A closer look at HIPAA: Part 1 -- The rules and myths

Lindy Benton
Jun 1, 2015
2015 06 01 14 37 33 930 Benton Lindy 200

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, was enacted to protect health information, increase oversight of transaction standards for the exchange of health information, and improve standards for security and privacy.

Lindy Benton is the CEO of MEA|NEA.Lindy Benton is the CEO of MEA|NEA.

Ultimately, HIPAA regulation protects "protected health information" (PHI). This information is defined as individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. The regulation applies to "covered entities," including health plans, clearinghouses, and healthcare providers who transmits any health information in electronic form.

HIPAA defines health information as any data, whether oral or recorded in any form or medium that is created or received by a provider or employer and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual.

HIPAA's rules

As background, let's take a look at some of HIPAA's various rules.

  • The HIPAA Privacy Rule is that every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now written, stored, and shared orally, electronically, and on paper, so a lot has to be done to keep these records out of the wrong hands.

  • The HIPAA Security Rule relates directly to electronic patient files and states each covered entity -- which includes dentists -- must keep them safe from any unauthorized access during transit and storage.

  • The HIPAA Breach Notification Rule requires all covered entities and business associates to give notification when a breach has occurred in relation to unsecured protected patient health information.

  • The Patient Safety Rule protects identifiable patient health information from being used to analyze and improve patient safety and events relating to patient safety.

Thus, if dentists don't comply with HIPAA rules, they will be audited and penalized.

Types of HIPAA violations

There are two types of HIPAA violation: negligent and intentional.

Examples of negligent violations include the following:

  • Disposing of sensitive information without destroying it.
  • Connecting unapproved devices like flash drives to the secure network.
  • Forgetting to log out of the electronic patient record.
  • Faxing documents containing protected health information to the wrong number in error.

The other types of violations are those that are intentional. These include the following:

  • Snooping (which is a violation of the minimum necessary standard), which dictates that protected health information should not be accessed or shared at all unless it is necessary to satisfy a particular function of care.

  • Accessing PHI of any kind and sharing it in any way unless it is necessary to satisfy a particular function of care. According to a report from American Sentinel University, some healthcare facilities take this standard so literally that they consider it grounds for dismissal if a staff member looks at their own records or that of their child.

Common HIPAA myths

The following are some of the most prevalent myths surround HIPAA, especially for smaller practices.

No one will ever check to see if I am HIPAA-compliant.
Not anymore. In the past, a covered entity was only investigated if there was a complaint. Now there is an increased focus and scrutiny on compliance. Practices will be checked.

However, there is some good news: According to a recent HIPAA survey of about 1,000 healthcare practices, many leaders are beginning to take HIPAA into consideration. Of the 66% of respondents who were unaware of HIPAA audits, 35% of respondents said their business has conducted a HIPAA-required risk analysis; 34% of owners, managers and practice administrators reported that they were "very confident" that their electronic devices that contain PHI were HIPAA-compliant; 24% of managers, owners, and practice administrators at medical practices reported that they've evaluated all of their business associate agreements; 56% of office staff and (nonowner) care providers at practices said they've received HIPAA training in the last year.

No one gets fines for HIPAA violations.
HIPAA now has teeth and violations are being punished primarily because of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The maximum penalty for HIPAA violations is now sitting at $1.5 million per incident. Penalties range from fines to employees being fired to closing an office and even potential jail time (in the event of knowingly losing 500 or more PHI records and failing to report the breach to HHS within 60 days).

Texting patient information is OK; I never lose my phone.
Each year in the U.S., 30 million mobile phones are lost or stolen. A study by IT security company Symantec found that 89% of those who found a smartphone attempted to violate the phone owner's privacy.

I don't need to be HIPAA-compliant because I have a very small practice.
A small physician's practice was issued a $100,000 fine in 2012 for not protecting health information. No matter the size of the practice, you will be held responsible for HIPAA violations.

Types of breaches

According to this page on HHS' website, the top three issues are impermissible uses and disclosures (known as a breach), safeguards, and access. The No. 1 type of breach is physical theft of the record, according to 2011 HHS data. Thus, it is important to ensure the devices used by the dental office uses, such as USB flash drives, mobile devices, and laptops, are handled with care and securely stored to prevent theft of the device and the patient information on them.

Additional breaches include unauthorized access (snooping) of the record, loss of the record, and hacking and improper disposal of the record.

In her next column, Benton will address the 10 most common HIPAA violations.

Lindy Benton is the CEO of MEA|NEA, a provider of electronic attachment, health information exchange, and secure cloud storage solutions for dental and medical practices.

The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.

Latest in Dental Practice
Man Saliva Sample
Avesis, Harmony launch pilot salivary testing
April 26, 2024
Gavel Scale Lawsuit
Ex-NBA player sentenced in multimillion-dollar dental fraud scam
April 25, 2024
Available On Demand
Sponsored
Available On Demand
April 18, 2024
Police Light
Theft of $32K-plus worth of dental ovens stumps authorities
April 24, 2024
Related Stories
2018 05 14 20 00 2144 Gallion Kenneth 20180514202524
Regulatory Updates
4 benefits of an all-in-one compliance management system
2016 12 23 12 36 51 253 Benton Lindy 400
Insurance
What to ask when looking to improve your claim processes
2015 06 01 14 37 33 930 Benton Lindy 200
Dental Practice
5 simple tips to improve your practice's processes
Available On Demand
Sponsor Content
Available On Demand
More in Dental Practice
Avesis, Harmony launch pilot salivary testing
By DrBicuspid.com staff writers
Avesis and Harmony Health have piloted a program to improve oral healthcare for underserved Medicaid populations with special needs.
April 26, 2024
Man Saliva Sample
Ex-NBA player sentenced in multimillion-dollar dental fraud scam
By Melissa Busch
An ex-NBA player was sentenced for his role in a $5 million scheme to defraud the association's dental and medical benefits plan.
April 25, 2024
Gavel Scale Lawsuit
Man arraigned for unlicensed dentistry
By DrBicuspid.com staff writers
A 53-year-old man was arraigned on April 19 for allegedly practicing dentistry without license at a business office.
April 24, 2024
Law Books Gavel
Theft of $32K-plus worth of dental ovens stumps authorities
By Melissa Busch
The theft of thousands of dollars' worth of porcelain dental ovens from a lab has left authorities baffled.
April 24, 2024
Police Light
What every dental practice must know about getting paid for oral cancer screenings
By Estela Vargas
There is no question that oral cancer screening is important for every practice, but what about the insurance side of the equation? Estela Vargas, CRDH, has some advice that can help on that front.
April 23, 2024
Estela Vargas, CRDH.
Dental appointment interrupts Trump trial
By Melissa Busch
A dental appointment delayed the New York criminal trial involving an alleged hush money scheme to quell negative stories about former President Donald Trump before the 2016 election.
April 23, 2024
Jury Chairs
U.S. jury indicts man accused of threatening to kill dental staff
By Melissa Busch
A man has been indicted for threatening to shoot the staff at a dental practice in New Mexico.
April 23, 2024
Scales Of Justice2
Dentists, doctors sue Google for 'unfair' reviews
By Karie Neeley Anderson
More than six dozen dentists and doctors in Japan filed a lawsuit on April 18 against Google claiming that the search engine posts unfair reviews and misinformation on its Google Maps navigation app.
April 22, 2024
Check Mark Stars
Synchrony partners with Adit
By DrBicuspid.com staff writers
Consumer financial services company Synchrony has partnered with dental practice management software provider Adit.
April 22, 2024
Dentist Payment Credit Card
Do's and don'ts for practice production
By Dr. Roger P. Levin
If your production per hour isn't increasing annually, your practice is at risk of decline. Dr. Roger P. Levin outlines how to boost your numbers.
April 22, 2024
Levin Practice Success Resized Image Only
How young dentists and dental assistants can work better together
By Kevin Henry
How can dental assistants help new dentists get comfortable in the practice? Matthew Nelson, a practice analyst with the California Dental Association, joined the podcast to share his ideas and explain why comfort levels matter.
April 20, 2024
Matthew Nelson
3 ways that personality assessments can benefit your dental practice
By Kevin Henry
In an era where keeping your team together is arguably more important than ever, understanding the wants, needs, and personalities of your team is critical to a practice's success.
April 20, 2024
DiSC and four personality types
Page 1 of 524
Next Page