Despite the fact that many dental clinics are self-contained centers, the HIPAA rules for dentists apply to any dental services that may issue claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests digitally.
If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business associate – who has access to individually identifiable health information – the HIPAA regulations for dentists are applicable and must be complied with.
In addition, policies must be formulated to advise dental office staff on procedures for the use, disclosure and safeguarding of the PHI – not only to patients and co-workers, but also to business associates and third-party service suppliers.
What are the HIPAA Rules Regarding for Dental Centers?
The HIPAA Rule for Dental centers includes the Privacy Rule (2003), Security Rule (2005) and Breach Notification Rule (2009). Dentists and Dental Offices should also ensure they are knowledgeable of any relevant amendments to these Rules enacted in the HITECH Act (2009) and Final Omnibus Rule (2013). The key elements of the HIPAA Privacy Rule for dentists are:
- The personal identifiers thought to be Protected Health Information.
- The allowable uses and disclosures of Protected Health Information.
- Security measures to implement to protect the privacy of patient health data.
- A briefing on the Minimum Information Necessary rule.
- Restrictions on using Protected Health Information for marketing campaigns.
- Patient access to medical data and notice of privacy practices.
Dentists and the HIPAA Security Rule
The HIPAA Security Rule is mainly composed of three sets of “requirements” – technical requirements, physical requirements and administrative requirements. The technical requirements relate to how patient data should be transmitted electronically (for example email is not permitted, nor is SMS or Skype). The technical requirements also refer to the processes and controls that have to be adapted in order to protect PHI when it is at rest or in transit.
The physical HIPAA regulations for dental centers concern the security of computer systems and the setting in which the computer systems are located. Responsibilities included in the physical HIPAA regulations for dental centers include implementing a faculty plan and a back up plan in the event of an emergency, and putting place validation procedures to restrict physical access to PHI held on the computer systems.
The administrative HIPAA rules for dentists demand that system administrators are charged with selecting and put in place a compliant communications system. Administrators are also in charge of developing “best practice” policies, training dental office staff on the use of the compliant communication system, and for reviewing activity on the system. Administrators are also charged with ensuring HIPAA compliance by Business Associates.
HIPAA Security Rule Solution
Though adhering to the Business Associate, privacy and breach notification HIPAA requirements for dental offices can be achieved without too many problems, complying with the HIPAA Security Rule can present an obstacle for many dental offices. A solution to the HIPAA Security Rule is to put in place a system of secure messaging.
Different to email, SMS or Skype, secure messaging is completed within a private network only accessible by authorized individuals. The authorized users can access patient information and sent it to other authorized users only after they log in to secure messaging apps which demand user authentication via unique centrally-issued credentials.
All patient information is encrypted while stationary and in transit, so it is perfectly secured to send text messages, share images or carry out video calls over public Wi-Fi services via a mobile device. The secure messaging apps can also be downloaded to desktop computers, and a time-out feature automatically logs users out of the network when a computer or mobile device is inactive, to stop unauthorized access to patient data.
Along with safeguards that stop patient data being downloaded to an external hard drive, copied and pasted or forward external to the dental practice´s private network, the messaging platform through which all communications travel monitors activity on the network. Administrators can ensure that secure messaging policies are being complied with, or PIN-lock an app if the device it is added to onto is lost, stolen or replaced.
Additional Advantages to Secure Messaging
Secure messaging solutions were first formulated to allow HIPAA covered bodies to comply with the industry regulations for privacy and security. However, a series of efficiency-improving and cost-minimizing benefits have resulted from the implementation of secure messaging solutions – many of which will be applicable in a dental office setting:
- Dentists and dental office staff can receive secure messages on any desktop computer or mobile device – allowing them to access patient data “on-the-go”.
- Pictures and documents can be attached to secure messages, which can then be sent among dentists if collaboration is needed on the treatment of a patient.
- Secure messages can also be used in cases where a patient cannot visit a dental office and their condition can be diagnosed at home or in another medical location.
- Time consuming phone tag and the requirement for follow-up calls is greatly reduced due to automatically-produced delivery alerts and read receipts.
- When the secure messaging solution is combined with an EHR, authorized personnel can load patient notes straight onto the system from a mobile device.
These features and advantages ensure that secure messages are sent to the correct recipient, lessen the time and money that may be wasted between broadcasting messages and receiving responses, and protect the integrity of patient information in compliance with the HIPAA rules for dentists.
HIPAA Rules for Dentists: Are You Adhering?
Secure messaging solutions are not hard to put in place. As all communications and access to patient information goes through a cloud-based “Software-as-a-Service” system, there is no extra hardware to buy and no need to employ the services of an IT specialist to set up complicated software.
The secure messaging apps have a text-like system like commercially available messaging apps, so little staff training will be needed before the solution is up and running and the HIPAA regulations for dental offices are being adhered with.
Naturally, secure messaging solutions only address the requirements under the HIPAA Security Rule. Dental centres will have to research and implement other security before they are in full compliance with the HIPAA rules for dentists.