Thursday, January 17, 2019

HIPAA Compliance and SSE Patient Reports

At Superstition Springs Endodontics, we have been discussing the secure, electronic reports that we send back to our referring offices. As you can imagine, when working with different offices that use different email services, each computer with different mail settings, different security settings on different networks, doctors and team members reading reports on handheld as well as desktop computers and, last but not least, human error, there are likely to be some complications along the way. Our recent upgrade to TDO endodontic software was a significant technology investment meant to improve our HIPAA compliance.

What is HIPAA? Title II of the 1996 Health Insurance Portability and Accountability Act (HIPAA) has broad implications in health care, which includes dentistry. This law created multiple rules and regulations for various purposes. These regulations include a privacy rule, a security rule, a breach notification rule and an enforcement rule with civil authority to levy monetary penalties for HIPAA violations.

The Privacy Rule: You are likely most familiar with this rule. This rule gives patients certain rights over their personal health information, which includes dental records and billing records. It gives patients the right to ask for a change in their records, to ask their health care provider not to disclose their health information to others, and to have their requests about how the provider communicates with them accommodated.

The Security Rule: This rule puts the burden on the dental practice to have a written risk assessment and to develop practice safeguards that protect the confidentiality, integrity and availability of electronic patient information. These safeguards fall into three categories: administrative, technical and physical. This is a tall order, in that the safeguards must ensure that patient data is not corrupted or changed without authorization and that only authorized people have access to it, while at the same time keeping the information available to authorized persons whenever it is needed. "The HIPAA Security Rule also requires ongoing maintenance of safeguards, periodic risk assessments, workforce training, and documentation."

Breach Notification Rule: The Health Information Technology for Economic and Clinical Health (HITECH) Act drove the adoption of EHRs for Medicare and Medicaid providers, which had a greater impact on our physician colleagues. The HITECH Act also created the Breach Notification Rule, which requires dental practices to provide notification of breaches of unsecured patient information to the patients, the federal government and, in some cases, the media.

Enforcement Rule: The enforcement rule has authorized enhanced civil monetary penalties for non-criminal violations of HIPAA rules since February 18, 2009. While dentists have rarely been fined for non-compliance, Dr. Joseph Beck was the first dentist to be fined $12,000 for non-compliance with HIPAA rules by the office of the Indiana attorney general. The Health and Human Services Office of Civil Rights (OCR) also has the ability to audit dental practices and issue fines and penalties.

Omnibus Final Rule: On January 17, 2013 the HHS published the HIPAA Privacy and Security Omnibus Rule, which created a compliance deadline of September 23, 2013. The Omnibus Final Rule reinforces the HIPAA rules and regulations and:
  • extends the privacy and security rules to the dental practice's business associates and their contractors (any contractor who has access to patient information)
  • establishes new limitations on use of patient data for marketing and fundraising purposes
  • prohibits sale of patient's personal health information without authorization
  • expands patients' rights to request and receive electronic copies of personal health information
  • broadens patients' ability to restrict disclosure of personal health information to health insurance plans

Does HIPAA apply to your practice? Yes! HIPAA rules apply to your practice if you are a "covered entity" under the law. You are considered a "covered entity" if you, or a third-party clearinghouse that you hire, transmit electronic claims to a dental plan.

What does that mean for my practice? If you are a "covered entity" then you need to take steps to comply with the HIPAA law, which include:
  • Appointing a practice HIPAA privacy official
  • Appointing a practice HIPAA security official
  • Familiarizing yourself with the law
  • Creating a HIPAA compliance team
  • Performing a risk assessment
  • Deciding on your practice policies and procedures
  • Training your workforce
  • Updating business associate agreements to comply with the privacy and security rules
  • Maintaining
You can order the ADA HIPAA compliance workbook to help walk you through the process of becoming fully HIPAA compliant.

How does SSE secure patient communication work? Our current software gives every referring doctor a username and password, allowing them to access all of their patients' reports, radiographs and relevant clinical data by logging into a secure server. When a consult or treatment has been completed in our office, you will receive an email to view that specific report, or you can log into the server to access any patient report or data. However, every added layer of security also comes at the cost of extra steps and logins. Here are some of the trouble spots people have reported while using our secure communication tool:
  1. Clicking on the wrong hyperlink: One hyperlink will take you to your specific patient's report, and another hyperlink will take you to the server where you can access all of your referred patients' data.
  2. Offices with multiple doctors: Each doctor has their own login credentials to access the reports of the patients they referred. Team members logging in on a doctor's behalf need to log in as the correct doctor to access that doctor's patient reports. If you have multiple doctors, make sure you are logging in with the credentials of the doctor who referred the patient to SSE.
  3. Email settings: Your email client (Outlook, Gmail, etc.) may have a setting that groups emails from one sender into a conversation, making it harder to find each individual report. Go to your preferences or settings to change this in your email application.
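The access model these trouble spots describe (a per-doctor login, plus an emailed link that points at one specific report) is worth seeing enforced server-side. The following is an added illustration written for this post; it is not SSE's or TDO's code. It assumes a hypothetical in-memory report store, an HMAC-signed link with an expiry, and a session object that records which doctor is logged in. The point it demonstrates is that the emailed link only names a report: the server still requires a login and checks that the logged-in doctor is the one who referred the patient, which is exactly why logging in as the wrong doctor in a multi-doctor office yields no report.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (hypothetical names, not real patients or doctors):
# each report is tied to the doctor who referred the patient.
REPORTS = {
    "rpt-1001": {"patient": "Patient A", "referring_doctor": "dr_smith"},
    "rpt-1002": {"patient": "Patient B", "referring_doctor": "dr_jones"},
}

# Hypothetical server-side secret used to sign notification links; a real
# deployment would generate and store this securely, never hard-code it.
LINK_SECRET = b"constructed-demo-secret-not-for-production"
LINK_TTL_SECONDS = 7 * 24 * 3600  # a link stays usable for a week, then expires


def make_report_link(report_id: str, now: Optional[float] = None) -> str:
    """Build the link placed in the notification email.

    The link names the report and carries an expiring HMAC so a forged or
    edited link is rejected. It does not grant access on its own.
    """
    issued = int(now if now is not None else time.time())
    msg = f"{report_id}|{issued}".encode()
    tag = hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()
    # portal.example is a placeholder host, not the practice's real portal.
    return f"https://portal.example/report?id={report_id}&ts={issued}&sig={tag}"


def parse_link(link: str) -> dict:
    """Split the query string of a link into its parameters."""
    query = link.split("?", 1)[1]
    return dict(part.split("=", 1) for part in query.split("&"))


def link_is_valid(params: dict, now: Optional[float] = None) -> bool:
    """Verify the link signature (constant-time compare) and its expiry."""
    now = now if now is not None else time.time()
    try:
        issued = int(params["ts"])
    except (KeyError, ValueError):
        return False
    msg = f"{params.get('id', '')}|{issued}".encode()
    expected = hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False
    return 0 <= now - issued <= LINK_TTL_SECONDS


@dataclass
class Session:
    """The logged-in user; doctor_id is None when nobody is logged in."""
    doctor_id: Optional[str]


def open_report(link: str, session: Session,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Server-side decision for a report request. Returns (allowed, reason).

    Each denial has its own reason so the portal can log it and show a
    specific message (such as "log in as the referring doctor").
    """
    params = parse_link(link)
    if not link_is_valid(params, now):
        return False, "invalid or expired link"
    if session.doctor_id is None:
        return False, "login required"
    report = REPORTS.get(params["id"])
    if report is None:
        return False, "no such report"
    # Object-level authorization: holding the link is not enough; only the
    # doctor who referred this patient may read the report.
    if report["referring_doctor"] != session.doctor_id:
        return False, "report belongs to a different referring doctor"
    return True, f"report {params['id']} for {report['patient']}"


if __name__ == "__main__":
    link = make_report_link("rpt-1001")
    print(open_report(link, Session("dr_smith")))  # allowed
    print(open_report(link, Session("dr_jones")))  # denied: wrong doctor logged in
    print(open_report(link, Session(None)))        # denied: must log in first
    print(open_report(link.replace("rpt-1001", "rpt-1002"), Session("dr_jones")))  # denied: edited link
```

The second call is the multi-doctor-office case from the list above: the link is genuine and dr_jones is logged in, but the report was referred by dr_smith, so the server refuses it and says why.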
We are committed to making sure your patients' information is protected and that it is available to you when and where you need it. If you are having any problems accessing your reports, please contact us so we can make sure our electronic communications are working seamlessly.