All-Star Dental Academy Lead Mastery Coach Eric Vickery is joined by Danielle McKinley of PCIHIPAA. They discuss HIPAA, vulnerabilities, and the benefits of simplifying HIPAA, PCI, and OSHA compliance for their dental practice.

They discussed:

• Compliance changes practices should know about
• What’s a risk assessment?
• What are the most common HIPAA violations?
• How do practices get hit with penalties?
• What’s a Business Associate Agreement?
• What’s one thing a practice can do today to improve their compliance status?
• What are two common myths about compliance?
• How do I train someone in HIPAA? 
• How can you turn compliance into savings?
• What’s the number one thing a practice can do to prepare for an incident?

HIPAA and Your Practice

HIPAA was passed to make sure that the patient’s information is not shared with a third party without the patient’s knowledge and consent. In case it happens the responsible party will be subject to a penalty.

Even if a practice does not do something like that intentionally, a patient’s sensitive information can still be compromised. This can happen through human error or things like malware. To prevent damage in such a case risk mitigation is important.

The good news is that there is no need for you to overwhelm yourself with the burden of keeping up with the HIPAA compliance requirements. There are people who will do that for you. All you need to do is understand a few simple things and bring them into practice.

We want to make your lives easier and simpler. And that is why we are sharing the key takeaways from the discussion in this article.

What are the regulations I need to be aware of?

The regulations around the Protected Health Information (PHI) of the patients are updated regularly. And it can be difficult to keep up with them. Danielle suggests that the best way to know where to start from is to take the annual risk assessment. It is a simple questionnaire that can help you understand your compliance status.

The most recent changes in regulations were made considering the rise of practices like teledentistry. Health and Human Services (HSS) have concentrated their focus on access control policies. Access Control Policies are a high-level requirement to specify how access to information is managed. They also specify the circumstances under which someone can get access. The best way to stay updated is risk assessment and joining hands with someone who is an expert in the field.

What is a risk assessment?

A risk assessment test can be undertaken on the HSS.gov website in the form of a questionnaire. The risk assessment test asks about all the compliance requirements of your practice. It then issues a twenty-page report detailing your score. It also highlights the faults in your current compliance standard and suggests improvements.

Common compliance violations are small-scale infringements caused by human error. This includes confusing the names of the patients and sharing private information with the wrong person. The practice must notify both patients of the mix-up and infringement of personal information. These scenarios are most often handled by an investigation and rarely taken to the media. These investigations task themselves with identifying the practice’s failures in compliance. The task is to see whether the responsible staff (or all staff) were trained in HIPAA standards.

The larger cases of compliance violations come from ransomware and malware. Sometimes they are spread through a creator’s target audience, for example, the newsletter of a practitioner. Masquerading under an email or username, they encourage readers to open links with malware inside. This results in corrupting the entire system and putting all the data inside at risk.

The penalties can range from $10,000 to $1,500,000. A business was hit with a $120,000 penalty for not having a business associate agreement. The amount that a practice will be penalized for doesn’t only depend on the scale of the infringement. It also depends on which representative of the HSS is handling the matter. This is so because the laws are quite gray.

What is a business associate agreement, what does it mean for my practice?

A business associate is different from a business partner. It’s a vendor that your practice works with that has access to patient health information. This information is anything from a patient’s full name to their billing account.

The purpose of business associate agreements is to protect the practice and its clients. If the third-party vendor makes a mistake, whether by human error or otherwise, that exposes the client or the practice, it is the business associate’s responsibility and not the practice itself.

Although it may seem that a business associate is being proactive by having their agreement and offering it to practice. However, to benefit from the protection of a business associate agreement, the practice must have its version of the document, and it must be the sender of the agreement. Only then is the practice truly protected.

What purpose do business associate agreements have coming from the third-party vendor?

Business associates have almost identical compliance responsibilities as a covered entity. Therefore, they are fulfilling their responsibilities as a business associate. The only difference is the legal language used in their version of the agreement.

What are some common misunderstandings or falsely held beliefs related to the subject?

Laboratories don’t require business associate agreements anymore. Since the law changed some years ago, laboratories have become covered entities under HIPAA.

Even if a practice has undergone annual training, it doesn’t tick all the boxes of mandatory training requirements.

How do I prove that my practice is compliant with mandatory HIPAA training requirements?

To prove that your practice’s training is wholly understanding and compliant with HIPAA, you must:

1. Reproduce all current training material to ensure that it is correct and up-to-date.
2. Show accountability through documentation. Ensure that all HIPAA training comes with a certificate of learning.
3. For the practice’s protection, the team must sign two acknowledgment forms. The first form should be an acknowledgment that the team has received access to updated policies and procedures. And the second should acknowledge that they have received relevant training, and are willing to do what is required of them to protect patient data.

While this seems very linear and simple, there is still one particular risk that practices must be aware of – training new hires.

A common mistake is waiting to get the new hire certified during annual training. If in the time between being hired and the annual training, the newbie makes an error that leads to an investigation, the practice will be penalized for being incapable of proving that the new employee has been trained.

So, how do I train someone in HIPAA?

Doing in-house training is not enough to qualify for the HIPAA Safe Harbor bill. To qualify for protection under the bill, a certified party must be conducting your training.

The HIPAA Safe Harbor bill requires the HSS to consider whether organizations have recognized cybersecurity practices in place when investigating a data breach. And, if so, to be lenient in issuing fines or enforcement action toward the practice.

So long as your practice can prove that it has been meeting the compliance requirements for the past 12 months, should you be hit by ransomware, the fines will be drastically reduced.

Therefore, it’s recommended that even if you are only training one new hire, you have them trained one on one by a certified party. PCIHIPAA, Danielle’s compliance program, offers certified compliance training. And it also offers real-time access to all the training material.

All-Star Dental Academy’s training portals are all available online. And they guarantee you instant access to training information at any point you need it.

How does being compliant help me save money?

The importance of compliance is recognized widely. Everyone is aware that there is, at the very least, a minimum standard to which a professional entity must hold itself when it comes to data privacy. However, it becomes increasingly difficult to gauge whether you are adequately compliant if you have multiple compliance solutions in a variety of different areas.

Having a minimum standard does not guarantee that your business is safe. It’s more convenient to find a compliance solution that covers all the areas you need, rather than spending on individual solutions for individual cases. It also increases your practice’s safety by having the same compliance level in every area.

Some compliance programs come with additional financial protection should you fall under investigation. In Danielle’s words, “being compliant doesn’t make you bulletproof, it makes you prepared.”

What is the best way a practice can prevent penalties?

“Assessment, get a complete solution in place, and be prepared for an incident.”

First things first, an assessment will help you understand where you currently stand concerning compliance. The next step is implementation. Having a complete compliance solution in place will help you in becoming completely compliant. Instead of outsourcing compliance duties to different vendors, find a one-stop solution. This will not only save you money but will also spare you much hassle. The final thing that you can do to keep yourself from getting into trouble is to always be prepared for trouble. By having all your documents in place and by making sure that you are following all the rules, you will be making yourself prepared for adversity. In case an incident happens you will have every tool at your disposal to prevent penalties and to protect your reputation.

About Danielle McKinley:

Danielle (also known as The HIPAA Chick) is a wife, mom, friend, and positive energy enthusiast. Gratitude is her attitude. She’s worked in risk mitigation for 12 years and consulted thousands of practices. She helps medical providers spend more time treating patients, enjoying hobbies, and spending time with family and friends by simplifying HIPAA, PCI, and OSHA Compliance for their business. Her passion is helping Doctors, Dentists, and Business Associates understand how to get compliant, and how to protect themselves from a compliance incident with minimal time and resources. She’s found a way to have fun with compliance! She’s here to connect and help. www.pcihipaa.com/danielle, dmckinley@pcihipaa.com, Direct phone number 480-343-3034

Social Media: Instagram @thehipaachick, LinkedIn: https://www.linkedin.com/in/danielle-m13, Facebook: @HIPAAChick

About Eric Vickery:

Eric holds a degree in business administration and brings a strong business and systems approach to his consulting. His initiation into the field of dentistry was in the area of office management. He managed dental practices for over ten years and has been consulting over 250 offices nationwide since 2001.

There are two main delivery systems that he utilizes, that of monthly coaching as well as virtual or on-site seminars. Through his coaching, Eric has helped improve offices with his practice monitoring systems. He is an expert on case acceptance, verbal skills and the DISC personality profile. He has a passion for stopping cancellations, handling patient objections and asking patients for referrals/reviews. Further, he has vast expertise in financial arrangements, third party financing and eliminating dependence on insurance.