Dental Compliance for Dentists and Business Associates



This presentation will discuss covered entities, protected health information (PHI) as it relates to dental practices, and business associates of those practices. It will update you on major legislation relating to patient privacy laws and explain why protecting PHI is important and the consequences of non-compliance with state and federal laws.

Published in: Technology, Business
  • For more information, contact Duane at
  • Dental Compliance for Dentists and Business Associates

    1. For free compliance tips, join our list!
    2. Neither of these guys is a licensed peace officer, attorney, or dentist... they're not very funny either!
    3. After completing this presentation, participants should be able to:
       • Define Covered Entity, Protected Health Information (PHI) and Business Associate
       • Identify major legislation regarding patient privacy laws in Texas
       • Explain why protecting PHI is important, and the consequences of non-compliance with state and federal laws
       • Sketch out a plan to achieve compliance for their organizations
    4. HIPAA Privacy
       HIPAA Security
       HB 300 (Texas Medical Privacy Act)
       HITECH
    5. Took effect on April 14, 2003 (the Privacy Rule compliance date). First major regulation in recent years to control fraud, waste and abuse of government programs. Mandated mechanisms for the exchange of information between healthcare clearinghouses, health plans and providers.
    6. Took effect in 2009. Provided federal money for providers to help incorporate EHRs into health care practices. Recognized that the majority of data breaches were caused by Business Associates, and that there was (previously) no mechanism to enforce HIPAA provisions against unlicensed BAs.
    7. Took effect on 09/01/2012. Re-defined "Protected Health Information". Expanded the definition of "Covered Entity" to include entities that come into possession of, obtain, assemble, collect, analyze, evaluate, store or transmit PHI.
    8. Expanded privacy and security mandates on covered entities, such as:
       • Employee training (within 60 days of hire and every 2 years)
       • Patient access to electronic health records (EHRs) within 15 business days
       • Identifies the state agencies that regulate covered entities and each agency's compliance enforcement process (Office of the Attorney General for non-licensed C.E.s)
    9. Consumer information website. Prohibits the sale of PHI and restricts its disclosure. Consumer notice and authorization required for electronic disclosure of PHI. Fines and penalties include civil and criminal remedies for non-compliance.
    10. The American Recovery and Reinvestment Act of 2009 (ARRA) became federal law on February 17, 2009; HITECH is part of that law. The goal of HITECH is to enhance and expand the HIPAA Privacy and Security Rules. The HITECH Act not only makes the privacy regulations stricter, it also gives federal and state authorities more power to enforce privacy and security protections for patient information and data.
    11. It increases HIPAA patients' rights regarding control over their PHI (medical information). It limits the use of PHI for marketing purposes. It mandates notification of breaches (unauthorized access to, or loss of, PHI). It also extends many of the same requirements to the business associates outside our company to whom we give PHI so they can do their jobs.
    12. Published January 25, 2013 (the HIPAA Omnibus Final Rule). Expands the definition of Business Associate: it now includes entities that "maintain" PHI, in addition to those that create, receive, or transmit PHI for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and re-pricing. The definition extends fully to subcontractors of BAs who perform these functions.
    13. Solidifies that BAs are directly liable for compliance with HIPAA. Under the new rules, BAs are statutorily liable for violations of the HIPAA Security Rule. They are also subject to the same HIPAA privacy restrictions as covered entities. This includes requirements that BAs create and implement HIPAA privacy and security policies and procedures for handling a covered entity's PHI. BAs may be subject to compliance reviews by the federal Department of Health and Human Services (HHS).
    14. Requires BAs to report breaches of unsecured PHI to the covered entity. A breach is an unauthorized acquisition, access, use or disclosure of PHI by unintended or unauthorized persons or entities.
    15. As per HB 300 and the HITECH Final Rule: basically, all persons or entities who receive, possess, or generate protected health information (PHI), or who store and "could potentially" access PHI.
    16. Individually identifiable health information (including demographic data) is information that relates to:
       • the individual's past, present or future physical or mental health or condition;
       • the provision of health care to the individual; or
       • the past, present, or future payment for the provision of health care to the individual.
    17. EXAMPLES: names; addresses; date and place of birth; race; marital status; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health insurance beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web URLs; IP address numbers; biometric identifiers (including finger, retinal and voice prints); full face photographic images and any comparable images.
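Several of the identifier types on this slide (Social Security numbers, phone numbers, email addresses, IP addresses, URLs, dates, record numbers) have regular formats, which is what makes it possible to scan documents for them before they are shared, emailed or sent to a business associate. The script below is an added example, not material from the presentation or from Dental Compliance Specialists, LLC: it finds those structured identifiers in a constructed chart note and redacts them. The "MRN-" prefix for medical record numbers and the sample note itself are assumptions made for the example. Names and street addresses are deliberately not handled, since they have no fixed format and need a dictionary or NLP-based approach.

```python
import re

# Regexes for the structured identifier types named on the slide. The medical
# record number format ("MRN-" followed by digits) is an assumption made for
# this example; real systems use their own numbering schemes. Names, street
# addresses and free-text dates are not caught by patterns like these.
IDENTIFIER_PATTERNS = [
    ("url",   re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:)]")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("mrn",   re.compile(r"\bMRN-\d{4,}\b")),
]


def find_identifiers(text):
    """Return non-overlapping matches as (kind, start, end, value), earliest first.

    When two patterns overlap, the one listed first in IDENTIFIER_PATTERNS wins,
    so a URL is reported once as a URL rather than as the email or IP inside it.
    """
    taken = []
    findings = []
    for kind, pattern in IDENTIFIER_PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < end and m.end() > start for start, end in taken):
                continue
            taken.append((m.start(), m.end()))
            findings.append((kind, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Replace every identifier found by find_identifiers with a [KIND] token."""
    out = text
    # Work from the end of the string so earlier offsets stay valid.
    for kind, start, end, _ in reversed(find_identifiers(text)):
        out = out[:start] + "[" + kind.upper() + "]" + out[end:]
    return out


# Constructed sample chart note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient John Q. Public, DOB 03/14/1975, MRN-00123456, SSN 123-45-6789, "
    "phone (214) 555-0100, email jqpublic@example.com. Portal login from "
    "203.0.113.42 via https://portal.example.com/chart?id=77."
)

if __name__ == "__main__":
    for kind, _, _, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE_NOTE))
```

A scan like this is a pre-release check, not a de-identification method: the patient's name survives it, and a date of birth written as "March 14, 1975" would too. Its value is in catching the identifiers that leak most often by accident, such as an SSN or a portal URL pasted into an email to a vendor.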
    18. Required (R) means that complying with the given standard is mandatory. Addressable (A) means that the given standard must be implemented by the organization unless its assessment and in-depth risk analysis conclude that implementation is not reasonable and appropriate in its specific business setting; in that case the organization must document why, and implement an equivalent alternative measure where reasonable. Important note: addressable does not mean optional.
    19. Safeguard documents and communications involving PHI (oral, written and otherwise). Shred or definitively destroy documents that are no longer needed. Notify covered entities if any information has been breached. Have written policies and procedures to account for this information. See the HIPAA Privacy summary for additional requirements.
    20. Risk Analysis (R): Perform and document a risk analysis to see where PHI is used and stored and to determine all the ways HIPAA could be violated.
        Risk Management (R): Implement measures sufficient to reduce these risks to an appropriate level.
        Sanction Policy (R): Implement sanction policies for employees who fail to comply.
        Information Systems Activity Reviews (R): Regularly review system activity, logs, audit trails, etc.
        Officers (R): Designate HIPAA Security and Privacy Officers.
    21. Employee Oversight (A): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees' PHI access. Ensure that an employee's access to PHI ends with termination of employment.
        Multiple Organizations (R): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
        ePHI Access (A): Implement procedures for granting access to ePHI, and which document access to ePHI or to services and systems that grant access to ePHI.
        Security Reminders (A): Periodically send employees updates and reminders of security and privacy policies.
    22. Protection against Malware (A): Have procedures for guarding against, detecting, and reporting malicious software.
        Login Monitoring (A): Monitor logins to systems and report discrepancies.
        Password Management (A): Ensure there are procedures for creating, changing, and protecting passwords.
        Response and Reporting (R): Identify, document, and respond to security incidents.
        Contingency Plans (R): Ensure there are accessible backups of ePHI and procedures for restoring any lost data.
    23. Contingency Plan Updates and Analysis (A): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
        Emergency Mode (R): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
        Evaluations (R): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
        Business Associate Agreements (R): Have contracts with business partners who will have access to your PHI to ensure that they will be compliant.
    24. Contingency Operations (A): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
        Facility Security (A): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
        Access Control and Validation (A): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
        Maintenance Records (A): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
    25. Workstations (R): Implement policies governing what software can/must be run, and how it should be configured, on systems that provide access to ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
        Device and Media Disposal and Re-use (R): Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.
        Media Movement (A): Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
    26. Unique User Identification (R): Assign a unique name and/or number for identifying and tracking user identity.
        Emergency Access (R): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
        Automatic Logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
        Encryption and Decryption (A): Implement a mechanism to encrypt and decrypt ePHI when deemed appropriate.
    27. Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
        ePHI Integrity (A): Implement policies and procedures to protect ePHI from improper alteration or destruction.
        Authentication (R): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
        Transmission Security (A): Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
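Several of the safeguards on slides 20 through 27 only pay off if someone actually reads the audit trail: Information Systems Activity Reviews, Employee Oversight (access ends at termination), Login Monitoring (report discrepancies) and Audit Controls (record and examine activity). The script below is an added example, not part of the presentation or of any product the author offers, showing what a periodic review of a practice-management audit log can look like in code. The log format, the HR roster, the business hours and the failed-login threshold are all assumptions constructed for the example; a real system exports its own format.

```python
import csv
from collections import Counter
from datetime import date, datetime, time
from io import StringIO

# Constructed sample audit trail (not real practice data): one row per event,
# with a blank patient column for login events.
SAMPLE_LOG = """\
timestamp,user,event,patient,src_ip
2013-02-04T08:05:11,dr_jones,login_ok,,10.0.0.12
2013-02-04T08:06:40,dr_jones,view_chart,P-1001,10.0.0.12
2013-02-04T08:07:02,dr_jones,view_chart,P-1002,10.0.0.12
2013-02-04T09:15:00,frontdesk2,login_fail,,10.0.0.21
2013-02-04T09:15:20,frontdesk2,login_fail,,10.0.0.21
2013-02-04T09:15:41,frontdesk2,login_fail,,10.0.0.21
2013-02-04T09:16:05,frontdesk2,login_ok,,10.0.0.21
2013-02-04T23:40:13,hygienist1,login_ok,,198.51.100.7
2013-02-04T23:41:00,hygienist1,view_chart,P-1003,198.51.100.7
2013-02-05T10:02:00,ex_assistant,login_ok,,10.0.0.30
2013-02-05T10:03:15,ex_assistant,view_chart,P-1004,10.0.0.30
2013-02-05T11:30:00,vendor_tmp,view_chart,P-1005,10.0.0.50
"""

# Constructed HR roster: account -> termination date, or None if still employed.
ROSTER = {
    "dr_jones": None,
    "frontdesk2": None,
    "hygienist1": None,
    "ex_assistant": date(2013, 1, 31),
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed office hours
FAILED_LOGIN_THRESHOLD = 3                    # assumed alerting threshold


def parse_log(text):
    """Parse the CSV audit trail, adding a datetime under the "ts" key."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review(rows, roster, business_hours=BUSINESS_HOURS,
           failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, user, first_timestamp) triples, at most one per rule and user.

    Rules:
      post_termination_access  - activity by an account after its termination date
      unknown_account          - activity by an account that is not on the roster
      repeated_login_failures  - failed_threshold consecutive failed logins
      after_hours_login        - successful login outside business_hours
    """
    findings = []
    reported = set()
    consecutive_failures = Counter()

    def report(rule, user, ts):
        # Report each (rule, user) pair once, with the time it was first seen.
        if (rule, user) not in reported:
            reported.add((rule, user))
            findings.append((rule, user, ts))

    start, end = business_hours
    for row in rows:
        user, ts, event = row["user"], row["ts"], row["event"]
        if user not in roster:
            report("unknown_account", user, row["timestamp"])
        elif roster[user] is not None and ts.date() > roster[user]:
            report("post_termination_access", user, row["timestamp"])
        if event == "login_fail":
            consecutive_failures[user] += 1
            if consecutive_failures[user] >= failed_threshold:
                report("repeated_login_failures", user, row["timestamp"])
        elif event == "login_ok":
            consecutive_failures[user] = 0
            if not (start <= ts.time() <= end):
                report("after_hours_login", user, row["timestamp"])
    return findings


if __name__ == "__main__":
    for rule, user, ts in review(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{ts}  {rule:24} {user}")
```

The roster join is the check that turns "access ends at termination" from a policy sentence into something verifiable: an account that is still active in the practice-management system after HR's termination date shows up here whether or not anyone remembered to disable it. Keep the output of each review with the date it was run, since the review itself is the evidence that the Required activity-review standard is being met.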
    28. Create, revise, and/or implement HIPAA policies and procedures. Diligently pursue HIPAA-compliant policies and procedures as they relate to HIPAA security and privacy requirements.
    29. Ensure you have Business Associate agreements on file with the covered entities whose patients' PHI you have access to. Ensure you have BA agreements with covered entity clients, as well as with the subcontractors to whom you delegate BA functions (consider relationships with lenders, transition specialists, practice management, attorneys and other vendors).
    30. Ensure that you and ALL employees or persons for whom you are responsible receive training as required: within 60 days of beginning new employment, and every two years thereafter. Training must include state and federal requirements.
    31. This presentation is NOT comprehensive and is only intended as a high-level overview of information relevant to Covered Entities and Business Associates. My team and I are happy to provide you with additional information, or you can surf the Internet at:
    32. Duane Tinker traded his gun and badge for a clipboard and classroom to inform and teach dental professionals how to stay off the radar and out of the news! As President & CEO of Dental Compliance Specialists, LLC, a company specializing in dental office regulatory compliance, he has taken his expertise as a former law enforcement officer responsible for investigating criminal and civil complaints against practices and now uses this knowledge to assist dental professionals in avoiding these legal pitfalls. He is a much sought-after speaker and consultant and a member of the Speaking Consulting Network. In this pursuit, today his passion is all about helping beleaguered oral healthcare providers find justice!