By Dan Gospe
When conducting HIPAA consultations for dentists, this is one of the most common questions I am asked: “How, exactly, does HIPAA apply to me?”
HIPAA is designed to protect patient data on a huge scale. It is effective in guiding large organizations such as hospitals, insurance companies and labs for being as secure as they possibly can be. But with this in mind, how exactly does HIPAA apply to the small, 2 chair dental practice? Surely the breadth of protections needed on the enterprise level can simply be bypassed for the smaller practice with only a small amount of PHI on the server and workstations?
How HIPAA Applies to Dentists:
The goal of HIPAA is to be an advocate for patients, and to ensure that wherever their data is stored it is protected. After all, we are all patients of some doctor and dentist somewhere, and as patients we really have no control over how our data is handled on a provider’s various systems. HIPAA aims to protect information from databases both large and small by stretching requirements throughout the country, wherever patient data is found.
At the root, the entirety of HIPAA applies to dentists. But, the risk profile of the dental practice will look much, much different than that of a hospital. And as such, the protections that the dentist needs to put in place look a lot different than the bigger companies.
“It’s Too Much: My Dental Practice is Too Small!” – Taking a Measured Approach
It’s easy to get overwhelmed when you first dig into the HIPAA requirements, mainly because the requirements are designed with the largest of entities in mind. But you can approach it in a way that doesn’t overwhelm you. Taking a measured approach to meeting the requirements will help you not feel in over your head. Take it slowly – start with your risk assessment (the most important document you will have regarding HIPAA). Your Risk Assessment will guide you toward the things you need to address for your practice, and you can take each section one at a time. Sit down with your office manager, and look over a risk assessment template together. If you’re not sure what they are asking, ask your IT provider or HIPAA consultant. They will have some ideas as to what the law is asking for.
The Risk Assessment template that I use is from the American Dental Association, whose Complete HIPAA Compliance Kit gives you a great starting point. It is a great resource for the small-to-mid sized dental practice.
Following your Risk Assessment
Your risk assessment is a collection of questions that you answer based upon how your office performs certain tasks, or how your network and computers are set up. On each question, you’ll assign a risk score from 1 to 6; 1 being no risk, and 6 being imminent breach. In general, 1’s and 2’s are risks that don’t necessarily need action, but as you get to 3’s and above you’ll want to do something in order to lower that risk.
There are a great many ways to address any risk, and there’s no “rightest answer”. The right answer is the one that lowers your risk profile, and ideally you’ll want the solution not to create additional daily work for your staff.
Many parts of the risk assessment will refer to office policies that you may or may not have. The most common policies that are missing in the consultations I’ve performed are the Sanction Policy, the Audit and Logging Policy, and the Disaster Recovery Policy. The links here go to templates and ideas that you can use to form your own, unique policies that work with your practice.
It Gets Much, Much Easier
The first time you do a Risk Assessment is the most time consuming by far. You’ll be doing a lot of research; not only into the law itself, but into how your computers and network are set up. You’ll also be designing or editing your office policies to abide by the law.
Thankfully, once you finish up, you don’t need to update it for another year. And, when its time to update, everything is mostly done. You’ll just need to note how you’ve reduced risk, or how your network has changed over the past year. In general, your office policies won’t change year-over-year unless you adopt a new type of strategy or system to protect your patients’ data.
Take it slowly, and give yourself a month or so to get it all done.
Read More about HIPAA for Dentists
If you want to read more about HIPAA for dentists, here is an article about 5 Common Mistakes Made by Dentists in regards to HIPAA compliance. Or, if you are interested in a free HIPAA consultation either in the Bay Area or throughout the US, you can contact us through our web page.