48% of breaches are reported for theft or loss of a computer/ device containing PHI.
24% of breaches are reported for theft or loss of paper information
16% of breaches are reported for Hacking / IT incident
11% of breaches are reported for unauthorized access of users.
HIPPA Compliance Check List:
Must have on file:
1) HIPPA Privacy Policy and Procedures Manual (Including Training)
2) HIPPA Risk Assessment (Current)
Omnibus Rule (2013)
Business Associate Agreement
The Business Associate is now directly liable for certain privacy and security rule violations.
Common Business Associates:
1) IT Providers
2) Billing Companies
3) Hosted Software Providers which contain Protected Health Information (PHI)
4) Electronic Fax Services
5) Email Providers which Transmit PHI
HIPPA Breach Notification Rule
Requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.
Required annual HIPPA Self-Audits
Compliance Officer, Dental Security Risk Assessment, Dental Security Risk Assessment, Privacy Assessment, HITECH Subtitle D Audit, Asset and Device Audit, Physical Site Audit, and updated list of Business Associates w/ Signed Privacy Agreements (Must have a signed business associate agreement).
Note: Emails must be encrypted/ locked.
“First, Build Your Dental Practice Disaster Recovery Plan to be prepared for Natural Disasters or Security Breaches.”
Additional questions to consider:
Have you utilized the self-audits to identify gaps?
Have you documented the gaps identified by the self-audits?
Have you created remediation plans that address the identified gaps?
Are remediation plans documented in writing?
Are your remediation plans reviewed and updated annually?
Are your remediation plans retained in your records for six years?
Have all employees completed their annual HIPAA training?
Is there documentation proving that all of your employees received training?
Do you have a designated HIPAA Compliance, Privacy, and/or Security Officer?
Do you have Policies and Procedures that directly apply to your business practices and incorporate HIPAA Privacy, Security, and Breach Notification Rules?
Have all employees legally attested to your organization’s Policies and Procedures?
Do you have the documentation that proves their legal attestation?
Do you have documentation for annual reviews of your Policies and Procedures?
Have you identified all of your Business Associates and vendors?
Do you have signed Business Associate Agreements with all of your Business Associates?
Have you done your technical due diligence by assessing your Business Associates’ HIPAA compliance?
Are you reviewing and tracking your Business Associate Agreements annually?
Do you have Confidentiality Agreements in place with your vendors that are not Business Associates?
Do you have an incident response plan and clearly defined process for breaches?
Do you have the ability to track and manage the investigations of all incidents?
Are you able to provide the required reporting of minor or meaningful breaches or incidents?
Do your staff members have the ability to anonymously report an incident?
Don't forget to include this phrase on all "in-house" created forms:
"I understand the importance of keeping all patients protected health information private. I will not share or distribute patient information. I understand that sharing patients PHI is grounds for termination"
Employee Signature: ____________________________
Date: _______________________________
Ashleigh Dental Marketing offers Solutions for Dental and HIPPA Compliance.
We can assist you in self auditing your employee records, training, compliance documentation, and OHSA and HIPPA Compliance.
Comments