIPAA perspective.
In this day and age it seems that liability can be assessed on many fronts: the dental practice, the cloud vendor, or data center – even contractors that have come into contact with personal health information. There have been occasions where even though the actual data center had a breach and was most culpable, the dental practice was still responsible for the confidentiality of their patients’ data. So, the bottom line is to become familiar with the new HIPAA Omnibus rules, and follow them, so you can avoid steep penalties down the line.
More articles by Mike Uretz
- Team EHR: Negotiating your dental electronic health records system
- Team EHR: EHR and the office manager: The chart stops here
- Team EHR: Electronic health records and the dentist