HIPAA Audits: Why Dental Organizations Shouldn’t Ignore the Audits

By Dr. Danika Brinda, CEO, Planet HIPAA

2016 is going to be a monumental year for HIPAA compliance. The Phase 2 HIPAA audits will be starting, and increased HIPAA enforcement is a guarantee. So far in 2016, we have already seen multiple fines and enforcement actions that set the stage for the remainder of the year. For many years, HIPAA compliance has been pushed off and ignored; however, if the first two months of 2016 are any indication, now is the time to ensure your dental practice has established proper policies, procedures and practices for HIPAA compliance. Don’t get tangled up in a HIPAA audit with no confidence in your dental practice’s compliance!

It is easy to think that your practice is too small to be selected for a HIPAA audit, or that audits will focus on large, integrated health care systems. However, the findings from the pilot audits indicate that dental practices are just as much a target for a HIPAA audit as any other type of organization.

Some key findings from the HIPAA Pilot Audits are:

  • Smaller organizations tended to struggle with HIPAA compliance more than larger organizations.
  • The most common finding was that the entity was “unaware of the requirement.”
  • Of the total health care providers audited, NONE of them were 100 percent HIPAA compliant.
  • Incomplete implementation of the regulations was cited as a top finding from the audits.

We have reached the point where “I didn’t know” or “I was unaware” is no longer an acceptable reason for non-compliance. In the past year, numerous data breaches were reported to the Department of Health and Human Services, and several of the reported dental breaches each affected more than 500 individuals:

  • 2,000 individuals impacted when an unencrypted portable device was stolen from a dental provider.
  • 3,200 individuals impacted after an unencrypted server was stolen during a burglary of a dental office.
  • 7,400 individuals impacted when dental records at an off-site storage were released by the storage company to unauthorized individuals.

With proper oversight of HIPAA and appropriate physical, technical and administrative safeguards, these breaches could have been avoided. Note that in the first two cases the stolen devices were unencrypted: HHS treats protected health information that is encrypted according to its guidance as secured, so the theft of an encrypted laptop or server would not have been a reportable breach at all.

Another common finding is a false sense of security that the vendor of your practice management system or electronic health record has every aspect of HIPAA compliance covered. Even when a third party manages a system, that arrangement does not satisfy every requirement, and some functionality of your systems may not actually meet HIPAA. For example, your systems should automatically log users out after a specified period of inactivity. Your vendor may be responsible for building that functionality, but you are responsible for enabling and configuring it in your dental organization. If your software cannot automatically log out an inactive user, you may be out of compliance with HIPAA. Don’t assume that compliance is met; verify it!
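To make the automatic log-out control concrete, the following is an added example written for this article; it is not code from Planet HIPAA or from any practice-management or EHR vendor. It implements a server-side session store with an idle timeout (the control the paragraph describes) and an absolute session lifetime, plus a sweep so a workstation someone walked away from is logged out even if no further request arrives. The class names, the 15-minute and 8-hour defaults, and the FakeClock used by demo() are assumptions chosen for the illustration.

```python
"""Idle-timeout (automatic log-out) session manager.

Added illustrative code, not from the article or any vendor product. The
class names, the 15-minute idle and 8-hour absolute defaults, and FakeClock
are assumptions for the demonstration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float   # when the user logged in
    last_seen: float    # last request that used this session


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime."""

    def __init__(self, idle_timeout_s: int = 15 * 60,
                 absolute_timeout_s: int = 8 * 60 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.absolute_timeout_s = absolute_timeout_s
        self.clock = clock            # injectable so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > self.idle_timeout_s
                or now - s.created_at > self.absolute_timeout_s)

    def touch(self, token: str) -> Optional[str]:
        """Validate a session on every request: return the user and refresh
        last_seen, or return None and discard the session once expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def sweep(self) -> int:
        """Expire idle sessions server-side even when no request arrives."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock for the demonstration (assumption, not production)."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(idle_timeout_s=15 * 60, absolute_timeout_s=8 * 3600, clock=clock)

    # 1. Activity within the idle window keeps the session alive.
    tok = store.login("frontdesk")
    clock.advance(10 * 60)
    after_10_min = store.touch(tok)          # "frontdesk"
    clock.advance(10 * 60)                   # 20 min since login, 10 since last touch
    after_activity_reset = store.touch(tok)  # still "frontdesk"
    clock.advance(15 * 60 + 1)
    after_idle_timeout = store.touch(tok)    # None: logged out

    # 2. Constant activity does not extend a session past the absolute limit.
    tok2 = store.login("hygienist")
    ok_touches = 0
    for _ in range(100):                     # touch every 5 min for 8 h 20 min
        clock.advance(5 * 60)
        if store.touch(tok2) is not None:
            ok_touches += 1

    # 3. sweep() removes an idle session nobody touched again.
    store.login("billing")
    clock.advance(15 * 60 + 1)
    swept = store.sweep()

    return {"after_10_min": after_10_min,
            "after_activity_reset": after_activity_reset,
            "after_idle_timeout": after_idle_timeout,
            "absolute_ok_touches": ok_touches,   # 96
            "swept": swept,                      # 1
            "remaining": store.active_count()}   # 0


if __name__ == "__main__":
    print(demo())
```

The point to verify in your own system is the same one demo() exercises: a session that is idle longer than the configured window must be rejected on the next request, and sessions must also be expired server-side, not just hidden by a screen lock on the workstation.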

Don’t wait for a HIPAA audit to arrive at your dental practice to discover that you are out of compliance. If you are not confident in your HIPAA compliance, immediate action is needed. Compliance takes more than putting a HIPAA manual on a shelf in your dental practice. Make sure your organization takes the steps NOW to prevent a bad outcome from a HIPAA audit, or an appearance on the HIPAA “Wall of Shame” (the HHS breach portal).


Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on April 18, 2016.

5 Ways to Reduce Embezzlement Risk

By Julian Dozier, CPA, ABV, CFF, CFE, Thomas Howell Ferguson P.A. CPAs

You work hard in your practice, enjoy spending time with your patients, and do your best to manage your office staff and bookkeeping. While you’d rather be spending time on the medical side of your practice, you understand the importance of being involved in the business side of your practice. No one wants to think their employees would steal from their company, but every organization faces the risk. So, do you have a sound system of internal controls in place to mitigate the risk?

Here are five simple steps you can take to reduce your risk of employee embezzlement:

1. Conduct background checks. Your employees may have access to your financial information, bank accounts, prescription pads and expensive medical supplies. Be sure to conduct background checks before hiring any employee, and make it your policy to update those checks at least every two years for financial personnel.

2. Segregate duties. Financial tasks should be assigned so that no single employee authorizes transactions, has custody of assets and resources, records transactions and reconciles accounts. Ideally all four functions are held by different people; at a minimum, no single employee should be responsible for more than two of them. For example, an employee who can authorize payments to vendors should not be able to add vendors to the accounting system, print and sign checks, or reconcile the bank account.

3. Provide oversight. The perception that theft will be detected can be as effective as any other internal control your practice puts in place. If employees know their work is checked, and that the bank accounts are reconciled and verified, they are less likely to embezzle.

4. Know your bank account. Cash can be embezzled quickly and concealed easily when internal controls are weak, so it needs extra attention. Receive each monthly bank statement directly and unopened, and review it for unusual or unexpected activity. Ask questions. Know where your practice spends its money and who authorizes those transactions. Spotting unauthorized bank activity quickly is critical to minimizing your risk of embezzlement.

5. Get outside help. Find a local certified public accountant (CPA) to conduct periodic checkups at your practice. Your CPA can help you design internal controls, implement best practices and conduct random checks to see that your employees are following approved policies and procedures.
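The segregation-of-duties rule in step 2 is the same kind of check an identity-governance tool runs over role assignments. The following is an added example written for this article, not code from the author or from any accounting product: it maps accounting-system roles to the four financial functions, then flags anyone who holds more than two of them or who combines payment authorization with adding vendors, signing checks, or reconciling the bank account. The role names, the role-to-function mapping and the sample roster are constructed for the illustration.

```python
"""Segregation-of-duties check over accounting-system role assignments.

Added illustrative code, not from the article or any accounting product.
The role names, role-to-function mapping and sample roster are assumptions.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# The four functions the article says to keep apart.
FUNCTIONS = ("authorize", "custody", "record", "reconcile")

# Assumed mapping from system roles to the financial function each grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "payment_approver": {"authorize"},   # approve payments to vendors
    "vendor_master":    {"record"},      # add or edit vendors in the ledger
    "check_signer":     {"custody"},     # print and sign checks
    "bookkeeper":       {"record"},      # post transactions
    "bank_reconciler":  {"reconcile"},   # reconcile bank statements
}

# Rule 1: no one holds more than two of the four functions.
MAX_FUNCTIONS_PER_PERSON = 2

# Rule 2 (the article's example): whoever authorizes payments may not also
# add vendors, sign checks, or reconcile the bank account.
CONFLICT_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"authorize", other}) for other in ("record", "custody", "reconcile")
}


def functions_held(roles: List[str]) -> Set[str]:
    """Union of the financial functions granted by a person's roles.
    Roles not in the mapping grant no financial function and are ignored."""
    held: Set[str] = set()
    for role in roles:
        held |= ROLE_FUNCTIONS.get(role, set())
    return held


def sod_findings(assignments: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (person, reason) for every segregation-of-duties violation."""
    findings: List[Tuple[str, str]] = []
    for person, roles in assignments.items():
        held = functions_held(roles)
        if len(held) > MAX_FUNCTIONS_PER_PERSON:
            findings.append((person, f"holds {len(held)} functions: {sorted(held)}"))
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in CONFLICT_PAIRS:
                findings.append((person, f"conflicting pair: {a} + {b}"))
    return findings


# Constructed roster for the demonstration.
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["payment_approver", "vendor_master"],             # authorize + record
    "bob":   ["check_signer", "bookkeeper", "bank_reconciler"],  # three functions
    "carol": ["bookkeeper"],                                     # fine
}


def demo() -> List[Tuple[str, str]]:
    return sod_findings(SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    for person, reason in demo():
        print(f"{person}: {reason}")
```

Running the check against a real export of who holds which roles in your accounting and banking systems is a quick way to turn step 2 from a policy statement into something you can verify, and re-running it whenever staff or roles change keeps the oversight in step 3 visible.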

Julian Dozier is a CPA with the accounting firm Thomas Howell Ferguson P.A. He specializes in forensic audits and litigation support related to for-profit and governmental enterprises. His certifications and designations include Certified Fraud Examiner (CFE) and Certified in Financial Forensics (CFF). For more information, please visit www.thf-cpa.com/what-we-do.