HIPAA Policies & Procedures
The primary purpose of HIPAA's privacy and security regulations is to protect the confidentiality of the protected health information of patients and of the dentist who treats them.
What are HIPAA policies and procedures?
Having policies and procedures in place is crucial for HIPAA compliance, as they give your organization and employees a framework for what is and is not allowed with regard to protected health information. Policies provide general guidelines for how to comply with HIPAA, while procedures give specific instructions for handling a situation.
HIPAA Terminology
- Protected health information (PHI): any individually identifiable health information
The PHI term encompasses a broad range of personal health information, including insurance and payment information, diagnoses, clinical care, and examination results such as images and test results. This data can be created, stored, or transmitted in many formats, including verbal conversations, written documents, computer software or hardware, and various other forms. In every case, security and confidentiality measures must be implemented.
PHI stands for Protected Health Information and includes any information in a patient's health record that could be used to identify them. This can include lab results, medical history, images, and more. PHI also covers identifiers such as name, date of birth, SSN, and other information that can be used to commit identity theft. With data breaches becoming more and more common, proper handling and disclosure of PHI is a major concern. Taking care of patient information falls under the HIPAA guidelines.
- Covered Entities: healthcare providers that offer services or accept payments for them
The HIPAA rules apply to covered entities, which include healthcare providers, healthcare clearinghouses, and health plans. Healthcare providers include specialists, clinics, hospices, pharmacies, and other providers. A person or organization is a covered healthcare provider if it transmits any information in electronic form in connection with a transaction for which HHS has adopted a standard.
Clearinghouses are HIPAA-covered entities that process nonstandard health information received from another entity into a standard format. Health plans include insurance companies, company health plans, and similar payers, and are regarded as covered entities under HIPAA as well.
- Business Associate: individuals or organizations that are not members of a covered entity's workforce but work as vendors or subcontractors for a covered entity and have access to PHI.
When a covered entity brings in a business associate to help with carrying out its health care activities, the covered entity must have a written contract or agreement with the business associate that establishes the business associate's obligations. Sample HIPAA policies and procedures for business associates are available online. HIPAA for business associates, in this case, covers PHI privacy and security procedures. In addition to these contractual obligations, HIPAA business associates are responsible for compliance with certain provisions of the HIPAA Rules. Some companies even offer HIPAA training for business associates.
Dentulu applications are subject to HIPAA
It is crucial to have a deep understanding of your application's use cases. This is especially important when determining if your mobile apps will store or transmit PHI, even if the collected data is not considered PHI by itself. As soon as protected health information appears on mobile apps, they must become HIPAA-compliant apps. A basic example of a HIPAA-compliant mobile app is a HIPAA-compliant mobile scanning app since it is used to transfer a patient's data. Now let's explore HIPAA-compliant phone apps in more detail.
The Importance of HIPAA compliance for dentists at Dentulu
It is important for all healthcare entities to prioritize protecting patients' PHI. This is especially true in the healthcare industry, which is one of the most common targets for ransomware attacks. In a ransomware attack, a hacker gains access to an internal network and steals or encrypts sensitive data. The hacker may then demand payment to restore access to the data or to refrain from publishing it.
Some smaller medical practices (including dental offices) don’t think that they need to take precautions against data breaches and cyber-attacks, because they assume that their small size disqualifies them as a target for attacks. Unfortunately, this isn’t the case. Hackers are now targeting smaller practices and offices more than ever before.
Dental offices contain a lot of personal information about patients that could be used to commit fraud or steal their identity. This information includes things like their name, phone number, address, insurance information, Social Security number, and credit card information. Because of this, it's important that dental offices follow HIPAA compliance rules.
The Importance of HIPAA compliance for patients at Dentulu
In order to ensure that PHI is protected, it's necessary for a dental office to have comprehensive security policies and procedures. There are a number of ways that a dental office can achieve HIPAA compliance, including developing a secure network infrastructure, using encryption on digital devices, and limiting access to patient information.
For patients at Dentulu, this means that when they visit the practice their health data will be kept safe and private. The data stored in Dentulu’s systems must meet certain standards set by the HHS; this ensures that all patient information is securely handled. Patients also have the right to know who has accessed their medical record and can request copies of any documents related to them.
By adhering to these regulations, Dentulu is ensuring that all patient data remains safe and secure. This helps to build trust between the practice and its patients, as well as prevent any potential breaches of PHI. In addition, it also keeps Dentulu compliant with applicable laws and regulations set forth by the HHS.
In summary, HIPAA compliance is an important part of safeguarding a dental office's confidential data. By following HIPAA rules, Dentulu can ensure that all patient information is kept secure while still providing excellent care to their patients. Compliance with these guidelines not only benefits the practice but also provides peace of mind for patients knowing their health information is in good hands.
Policies & procedures under this rule include:
- Access management policy
- Automatic logoff policy
- Data backup and retention policy
- Device and media controls policy
- Disaster recovery policy
- Facility access control policy
- Information systems computer management policy
- Internet and computer usage policy
- Intrusion detection policy
- Password creation and usage policy
- Risk management policy
Sharing your information
Except as otherwise described in this Privacy Policy, or if we inform you otherwise at the time of data collection and receive your consent where required, we will not sell, trade, or share your information with third parties.
We may share your information as follows:
- Visits: We will share your information, at your direction, to transmit a request for a Visit with Dentulu Dental Hygienists. The Dental Hygienist and/or another representative of Dentulu Dental Hygienists may contact you before the Dental Hygienist is dispatched to your location, to ensure that he or she is equipped to handle your dental case. Dentulu Dental Hygienists' treatment of your information is subject to Dentulu Dental Hygienists' own policies and procedures. Any PHI that we collect and save from you will be kept private and secure, as required by law.
- With Affiliates: We may share your information with affiliated companies and businesses, provided that your PHI will not be shared for any marketing purposes without your prior written consent, in accordance with applicable law.
- With Service Providers: We may use other companies to perform services including, without limitation, facilitating some aspects of our Application such as processing credit card transactions, sending emails, fulfilling purchase requests, and data analysis on our behalf. These other companies may be supplied with or have access to your information solely for providing these services to you on our behalf. Such service providers shall be bound by appropriate confidentiality and security obligations, which may include, as applicable, business associate contract obligations.
- With Business Partners: When you make purchases or engage in promotions offered through our Application, we may share PII, but not your PHI, with the businesses with which we partner to offer you those products, services, and promotions. When you accept a particular business partner’s offer, you authorize us to provide your information to that business partner.
- To our wholly owned subsidiary, Breakthrough, and affiliated medical/Dental groups.
- To contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
- As required by law, which can include providing information as required by law, regulation, subpoena, court order, legal process or government request.
- When we believe in good faith that disclosure is necessary to protect your safety or the safety of others, to protect our rights, to investigate fraud, or to respond to a government request.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Dentulu’s assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personal Information maintained by the Site is among the assets transferred.
Special circumstances:
We also may disclose your information:
- In response to a subpoena or similar investigative demand, a court order, or other request from a law enforcement or government agency where required by applicable law.
- When disclosure is required or allowed by law in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of our company, our users, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our Application’s terms and conditions or other agreements or policies.
- In connection with a corporate transaction, such as the sale of all or a portion of our business, a divestiture, merger, consolidation, or asset sale, or in the event of bankruptcy, as required or allowed by law.
HIPAA privacy policies & procedures for healthcare providers at Dentulu
The Privacy Rule was issued by the U.S. Department of Health and Human Services (HHS) to implement the requirements of the Health Insurance Portability and Accountability Act of 1996. The Privacy Rule sets forth standards for the privacy of certain health information, referred to as protected health information (PHI). PHI is any “Individually Identifiable Health Information” related to the past, present, or future provision of healthcare.
The Privacy Rule addresses privacy of PHI in several ways, including:
- It dictates the permitted uses and disclosures of individuals' PHI.
- Individuals have certain rights with respect to their protected health information (PHI). These rights are outlined in standards set forth by the government.
- Covered entities are required to provide patients with a Notice of Privacy Practices to ensure that they understand how their health information will be used.
The HHS Office for Civil Rights (OCR) is responsible for making sure that the Privacy Rule is followed and for enforcing it through compliance activities and civil money penalties. The Privacy Rule protects people's health information while still allowing the necessary information to be shared in order to promote quality healthcare. The Rule allows for important uses of information while still maintaining the privacy of those who seek healthcare.
The HIPAA Privacy Rule is designed to cover a wide range of uses and disclosures. Covered entities that are regulated by the HIPAA Privacy Rule must comply with all of its requirements.
The Privacy Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in any form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
HIPAA policies for privacy provide guidance to employees on the proper uses and disclosures of PHI. For example, a policy on adhering to the HIPAA minimum necessary standard may state that employees should make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose. The corresponding procedure may state that the organization will identify the classes of persons or job titles within the workforce who need access to PHI to carry out their job duties and responsibilities.
Protected health information
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI).
HIPAA security policies & procedures
Healthcare organizations must take reasonable and appropriate measures to protect ePHI from unauthorized access, use, or disclosure. These measures may include administrative, technical, and physical safeguards.
The Security Rule requires covered entities to maintain three properties of ePHI:
- Confidentiality: ePHI is not made available or disclosed to unauthorized persons. These confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.
- Integrity: ePHI is not altered or destroyed in an unauthorized manner.
- Availability: ePHI is accessible and usable on demand by an authorized person.
HHS realizes that healthcare organizations come in all shapes and sizes, so the Security Rule is designed to be flexible and scalable. This way, businesses can assess their own compliance needs and put in place solutions that make sense for their particular circumstances.
The Rule does not dictate what security measures a healthcare organization must use, but it does require them to consider:
- Its size, complexity, and capabilities.
- Its technical, hardware, and software infrastructure.
- The costs of security measures.
- The likelihood and possible impact of potential risks to ePHI.
As the healthcare landscape continues to evolve, it is important for organizations to review and update their security policies to ensure that they are adequately protecting ePHI.
Risk analysis and management
The security risk analysis is a key part of the Security Rule's Administrative Safeguards provisions. This analysis is used to help determine which security measures are reasonable and appropriate for a particular organization, which in turn affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluating the likelihood and impact of potential risks to ePHI;
- Implementing appropriate security measures to address the risks identified in the risk analysis;
- Documenting the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintaining continuous, reasonable, and appropriate security protections.
HIPAA Risk analysis is an important part of keeping your ePHI safe. You should do it regularly to make sure your security measures are effective and to find new risks.
Administrative safeguards
- Security Management Process: The organization must identify potential risks to ePHI and implement security measures to reduce these risks to a reasonable level.
- Security Personnel: An organization must have a security official who is responsible for developing and implementing the organization's security policies and procedures.
- Information Access Management: An organization is only allowed to give access to ePHI to users and recipients based on their role (role-based access).
- Workforce Training and Management: The organization must have a system in place to authorize and supervise workforce members who work with ePHI. This system must include training workforce members on security policies and procedures, and implementing sanctions against those who violate these policies and procedures.
- Evaluation: The organization must evaluate on a regular basis how effective its security policies and procedures are in relation to the Security Rule's requirements.
Physical safeguards
- Facility Access and Control: The organization must limit physical access to its facilities to authorized personnel, while ensuring that authorized personnel can still get in.
- Workstation and Device Security: An organization must have policies and procedures in place for the transfer, removal, disposal, and re-use of electronic media that contains electronic protected health information (ePHI). These policies and procedures must ensure that ePHI is appropriately protected.
Technical safeguards
- Access Control: An organization must implement technical policies and procedures that restrict access to electronic protected health information (ePHI) to authorized persons only.
- Audit Controls: An organization must have systems in place to track and monitor access to and activity in information systems that contain or use ePHI.
- Integrity Controls: An organization must take measures to ensure that ePHI is not improperly altered or destroyed. This includes putting electronic measures in place to confirm that ePHI has not been improperly altered or destroyed.
- Transmission Security: An organization must implement technical security measures to prevent unauthorized access to ePHI that is being transmitted over an electronic network.
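As an added illustration (not Dentulu's code or any product's implementation), the following Python sketch shows how the Access Control, Audit Controls and Integrity Controls listed above, together with the role-based, minimum-necessary access described under the administrative safeguards, can be realised in one application layer. The roles, field names, HMAC key and the sample patient record are constructed for the example.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed role model applying the "minimum necessary" standard: each role
# sees only the ePHI fields its job duties require; only dentists may write.
ROLE_FIELDS = {
    "dentist": {"name", "dob", "clinical_notes", "xray_ref", "insurance_id"},
    "billing": {"name", "insurance_id"},
    "front_desk": {"name", "dob"},
}
class AccessDenied(Exception): pass
class IntegrityError(Exception): pass

class EphiStore:
    """In-memory ePHI store: role-based access, audit trail, HMAC integrity tags."""
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}   # patient_id -> (canonical JSON bytes, HMAC tag)
        self.audit_log = []  # append-only audit events (Audit Controls)

    def _tag(self, data: bytes) -> str:
        # Integrity Control: keyed hash; an edit of the bytes cannot be hidden by recomputing a checksum.
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "role": role, "action": action, "patient": patient_id, "outcome": outcome})

    def write(self, user, role, patient_id, record: dict) -> None:
        if role != "dentist":
            self._audit(user, role, "write", patient_id, "denied")
            raise AccessDenied(f"{role} may not write ePHI")
        data = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (data, self._tag(data))
        self._audit(user, role, "write", patient_id, "ok")

    def read(self, user, role, patient_id) -> dict:
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:  # Access Control: role not authorized for ePHI
            self._audit(user, role, "read", patient_id, "denied")
            raise AccessDenied(f"unknown role {role!r}")
        data, tag = self._records[patient_id]
        if not hmac.compare_digest(tag, self._tag(data)):
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise IntegrityError(f"record {patient_id} failed verification")
        view = {k: v for k, v in json.loads(data).items() if k in allowed}
        self._audit(user, role, "read", patient_id, "ok")
        return view

def demo() -> dict:
    store = EphiStore(integrity_key=b"demo-key-not-for-production")
    store.write("dr_lee", "dentist", "P-1001", {"name": "Sample Patient", "dob": "1980-01-01",
                "clinical_notes": "routine cleaning", "xray_ref": "IMG-7", "insurance_id": "INS-42"})
    billing_view = store.read("pat", "billing", "P-1001")  # clinical notes filtered out
    # Simulate an edit of the stored bytes that bypassed the application layer
    # (e.g. a direct database change): the stored tag no longer verifies.
    data, tag = store._records["P-1001"]
    store._records["P-1001"] = (data.replace(b"INS-42", b"INS-99"), tag)
    try:
        store.read("dr_lee", "dentist", "P-1001")
        tampering_detected = False
    except IntegrityError:
        tampering_detected = True
    return {"billing_fields": sorted(billing_view), "tampering_detected": tampering_detected,
            "audit_outcomes": [e["outcome"] for e in store.audit_log]}
```

Every access attempt, including the denied and failed ones, lands in the audit log, which is what lets a reviewer later answer the "who accessed my record" question the Privacy Rule grants patients.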
Other safeguards
- Email- and web-based communications: We use email and web encryption technologies to protect ePHI when communicating it electronically.
- SMS-based communications: We use text message encryption technologies to protect ePHI when communicating electronically.
- Digital dashboard: We use a digital dashboard system to ensure the secure transmission of and access to ePHI.
- Chat: We use an encrypted chat system to protect ePHI when communicating digitally.
These are just a few of the safeguards that organizations should implement as part of their risk analysis and HIPAA compliance efforts.
HIPAA policies for security provide guidelines for securing PHI, while HIPAA procedures for security provide the specific measures that must be implemented to provide that security. For instance, a HIPAA security policy for user authentication may state: “Information systems used to access ePHI shall uniquely identify and authenticate workforce members through the use of strong passwords.” A corresponding HIPAA procedure for this policy may state: “System administrators shall provide the password for a new unique user ID only to the user to whom the new ID is assigned.”
HIPAA policies & procedures at Dentulu for business associates
A business associate is a person or organization that performs certain functions or activities on behalf of a covered entity, or provides certain services to a covered entity, which involve the use or disclosure of individually identifiable health information. These functions or activities include, but are not limited to, claims processing, data analysis, utilization review, and billing. The services that business associates provide to covered entities are usually limited to legal, actuarial, accounting, consultant, data aggregation, management, administrative, accreditation, or financial services.
The HIPAA policies and procedures for business associates are similar to those of covered entities. The main difference is that, since business associates are not involved with treatment, payment, or healthcare operations, they only need limited privacy policies and procedures.
Organizational requirements
A Business Associate Agreement is a contract between a covered entity and a business associate that outlines how the business associate will handle and protect ePHI.
HIPAA policies & procedures and documentation requirements
Healthcare organizations must have policies and procedures in place to comply with the Security Rule. This includes maintaining written security policies and procedures, as well as records of required actions, activities, or assessments. Organizations must also periodically review and update their documentation to reflect any changes that could affect the security of electronic protected health information (ePHI).
Links to third-party sites
Our Application or website may contain links to websites or applications operated and maintained by third parties, over which we have no control. Privacy policies for these third-party sites and applications may differ from our Privacy Policy. You access these third-party sites and applications at your own risk. You should always read the privacy policy of a linked site or application before disclosing any personal information on such a site or through such an application. Dentulu is not responsible for information you submit to third parties.
How to contact Us
If you have any questions, comments or concerns about our Privacy Policy, you may contact us at support@dentulu.com or by writing a letter to:
Dentulu, Inc.,
Attn: General Counsel,
2002 South Burlington Avenue
Los Angeles, CA 90007.
Effective Date
This Privacy Policy is effective as of Jan 1st, 2019.