If your dental practice contracts with and utilizes the services of other individuals or businesses to assist in service delivery to your patients, heads up!
Here are the considerations you will want to make to assure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Not to scare you or anything, but just saying: Violations of HIPAA carry both civil and criminal penalties. Civil penalties can be as high as $50,000 per violation. Did I get your attention?
Under HIPAA, the individuals, or businesses you contract with to assist in service delivery are called “business associates.” The business associates under consideration perform activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (covered entity = your dental practice). The full definition of a “business associate” can be found at 45 CFR 160.103 .
The Privacy Rule allows you to disclose protected health information to these “business associates” if you first obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity – your dental practice – and the business associate. The contract must:
Where you know of a material breach or violation by the business associate of the contract or agreement, you must take reasonable steps to cure the breach or end the violation, and if unsuccessful, you must terminate the contract or arrangement. If termination of the contract or agreement is not feasible, your dental practice is required to report the problem to the HHS Office for Civil Rights. To make this a little easier, HHS provides sample business associate agreement provisions to help you satisfy these requirements.
You may wish to consult the Health and Human Services FAQ page to find additional answers to other questions you may have about the business associate provisions of HIPAA. Also, be aware that an enhanced version of HIPAA is on the horizon. A Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy Rule now under consideration by the OCR. The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
If you have any questions about assuring that your practice is in compliance with the HIPAA business associates requirements, contact us.