October 2009       Recent HIPAA Violations in a Dental Office: 

If you receive a HIPAA complaint letter from the Department of Health and Human Services, you must regard this action as very serious and respond appropriately.  Recently a dental practice contacted Modern Practice Solutions after having received such a letter.  An alleged violation of a patient's protected health information took place earlier this year.

Evidently the complaint was the result of the dentist using another patient's radiograph to explain a dental procedure.  Additionally, the practice used photos of patient's teeth on their website.  Notice in the body of the complaint, the State asked for the following information: 

1) A copy of the practice's HIPAA policies as it related to the disclosure of protected health information. 

2) A copy of policies as related to safeguarding patient's protected health information.

3) Policies regarding training new hires and ongoing HIPAA training for staff.

4) A copy of all HIPAA training for the Dentist and staff for 3 years, including materials and sign in sheets.

5) A copy of the Notice of Privacy Practices.

6) A signed copy of the Acknowledgment of the Notice of Privacy Practices for the last 10 new patients.

7) A digital photo of the Notice of Privacy Practices displayed in the lobby.

Failure to provide the requested information may constitute a violation and is punishable in fines of $100 to $50,000 per day. 

If you received this letter, would you be prepared to respond?  Prepare your staff and develop your policies to meet the demands of HIPAA compliance. 

HIPAA Online Web Training January 20, 2010 - Please join us.  Email for details.

August 2009            MEDICAL & DENTAL HIPAA COMPLIANCE

February 17, 2009, President Obama signed into law The American Recovery and Reinvestment Act known as the "Stimulus Bill".  The federal government included in this law $19.2 billion which is intended to increase the use of the Electronic Health Records (EHR) known as the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. 

What does this mean for patients? Having a national system for computerized health records will improve patient care, increase patient safety and simplify compliance in the United States.  Additionally, using these records will save costs, minimize errors and maximize efficiency.  Yet the computerization of all health records by the end of 2014 means new regulatory requirements for the health care profession. 

The HITECH Act increases the penalties for various HIPAA violations which is significant to covered entities.  Additionally, the Act will now require business associates to comply with many of HIPAA's rules and subject them to HIPAA's civil and criminal penalties. 

Consider that since April 2003 when HIPAA's Privacy Rule became effective, the Health and Human Services Office of Civil Rights has received over 27,070 complaints with over 4,500 cases investigated and resolved.  There have been four criminal HIPAA violations prosecuted to date with over 350 complaints considered by the Department of Justice. 

In providing HIPAA trainings across the country, some individuals having mistakenly thought that these regulations are more applicable to administrative employees who handle patient account information such as payments and insurance.  Regardless whether an employee is considered "clinical" or "administrative," the privacy of protected health information may be breached.  Simply look at your patient information screen and note how much information is gathered on patients which requires security measures.  Thus, the entire team is responsible to launch a successful HIPAA program to avoid violations including criminal prosecutions.  

To commit a criminal offense, a person must "knowingly" violate a HIPAA rule.  Interestingly, the Stimuls Bill added to the Wrongful Disclosures Criminal Penalties "a person (including an employee or other individual) shall be considered to have obtained or disclosed indivdiually identifiable health information in violation of this part if the information is maintained by a covered entity.."  Therefore, employees who knowingly violate a HIPAA rule may be subject to a criminal penalty, not simply the corporation or covered entity.  

Medical and dental offices should thus seriously evaluate the level of HIPAA compliance in their practice to avoid practice interruptions, penalties and litigation.  Modern Practice Solutions strongly suggests providing training for your staff, conducting a risk assessment of your patient's protected health information and incorporating the necessary Privacy & Security policies for compliance.  A team approach to HIPAA compliance assures a more successful program and a smoother transition into the electronic health record era.  

Program Includes:

• HIPAA Manual - Fully Customized Including the Privacy Rule, Security Standard & Forms 
• Risk Assessment
• Training & Employee Documentation

Don't Forget These New Rules:  Federal Trade Commission: 

The Federal Trade Commission outlined Red Flag Rules to aid in the detection of identity theft.  Effective May 1, 2009, health care providers must comply with the FTC as a "creditor" (ie., an office that sends patients statements  for unpaid balances, arranges payment plans and accepts insurance whereby the patient or account holder is responsible for unpaid balances).  As such, medical and dental offices must implement an Identity Theft Detection & Response Policy & Procedures program. This includes verifying patient's identity with government issued ID.  Penalties and the opportunity for civil litigation may result for violations. 

For more information regarding Identity Theft and the Red Flags Rule, please visit the Federal Trade Commission's website:  

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm.