Business Associate Agreements (BAAs) are a very important requirement of HIPAA compliance and should not be overlooked. Organizations have gotten into trouble because of lack of a BAA and Business Associates (BAs) are quite often the source of breaches. This tip is written from the point of view of a Covered Entity, although the same concepts apply to BAs as well (Note: a BA can also have a BA! This is called a “downstream” BA – see below.)
Many people believe that a HIPAA breach automatically leads to investigations and fines. This is not necessarily the case. The purpose of the HIPAA Security Rule and the goal of HIPAA compliance is to position your organization to minimize the chance of a breach and to properly deal with a breach if one occurs. That said, it is impossible to eliminate all possibility of a breach. For example, the actions of your employees and Business Associates are completely out of your control. Again, HHS (Health & Human Services) and the OCR (Office for Civil Rights) are not expecting perfection. In fact, it is estimated that if you have 10,000 records in your office, chances are 1 in 3 that you will have a breach – so odds are you will have one sooner or later. This article is designed to examine security incidents and breaches and determine how to deal with them.
This article provides useful tips for HIPAA security officers. As a HIPAA security officer, you can divide your list of tasks into two categories: “ad-hoc” tasks and maintenance tasks. Examples of dealing with “ad-hoc” tasks include remediating gaps
identified on a Risk Assessment and dealing with a security incident. There are also maintenance tasks that must be performed on a regular basis. One example is tracking Employee Training. Another maintenance task example is a vulnerability scan.
The key to having confidence in your compliance program is preparation. This article is designed to help you prepare for an OSHA visit. The Occupational Safety and Health Administration (OSHA) is an agency of the U.S. Department of Labor. Tennessee OSHA is an agency of the Tennessee Department of Labor and Workforce Development. In addition to Tennessee, there are other states who have OSHA-approved State Plans. (1)
There are different types of audits:
Many dental offices are scrambling to achieve OSHA compliance with the recent announcement of random audits as part of TOSHA’s Local Emphasis Program. Numerous dental offices across the state of Tennessee have been randomly audited. There has been much confusion and quite a bit of stress resulting.
This article explores common violations we commonly see in dental offices in Tennessee. We hope you will find this information helpful in closing the gaps in your compliance program.
Effective October 1, 2017, all dentists licensed in Tennessee will be subject to a random OSHA inspection. This is part of the Local Emphasis Program.
According to OSHA, they analyzed data collected over a 10-year period. The results indicate that 319 serious hazards were identified with an average of 11.8 per facility. The Local Emphasis Program will focus primarily on exposure to blood and other potentially infectious materials and exposure to hazardous chemicals. Each year, the OSHA area offices will be expected to inspect at least five (5) dental offices and this includes offices with less than ten (10) employees.
Millions of dollars are spent on costly HIPAA settlements due to violations and a lack of compliance. Overlooking risk can result in a security breach.
Covered entities are required to not only make a security risk assessment to safeguard the electronic protected health information (ePHI) but also to act on those assessments. This article explores the maintenance of computer logs and how this procedure can detect an unauthorized access.
Keep it Real:
How to Avoid HIPAA Marketing Scams
By Olivia Wann, JD
Has your dental office received a phone call stating the following: “My name is XX. I’m calling your office today to conduct your mandatory HIPAA Security Risk Assessment that’s required by the Department of Health and Human Services…”
We have received a number of support calls from dental offices regarding the Section 1557 compliance. If you accept Medicaid, Medicare Advantage and/or received funding under the HITECH Act, please read this letter carefully.
Section 1557 of the Affordable Care Act protects individuals from discrimination in health care based on race, color, national origin, age, disability and sex including pregnancy, gender identity, and sex stereotyping.
A critical component of a dental office’s HIPAA compliance program is obtaining business associate agreements from their business associates. A business associate is a person or an entity that provides services for the covered entity (dental office) involving protected health information (PHI) and electronic protected health information (ePHI).
Examples of business associates include electronic claims vendors, information technicians (IT), practice management software companies, appointment confirmation companies, marketing companies, trainers, consultants, bookkeepers, accountants, lawyers and others.
Modern Practice Solutions, LLC is receiving numerous calls regarding disposal of pharmaceutical waste, particularly dental anesthetic carpules. The American Dental Association recently published an article, “Stericycle Contracts: Read the Fine Print – Dentists Question Business Practices,” in the ADA News June 20, 2016 edition. Dentists are looking for affordable options for waste disposal rather than being bound to expensive contracts.
The dilemma of whether an employee is salary or hourly continues to perplex employers. Perhaps you have classified your office manager as salary exempt meaning no compensation for overtime because he or she is serving in a managerial capacity. Maybe the hygienist was also classified as exempt “salary.” The hygienist on a daily rate never had to track hours worked and was paid a daily rate whether they worked 8-hours a day 4-days a week or the occasional 6-days a week.
It seems like a handheld X-ray unit is the way to go . . . is it?
Maybe yes . . . probably no
By Kevin Christian, LLC
As consultants in the dental OSHA and infection control compliance world, we are keenly interested in the promotion of safe dental care and a safe working environment.
There has been documented transmissions of infectious agents including patient-to-patient in dental settings between the years 2003 and 2015. According to CDC, there have been reported breakdowns in basic infection prevention procedures including unsafe injection practices, failure to heat sterilize dental handpieces between patients, and failure to monitor autoclaves.
Navigating the myriad of regulations that govern a dental office can be daunting. And the last thing anything wants is to be out of compliance without even knowing it. My name is Kevin Christian, and I am the TDA endorsed private X-ray inspector in the State of Tennessee. I want to take a second to help you avoid some of the common pitfalls that dentists often fall into when purchasing X-ray equipment.
As we move into the new year and implement our goals for our practices, don’t forget OSHA’s new requirements.
OSHA updated the requirements for labeling of hazardous chemicals under its Hazard Communication Standard. As of June 1, 2015, all labels will be required to have pictograms, a signal word, hazard and precautionary statements, the product identifier, and supplier identification. Please see the picture provided.
Everything is bigger in Texas….even their version of HIPAA regarding medical records privacy.
Texas Legislature adopted House Bill 300 known as HB 300 effective September 2012 which amended the Texas Medical Records Privacy Act. HB 300 significantly expanded patient privacy protections compared to the federal counterpart outlined in the Health Insurance Portability and Accountability Act of 1996 known as HIPAA.
How Lawyers Who Serve As Business Associates to Covered Entities Align their Law Practices with HIPAA
HIPAA is certainly not new. Hospitals, medical and dental practices, and other covered entities have been grappling with HIPAA for years now. Ask any healthcare worker about the topic and likely you will receive negative feedback. No doubt such a response relates to the ongoing challenges of HIPAA compliance which includes ongoing training, voluminous policies and procedures, never ending documentation, complicated risk assessments and convoluted risk management plans.
The woes of HIPAA compliance….
HIPAA requires a thorough and accurate risk assessment of your data’s security. As HIPAA consultants, we collaborate with your Practice Administrator and your IT professionals to answer questions such as: