How well do you stack up against other dental professionals with your HIPAA knowledge?
Take this quiz with the 10 HIPAA questions most dental professionals get wrong! We’ll give you a scenario. Decide whether the situation describes a HIPAA-compliant action or event and why. When you have your answer, click the toggle arrow next to the question to see if you’re right.
Are you ready to test your knowledge? Go!
10 HIPAA Questions Most Dental Professionals Get Wrong
1. A patient asks for his dental records. You give the records to him, don’t charge for them, and he is happy. The next week, he asks your colleague for a copy of his records. She gives them to him, but they are not exactly the same records you gave him.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
This is a violation because you need to have a standard of what you give each patient. Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity
2. You need to refer your patient to a specialist, but you tell the patient you can’t without written permission from the patient.
Are you following HIPAA guidelines?
You’re not following HIPAA guidelines.
The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
3. Something breaks every time you do a Windows update, so you turn off updates and leave it to your IT person to handle.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
The HIPAA Security Rule requires that all Covered Entities must perform “periodic security updates” and have “procedures for guarding against, detecting and reporting malicious software.” Unless this is documented in your practice, it never existed.
4. Patient “John Smith” jots his full name on the sign-in sheet at the front desk and takes a seat. When it’s time to take him back, you call out the name “John” and two men stand up. You all laugh and you clarify you’re looking for John Smith.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
Covered entities, such as dental offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. Full names are not limited.
5. We know we must have backups to stay compliant, so we back up to the cloud at night.
Is your backup enough to ensure HIPAA compliance? If not, what are you missing?
You are not HIPAA compliant.
It is not enough just to have a backup. §164.308(a)(7)(ii)(B) states that you must obtain and review documentation related to a disaster recovery plan. You must review and determine whether appropriate procedures for restoring any lost data have been incorporated into the disaster recovery plan.
6. Your patient sent a standard email request for his records, so you hit “reply” and sent them back.
Is this a HIPAA violation? If so, what guideline was not followed?
The Security Rule does not expressly prohibit the use of email for sending e-PHI. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected and documented. Is the internet adequately protected? Unfortunately, email providers’ accounts are hacked all the time.
7. We know we must train all our staff on HIPAA, but because there is no time frame listed, we leave it up to the staff.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
HIPAA requires organizations to provide training for all employees, new workforce members, and periodic refresher training. However, most organizations train all employees on HIPAA annually. This is considered to be a best practice. You must have documentation of each employee’s HIPAA Privacy and Security training.
8. We don’t have a documented designated HIPAA Privacy and Security Officer; everyone in our office knows the office manager handles HIPAA.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
The HIPAA Security Rule mandates that every practice or health care organization that creates, stores, or transmits ePHI must designate a privacy compliance officer, regardless of its size, and document that designation.
9. Our IT provider does not need a Business Associate Contract because they are merely acting as a conduit for protected health information, for example, similar to the way the US Postal Service, certain private couriers, and their electronic equivalents work.
Is this a HIPAA violation? If so, what guideline was not followed?
This is a HIPAA violation.
According to https://www.hhs.gov/, a “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. So, by definition, your IT provider is a business associate.
10. We “certify” our organization’s compliance with the standards of the Security Rule, so that we cannot be fined or have a HIPAA violation.
Is your practice adequately protected? Why or why not?
You’re not protected.
There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements.
According to the U.S. Department of Health and Human Services, Office for Civil Rights, the Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI. It doesn’t cost any more to increase protections above and beyond HIPAA through a program.
Get a Free HIPAA Assessment
HIPAA is a journey, not a destination. When you set a GPS for a long trip, what would happen if you never made any course corrections? Let us be your GPS. Email me at john@dentalhipaait.com for more information or request a free HIPAA Assessment for your practice.