Department of Health launches HIPAA security assessment tool

The U.S. Department of Health and Human Services (HHS) has launched a new security risk assessment tool that helps dentists and other health care professionals be in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

It is important for dentists to conduct a security risk assessment as required by HIPAA to protect their patients' information and minimize liability risk. A recent review of HIPAA enforcement actions reveals that entities were penalized for not having a documented risk analysis or for having an incomplete analysis.

The HHS security risk assessment tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their practices. The tool, which also produces a report that can be provided to auditors, is available at HealthIT.gov/security-risk-assessment.

Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information, and thus, the HIPAA Security Rule was created.

After establishing a "security officer" in the practice (similar to the designation of a privacy officer as required by the HIPAA Privacy Rule), conducting a documented risk analysis on their practices' information systems is the first step dentists can take to be in compliance with the HIPAA Security Rule. Other steps dentists can take to protect themselves include instituting a system to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports, and having business associate agreements that require compliance with the Security Rule and notification of data breaches that occur with the respective business associate.

Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule. Dental practices should review the rule requirements to ensure compliance. The HIPAA Security Rule: A Summary resource can be found on cda.org. Also, HHS has a Guidance on Risk Analysis on its site.

For more information on patient privacy and HIPAA requirements, visit cda.org/Privacy-HIPAA. For more from HHS, visit hhs.gov.