Six HIPAA dental best practices that will keep your business compliant
As a dental office manager, you have seen these papers a hundred times. Whenever a new patient arrives, you hand them the HIPAA consent forms, then ten minutes later they hand them back signed. Maybe they skimmed the page, maybe they didn’t. Those signatures, however, are vital for most of the administrative tasks you perform. But do you know what responsibilities are yours under HIPAA? Dental office managers should understand HIPAA inside and out.
HIPAA stands for Health Insurance Portability and Accountability Act. It was passed in 1996 and amended a few times since then. It has two functions:
- regulate the availability and scope of group health plans
- prevent healthcare fraud and abuse
For the purpose of this post, we’re only going to focus on the second function, a few of the rules it lays out, and a few simple ways you can adhere to them.
HIPAA dental best practices on privacy
The Privacy Rule is the most important part of HIPAA for dental office managers to know. It dictates the disclosure terms of Protected Health Information (PHI). For example, you may disclose PHI when submitting a billing statement to an insurance company so that they know what to pay. Apart from the few exceptions that HIPAA makes for disclosure of PHI, you have a responsibility as an office manager to disclose as little confidential information as possible while still retaining the ability to do your job.
Make sure that your computer screen faces away from the waiting area. To further protect the information, order a privacy screen that you can attach to the front of your monitor, which prevents people on your peripheries from glimpsing sensitive information.
When sending sensitive information over the internet, make sure your office adheres to HIPAA standards for electronic transmissions, which you can find on the HHS website. Most importantly, don’t send information electronically that isn’t necessary for payment or treatment.
Dental offices are one of the few places where paper documents still exist in abundance. It’s crucial that those documents are secure at all times. When you have patient records on your desk, keep them covered except for the parts you need to see. When you’re finished, even if it’s only for a moment, close the file containing patient information. If you have to leave your desk, return the file to the filing cabinet and lock the drawer.
In that same vein, all drawers containing PHI should be locked at all times. It’s easy to get in the habit of unlocking drawers when you arrive in the morning and locking them again at night, but this leaves protected information susceptible to eyes that may not have the authorization to see it. It may take more time, but this is one thing that’s worth doing the right way, not the fast way.
HIPAA covers the oral transmission of PHI as well. Especially in small, quiet offices, be mindful of your volume as well as who’s around when you speak. Even something as seemingly insignificant as a patient birthday is protected information and must be kept confidential during transmission. If that means getting up and going across the room to speak to someone, so be it.
This goes double for phone conversations. Most of us don’t realize how loudly we speak when we’re on the phone. If you think you’re using your “indoor voice,” speak just a little bit quieter. The person on the other end will let you know if they can’t hear you.
HIPAA dental best practices on security
The Security Rule is essentially an extension of the Privacy Rule, but it only applies to electronic PHI. It covers three areas of safeguard: administrative, physical, and technical. Much of this rule’s burden will fall on whoever is responsible for your IT, but there are a few things you should practice to stay in compliance with this rule.
From an organizational standpoint, make sure that you’ve been thorough and complete with any electronic records. Along with HIPAA come regular audits, and you maintain a lot of the information that will be examined.
You should also know who is allowed to have access to what information. While a receptionist may be allowed access to certain PHI, custodial staff shouldn’t have access to any. Familiarize yourself with the people in your office who are authorized to view PHI.
The physical safeguard is primarily IT’s responsibility, as it deals with keeping equipment containing PHI physically secure. The piece that remains your responsibility is ensuring that no unauthorized individuals have access to your electronic equipment. Lock your computer when you leave your desk. Turn it off when you go home. If you use a laptop, make sure it’s locked to your desk.
The technical safeguard also falls almost entirely on IT, as it deals with encryption of data, securing networks, etc. The one thing that’s worth reiterating here is not to use your personal e-mail or any file sharing programs on a computer containing PHI. If file sharing is an absolute necessity for a job function, make sure that the program complies with HIPAA’s standards for electronic transmissions.
The list goes on
HIPAA contains many regulations, exceptions, and challenging language that’s difficult even for some experts to interpret. The information above by no means covers all the functions or provisions of HIPAA, but if you adhere to these few suggestions as an office manager, you—and the information you’re obligated to protect—should be safe. More information is available on HHS.gov.
Are you a dental office manager or professional who works within the rules and regulations of HIPAA? What tools have you used, or practices have you developed, to stay compliant?