
HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and on how much our clients appreciated the simplicity and automation it provides. We have been committed to expanding our solutions and adding products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments. Furthermore, our Privacy Risk Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs not only of large practices, but also of small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, the OCR is accelerating the frequency and number of audits; with HIPAA One solutions, you are guaranteed to pass.


Why Dentists Should Be Concerned about HIPAA Laws and the Security of Their Patient Records

Back in 1996, HIPAA (Health Insurance Portability and Accountability Act) became federal law. The United States government acknowledged the need for people and businesses in healthcare fields to better protect patients’ healthcare records, because they are sensitive documents and every patient has a right to privacy and security.

The healthcare community, health insurance plans and subcontractors were not taking measures to ensure basic security controls and privacy protocols were in place. Much like the payment card industry established the PCI Security Council to ensure credit card account numbers were protected, the federal government established governance and protocols as a baseline to oversee patients’ rights to their records, the disclosure of those records, and the securing of the personal identities contained in health and dental records.

The Office of Civil Rights (OCR) is a division of Health and Human Services (HHS). The OCR was placed in charge of enforcing the HIPAA Security and Privacy laws starting in 2009 as part of the HITECH Act, to ensure those storing health records take basic care to ensure the confidentiality, authorization, availability and appropriate disclosure of personal health information (PHI). The OCR is incentivized to enforce HIPAA through Civil Money Penalties (CMP) and by publishing investigations and resulting settlements under the Freedom of Information Act.

Dentists can fall on the radar of a Security and Privacy audit in the following ways:

  1. A patient complains their data isn’t secured or reports a suspected violation of their privacy rights on the HHS website (i.e. whistleblower complaints).
    1. The OCR is required to investigate each complaint.
  2. OCR’s continuing random audit program into 2014-2015.
  3. A dental office could be randomly selected for Meaningful Use audits.

HIPAA has four rules outlined below:

HIPAA Privacy Rule

Every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now created, stored and shared orally, electronically and on paper, so a lot has to be done to keep these records out of the wrong hands.

HIPAA Security Rule

This rule relates directly to electronic patient files and states that each covered entity—which includes dentists—must keep them safe from any unauthorized access during transit and storage.

HIPAA Breach Notification Rule

The breach notification rule requires all covered entities and business associates to give notification when a breach of unsecured protected patient health information has occurred.

Patient Safety Rule

The final rule protects identifiable patient health information from being used to analyze and improve patient safety and events relating to patient safety.

If dentists don’t comply with HIPAA rules and are then audited, they are penalized.

Dental records, in paper or electronic format, are considered Protected Health Information and are subject to the same Federal scrutiny for privacy and security as full medical records.

Dental records contain minimal medical information, but they do contain demographic information and numerical identifiers related to dental health: name, address, birth date, phone numbers, insurance status, patient ID number, SSN, etc.

Penalties vary and are determined by the seriousness of the security or privacy breach. Also taken into consideration is whether you knowingly or accidentally released patient records and private information. Either way, you’re held accountable. Penalties range from fines, to being fired from your job, to closing an office, to potential jail time (in the event of knowingly losing 500+ PHI records and failing to report to HHS within 60 days).

So how can you and your dental office steer clear of these penalties?

First, you must understand and keep up-to-date with all HIPAA rules and regulations. You can also set up a HIPAA program in your office, perform consistent employee trainings, and conduct and document regular HIPAA risk analyses to evaluate and fix any potential problems.

Second, you must make sure that your dental practice management software is HIPAA compliant. Since this is where your patients’ dental records are stored, a breach can be detrimental to your office and can bring several fines.

If your practice is currently running on a practice management system, penetration testing can help you identify threats and openings that hackers could exploit to gain access to your system. If you’re currently shopping for software, make sure you choose a platform that is guaranteed to be HIPAA secure.

Complying with HIPAA laws and regulations is crucial so that you and your dental practice don’t have to face penalties, and so that you keep the trust and satisfaction of your patients by keeping their healthcare records safe and secure.

About the Authors

This post was co-authored by Steven Marco, the President of HIPAA One® and Modern Compliance Solutions as well as Trevor James, the marketing manager for Viive, a Mac-based dental practice management system, and Dentrix Ascend, a cloud-based dental practice management system.

Is a Covered Entity Liable For, or Required to Monitor The Actions of Its Business Associates?

Luckily, the answer to this question is a good one for covered entities. Business associates are liable for their own actions and for every piece of protected information they are given. What covered entities need to be sure of is that they properly enter into a contract that protects the privacy of protected information.

Monitoring or overseeing the work or actions of business associates is not required nor is it expected. Business associates are wholly responsible for complying with the privacy safety measures spelled out in the contract between the covered entity and the business associate.

The biggest concern a covered entity has when it comes to its business associates is acting upon information or evidence that a business associate is not complying with the contract. If a covered entity neglects to act on evidence, found or discovered, that indicates a business associate is not in compliance with the precautions set out in the contract, then the covered entity can be charged with neglect.

The actions a covered entity is expected to take when a breach or violation is discovered are: take appropriate action to secure the breach or end the violation; if it is not possible to secure the breach or end the violation, the entity is expected to terminate the contract.

There are several details that can’t be succinctly explained in a short summary; therefore, it is up to the covered entity to make sure it is operating within the policies of the HIPAA laws.

Can A Business Associate Self-Certify or Be Certified By A Third Party As HIPAA Compliant?

Too often there are misconceptions about new laws or policies because too little effort has been made to educate people about, or elaborate on, the details of the changes that the new laws or policies will bring about.

That is the case with the new HIPAA laws that have been in effect since September 2013. Evidence of this is the overwhelming number of people who are asking for clarification on many of the details of the new changes and restrictions applicable to their organizations.

The question that serves as the title of this post is one example of the many questions that have surfaced since enforcement of the new HIPAA rules began. The answer is a simple negative: no, a business associate cannot self-certify or be certified by a third party as HIPAA compliant.

The reason is that the business associate, while performing its paid duties for the covered entity, is subject to exactly the same restrictions and laws as the entity itself. Therefore the business associate is required to be under contract in order to be HIPAA compliant.

So, what must the contract include in order to be compliant under the new HIPAA law?

The contract must make the business associate accountable for the proper use of protected medical information. It must also restrict how the business associate uses that information. Additionally, it must make any health information available to the parties to whom it belongs as well as to the covered entity.

Apart from these, there are several other details that a covered entity should research and abide by in order to protect itself and comply with the new HIPAA laws.

Advocate Medical Sued for Breach of Patient Electronic Medical Records

For something as simple as “plain old know better,” $50,000 or more could be the penalty for a breach of HIPAA law from Advocate Medical in Illinois. This breach has been described by the prosecuting attorney, Shannon M. McNulty, as a failure “to follow basic operating procedures”.

The lawsuit was filed due to the loss of patient records stored on a computer that was stolen in July 2013. The computer could have the records of nearly 4 million patients stored on its hard drive. This information could include names, Social Security numbers, addresses, birth dates, medical records, and insurance information. The breach gives the thieves access to information they could use to commit identity theft and fraud.

Advocate Medical stated in their defense that they believe the thieves were not targeting the private, sensitive information stored on the computer. Because they believe there is a lack of evidence, Advocate Medical holds that the lawsuit has no merit and that they will win the suit.

Unfortunately for Advocate Medical, the HIPAA laws are clear. And for an entity as large as Advocate Medical, there is very little understanding for a claim of ignorance.

You can read the full release at

New HIPAA Rules Go Into Effect On Monday – What You NEED To Know

The new HIPAA rules that go into effect September 23rd, 2013 contain changes that affect any company that deals with PHI. That means doctors, dentists, nurse practitioners, hospitals, nursing facilities, assisted living facilities, health care insurance companies, medical billing companies, and licensed coding contractors. All of these and others will need to take a careful look at how they are protecting PHI, both physically and digitally, in order to escape the hefty fines and penalties. Some of the notable changes are:

  • Patient notifications of breaches
  • Restriction of Disclosure to Insurance Companies
  • Marketing Restrictions
  • Broadened Definition of Responsible Persons
  • Clarification of Fine and Penalty Tiers

Although these have many ramifications for nearly everyone working in the health care industry, three stand out as more urgent:

  1. Patient Notifications of Breaches
  2. Broadened Definition of Responsible Persons
  3. Clarification of Fine and Penalty Tiers

First, patient notifications of breaches are a serious topic, especially in the wake of so many penalized breaches since 2009. The largest change to the rule is that all breaches are now considered reportable by default unless the breach is determined not to have compromised PHI. This determination is made using four factors that assess the risk to the PHI.

Second, the broadened definition of responsible persons is an expanded view of who counts as a business associate. Rather than simply holding a patient’s caregiver and their employees responsible for protecting PHI, the new rules require anyone tasked with transmitting, storing, receiving, converting, copying, selling, using, or even viewing PHI to take the same measures to protect it.

Lastly, the fine and penalty tiers have been simplified and explained. The first tier comprises breaches of which the physician or facility administration could not reasonably have known. The second tier is made up of cases in which the doctor or facility admin knew of the breach, or would have known had they exercised due diligence, but were not negligent. The last and most heavily penalized tier covers those cases and circumstances where willful neglect has been proven.

These are only a few things to be aware of with the new changes to the HIPAA law going into effect on September 23rd, 2013. You may want to look into hiring a HIPAA security expert to learn more and help ensure you are compliant.