ADA Website Accessibility Compliance: How to Protect Your Practice

By Officite

“ADA compliant” websites have become a hot topic of discussion lately. You’ve likely heard of the issue by now, but perhaps you’re not entirely sure what it means for your practice. Is it really true that a few simple mistakes can land you in legal hot water? In this short guide, we’ll explain the basics of how the ADA pertains to websites so that you can take the appropriate steps to provide the best care to your patients, and to protect your practice from unnecessary litigation.

This is by no means a comprehensive guide, nor is it meant to provide legal advice. If you find yourself facing an ADA-related claim, you should consult an attorney. Nevertheless, by the time you’ve finished reading this, we hope to reduce some of the fear and misinformation swirling around the issue. First, let’s cover the basics.

What is the ADA?

The Americans with Disabilities Act (ADA, sometimes AwDA) is a federal law passed in 1990 that aims to protect the rights of disabled people to ensure they are not discriminated against due to their disability. This is the same law that requires real-world public locations (referred to by the ADA as “places of public accommodation”) to be accessible to disabled patrons by offering accommodations such as wheelchair ramps and handicapped parking. The law is well-intentioned, and largely effective at improving the lives of disabled people. Unfortunately, however, the law did not account for the growing dependence on the internet, and did not provide specific language to cover any differences or similarities between physical locations and websites.

What do the Recent ADA Lawsuits Claim?

Until recently, many of these lawsuits had been in relation to actual physical locations. But over the past year or so, some dentists have received letters from lawyers claiming that their websites do not comply with The Americans with Disabilities Act, and thus have not provided the necessary accommodations for their clients. These letters often threaten legal action unless the practice agrees to pay an amount of money to settle the dispute outside of court. In order to prevent a potentially long and costly legal battle, many of these dentists have agreed to the settlement.

What Does It Mean to Be “ADA Compliant”?

If you take only one thing away from this guide, it should be this: as of today, there is no legal definition for an “ADA compliant” website. The current ADA regulations, which are enforced by the Department of Justice (DOJ), do not specifically mention websites and their accessibility requirements. The DOJ has stated that official regulations for website accessibility will not be released until at least Spring 2018. Until that point, all we have to work with are suggested guidelines, not hard-and-fast requirements.

Although there is no specific language (as of the date of this publication) within The Americans with Disabilities Act regarding website requirements, it can be argued that the language of the law implies that websites are places of public accommodation. Because of this lack of specificity, different state courts have different views, which range as follows:

  • Websites are not required to be accessible to people with disabilities.
  • Only websites that have a connection to an actual brick and mortar location must be accessible to people with disabilities.
  • All websites must be accessible to people with disabilities.

Immediate Steps to Take

If you are a current client of Officite, then your website meets the current suggested ADA accessibility guidelines. In addition, Officite will keep all of its clients’ websites updated to meet these guidelines without any action required by its clients.

If your website is not hosted by Officite, you should take a moment to familiarize yourself with the basics of website accessibility. The DOJ has suggested the WCAG 2.0’s ‘Level AA Success Criteria’ as the best accessibility standards to follow. Again, these are suggested guidelines; they are not currently laws. Nevertheless, this checklist is a good place to start. If you can check every box of the Level AA Success Criteria, you are in the best position to defend your website from any “non-compliant” complaints you may receive.

Next, it’s a good idea to run your current website through an automatic evaluation tool that will help to reveal some of the most common potential accessibility problems.

Further Complications

Even if you have checked your website against the suggested ADA website accessibility guidelines and run the automatic evaluation tool, if you or your office staff add or modify content on your website, regardless of whether it is written or visual, it is difficult to guarantee that these changes fall within the suggested ADA website accessibility guidelines. If you do make changes to your website, it is best to use a website hosting company that meets the suggested ADA website accessibility guidelines and have their customer service team make the changes for you.

Additional Information

For health care practices that do not currently host their websites with Officite, Officite provides a complimentary ADA accessibility review to help gauge where your website stands in relation to the currently suggested ADA accessibility guidelines. To get this free evaluation, please call 888-700-3971 between the hours of 8 a.m.–5 p.m. Central Time, M-F or visit www.OfficiteFreeADAReview.com to schedule an appointment.

As the leader in website hosting and web presence solutions for healthcare practices, it is Officite’s goal to help all health care practices prosper and remain equipped for success in the future. Please feel free to share this FAQ document in its entirety. You also may direct additional questions to Officite’s team of Web Presence Advisors who can be reached at 888-700-3971.

 

This article was originally posted on Officite’s blog on July 19, 2017.

Could Your Practice’s Website Reveal Your HIPAA Non-compliance?

By Dr. Danika Brinda, CEO, Planet HIPAA

Did you know that your practice’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look around your website could reveal to a HIPAA auditor that your practice is struggling with HIPAA compliance. Wondering what I am referring to? It’s the Notice of Privacy Practices! The regulations state that your practice must ensure that the most current version of your Notice of Privacy Practices is posted on the practice’s website (if one exists). Here is the specific language from the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head on out to your website (or another practice’s). Try and find the Notice of Privacy Practices. Were you successful or did you find something that is called Privacy Policy? If you look through the Privacy Policy, most of the time the language is something specific to the privacy policy of the website and not the Notice of Privacy Practices. Keep searching for the Notice of Privacy Practices. If you are unsuccessful at finding it, the basic elements of the regulations are not met. If you found the Notice of Privacy Practices – great work! You are compliant, right? NOT NECESSARILY!

Even with your Notice of Privacy Practices posted on your website, you must make sure that the document is your most current version and matches the one available in your office. You also must make sure it meets all the requirements that were defined in the 2013 HIPAA Privacy Regulations and the 2013 HIPAA Omnibus Rule. If any of the following three statements are true, your website revealed that you are out of compliance with HIPAA:

  1. Your Notice of Privacy Practices was not posted on your website.
  2. Your Notice of Privacy Practices was dated prior to Sept. 23, 2013.
  3. The Notice of Privacy Practices on your website isn’t the most up-to-date copy.

If you think the auditors will not be looking on your website to make sure your Notice of Privacy Practices is posted, think again. In the OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements, it states the covered entity must “upload the URL for the entity’s website and the URL for the posting of the entity’s notice.” In fact, the instructions for the HIPAA auditors state that they must:

“Determine whether the entity maintains a website. If so, observe the website to determine if the Notice of Privacy Practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

Not only does it have to be posted on your website, but it must be in a location that is easy to find with an easy description!

The Notice of Privacy Practices is not a difficult area of the HIPAA regulations to comply with; however, it is a common area of non-compliance. To be compliant with this regulation, the following four items should be established:

  • Notice of Privacy Practices
  • Notice of Privacy Practices Policy and Procedure
  • Acknowledgment Form of the Notice of Privacy Practices
  • Making the notice available on the practice’s website

The elements that must appear in the Notice of Privacy Practices are defined in the regulations. More information can be found here.

 

Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on Sept. 5, 2016.

HIPAA Audits: Why Dental Organizations Shouldn’t Ignore the Audits

By Dr. Danika Brinda, CEO, Planet HIPAA

2016 is going to be a monumental year for HIPAA compliance. The Phase 2 HIPAA audits will be starting, and increased HIPAA enforcement is a guarantee. So far in 2016, we have seen multiple fines and HIPAA enforcement actions that are setting the stage for the remainder of 2016. For many years, HIPAA compliance has been pushed off and ignored; however, if the first two months of 2016 are telling the story, now is the time to ensure your dental practice has established proper policies, procedures and practices for HIPAA compliance. Don’t get tangled up in a HIPAA audit with no confidence in your dental practice’s compliance with HIPAA!

It is easy to think that your practice is too small to get selected for a HIPAA audit or that audits will focus on large, integrated health care systems. However, the findings from the pilot audits indicate that dental practices are just as desirable for a HIPAA audit as any other type of organization.

Some key findings from the HIPAA Pilot Audits are:

  • Smaller organizations tended to struggle with HIPAA compliance more than larger organizations.
  • The most common finding was that the entity was “unaware of the requirement.”
  • Of the total health care providers audited, NONE of them were 100 percent HIPAA compliant.
  • Incomplete implementation of the regulations was cited as a top finding from the audits.

We are at a stage with HIPAA compliance where “I didn’t know” or “I was unaware” is no longer going to be an acceptable reason for non-compliance. In the past year, numerous data breaches were reported to the Department of Health and Human Services. In some of the dental data breaches reported, more than 500 individuals were impacted!

  • 2,000 individuals impacted when an unencrypted portable device was stolen from a dental provider.
  • 3,200 individuals impacted after an unencrypted server was stolen during a burglary of a dental office.
  • 7,400 individuals impacted when dental records at an off-site storage were released by the storage company to unauthorized individuals.

With proper oversight of HIPAA and appropriate physical, technical and administrative safeguards, these data breaches could have been avoided.

Another common finding is a false sense of security that the vendor of your practice management system or electronic health record has all aspects of HIPAA compliance covered. Even when a third-party solution manages a system, not all aspects of HIPAA compliance are met. Additionally, you may find that some functionality of your systems does not actually meet HIPAA compliance. For example, your systems should be able to automatically log out after a specified time of inactivity. Your vendor may be the group responsible for creating the functionality, but you are responsible for the implementation in your dental organization. If your software system doesn’t have the functionality to automatically log out of the system with inactivity, you may be out of compliance with HIPAA. Don’t assume that compliance is met: verify it!

Don’t wait until a HIPAA audit comes to your dental practice to know that you are out of compliance. Immediate action is needed if you are not confident in your HIPAA compliance. HIPAA takes more than just putting a HIPAA manual on the shelf in your dental practice. Make sure your organization takes the steps NOW and prevents a bad outcome from a HIPAA audit or showing up on the HIPAA Wall of Shame.

 


This article was first published on Planet HIPAA on April 18, 2016.