Top 6 Ways to be Prepared for a HIPAA Audit

By Abyde

Let’s be real — there are probably a few things in life we all have an “Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits, yet HIPAA investigations are becoming more common than you might think.

While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints — none of which a dental practice is immune to.

Proactively preparing for anything that might be thrown your way is imperative if your practice is to handle a HIPAA audit without the consequence of a hefty violation. Here are the top six things you should have in place before a breach, complaint or audit investigation occurs:

1. Security Risk Analysis
The first thing the OCR looks for upon investigation is a properly documented and up-to-date Security Risk Analysis. This shows that you’ve assessed your practice operations and identified any vulnerabilities — before an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement.

2. Practice-specific Policies and Procedures
Proper documentation is key for all aspects of your compliance program, including your practice-specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice, and proper documentation is necessary to prove the expectations and standards you have set for your organization.

3. Disaster Recovery Plan
Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail.

4. Implement Proper Administrative, Technical and Physical Safeguards
Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements, and ultimately protecting your patients.

5. Staff HIPAA Training
Properly train your staff on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff stay up to date with any changes to HIPAA regulations or practice operations.

6. Business Associate Agreements
It’s important to be on the same page with everyone who has access to your patients’ secure information. Implementing the proper business associate agreements with all third-party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach.

There’s a lot that goes into your HIPAA program, even more than the top six items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patients’ data.


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. Visit fdaservices.com/abyde or call 800.594.0883.

This article was originally posted on Abyde’s blog on Aug. 14, 2020. Reprinted with permission.

HIPAA Audits: Why Dental Organizations Shouldn’t Ignore the Audits

By Dr. Danika Brinda, CEO, Planet HIPAA

2016 is going to be a monumental year for HIPAA compliance. The Phase 2 HIPAA audits will be starting, and increased HIPAA enforcement is a guarantee. So far in 2016, we have seen multiple fines and HIPAA compliance enforcement actions that are setting the stage for the remainder of 2016. For many years, HIPAA compliance has been pushed off and ignored; however, if the first 2 months of 2016 are telling the story, now is the time to ensure your dental practice has established proper policies, procedures and practices for HIPAA compliance. Don’t get tangled up in a HIPAA audit with no confidence in your dental practice’s compliance with HIPAA!

It is easy to think that your practice is too small to get selected for a HIPAA audit or that audits will focus on large, integrated health care systems. However, the findings from the pilot audits indicate that dental practices are just as desirable for a HIPAA audit as any other type of organization.

Some key findings from the HIPAA Pilot Audits are:

  • Smaller organizations tended to struggle with HIPAA compliance more than larger organizations.
  • The most common finding was that the entity was “unaware of the requirement.”
  • Of the total health care providers audited, NONE of them were 100 percent HIPAA compliant.
  • Incomplete implementation of the regulations was cited as a top finding from the audits.

We are at a stage with HIPAA compliance where “I didn’t know” or “I was unaware” is no longer going to be an acceptable reason for non-compliance. In the past year, numerous data breaches were reported to the Department of Health and Human Services. In some of the dental data breaches reported, more than 500 individuals were impacted!

  • 2,000 individuals impacted when an unencrypted portable device was stolen from a dental provider.
  • 3,200 individuals impacted after an unencrypted server was stolen during a burglary of a dental office.
  • 7,400 individuals impacted when dental records at an off-site storage were released by the storage company to unauthorized individuals.

With proper oversight of HIPAA and appropriate physical, technical and administrative safeguards, these data breaches could have been avoided.

Another common finding is a false sense of security that the vendor of your practice management system or electronic health record has all aspects of HIPAA compliance covered. Even when a third-party solution manages a system, not all aspects of HIPAA compliance are met. Additionally, you may find that some functionality of your systems does not actually meet HIPAA compliance. For example, your systems should be able to automatically log out after a specified time of inactivity. Your vendor may be the group responsible for creating the functionality, but you are responsible for the implementation in your dental organization. If your software system doesn’t have the functionality to automatically log out of the system after inactivity, you may be out of compliance with HIPAA. Don’t assume that compliance is met — verify it!

Don’t wait until a HIPAA audit comes to your dental practice to know that you are out of compliance. Immediate action is needed if you are not confident in your HIPAA compliance. HIPAA takes more than just putting a HIPAA manual on the shelf in your dental practice. Make sure your organization takes the steps NOW and prevents a bad outcome from a HIPAA audit or showing up on the HIPAA Wall of Shame.


Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on April 18, 2016.