In the past, randomized HIPAA audits have been carried out by Health & Human Services and the Office for Civil Rights (HHS & OCR). First, a letter or phone call is made requesting your latest risk assessment. Those who have a detailed risk assessment are generally left alone, as the document shows actions taken to discover and remediate risk. In the absence of a HIPAA risk assessment, however, the OCR has sent an auditor on-site for a detailed evaluation of workflow, security practices, and administrative, physical, and technical safeguards.
A HIPAA Risk Assessment: What do I Need?
The best template for a risk assessment for a dental practice is found in the ADA Practice Guide to HIPAA Compliance. This guide has detailed steps for reaching HIPAA compliance. Although following their exact template is not required, your risk assessment should contain risk identification and risk management sections covering all of the content needed to fill out their example.
Is my Dental IT Company a Trusted Resource?
That is the question that you must answer before following the advice of your Dental IT company. To identify their expertise, consider the following:
1. Speak with their HIPAA Privacy Officer. Your dental IT company is required to have a dedicated HIPAA Privacy Officer, as they are Business Associates under the law and must comply to the same degree as your practice. The absence of a person holding this title is a red flag.
2. Review their HIPAA compliance checklist. If your dental tech support company does not have one, then this is another red flag. HIPAA-compliant IT practices by a Business Associate must undergo review to ensure compliance with the law. Their checklist should contain items regarding the Security Rule of HIPAA – technical and physical safeguards must be addressed, and the HIPAA Privacy Officer should be able to speak on these points with expertise. Remember, there is always more than one way to meet compliance, especially in the addressable portions of the law.
3. Ask for a Face-to-Face Visit from their Privacy Officer. Speaking with a dental technician about HIPAA compliance is a good start. However, the expertise of your technicians revolves around dental technology and server/workstation security. Expertise in HIPAA, however, rests mostly on the shoulders of the Privacy Officer, as a large portion of his or her job surrounds compliance. Having a face-to-face meeting with this person can give you insight into the “why’s” as well as the “how’s”.
4. Dental IT Companies Also Have a Risk Assessment. Finally, it is important to note that your dental IT company not only has expertise in dental technology, but they also have to adhere to the same regulations that you do. As such, the company should have an internal Risk Assessment of their own. While this is not generally provided to clients, it is a good idea to ask their Privacy Officer about some of the pitfalls and experiences he or she has come across when completing their own risk assessment. This vital piece of the conversation can tell you a lot about the company and its state of HIPAA compliance.
dmi Networking is a provider of dental IT in the Bay Area, and offers HIPAA consultations and data security solutions.