Selecting and Training your HIPAA Privacy Officer
Under HIPAA, every practice large and small is required to designate a privacy officer. Many times, this role is given to the office manager or to the dentist. Under the HIPAA Privacy Officer title, this officer will need to dole out tasks to other employees so that your state of compliance is diligently addressed by your team.
Before selecting your HIPAA Privacy Officer, it’s important to understand the scope of the duties involved. The title cannot be applied without a sizable addition to the employee’s job responsibilities, and it also requires a dedicated, high-functioning person who is competent and meticulous in his or her duties.
The Role of the HIPAA Privacy Officer
The role of the HIPAA Privacy Officer, in short, is to oversee all ongoing activities related to the development, implementation and maintenance of the dental practice’s privacy policies, and to stay up to date on changes to the law and how they affect both your technology and your internal security measures for patient data.
The first step after selecting your HIPAA Privacy Officer is to get this person fully trained. There are a variety of low-cost seminars, many of which offer Continuing Education Units, that address the scope of HIPAA and how it applies to your dental practice. It is vital that your HIPAA Privacy Officer attends at least one and possibly many of them. In order to oversee the state of compliance of your dental practice, your Officer must become well versed in the law, and most importantly must become competent in conducting a full Dental Risk Assessment. A risk assessment is the single most important document that you will need in order to record your current state of compliance, as well as the challenges you face and a roadmap for addressing critical security issues.
Your chosen HIPAA Privacy Officer not only must be accountable to the practice owner, but also must demand accountability from the rest of your staff. The road from non-compliance to compliance will introduce a lot of new forms, new technologies, and new methods for controlling workflow. After being trained, this person must be trusted to understand and implement the necessary workflow changes, and ensure that all of your practices are documented.
Resources your HIPAA Privacy Officer will need
By designating an employee to this position, you are asking them to become fully responsible for compliance with a very complicated law. As such, you will need to establish a few relationships that your employee will use as a resource. For example, legal counsel is recommended for common points of confusion such as your Business Associate Agreements with third parties and subcontractors, for instance your IT team or Practice Management Software provider. Additionally, technology consultants will be needed in order to ensure your computer systems adhere to the strict requirements for encryption, audit trails for data access, and endpoint security.
Your HIPAA Privacy Officer will be the point-person involved with any HIPAA audit or communication with the Office of Civil Rights (OCR), which enforces the law. This person will need to be fully invested in the role, and have the time available to dedicate to the changes to his or her job description. The Officer will also need strong communication and presentation skills, as well as strong personnel management abilities.
Job #1 should be to understand and complete your Risk Assessment, which is no small feat. It is important that your Officer not try to learn the process alone, with no resources. Find a consultant that can help. For clients in Northern California, dmi offers free HIPAA consultations with the goal of helping your Privacy Officer begin the task of completing the Risk Assessment.
Documentation is the Biggest Part of the Job
When all is said and done, the major role of your HIPAA Privacy Officer will be to document the current state of compliance, keep documentation of workflow practices up to date, and develop forms, policies and procedures that your staff will follow. The ADA Complete HIPAA Compliance Kit is a terrific resource, and has many templates for policies and assessments. Many practices already have this guide on their shelves. If not, the $300 price tag for ADA members is incredibly reasonable.
From our experience conducting free HIPAA consultations for the dental community, we have developed a list of the data security vulnerabilities that we most commonly find in a dental practice.
Give us a call, or visit our contact page to request more information.