HIPAA Audits may come for Dentists

The federal government has begun auditing some health care providers, including dental practices, to ensure they are complying with patient privacy laws and health care information security laws.

The U.S. Department of Health and Human Services Office for Civil Rights announced March 21 it has begun its second phase of audits of covered entities and their business associates to assess their compliance with the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules, according to a news release. The Office for Civil Rights will review whether the policies and procedures adopted and employed by the groups meet selected standards and implementation specifications of the law.

“We want dentists to be aware that this is happening and to take HIPAA compliance seriously,” said Dr. Andrew Brown, chair of the ADA Council on Dental Practice. “There are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”

A dental practice would be considered a covered entity if they use electronic dental claims.

“The first phase of audits, which began in 2012 included at least one dental practice,” said Paula Tironi, senior associate general counsel in the ADA Division of Legal Affairs. “If a dental practice receives a communication from the Office for Civil Rights that they’re to be audited, they may only have a few days or weeks to send documentation demonstrating that they’re complying with HIPAA, such as security risk assessment, policies and procedures, training records and business associate agreements.”

The Office for Civil Rights will begin the audit process by emailing covered entities and their business associates to request they send their contact information and answer a pre-audit questionnaire in order to gather data about the entity’s size, type and operations.

Those who don’t respond to the government’s request to verify its information may still be selected for an audit or subject to a compliance review, according to the news release. Communications from the Office for Civil Rights will be sent via email and may be incorrectly classified as spam so health care providers should check their junk or spam folders.

“It would be prudent to have documentation demonstrating HIPAA compliance ready and up to date should a dental practice be audited. If an audit determines a dental practice has not been complying with the law, the government may initiate a compliance review,” Ms. Tironi said. “It can be a lot of work and may be difficult to gather all the required documentation if a practice is caught unprepared.”

OCR will post updated audit protocols on its website closer to conducting the 2016 audits, the news release stated.

“The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities,” according to the release.

Contact Us At: arcor-inc.com SD: 858-481-4494 LA: 310-431-9389 North California: 650-468-0307

Leave a Reply