Book Review – Dark, Dark Reading
By Darrell K. Pruitt DDS
“Complying with HIPAA is an investment in the future of your dental practice. HIPAA Privacy sets forth requirements regarding the proper protection, use, and disclosure of patient information. HIPAA Security addresses using and protecting electronic patient information and the electronic technology that can save time, increase revenues, and improve workflow.” So are those evidence-based claims or an advertisement in the $250 ADA publication I purchased?
On Being Leery
I’ve learned to be wary when dentalcare stakeholders like authors Ed Jones and Carolyn P. Hartley call HIPAA an “investment in the future of your practice” much like I would advise people to be wary of a dentist who sells cosmetic veneers by calling it an “investment in your smile!” All too often it turns out to be an investment in the dentist’s smile.
Unsupported Claims
Contrary to the authors’ unsupported claims in the Introduction of “The ADA Practical Guide to HIPAA Compliance,” there is no evidence that electronic technology saves time, increases revenues or improves workflow in dental offices. And even though Jones and Hartley mention “investment” numerous times in their HIPAA guide, how smart is it for a dentist to sink money into expensive electronic technology that demands mind-numbing documentation (even if it’s done on a computer); that exposes a practice to government inspections which carry liabilities up to $1.5 million even before state attorneys general get involved; that endangers the long-term welfare of both the dental practice as well as dental patients, and that promises no financial return? So just how smart is a HIPAA investment in the future of one’s practice?
Disaster Recovery
I wasn’t far into Jones and Hartley’s imaginative guide to HIPAA compliance before reading other long-since rejected selling points that are so lame that even rookie eDR vendors know better than to attempt them. The authors’ naïve claim of the digital advantage of easier “disaster recovery” from a fire or hurricane is a good example of ADA-approved HIT fiction. Just ask yourself why disaster recovery was hardly a concern throughout the history of dentistry until the ADA leadership mindlessly bought in to promoting paperless practices and suddenly needed selling points in the worst way.
ADA Slogan
“Dentistry is healthcare that works”.
Beware
Any time dentalcare stakeholders trot out solutions, before asking the price, dentists should determine that there is indeed a corresponding problem that needs to be solved. Here is a simple marketplace test of Jones and Hartley’s disaster recovery claim: Which is cheaper: Disaster recovery insurance or data breach insurance? Common sense says that dentists’ offices are much more likely to be hit by burglars than fires and hurricanes. When burglars break into dentists’ offices, they don’t go for filing cabinets and ledger cards. They steal computers that can contain thousands of patients’ identities. As for the small percentage of US dentists whose offices are located in coastal cities and vulnerable to hurricanes, perhaps those dentists should maintain both digital and paper patient records. After all, which kind is easier to read during power failures that are common with hurricanes as well as ice storms – which occur much more frequently and throughout the nation? What’s more, pegboards and ledger card boxes in a paper-based practice are not only hack-proof, but their use is unaffected when Internet servers go down, or are hacked. Confused yet?
“You may decide to engage a technology consultant at some point, but after reading this book, you’ll have specific reasons for that engagement.”
Still Not a Fan
I’m not a fan of creative writers Ed Jones and Carolyn P. Hartley’s style of humor, but I needed a few continuing education credits and decided to pick up 8 easy hours through the ADA by purchasing their HIPAA guide and accompanying test. After finally conquering the first 2 bureaucratic-tedious chapters, it’s a pretty sure bet that I’ll try to wing it on the test long before getting through all 360 pages – many with footnotes even.
In the Minority
I think studying for a CPA exam would be more riveting reading for me, as well as perhaps more meaningful for my dental patients – even if I were a HIPAA-covered entity. But since I’m one of the 4% of dentists in the nation who still doesn’t store or transmit patients’ protected health information (PHI) in slippery digital form, I never have to worry about attracting a subjective inspection because of my highly visible opinions about the absurdity of HIPAA in dentistry. Fines for being “willfully negligent” start at $50,000, and my transparent lack of respect for the Law would understandably trigger an inspection if I were a HIPAA-covered entity.
HIPAA Flexibility
On the other hand, since the HIPAA Rule is “flexible” by design, and HIPAA-covered dentists can be charged with huge fines – the other 96% of dentists in the nation who use computers in the business office have good reason to be careful about exercising their basic freedoms in the land of the free. It’s easy to see why covered entities aren’t complaining. Not to worry. As always, Proots has your six, good buddy. Are flexible laws really in American citizens’ best interest?
Although authors Jones and Hartley repeatedly point out that the HIPAA Rule’s flexibility is its beauty – even to the extent of allowing dentists to decide whether or not to notify their patients of a breach – dentists simply must be warned of the dangers that are inherent in vague laws: Flexibility for the dentist always means subjectivity for the inspector. History has shown us that subjectivity is dangerous in the hands of poorly-trained people with badges working on commission. The odds of fair treatment following even a self-reported data breach are not in a dentist’s favor. Even the simplest investigation by HHS representatives will cost a dentist at least $100 – even if the dentist is determined to be innocent of a baseless complaint – perhaps filed by a disappointed patient or employee.
Investigations and Violations
“Violation Category (A) Did Not Know: For a violation in which it is established that the Covered Entity did not know and, by exercising reasonable diligence, would not have known the Covered Entity violated such provision [$100-$50,000 per violation].” Chapter 2, page 20. HHS Secretary Kathleen Sebelius promised Congress that she intends to efficiently investigate every complaint against providers and vows to stop data breaches through stricter enforcement of the (hazy) HIPAA Rule – starting real soon. How is that not tyranny?
HITECH Subjectivity?
The ADA’s guide to HIPAA compliance has reaffirmed to me that HITECH HIPAA is a subjective law designed for abuse by those who created it. What’s more, eDRs provide NOTHING to dental care that has not been adequately and safely handled by conventional means of communication for decades at far lower costs. Sooner or later, the sudden news about HIPAA’s absurdity in dentistry is going to hit the HIT market like a brick. Following that flash of honesty, anyone who doesn’t agree that HIPAA is absurd in dentistry will do so at risk of snickers. So how complicated is compliance?
Chapter One: Dentist’s Obligations
Chapter 1, page 1: “This book is concerned with only a portion of [Public Law 104-191]: Subtitle F — Administrative Simplification, hereinafter referred to as ‘HIPAA.’” Later in Chapter 1, Jones and Hartley use a paragraph to describe dentists’ obligations.
“Adopting Health IT presents challenges as well. For example, a dental practice must research and evaluate available systems, assess the current and foreseeable needs of the practice, negotiate the terms of the contract for the system and related services, including items such as the cost and availability of tech support, the number of licenses and authorized users that the contract will include, and the hardware and software features that enable HIPAA and HITECH compliance. Time and energy must be devoted to training staff to use the electronic health record system. A dental practice adopting an electronic health record should consult its attorney both with regard to the acquisition itself (including any contracts, licenses, and other legal documents) as well as with regard to the legal implications of using an electronic health record (for example, the dental practice should understand what will constitute the legal record and how the electronic health record would affect document retention requirements). A dental practice that intends to take advantage of the HITECH Act Medicare or Medicaid reimbursement incentives must understand and stay abreast of developments regarding the incentives, such as the qualifications of an “eligible provider,” how to demonstrate compliance with the “meaningful use” criteria, how reimbursement incentives will be structured, and certification criteria of dental information systems.”
Now do you see why the name “HIPAA” works better for stakeholders than “Administrative Simplification”?
HIT Rot
As another illustration of how effectively stakeholders have hidden rot in HIT, the most common misspelling of HIPAA is “HIPPA,” and most consumers trustingly assume at least one of the Ps stands for “Privacy.” HIPAA hasn’t been about patient privacy since it was amended 8 years ago, and the P stands for “Portability.” And boy-howdy are digital records ever portable! HIPAA has ceased to be a benevolent law for Americans. It’s become instead a bi-partisan plan to take control of healthcare from healthcare principals and award it to healthcare stakeholders such as the HIT industry.
Assessment
“You’ll spend a good amount of time implementing the Security Rule in your dental practice, but it’s the maintenance measures that will keep you in compliance.” This is a beautiful, meaningless point, Ed Jones and Carolyn P. Hartley.
More on the ADA’s HIPAA guide
So you think you’re HIPAA compliant? Have you conquered Chapter 4 yet?
“ADA Tip: Remember, the Security Rule provides your practice with ‘flexibility of approach’ that allows your practice to reasonably and appropriately managing your risks, taking into consideration, amongst other factors, the size of your practice and costs of security measures.”
The comfort one may feel from HIPAA’s flexibility concerning costs of security measures is not unlike the comfort of an untested, cheap parachute.
I know dentists. And I know that even though “The ADA Practical Guide to HIPAA Compliance” by Ed Jones and Carolyn P. Hartley has been out for a year, I bet less than a dozen practicing dentists in the nation have made it to Chapter 4: “Administrative Safeguard Standards: HIPAA Security Rule.” The threatening and time-consuming (mostly irrelevant) HIPAA demands in the fourth chapter are at least as tricky as those in the first three.
Have you yet recognized that neither Mr. Jones nor Ms. Hartley has a background in the dental industry? It shows. First of all, the two naïve authors of the ADA publication appear to assume that the majority of individual dentists in small practices are going to be willing or even capable of avoiding multiple HIPAA violations in the unfortunate event of an inspection. That’s as unrealistic as expecting the majority of new patients to actually read their Notice of Privacy Practices and floss after every bite.
The documentation demands of HITECH HIPAA alone are so tedious that even the most security-conscious / security-effective dentists in the nation should expect to be at the mercy of HHS inspectors. My recommendation is to treat them with the respect one treats any potential tyrant with an advantage and you might get away with paying only the $100 minimum for the encounter.
Like all other clueless HIT stakeholders before them, Jones and Hartley still don’t understand that if dentists were to actually spend the amount of non-productive time it takes to become HIPAA inspection-ready, the cost of dentistry would increase accordingly and even more children would go to bed with toothaches. And for what? What’s Hippocratic about wasting dentists’ time with details of admittedly questionable value that have nothing to do with improving patient care? How dare you, Jones and Hartley!
“ADA Tip: As a deterrent, periodically include a description of the practice’s sanction policy for a workforce member’s failure to comply with provisions of the Security Rule in your practices Security Reminders, which are an addressable Implementation Specification required under the Security Awareness and Training standard.”
Go ahead. Be a HIPAA hero starting tomorrow. If your practice is like mine, that could make for a long Monday. Even the ADA is out of touch with reality.
D. Kellus Pruitt DDS
Is “encryption of PHI” discussed in dentistry?
From the first chapter of “The ADA Practical Guide to HIPAA Compliance,” by Ed Jones and Carolyn P. Hartley, the authors who are from outside the dental profession, are persuasive in selling their arguments for dentists to encrypt their patients’ protected health information (PHI) – regardless of cost and inconvenience. At the same time, they repeat their assurance that the HIPAA Rule is wonderfully flexible… like a cheap parachute:
“You will see in the discussion concerning encryption in Chapter 6 (Technical Standards) that if you decide that encryption is not reasonable and appropriate for safeguarding your electronic protected health information, you will have to document the reasons for your decision. Such a choice may be difficult to justify, especially with the growing use of portable and mobile electronic media in the healthcare workplace environment.” – Chapter 1.
Since data breaches of patients’ PHI from healthcare facilities continue to increase at an alarming rate, it is naturally prudent for dentists to find out more about encryption. In the summary of Chapter 1, Jones and Hartley further warn:
“Providing notification to the appropriate parties in the event of a breach of unsecured protected health information may be costly to relatively small dental practices. It may be more cost-effective to encrypt your practice’s protected health information at rest and in motion, and on any portable or mobile devices used outside of the practice. Consider the cost and benefits of encryption in your risk analysis.”
So if I were to want to consider the cost and benefits of encryption as Jones and Hartley suggest, who should I turn to for answers? This morning, I googled “dentistry encryption,” and didn’t even come up with Google ads for a product. I think that’s a good sign that encryption software is not being sold to very many dentists. It would certainly be helpful for consumers to know what percentage of dental patients’ PHI are encrypted. However, that kind of information isn’t being shared by HHS Secretary Kathleen Sebelius, even though someone in that department knows that number. I would guess that less than 5% of patients’ PHI in dental practices is encrypted. I bet less than 10% of physicians’ data are encrypted. Maybe I’m wrong. Even that would be nice to know.
Over the last few years, I’ve also asked numerous eDR vendors about the viability of encryption, but they continue to be evasive – as are the leaders of the ADA. A person who is unfamiliar with the ADA’s way of handling mistakes might find my accusation of evasion surprising considering the “ADA Tip” about encryption in Chapter 6: “Any portable workstation containing electronic protected health information, used in the practice or taken out of the practice by an authorized user, must have appropriate encryption to ‘secure’ that information, as outlined in the Breach Notification Rule Guidance.”
So you tell me, why do ADA leaders encourage members to encrypt, yet refuse to answer my questions about it?
I’ve discovered that the leadership of both the ADA and my state organization evade all discussion about HIPAA. In fact, I remember a few years ago that the president of my dental society even published a note in the society newsletter in response to numerous local questions about the NPI number that he couldn’t answer. He simply asked everyone to please quit asking questions about it. Even though I wasn’t one of the local dentists who asked him about the NPI, perhaps I owed it to my patients to pressure the elected leader for answers. But like everyone else, I obediently complied with him because he’s such a nice guy. That hesitancy makes me an accomplice to the ADA’s HIPAA blunder.
So if I cannot obtain information from Google, the HHS, encryption vendors or the ADA, what about my colleagues around the nation? After all, 96% of dentists are HIPAA-covered entities and about half of them obediently volunteered for NPI numbers following encouragement by the ADA – not unlike the ADA’s encouragement to encrypt and not ask questions.
Yesterday, I posted the following question about encryption of patients’ protected health information on several Facebooks – including a couple of industry news sites, an eDR vendor, a couple of HIT and HIPAA sites and a few state ADA-affiliated state dental organizations:
“I’m currently reading “The ADA Practical Guide to HIPAA Compliance” by Ed Jones and Carolyn P. Hartley for a CE course. Numerous times they recommend that dentists encrypt their patients’ digital records. Does anyone have an idea of what percentage of dentists currently encrypt, how much it costs and if it is an inconvenience?”
Not a word of advice from even people who know nothing about me.
Authors Jones and Hartley continue: “The Breach Notification Rule Guidance specifies technologies and methodologies to ‘secure’ electronic protected health information on these portable electronic media via encryption, so that such information is ‘unusable, unreadable, or indecipherable’ to an unauthorized user. If appropriate encryption is enabled on these devices and the devices are lost or stolen, then the practice may not have to provide the potentially time consuming and expensive notifications described in the Breach Notification Rule.” – Chapter 6.
Ed Jones and Carolyn P. Hartley, as well as leaders of the ADA, repeatedly exhibit the expected level of ignorance of a community they are not a part of and don’t understand.
D. Kellus Pruitt DDS
So how’s that encryption idea going, Jones and Hartley?
“ADA Tip: Any portable workstation containing electronic protected health information, used in the practice or taken out of the practice by an authorized user, must have appropriate encryption to ‘secure’ that information, as outlined in the Breach Notification Rule Guidance.” (no byline) From “The ADA Practical Guide to HIPAA Compliance,” by Ed Jones and Carolyn P. Hartley.
HIPAA stakeholders like Jones and Hartley, as well as the anonymous ADA official who provided the advice, make it sound like encryption is very important in dentistry. However, starting two days ago, I futilely posted the following question on more than a dozen dentistry-related Facebook pages: “I’m currently reading “The ADA Practical Guide to HIPAA Compliance” by Ed Jones and Carolyn P. Hartley for a CE course. Numerous times they recommend that dentists encrypt their patients’ digital records. Does anyone have an idea of what percentage of dentists currently encrypt, how much it costs and if it is an inconvenience?”
Yesterday morning, I even posted the question on the Dentrix Facebook and the Dentrix Study Club Facebook. Dentrix is the most popular dental software in the nation. Since “encryption” is mentioned dozens of times in the ADA “practical” guide to HIPAA compliancy, including advice to encrypt in numerous “ADA Tips” like the one above, one would assume that someone in the real world would have an opinion about it. Yet nobody from Dentrix has replied either.
If encryption is so vitally important for maintaining the security of dental patients’ identities in the US, how come there are only three encryption advocates serving the entire dental profession: HIPAA experts Jones and Hartley and the anonymous ADA official who provided advice in “ADA Tips”? As you read the biographies of the authors, watch for the possibility that at least two thirds of the time, HIPAA secures the jobs of CEOs more than the identities of dental patients.
Ed Jones, Managing Member and CEO of CornichonHealthcare Innovations, LLC:
“Ed is a leading authority on healthcare privacy and security, insurance, electronic remittance/payments, and electronic health records issues. He was a founding commissioner of the Electronic Healthcare Network Accreditation Commission (EHNAC) and served as the Chair of the Workgroup for Electronic Data Interchange (WEDI), an organization with over 300 corporate and government healthcare industry stakeholders that serve as an advisor to the US Secretary of Health and Human Services under HIPAA. He also served as a senior executive with a NYSE healthcare benefit and property & casualty reinsurance holding company, and co-founded a successful medical claims review software company.
Ed is the Manager of CornichonHealthcare Innovations, LLC, and owns and manages a consulting company that provides healthcare information technology solutions for healthcare industry stakeholders, including financial institutions, healthcare providers, and health plans. He also is a cofounder and President of HIPAA, LLC, an online HIPAA/HITECH Act resource site (HIPAA.com) and provider of online HIPAA/HITECH Act training solutions to the healthcare industry through HIPAA School
Ed is co-author of six books for the American Medical Association—four on HIPAA, including the new second edition of HIPAA Plain & Simple, and two on implementation of electronic health records (EHRs). In addition, he has co-authored two books for the American Dental Association, including the new ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit.”
– From CornichonHealthcare Innovations, LLC Website
Carolyn P. Hartley, President and CEO of Physicians EHR Inc.:
“Carolyn P. Hartley serves as provider/clinic advocate, managing the EHR implementation process. She and her EHR project management team oversee the complex paper to paperless migration for clinics in 17 states, and also serve as EHR technical advisor to national and state medical societies and quality improvement organizations. She also served on the Technical Advisory Panel for the Health Information Security and Privacy Collaborative (HISPC), funded by the Office of the National Coordinator (ONC).
Carolyn readily shares her implementation knowledge in day-to-day EHR projects with audiences, and in publications. She is co-author of 15 textbooks published by the American Medical Association, the American Dental Association, the American Society of Clinical Oncology, and the American Gastroenterological Association on HIPAA Privacy, Security, and EHR Implementation. She is a recipient of the distinguished Silver Anvil award for communications and Leadership award from the Points of Light Foundation.
She holds a Master of Liberal Arts degree from Baker University with an emphasis in medical anthropology.”
– From Physicians EHR Website
http://www.physiciansehr.org/index.asp?PageAction=COMPANY
ADA contributor to the HIPAA guide – Unknown
The name of the author of the “ADA Tips” was not revealed in the credits. Instead, there was this disclaimer: “The American Dental Association designed this ‘ADA Practical Guide to HIPAA Compliance Privacy and Security Kit’ to assist dental practices in developing their HIPAA compliance programs. In making these materials available, the ADA does not, nor does it intend to, provide either legal or professional advice. Nothing here represents ADA’s legal or professional advice as to any particular situation you may be facing. To get appropriate legal or professional advice, you need to consult directly with a properly qualified professional or with an attorney admitted to practice in your jurisdiction.”
Do you know the difference between a tip and advice? Accountability.
“Nothing here represents ADA’s legal or professional advice as to any particular situation you may be facing.” Really? There are 62 “ADA Tips” scattered throughout 360 pages of the HIPAA guide, and not a one of them could possibly be considered professional advice from the ADA, even though they are anonymous? Anonymous advice (and even “tips”) cheapen ADA publications by giving the appearance that at least one ADA official involved in Health Insurance Portability and Accountability Act avoids accountability.
D. Kellus Pruitt DDS
Will common sense crush HIPAA in dentistry?
Yesterday, President Obama revealed belated Main Street common sense concerning government regulations in an opinion piece in the Wall Street Journal:
http://online.wsj.com/article/SB10001424052748703396604576088272112103698.html?mod=WSJ_hp_LEFTTopStories
“From child labor laws to the Clean Air Act to our most recent strictures against hidden fees and penalties by credit card companies, we have, from time to time, embraced common sense rules of the road that strengthen our country without unduly interfering with the pursuit of progress and the growth of our economy.
Sometimes, those rules have gotten out of balance, placing unreasonable burdens on business—burdens that have stifled innovation and have had a chilling effect on growth and jobs. At other times, we have failed to meet our basic responsibility to protect the public interest, leading to disastrous consequences.”
I’ve always said that HIPAA will fail in dentistry first.
I copied below a single, long paragraph embedded deep in Chapter 1 of “The ADA Practical Guide to HIPAA Compliance”:
“Adopting Health IT presents challenges as well. For example, a dental practice must research and evaluate available systems, assess the current and foreseeable needs of the practice, negotiate the terms of the contract for the system and related services, including items such as the cost and availability of tech support, the number of licenses and authorized users that the contract will include, and the hardware and software features that enable HIPAA and HITECH compliance. Time and energy must be devoted to training staff to use the electronic health record system. A dental practice adopting an electronic health record should consult its attorney both with regard to the acquisition itself (including any contracts, licenses, and other legal documents) as well as with regard to the legal implications of using an electronic health record (for example, the dental practice should understand what will constitute the legal record and how the electronic health record would affect document retention requirements). A dental practice that intends to take advantage of the HITECH Act Medicare or Medicaid reimbursement incentives must understand and stay abreast of developments regarding the incentives, such as the qualifications of an ‘eligible provider,’ how to demonstrate compliance with the ‘meaningful use’ criteria, how reimbursement incentives will be structured, and certification criteria of dental information systems.”
It looks to me like authors Ed Jones and Carolyn P. Hartley, who make money promoting HIPAA in dentistry, wanted to get the nasty bolus of bad news about eDRs out as quickly and efficiently as possible. I think the HIPAA advocates’ carefully-chosen words concerning a profession they know nothing about prove that HIPAA in dentistry is exactly the kind of regulatory nonsense Obama is talking about. Yet the President still has no clue about how poorly the grandest farce in the history of healthcare is being played out in dental offices. Won’t he be surprised!
Unfortunately, neither HHS nor the ADA offer estimates of how much these intricate HIPAA tasks cost dentists (read “dental patients”). HIPAA is a bad idea with bi-partisan momentum that also swept up ambitious leaders in dentistry. Flaws in the Rule, such as the unacceptable expense, have never been acknowledged by stakeholders who stand to gain from the complicated mandate.
Forever-anonymous ADA officials who endorse the embarrassing HIPAA Guide are guilty of deceiving ADA members into performing the ineffective, non-productive busywork warned about by President Obama and described in detail (very quickly) by Jones and Hartley. And for what? “Mandated” eDRs are unwanted by dentists even before HIPAA inspections start later this year.
So how deeply have careless ADA leaders committed my profession to the historic blunder? In a September 2008 interview with ADA Reporter Judy Jakush a month before ADA President-elect Dr. John Findley took office, he said, “The electronic health record may not be the result of changes of our choice. They are going to be mandated. No one is going to ask, ‘Do you want to do this?’ No, it’s going to be, ‘You have to do this.’” His campaign slogan was “Findley for our Future!” Let’s hope not.
I’d offer a link to the interview, but within the last year, Dr. Findley’s non-Hippocratic capitulation to the interests of HIT stakeholders has been deleted from the ADA News Archives. It still exists on paper though. I call that redemption.
Do you know the most frequent complication that arises when a dentist extracts a molar with forceps designed in the 1930s? Successfully getting the insurance company to pay their full part of the bill in a timely manner. EDRs and HIPAA compliance will only make the delays worse for natural economic reasons: It costs Delta Dental much less to email a notice of delay of payment than to send a letter. And as interest rates rise, those delays will be especially painful for healthcare principals.
“We’re also getting rid of absurd and unnecessary paperwork requirements that waste time and money.” President Barack Obama
I think most of us recognize that nothing about HIPAA improves dental care. But to be fair, I must warn you that if you’re an ADA member, be careful where you post such opinions. Speaking the truth on the Internet about regrettable decisions made by misinformed ADA leaders can get one kicked out of the organization and nobody can force them to tell you why.
D. Kellus Pruitt DDS
Oh my! What dentists don’t know about HIPAA!
This weekend, I warned of imminent federal enforcement of overwhelming Meaningful Use requirements for dentists with EDRs. So far, I have received a few positive public responses to my challenging statements, yet nobody has said I’m wrong even privately. What do you think that means?
Since I alone am responsible for virtually all reporting about HIPAA in dentistry (any arguments?), and I only reach a couple of dozen friends and relatives, I’m fairly certain this weekend was the first time the vast majority of you with NPI numbers even heard of Meaningful Use, and that if you aren’t in compliance by 2012, payment for services could suffer. What else do you not know about HIPAA?
Have you heard about HIPAA 5010? Today the AMA published “Not e-claim compliant? Expect no pay in 2012,” written by Emily Berry, amednews staff.
http://www.ama-assn.org/amednews/2011/04/25/bil20425.htm
“On Jan. 1, 2012, if physicians’ practice management systems are not up to new standards, they will risk not getting electronic payments from private insurers and Medicare.”
Because image-conscious leaders in the dental industry continue to be professionally silent about the absurdities of ADA-approved HIPAA, one might not realize that these are old, unresolved issues in dentistry. In January 2009, President Bush agreed with the AMA to move the HIPAA 5010 deadline back from April 1, 2010, to Jan. 1, 2012, and removed all clauses in the law which said “except for dentists.”
Just kidding about the exception. Dentists have always been included in the insurance-friendly, one-size-fits-all HIPAA plans.
I’m curious. How much did the ADA officials tell you about the NPI number when they joined Delta Dental and BCBSTX in encouraging you to volunteer for one? Didn’t ADA News say the arbitrary 10-digit numbers are simply for our “convenience”? Doesn’t that deception piss you off just a little bit?
I bet if the ADA were as transparent with members 7 years ago as they will be in a few months, you wouldn’t have an NPI number, Bush would have given us an exception, and American dental patients would have been better off.
D. Kellus Pruitt DDS
HIPAA compliance just got more expensive
“The Department of Health and Human Services (HHS) Office of the Inspector General (OIG) raises critical red flags over current attempts to protect electronic health records (EHRs) and health data.” – Janice Simmons, FierceEMR, 5/18/11.
http://www.fierceemr.com/story/oig-calls-onc-it-security-controls-poor/2011-05-18
In the audits of 7 hospitals, OIG found 151 vulnerabilities that placed the “confidentiality, integrity and availability” of patients’ information at risk to being illegally accessed by outsiders as well as employees without the hospitals’ knowledge.
Just because I’m the only dentist in the nation willing to openly discuss HIPAA doesn’t mean it went away. How secure are your patients’ PHI? Wouldn’t it be great if all you had on your computer was arbitrary, in-house reference numbers rather than names, addresses, social security numbers, birthdates and even insurance identities?
D. Kellus Pruitt DDS
Is HIPAA worth the cost to dental patients?
Value = Quality / Price. So how valuable is HIPAA to Americans who unwittingly pay its price and experience its quality? Does it work as intended?
A recent study performed by the Ponemon Institute suggests that HIPAA is a waste of healthcare dollars even if compliancy was free. According to Dr. Larry Ponemon, chairman and founder:
“Our survey research provides evidence that many organizations are ill-equipped to prevent cyber attacks against networks and enterprise systems. This study suggests conventional network security methods need to improve in order to curtail internal and external threats.” (from “Ponemon Institute Survey Finds 90 Percent of Businesses Fell Victim to Cyber Security Breach at Least Once in the Past 12 Months,” Marketwire Press Release, June 22)
http://www.marketwatch.com/story/ponemon-institute-survey-finds-90-percent-of-businesses-fell-victim-to-cyber-security-breach-at-least-once-in-the-past-12-months-2011-06-22
So if the threat from cyber attacks is almost a statistical certainty these days even for dentists with swell passwords, would you say the tedious documentation of busywork to remain HIPAA compliant is worth its cost for small businesses with 2 to 4 employees – like the majority of 170,000 dental practices in the nation? Long before dentists were encouraged by the ADA Department of Informatics, BCBSTX and Delta Dental to volunteer for permanent NPI numbers, someone in the dental industry should have simply asked, “How much can we expect HIPAA to raise the cost of an extraction?”
As incredibly irresponsible as it appears, if health IT stakeholders calculated dentists’ cost to be compliant beyond $220 for “The ADA Practical Guide to HIPAA Compliancy” (on sale now at ADA.org), nobody is giving away that information. The ADA.org isn’t even selling it. One could say the cost of HIPAA compliancy for dentists is “open-ended,” and with publishing costs becoming more and more expensive, the sale price for the detailed 360 page “Practical Guide” will end soon.
Dentists should be thankful that the telephone, fax and US Mail are sufficient for our communication needs should the cost of HIPAA force us to abandon maintaining patients’ digital PHI on office computers. What’s more, one doesn’t have to be a HIPAA-covered entity to use traditional communication tools that are also much cheaper than digital.
In addition, if a dentist isn’t a HIPAA-covered entity, there is no fear of an inspection by HHS or the state attorney general’s office should someone – anyone – turn a dentist in for a suspected HIPAA violation. Did you know that an inspection will cost a dentist $100 even if the allegations are found to be baseless? It’s my guess that when the word gets out, disgruntled former employees and/or patients will find HIPAA much more satisfying than the local Better Business Bureau.
D. Kellus Pruitt DDS
HIPAA is now too costly for Texas dentists
The ever-increasing cost of HIPAA compliance has priced electronic health records out of Texas dental practices. Long ago, I tried to warn the Texas Dental Association this was going to happen, but my designated representative wasn’t interested. “Nobody in Austin is concerned about HIPAA.” – TDA, February, 2006. He eventually called me unprofessional for my persistence.
It was the shy leaders of the Texas Dental Association who anonymously promoted HIPAA compliancy to members while hiding from discussion of the absurdity just like my TDA rep. So what is the TDA Board going to do about their blunder now? Can anyone, anywhere in Texas answer this question? Where’s the leadership, TDA Board? Nobody is telling your story.
According to a popular, feel-good but impotent law Governor Rick Perry recently signed, as of September 1, 2012, HIPAA-covered entities in Texas not only can be fined up to $3 million for HIPAA violations, but can also lose their license to practice in Texas. (See “New Texas health care privacy law more stringent than HIPAA” by Linn Freedman and Christopher Browning)
Click to access HIPAA_Alert_07_21_2011.pdf
Since Texas has adopted the most stringent privacy law in the nation with the most costly consequences for HIPAA violations, and 95% of dentists are HIPAA-covered entities, will this make dental care in the state cheaper or more expensive for 95% of Texans?
Increasing the cost of dentistry for even good ideas causes more children to go to bed with toothaches. And for what? EDRs are not only more expensive than paper dental records, but they are also more dangerous to both dentists and patients.
Since I no longer receive Texas Dental Association publications, I have to wonder if TDA leadership has started being honest with members about the increasingly expensive new demands for maintaining patients’ information digitally. I’m certain it’s going to be difficult for more than one of them to admit their careless mistake. But that’s personal accountability. If such transparency hadn’t been conveniently avoided for decades by TDA officials, Texas dentists wouldn’t be in this mess. There is no leadership in Texas dentistry. Please, oh please – someone prove me wrong!
From what I can tell, once otherwise rational adults with post graduate degrees are “vetted” TDA officials, critical thought ceases and committee-approved talking points take over. But thankfully for the safety of dental patients in Texas, the TDA’s irrelevant “one voice” rarely makes it outside Austin Headquarters any more. My pleasure.
Talk to me, TDA Board. I’m not going away, and you are obliviously fading fast.
D. Kellus Pruitt DDS
“Health Law Alert: Why You Need to Worry AGAIN about HIPAA: Seven Practical Tips in the New Electronic Age”
http://www.jdsupra.com/post/documentViewer.aspx?fid=0b28430c-61a9-4a1c-aca4-514764015ace
“Act Now – Now is a good time for covered entities to reconsider and reinforce privacy basics with workforce members. More government agencies, such as the OIG, State Attorney Generals and the FBI, are becoming involved in privacy enforcement. New regulations are on the horizon. It is time to dust off the old policies and get ready for this new electronic age.”
HIPAA’s non-productive costs continue to rise, sports fans.
D. Kellus Pruitt DDS
Cignet Health
A HIPAA-covered entity challenges HHS Secretary Sebelius’ authority – One shouldn’t mistake the silence in dentistry to be a sign that interoperable EDRs are coming online smoother than expected, on schedule and according to an ADA committee’s well-considered plans. That would be incorrect.
Does it seem odd to anyone out there that even EDR vendors have stopped marketing their products? And where are those unresponsive ADA officials who pushed members into adopting paperless practices? The same trusted dental leaders also persuaded obedient, dues-paying members to quickly volunteer for (permanent) NPI numbers – without giving a credible reason. Have you figured out that mystery yet, Doc? Whom does the NPI number help? Here’s another hint: P4P.
Now that becoming paperless has become a questionable business move for dentists – considering the dangers as well as the lack of a return on investment – shouldn’t those same ADA officials re-join our community, grab a handful of personal accountability and finally answer dentists’ questions? Or maybe they should just resign.
Let’s face it. If I wasn’t posting news about the progress of EHRs in dentistry, there would be no news at all. Here’s some fresh news that stands a good chance of affecting the adoption of EHRs in dentistry. It was posted only a couple of hours ago:
“Feds Go to Court to Collect First-Ever Fine for HIPAA Violations” (no byline)
http://aishealth.com/archive/hipaa0811-06
“In February, the Office for Civil Rights imposed a $4.3 million fine on a Maryland medical group that had refused to honor 41 patients’ requests for their medical records, and then had them unceremoniously deliver some 4,500 patient files to the lobby of a Department of Justice building in Washington, D.C.
The fine was the first instance in which OCR had been unable to broker a resolution agreement with an errant covered entity, and the agency was in disbelief that representatives of Cignet Health, of Temple Hills, had not responded to OCR or even attended court hearings…”
There is only one way to describe this collision between healthcare principals and stakeholders: The Cignet medical group is thumbing its nose at HHS Secretary Kathleen Sebelius and the US Government.
Anyone who is interested in how HIPAA will be enforced in dentistry in a few months should watch how this battle of wills plays out. I predict the entire weight of HHS will come down hard on Cignet with their ultimate nuclear accusation: “willful neglect.” What else can Sebelius do? There’s more. According to HITECH provisions, Maryland’s State Attorney General could get involved regardless of Sebelius’ reaction.
The future of HIPAA enforcement in healthcare, including dentistry, could easily hinge on the outcome of Sebelius vs. Cignet. It appears to me that if Cignet was going to lay down without a fight, they would have surrendered by now. That means Sebelius will probably try to scorch Cignet’s earth as a loud warning to providers who might otherwise challenge the authority of the HHS.
If Sebelius fails to respond decisively, it won’t affect dentists at all. But if Cignet surrenders to avoid bankruptcy, I’d expect many dentists to rush to become HIPAA compliant … for a few months.
D. Kellus Pruitt DDS
Henry Schein’s HIPPA consultant
Henry Schein bravely answers questions about HIPAA compliance
Yesterday, I suggested that there is not enough openness in dentistry. Nobody offered an opinion.
Nevertheless, I think one important issue in my profession that urgently needs more clarity is the value of HIPAA compliance to dentists and their patients. That is why I was happy to discover that this morning, Henry Schein’s Field Consultant Cliff Marsh invited discussion about HIPAA on Dentist Meeting Group Facebook.
https://www.facebook.com/groups/181304365261861/?view=permalink&id=213758288683135
“You need to start planning on securing your data base today. I am trained to identify HIPPA [sic] & OSHA violations and I see them in every dental office I walk into. For my clients I provide at no cost a basic regulatory compliance review. Please feel free to contact me at any time to schedule an evaluation.”
– Cliff Marsh, Field Consultant, Henry Schein Dental Company
(From “The HIGHTECH Act,” Cliff’s Notes blog, August 28th, 2011) http://www.cliffsnotesblog.wordpress.com/
Darrell Pruitt – Is HIPAA really worth the trouble, Cliff?
Cliff Marsh – It’s a defensive business position. The law is the law and you can leave yourself open to litigation. There are a lot of starving attornys [sic].
Darrell Pruitt – So you’re saying it doesn’t even matter if it’s cost-effective.
Cliff Marsh – It’s a cost of doing business. Speak with your insurance carrier to find out if your liability insurance covers defense costs. Also, you may want to check out the ADA website and serch [sic] NHII. There will be a lot more invoved [sic] in 3 years.
Darrell Pruitt – So how much does it cost?
Cliff Marsh – This is part of practice management. I would suggest contacting the Health Compliance Team & Dr. Don Cohen – doncohen@healthcomplianceteam.com
Darrell Pruitt – So do you know?
Cliff Marsh – It would all be relitive [sic] to the size of your practice.
Darrell Pruitt – How about a single dentist practice with 2,000 active patients? How much could I expect to have to spend on compliance?
Darrell Pruitt – Am I the first person to ask this question?
Cliff Marsh – A complete compliance review costs about $2,500.00. That would include staff training and certification. As far as the hard assets [sic] needed for compliance (ie software, & OSHA requierments [sic]) it depends on what you already have. The cost could be from as little as $100.00 to $20,000.00. On on-site evaluation needs to be done for exact figures.
Darrell Pruitt – So you say that from scratch, a dentist could expect to pay Schein $22,500 in the first year to become HIPAA compliant.
Darrell Pruitt – How much will the documentation of compliance cost in staff time for the first year?
————-
It’s been a couple of hours since the last question, and this is where my conversation with Mr. Marsh stands. Unlike lesser dental practice consultants, the Henry Schein Field Consultant appears confident enough in his expertise to answer questions about HIPAA that nobody else in the industry will touch.
I’m hoping to ask Cliff Marsh if the danger of sloppy handwriting in paper dental records is any worse than the danger of keystroke errors.
D. Kellus Pruitt DDS
Censorship – smoking gun
Censorship is a smoking gun. So who do you think fired the shot that knocked Cliff Marsh and me off of the Dentist Marketing Group Facebook Wall? An anonymous DMG moderator or Henry Schein Dental Supply Company?
https://www.facebook.com/groups/181304365261861/
————-
Dear Dentist Marketing Group moderator:
Yesterday, Henry Schein field consultant Cliff Marsh and I were having a straightforward and timely discussion concerning the HIPAA Rule of 1996, here on your Facebook. It was unprecedented in its openness. But now, the entire thread is gone. What happened to it?
For the first time ever, Schein revealed that they charge dentists over $20,000 to bring an average-sized practice into compliancy, yet their consultant hesitated to estimate the amount of staff time a dentist should expect to have to devote to proper documentation of HIPAA requirements in the first year. Although it surprised me that that field consultant wouldn’t know such information like the back of my hand, I was hoping to see his estimate this morning.
We’re fortunate that the story was picked up by the Medical Executive-Post which has over 300,000 readers. Otherwise Cliff Marsh’s estimates of Schein fees would have been forever lost to your 793.
Unless I’m told differently, I’m going to assume it was Marsh who deleted the thread. I can’t imagine DMG Facebook shielding a dental vendor even as prominent as Henry Schein from accountability for sales pitches it can’t back up.
Henry Schein’s resistance to transparency tells me that we are getting ever closer to the truth in dentistry concerning HIPAA.
D. Kellus Pruitt DDS
Henry Schein field consultant Cliff Marsh re-joins our discussion about the cost of HIPAA compliancy and now, censorship. Sport never gets better than this.
———-
Cliff Marsh – Dr. Pruitt, it was never stated that Henry Schein charges $20K for compliance. It was stated that compliance could cost from $100.00 to $20K depending on the office. The NHII, as of now will be part of compliance and digital records and digital transport of those records will requier [sic – I will no longer notate the author’s spelling and keystroke errors] software and digital images. If you don’t have software and you do not have digital capabilities, full implimentaiton (regardless of the vendor) may cost over $20k. It is all relitive to your existing infrastructure. As far as staff time, once again it is all relative to what has to be done and each situation needs to be evaluated “on-site” before any cost can be estimated. Henry Schein does not charge it’s clients for basic reviews. I hope I cleared up your mis-understandig, of my words. Henry Schein management is available at any time to discuss this with you. I can arrange that if you would like? Or, you can contact your local Hery Schein Branch and have someone meet with you. Please forgive my delay in responding to you, here in Northern NJ we are cleaning up after the storm.
Darrell Pruitt – Thanks for responding, Cliff Marsh. But before I devote more of my time to the important question concerning the cost of HIPAA compliance on this Dental Meeting Group Facebook, I must know if it was you or the moderator who was responsible for deleting our earlier conversation.
I’m sure you agree that there is no benefit in wasting any more of our time in conversation if it’s going to suddenly disappear without warning or explanation. In addition, if the moderator is responsible, her readers certainly deserve to know about it. Just give the word, and I’ll never return to this DMG Facebook.
Cliff Marsh – Dr. Pruitt, I have no reason or ability to to remove any conversations that I am involved with from any social media, nor do I know how, who what, where or why it is done. As far as HIPAA, I suggest you contact your local dental society, they are in-tune with the situation.
Darrell Pruitt – Actually, I’d like to continue our transparent conversation about the cost of HIPAA to dentists. And as you certainly must know by now, there are several other dentists around the nation who also want to hear what Schein’s HIT team has to say. When you suggested that my local dental society is in-tune with the situation, I giggled. Trust me, Cliff. Even ADA Headquarters in Chicago is clueless about the information you have to offer. Besides that, you are the only expert in the nation confident enough to discuss HIPAA publicly. That makes this an exciting professional opportunity for you as a HIPAA field consultant.
I think you’d have to agree that we were making unprecedented progress before our conversation was rudely terminated. You said that you didn’t censor our conversation, and I sure didn’t. That can only mean that it was a foolish, anonymous moderator with DMG who treated you, me, Henry Schein and 793 Dentist Meeting Group fans with inexcusable disrespect. I’m sure you and other Henry Schein officials detest censorship as much as all Americans do. Am I right, Cliff?
So should we continue our discussion somewhere else, or remain here and risk our conversation being deleted? It’s up to you. I know of several other venues that will never censor us – including the Medical Executive-Post which has over 300,000 readers. I shouldn’t have to mention that such readership could not only be great publicity for Schein’s HIT program, but it would also increase your name’s SEO juice on the internet. Our conversation could even appear on your first page of an internet search of “Cliff Marsh.”
You call it, Cliff. It’s your destiny.
D. Kellus Pruitt DDS
Anonymous Censorship
An anonymous Dentist Meeting Group Facebook moderator censored Cliff and me again! Don’t you know Cliff is pissed as well?
However, I’m still not blocked from posting my opinion on Dentist Meeting Group Facebook (not yet), and I suppose Cliff can still respond as well. Let’s see what can I stick on the Wall? Maybe the Schein rep will join in. I’m sure everyone agrees that we must discourage anonymous censorship in our community.
—————-
Dear Dentist Meeting Group moderator:
As you and your readers know, on your Facebook, a desperately needed discussion is struggling to take place between me and a Schein Dental Company HIPAA consultant concerning what a dentist should expect to have to pay to become compliant, but it keeps disappearing.
As a dentist, I find the capricious deletions very frustrating and I know consultant Cliff Marsh and other Schein Dental executives are also not happy with your censorship. After all, our groundbreaking discussion of the mandate started following an ad for his services which you also deleted: “You need to start planning on securing your data base today. I am trained to identify HIPPA & OSHA violations and I see them in every dental office I walk into. For my clients I provide at no cost a basic regulatory compliance review.”
Later in our conversation, Marsh estimated that a dentist could expect to be charged somewhere between $2,500 and $20,000 by Schein or any other dental company to be brought into compliance. Before our conversation was interrupted, he was on the verge of telling us how many staff hours dentists could expect to devote to the effort. Why would you want to stand in the way of that information, Anonymous? (Do you have a name?)
You may not realize it, but Cliff’s quote is the very first professional cost estimate for HIPAA in dentistry EVER. I cannot understand why you would consider hiding this very important information from your 793 readers. What do you have against Cliff Marsh and Schein Dental Company?
I know several of your Facebook fans. Even though dentists are unlikely to say a thing, trust me when I assure you that they want the information you censor as much as I do. Why would anyone want to make so many enemies in the dental industry, Anonymous?
I’d like to speak with your supervisor, please.
D. Kellus Pruitt DDS
DMG Responds and Blocks
Before I leave to golf, I just have to say that this has been a really fun day for playing internet games! I won big today. The DMG Facebook moderator blocked me from even viewing his Facebook rather than admit to hiding information from Schein about the cost of HIPAA to dentists (patients).
I am discovering that those who would limit this dentist’s speech to protect fellow HIT stakeholders from embarrassment still just don’t get it when it comes to the pervasive transparency of social networks… like this. I don’t know about you, but I find that humorous.
When are community leaders going to learn that regardless of how painful the honesty in a troublemaker’s opinion, the very worst thing they can do is carelessly delete even one member’s sincere question anonymously and without warning or explanation? This isn’t your granddad’s internet. Manners matter now.
This morning, I asked to speak with an anonymous moderator’s supervisor about the capricious censorship Cliff Marsh and I experienced in the last couple of days on Dentist Meeting Group Facebook. A short time ago, Laurent Giro partially accepted accountability by telling me he limits discussion on his Facebook to “technical subjects” (other than electronic dental records?). I think he and his anonymous friend, ActiveDent, forgot that I didn’t start the conversation about HIPAA compliance.
——————–
Laurent Giro – Dear Dr. Pruitt: Let me clarify some points. This Group is focused on clinical case discussion. Dentists publish their clinical cases and discuss about them. Other issues are not in the scope of this group. Our policy is to keep the group focused exclusively in technical subjects.
Activedent [an HIT stakeholder] – I totally agree on this
Laurent Giro – Thank you
Darrell Pruitt – You forget, Laurent. Cliff Marsh offered a Schein Dental product. I simply asked how much it costs. Isn’t anyone else interested in the cost of HIPAA compliance? Would you rather ignore HIPAA for cosmetic reasons? Who are you really protecting? And how come you censored me without warning or explanation, Laurent Giro?
Darrell Pruitt – Did you censor our conversation the first time as well, or was that Cliff? Man up.
————–
Laurent Giro, who would have censored me anonymously, didn’t man up. Instead of accepting full responsibility, he found it more convenient to block me from even visiting the Dentist Meeting Group Facebook. He’s simply new to the internet. Newbies make embarrassing mistakes.
From an economics perspective, note the in-your-face disrespect stakeholders in dentalcare generally have for their customers. Any practicing dentist witnessing the resistance I face as a dentist will admit there is no better signal that this niche healthcare market is upside down and increasingly unstable. Regardless of what I do, transparency will inevitably seep into dentistry just like it has everywhere else in the business world. And it will be good.
Doc, are you tired of you and your patients being on the bottom of the heap instead of together controlling treatment decisions? Don’t look now, but winning back our profession is already a walkover. All you have to do is be opinionated and obstinate. If you aren’t honing those skills already, no need to rush. You’ll naturally know when they’re needed the most.
D. Kellus Pruitt DDS
The cost of HIPAA compliancy
How many US dentists are not 100% HIPAA compliant? (Did I hear a moan?)
I hope readers can see that regardless of how uncomfortable my questions make a few of my colleagues feel, I really, really love exposing topics no other dentist dares mention (publicly). Actually, some dentists quietly appreciate the transparency I bring. Many agree that as health professionals we cannot continue to ignore breaches of patients’ Protected Personal Information from our practices. Yet generally, dentists don’t appear to be taking the law seriously.
Even Henry Schein’s HIPAA consultant Cliff Marsh states: “I am trained to identify HIPPA & OSHA violations and I see them in every dental office I walk into.”
http://www.cliffsnotesblog.wordpress.com/
I don’t doubt it. What’s more, from my personal experience, I contend that poor compliance is confirmed in the way many HIPAA consultants mishandle basic questions about the law’s value to consumers. Does anyone else in the healthcare industry find it incredible that 15 years after the HIPAA Rule was swept into law, even Schein Dental’s expert isn’t sure how much compliance raises the cost of dentistry? The absence of readily available cost information for HIPAA can only mean that nobody is asking basic questions about compliancy. And that tells me that generally, dental practices in the nation aren’t compliant.
Here’s what I find especially shameful about the current state of ethics in the dental industry: Far too many command-and-control stakeholders choose to anonymously censor practicing dentists’ opinions rather than take accountability for lousy mandate-driven products they can’t sell honestly in a competitive market. Stakeholders big and small should heed my advice when I warn that the dental market is upside down, unstable and transparent. This is not a good time to show one’s rudeness to dentists and their vulnerable patients.
Below is a follow-up to a contact Cliff Marsh provided in our interrupted conversation. I emailed my letter to Dr. Cohen a few minutes ago. Let’s see what he has to say about the cost of HIPAA compliance.
———
Dear Don Cohen DMD
Director, Health Compliance Team
A few days ago, when Mr. Cliff Marsh, Henry Schein Dental’s HIPAA field consultant, lacked information to answer my question about the value of HIPAA, he referred me to you and your team. You come highly recommended, Dr. Cohen.
I had responded to Cliff on the Dentist Meeting Group Facebook concerning an ad for Schein’s HIPAA consulting services on the Wall. I asked how much a dentist with 2000 active patients should expect to pay to become 100% HIPAA compliant. Mr. Marsh replied: “A complete compliance review costs about $2,500.00. That would include staff training and certification. As far as the hard assets needed for compliance (ie software, & OSHA requierments) it depends on what you already have.”
I was hoping for a simple breakdown of the costs, but Cliff probably took off for a long Labor Day weekend because he isn’t responding. I felt he was also on the verge of revealing the number of staff hours a small dental practice should expect to devote to training and documentation in order to be HIPAA compliant. A few interested friends and I are hoping you can help us with the questions. Thank you for your time, Dr. Cohen.
Sincerely,
D. Kellus Pruitt DDS
HIPPA … ?
What does “HIPPA” mean to you? To me, the common misspelling suggests that the nation’s dental leaders whom we depend on are ignoring the increasing number of data breaches from dental offices.
Dentists who are watching me disassemble Dr. Paul Child’s questionable promise that dentists can expect “a high return on investment” from EDRs may recognize that Dr. Child is no lightweight in the dental industry. He is the CEO of CR Foundation – Dr. Gordon Christensen’s world-renowned and widely-trusted dental research group. Dr. Child took over the position in 2008 from Rella Christensen, Dr. Christensen’s wife.
Though the spelling mistake, “HIPPA,” is confusingly common, and some may deride me for being picky, practicing dentists with their businesses on the line shouldn’t disregard the significance of Dr. Child’s repeated misspelling in his response to me. The fact that the CEO is not familiar enough with HIPAA to know how it’s spelled is a clear sign that the Rule never crossed the national dental leader’s mind – even while recklessly encouraging early adoption of EDRs in his Dental Economics article, “Digital dentistry: Is this the future of dentistry?”
http://www.dentaleconomics.com/index/display/article-display/2974000845/articles/dental-economics/volume-101/issue-10/features/digital-dentistry-is-this-the-future-of-dentistry.html
It also suggests that issues concerning patient privacy are rarely if ever discussed at CR Headquarters in Utah.
As our leaders work hard to keep up their image of aloof professionalism, even while dentists and patients are increasingly harmed by uninformed carelessness, I intend to bring my friends’ attention to how leaders like Dr. Paul Child are letting us down when they don’t pay attention.
D. Kellus Pruitt DDS
Darrell,
At first I thought – “there he goes again” – “what a blow hard” – after reading the above. After all, it’s only a typo?
But, then I thought, if Dr. Child can’t type, won’t eDRs and eMRs then slow down everyone else? So, he is the perfect example for at least one argument against eDRs.
Accurate voice recognition, or some other input method, will be the generational improvement that may actually jump-start this industry. For now however, the good doctor might benefit from typing lessons, an eye exam, a good proof-reader or even a medical records scribe.
Mary
This is a problem that can’t be solved by voice recognition. You may have missed my point, Mary.
I meant to point out that if the CEO isn’t familiar enough with HIPAA to know how it’s spelled, that clearly suggests that CR Foundation hasn’t addressed the growing problem with data breaches from dental offices in a long time – if ever. Yet Dr. Child nevertheless encourages adoption of EDRs by suggesting ROI that’s just not there.
Your first impression was correct. “There he goes again.”
Darrell Pruitt
I’m for Less Silliness in Dentistry
It looks like I’m the only dentist in the nation publicly complaining about the cost of HIPAA compliancy. Should that be more scary for me or HHS Secretary Kathleen Sebelius?
Five years after I publicly complained to then HHS Secretary Michael Leavitt that EDRs are increasingly costlier as well as more dangerous than paper dental records, industry leaders continue to allow trusting dentists and their clueless patients to be misled by the same deceptive selling points. If Obama’s HHS is no more interested than Bush’s was in discouraging deceptive claims about EDRs, how about the FTC?
Most recently, Kathleen Noll, VP of QSI Dental and Dr. Paul Child, CEO of the CR foundation, each independently announced that EDRs are cheaper than paper dental records. Yet neither stakeholder has responded to requests to share data supporting their claims. That would be impossible. There is no such data.
Nevertheless, Dr. Child is so confident in EDRs’ “high return on investment,” that he promises the money saved will more than cover the cost of compliance – whatever it increases to. He says to even research the cost-effectiveness of EDRs would be an interesting waste of funds just to confirm the obvious.
I’ve read about similar nationwide, unimpeachable faith in technology before. Lewis Strauss, then Chairman of the United States Atomic Energy Commission, told the National Association of Science Writers that nuclear power will soon make electricity “too cheap to meter.” While we’re still awaiting that 1954 promise, HIPAA as well as electricity become more expensive by the day. For example, on Friday, HIT veteran Charles Denyer broke the bad news about the latest increase in the cost of compliancy: “Proposed HIPAA privacy rules changes may demand new tools, processes.”
http://searchsecurity.techtarget.com/tip/Proposed-HIPAA-privacy-rules-changes-may-demand-new-tools-processes
If you are a dentist, as you read the summary of the tedious (expensive) new audit trail requirements that I copied below, I’m confident that it will become clear that HIPAA is becoming even more absurd in our profession at an increasing speed. We should immediately encourage consumers to insist that the Government Accountability Office (GAO) perform a cost-benefit study of HIPAA… On the other hand, we can all keep quiet just a little longer and witness a spectacular collision of fantasy with reality in dentistry.
Charles Denyer writes:
From a security perspective, a comprehensive audit trail and logging infrastructure will have to be implemented for all medical records accessed at “covered entities” by various organizations. This requires the use of change-detection software, file integrity monitoring (FIM) tools, and various other technologies that can provide a detailed audit record of who accessed what information, when, where, why and how. Specifically, IT organizations will need to implement audit records that capture the following conditions by organizations accessing medical records at “covered entities”:
All authentication and authorization activities, such as logon attempts (both successful and unsuccessful) for both system-level and application-level platforms;
Any creation, modification or deletion of both system-level and application-level objects (i.e., data files opened and closed and specific actions, such as reading, editing, deleting and printing);
All actions undertaken by system administrators who have elevated privileges and access rights.
Additionally, for each event described above, the following attributes are to be captured:
– The type of event that occurred and on what system level and/or application level did it occur on;
– The date and time of the event;
– The identity of the user, such as the logon ID;
– The origination of the event;
– The outcome of the event, such as the success or failure of the event;
– The name of the affected system resource.
From a legal perspective, “covered entities” will have to ensure all their respective service-level agreements (SLA) and other contractual documentation include provisions, disclosures and requirements regarding the above stated audit records.
From an IT security perspective, a proactive risk assessment process should be immediately undertaken whereby the following issues are addressed by all “covered entities”:
1. Identify all system components (i.e., network devices, servers, applications, databases) that aid, facilitate and store an individual’s medical records.
2. Evaluate each system component’s compliance with the above stated audit records and implementing measures, via software utilities, that the required events are being logged and sent to a secure logging server accessible by select authorized personnel only.
3. Undertake training initiative for ensuring both internal employees at “covered entities” and all third parties that have access to an individual’s medical records, understand and acknowledge the proposed changes to the HIPAA Privacy Rule.
4. Implement measures internally for ensuring compliance with the proposed rule changes are being met, adhered to and maintained from an IT perspective. Specifically, systems will have to be monitored internally with quarterly audits or “surprise” assessments by an internal audit function.
Though it may be difficult to provide an exact date of when the proposed HIPAA Privacy Rule change may go into effect, it’s important to understand this is just the first of many new security requirements that are being pushed out by the government regarding an individual’s right to secure and private medical records.
——————–
… Or, you can stick with paper records a little longer, Doc – hoping just like I am that the hidden cost and danger of being a HIPAA-covered entity will magically disappear before our patients lose all their faith in the security of EDRs.
Whether it’s busywork of Meaningful Use, HIPAA security documentation or otherwise leaving a non-productive audit trail, someone in HHS should be informed that limited dental office staff in small offices must take time to enter each keystroke of data even if it’s irrelevant to the needs and desires of their patients.
Computers actually saved money in dentistry long ago. But eventually, well-meaning lawmakers’ unrestrained demands found their way into the HIPAA Rule – predictably leading to profits for mandate-hugging stakeholders, while quietly causing under-represented American dental patients more harm than good. HIPAA is nuts!
Let’s be adults and admit that the reckless push for identifiable EDRs is the largest blunder in the history of dentistry. Even without the additional costs of HIPAA compliance, it’s clear that EDRs have never saved money in dentalcare. It’s time for dental leaders inside and outside the ADA to acknowledge the dropping value of EDRs, recognize the obstacle, sidestep it and move on. Let’s stop being silly.
D. Kellus Pruitt DDS
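An added example, not part of the original comment or of the quoted article: a sketch of step 2 of the quoted risk assessment, checking per system component whether exported audit records cover the three listed event classes and carry the six listed attributes. The JSON field names, `event_type` values, `privileged` flag, component names and sample log lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Six per-event attributes from the quoted list; the JSON field names are assumed.
REQUIRED_ATTRIBUTES = ("event_type", "timestamp", "user_id",
                       "origin", "outcome", "resource")

# Hypothetical event_type values for two of the three event classes.
# Administrator activity is recognised by actor, via an assumed "privileged" flag.
AUTH_EVENTS = {"logon", "logoff", "authorization"}
OBJECT_EVENTS = {"create", "read", "modify", "delete", "print"}
EVENT_CLASSES = ("authentication", "object_change", "admin_action")

# Constructed sample: one JSON object per line, as a central log server might store it.
SAMPLE_LOG = """\
{"component": "ehr-app", "event_type": "logon", "timestamp": "2012-03-01T08:02:11Z", "user_id": "frontdesk1", "origin": "10.0.0.21", "outcome": "success", "resource": "ehr-app"}
{"component": "ehr-app", "event_type": "logon", "timestamp": "2012-03-01T08:03:40Z", "user_id": "frontdesk1", "origin": "10.0.0.21", "outcome": "failure", "resource": "ehr-app"}
{"component": "ehr-app", "event_type": "print", "timestamp": "2012-03-01T09:15:02Z", "user_id": "hygienist2", "origin": "10.0.0.22", "outcome": "success", "resource": "chart/1001"}
{"component": "ehr-app", "event_type": "modify", "timestamp": "2012-03-01T09:20:00Z", "user_id": "admin", "privileged": true, "origin": "10.0.0.5", "outcome": "success", "resource": "user/hygienist2"}
{"component": "file-server", "event_type": "logon", "timestamp": "2012-03-01T08:00:00Z", "user_id": "backup", "origin": "10.0.0.5", "outcome": "success", "resource": "file-server"}
{"component": "file-server", "event_type": "delete", "timestamp": "2012-03-01T10:01:00Z", "user_id": "", "origin": "10.0.0.22", "resource": "xrays/1001.dcm"}
file-server: truncated line without JSON
"""


def parse_records(text):
    """Return (records, malformed): (line_no, dict) pairs and bad line numbers."""
    records, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed.append(line_no)
            continue
        if isinstance(obj, dict):
            records.append((line_no, obj))
        else:
            malformed.append(line_no)
    return records, malformed


def missing_attributes(record):
    """List required attributes that are absent or empty in one record."""
    return [a for a in REQUIRED_ATTRIBUTES
            if record.get(a) is None or str(record.get(a)).strip() == ""]


def classify(record):
    """Return the event classes this record is evidence for (may be several)."""
    classes = set()
    event_type = record.get("event_type")
    if event_type in AUTH_EVENTS:
        classes.add("authentication")
    if event_type in OBJECT_EVENTS:
        classes.add("object_change")
    if record.get("privileged") is True:
        classes.add("admin_action")
    return classes


def coverage_report(text):
    """Summarise logging gaps per component; also return malformed line numbers."""
    records, malformed = parse_records(text)
    seen = defaultdict(lambda: {"classes": set(), "logon_outcomes": set(),
                                "incomplete": {}})
    for line_no, rec in records:
        entry = seen[rec.get("component", "unknown")]
        entry["classes"] |= classify(rec)
        # The quoted text asks for successful AND unsuccessful logon attempts.
        if rec.get("event_type") == "logon" and rec.get("outcome"):
            entry["logon_outcomes"].add(rec["outcome"])
        gaps = missing_attributes(rec)
        if gaps:
            entry["incomplete"][line_no] = gaps
    report = {}
    for component, entry in seen.items():
        report[component] = {
            "missing_classes": [c for c in EVENT_CLASSES
                                if c not in entry["classes"]],
            "missing_logon_outcomes": sorted({"success", "failure"}
                                             - entry["logon_outcomes"]),
            "incomplete": entry["incomplete"],
        }
    return report, malformed


if __name__ == "__main__":
    report, malformed = coverage_report(SAMPLE_LOG)
    for component, gaps in sorted(report.items()):
        print(component, gaps)
    print("malformed lines:", malformed)
```

In the constructed sample, the `file-server` component is flagged for never logging privileged actions or failed logons, and for one record that lacks a user identity and an outcome.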
Office of Civil Rights to begin HIPAA audits
Starting this month, healthcare organizations will be subject to audits by the Office of Civil Rights (OCR), evaluating their compliance with the HIPAA privacy and security rules and breach notification standards.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Does this include dentists, Darrell?
Mary
I assume HHS will first concentrate on those who maintain the largest collections of digital PHI – hospitals and insurers. Some who are justifiably cynical recognize that huge bureaucracies with millions of dollars within reach are also most capable of covering the pricey fines for HIPAA violations – enabling HHS to pay its way, so to speak. In addition, voters generally like institutions such as hospitals, insurers and HHS less than their doctors.
On the other hand, since the number of relatively small breaches from small healthcare facilities is increasing faster than the breaches of millions at a time from huge institutions – a trend that will naturally worsen as more EHRs are adopted – who knows what an angry Congress might do a year from now?
I sense that the business environment is growing increasingly unfavorable for the HIT industry. While Congress continues to desperately pass expensive but ineffective regulations intended to plug the data breach holes, the trigger-happy lawmakers don’t seem to understand that their interference is pricing interoperability out of the healthcare market. Without profit, HIT is nothing more than a toothless mandate.
Thanks, Mary.
Darrell
(Correction: I left out part of my reply)
From what I gather, dentists as well as any other HIPAA Covered Entity who transmits digital Protected Health Information could be chosen for the first 150 audits in the next year. And even though dentists’ names are well represented on Secretary Sebelius’ Wall of Shame for data breaches involving 500 or more individuals, I don’t think we will be specifically targeted.
I assume HHS will first concentrate on those who maintain the largest collections of digital PHI – hospitals and insurers. Some who are justifiably cynical recognize that huge bureaucracies with millions of dollars within reach are also most capable of covering the pricey fines for HIPAA violations – enabling HHS to pay its way, so to speak. In addition, voters generally like institutions like hospitals, insurers and HHS less than their doctors.
On the other hand, since the number of relatively small breaches from small healthcare facilities is increasing faster than the breaches of millions at a time from huge institutions – a trend that will naturally worsen as more EHRs are adopted – who knows what an angry Congress might do a year from now?
I sense that the business environment is growing increasingly unfavorable for the HIT industry. While Congress continues to desperately pass expensive but ineffective regulations intended to plug the data breach holes, the trigger-happy lawmakers don’t seem to understand that their interference is pricing interoperability out of the healthcare market. Without profit, HIT is nothing more than a toothless mandate.
Thanks, Mary.
Darrell
HIPAA Audits
More information concerning the upcoming HIPAA audits was posted a few minutes ago by Brooks and Smith, LLP titled, “HHS Announces Immediate HIPAA Audit Initiative.”
“The Office for Civil Rights of the Department of Health and Human Services has announced an audit initiative under which it intends to conduct audits of up to 150 covered entities to review compliance with the Health Insurance Portability and Accountability Act of 1996. The audit will focus on the HIPAA privacy and security requirements. The OCR will select a broad range of entities, including health plans and health care providers of all sizes. HIPAA audits begin immediately.
Group health plan sponsors and health care providers should carefully review their HIPAA compliance programs. Keep in mind that HIPAA mandates training of individuals who have access to protected health information. Failure to train (and to properly document training) could result in significant liability.”
K. Darrell Pruitt DDS
The ADA has a CDT tumor
I received the following email this morning: “FYI – a client of mine, a physician/businessman here in Texas, has sent your article ‘HIPAA Audits Are Here’ to several Texas congressmen he knows. He asked that I not share the email with anyone else, so I cannot forward it to you. But, it is very well written and cautions that bureaucratic overreach is a huge danger to business. So, your article is now making the rounds which is a good thing.”
I told my friend that if he thinks that’s hot, he should provide the physician/businessman with the link to an article that was posted on par80 yesterday titled “What Physicians Can Learn from Wall Street: The Battle We Should Have Fought.”
http://par8o.com/wordpress/what-physicians-can-learn-from-wall-street-the-battle-we-should-have-fought/
Do you remember that years ago I warned that non-dues revenue from the ADA’s copyrighted CDT codes is like a cancer with its own blood supply? Here’s what par80 says about the AMA’s CPT growth:
“In a previous blog post ( http://bit.ly/yb2plB ), we described how the American Medical Association’s (AMA) ownership of the critical CPT billing taxonomy transformed the US healthcare system into one incentivized to become more and more inefficient, while also undermining physicians directly caring for their patients. Now, we ask, what could physicians have done to create a more effective and efficient system for ourselves, our patients and the healthcare system itself?
What would have happened if physicians had realized what the AMA was doing to them and had acted in time to prevent the erosion of our profession?”
As one might expect, AMA membership has been plummeting because of the distraction of non-dues profits – similar to the ADA which is just beginning to lose market share, but nevertheless, still making increasingly more profit off of CDT copyrights. Only 10% of physicians belong to the AMA, yet even if all the physicians in the nation paid dues, it would still not bring in as much cash as CPT royalties. That’s a nice not-for-profit business if you can find it.
Who would have thought mixing non-dues income with ambitious leadership in a self-perpetuating, unaccountable bureaucracy would cause even ADA officials to go renegade? ADA members were given a hint of ADA leaders’ growing malfeasance with the inglorious collapse of the ADA/IDM partnership in 2008, but nobody in the ADA Business Enterprise Inc. was ever held accountable. So here we are. The former Chairman of ADABEI, Dr. Robert Faiello, was elected ADA President-elect in October.
ADA leaders who closed their eyes to common sense and invested their careers in CDT and informatics for power and/or money are in an even more precarious position than avaricious AMA leaders. Physicians need EHRs. Dentists and their patients are not only safer with paper records, but paper costs less.
I smell a physicians’ revolt against HIPAA. And since HIPAA is even more absurd in dentistry than in physicians’ practices, if dental patients are really lucky, soon heads will start rolling out of the revolving door of ADA Headquarters, and on down the road… way on down the road.
D. Kellus Pruitt DDS
HIPAA failed
HIPAA proves to be an expensive failure, and not just in dentistry. Yet the American Dental Association continues to stoically uphold the dignity and honor of the profession in silence.
“Nearly 16 years after the enactment of the Health Insurance Portability and Accountability Act (HIPAA) – the first of many regulations and guidelines governing data security in the healthcare industry – a new report suggests that an increased focus on compliance has not resulted in increased security.” See: “Healthcare Industry’s Prioritization of Compliance Over Data Security Puts Patient Data at Risk, says New Study from Kroll Advisory Solutions – Healthcare data security breaches continue to rise with human error as the leading factor.” (no byline).
http://www.timesunion.com/business/press-releases/article/Healthcare-Industry-s-Prioritization-of-3474048.php
Any dental practice owner who has purchased and read the $260 “ADA Practical Guide to HIPAA Compliance” written by two non-dentists can easily understand why the Rule has always been absurd – especially in dentistry. A quick glance at the tedious, expensive (and futile) compliancy requirements in the 360 page guide also reveals why no ADA official dares to take accountability for the worst blunder in the history of dentistry. Everyone in dentistry knows HIPAA is absurd. But nevertheless, ADA leaders on national, state and local levels ignore dentists’ stated concerns and call their silence “upholding the dignity and honor of the profession.”
You don’t believe me? Prove it for yourself.
Doc, were you one of those who, following recommendations from a dental leader, signed up for an NPI number like a good little ADA member? Did you happen to ask the person you once trusted how promotion of the NPI fits inside the mission of the ADA since it does nothing to improve patient care? If you are beginning to feel you were misled, please do Americans a favor and call that vetted ADA official right now. As HIPAA crumbles before our eyes, ask if he or she has any regrets for pushing the Rule in dentistry – now that you own an indelible HIPAA identification number like a tattoo.
It’s increasingly easy to recognize the NPI as the business end of HIPAA’s leverage – wedged forever between dentists and their insurance payment for work already completed. Ominously, the HIPAA identification is voluntary but irreversible, and those pushing it have always refused to answer members’ questions about its purpose. So tell me. What small business owner in the nation other than trusting ADA members with post-graduate degrees would volunteer for such nonsense? Was my entire profession blinded by a misplaced devotion to the ADA Department of Dental Informatics and coding royalties?
Since the NPI benefits only healthcare stakeholders such as insurers and the ADA, applying for the number will always be an unfortunate business decision unfairly forced on 170,000 small business owners. What’s more, nothing good ever comes from deception in dental care.
D. Kellus Pruitt DDS
HIT stakeholders defend HIPAA’s inestimable cost
For years I’ve been asking healthcare IT stakeholders how much HIPAA adds to patients’ bills – even as the Rule increasingly fails to protect their privacy. In the last few hours, a couple of my buddies from the HealthIT Linkedin group – both HIPAA consultants – responded. An EHR trainer offered her best authoritarian guess, while a director of health informatics for a public/private regional extension center (REC) from Pennsylvania provided an estimate of the cost of an estimate.
For those who are unfamiliar with the secretive HIT industry, I agree that charging up to $1000 for an estimate is hardly consistent with an atmosphere of marketplace transparency and informed customers found elsewhere in American business. But believe it or not, his quote actually marks progress. I can leverage against such purchase.
Until the consultant mentioned his fees, that wasn’t the cost which concerned me as a provider, taxpayer and patient. All I wanted to know was the cost of non-productive staff time I’m expected to devote to achieve audit-proof HIPAA compliancy – year after year after year. Now he’s made me curious about how much HIPAA consultants cost per hour as well. These two make HIT seem like a fun and sometimes creative job without accountability to those who fund the work. Even in public/private business ventures, that kind of position is much harder to find than taxpayers might think.
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=110778337&gid=3993178&commentID=78499592&goback=%2Egde_3993178_member_110778337&trk=NUS_DIG_DISC_Q-ucg_mr#commentID_78499592
Quanda King, an EHR implementation support and trainer from Los Angeles, offered, “I would estimate the price for HIPAA compliance at a fraction of the penalties for non-compliance.”
Phil Magistro, a director of health informatics from Reading, Pennsylvania said:
“Darrell, As a regional extension center we provide a Privacy and Security assessment for practices that engage us as part of our subsidized work. To sell that service outside of our REC clients at our hourly rate it is typically less than $1000 per site. That is just the assessment. Mitigation work could vary widely depending upon many factors.”
My reply:
Quanda, thanks for the estimate. Can you narrow down the fraction?
Phil, surely you don’t mean to say that a provider with 4 employees and 5000 active patients has to spend up to $1000 just to find out what it would cost to become 100% HIPAA compliant. What other variables can possibly be needed to provide a reliable cost estimate? Staff IQs?
Let’s table discussion about your subsidized fee for now. Can you tell me how many staff hours such a provider can expect to have to dedicate to tedious HIPAA/HITECH requirements and documentation to maintain an audit-proof practice? Less than 2 weeks ago, the HHS Office for Civil Rights (OCR) reached a $100,000 settlement with Phoenix Cardiac Surgery in Arizona for alleged violations of the HIPAA Privacy and Security Rules. For HIPAA covered entities, that’s frightening.
Unless I’m wrong about what looks like information purposely hidden from the public by HIT industry leaders, you seem to be in a unique position to ethically admit that to your knowledge, in 16 years of HIPAA, nobody has researched and published the Rule’s cost to healthcare (not counting consultant fees which are expensive to estimate).
If the price of goods and services is hidden from those who pay the bill, is that more likely to increase or decrease the cost? As one of many taxpayers in a nation that certainly cannot afford waste in healthcare, please assure me that our nation’s leaders are not hiding the cost of HIPAA/HITECH from us.
I intend to get back in touch with consultant Ron Sterling of Sterling Solutions soon. When I asked him about the cost of HIPAA compliancy a couple of days ago, Ron also said he needed more information. Maybe today I’ll ask him what else he needs. Surely HIPAA can’t be that complicated.
Darrell K. Pruitt DDS
Phil Magistro responds again on Linkedin concerning the cost of HIPAA compliance. We’re making progress
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=110778337&gid=3993178&commentID=78569550&goback=&trk=NUS_DIG_DISC_Q-ucg_mr#commentID_78569550
——————————–
Darrell,
Actually I’m not an REC official. I work with the company that has the REC contract and I work with those folks but my role is not part of the REC. And the reason that I didn’t need to do the math was because if you total up the billings and divide by the number of customers for the privacy and security assessment you’ll get $750.
Determining the cost is no more complex than any project. How much does it cost to paint a house? How much to buy a car? How much to set up a dentist’s office? In every case you need to assess what you have versus what must be done. Only then can you understand the activities and costs that you face.
Do I think that a provider in a small practice needs to use a consultant to be HIPAA compliant? Unfortunately yes I do. Or, at least, they need to have someone in their practice that is focused on this. And I think that for two reasons. One is because providers’ main activities are treating patients which doesn’t leave much time to become experts in HIPAA. The second is because medical school teaches a physician how to practice medicine, not how to run a business. And, because of my first reason there is no time for the second.
My reply:
Take pride, Phil. We are the very first to make tangible progress in finally determining how much HIPAA/HITECH adds to the cost of healthcare in the nation. It’s not much, but here’s what we’ve learned so far:
– The cost of HIPAA compliance is an unknown fraction of the cost of the penalties for non-compliance.
– A professional assessment of compliance – just to determine if a provider risks federal (and state) fines from a surprise HIPAA audit – has been priced at $750 for 6 to 8 hours of thorough on-site investigation. (Additional costs to correct gaps in security are apparently impossible to estimate even hypothetically).
– HIPAA compliance is too complicated for doctors to navigate without the expert help of trained consultants.
– The cost of compliance is secretive, meaning there is nothing holding down its open-ended cost to Americans.
For dentists like me who purchased the ADA Practical Guide to HIPAA Compliance for under $300, it means we’ve simply wasted money by taking the advice of leaders in dentistry. According to at least one HIPAA consultant, fulfilling the tedious requirements listed in the ADA guide is unlikely to offer sufficient protection for a dental practice if audited by a KPMG employee under contract to the ONC.
Yet ADA members are still being told that the purchase of the 360 page guide is an “investment in the future of your practice.” It even says so in the introduction to the Guide. Indeed, that line has always puzzled me. If an investment offers no chance of a return, how is that different than a “cost”?
Since HIPAA requirements in dentistry are no different than HIPAA requirements in physicians’ offices and Phoenix, Arizona Cardiac clinics, surely you also have access to the same list of HIPAA covered entities’ obligations that are presented in the ADA Guide, written by Ed Jones and Carolyn P. Hartley – neither is a dentist.
Just for argument’s sake, let’s pretend that there is a small practice with a solo provider, four employees and 5000 active patients. How much non-productive staff time would you guess is needed for a small practice to become HIPAA compliant? Also, you properly reminded us that “being HIPAA compliant is not a static event. It requires continued monitoring and work by the providers.” So how many more non-productive staff hours do you think are required on a yearly basis once the groundwork is laid? Is another $750 visit a good idea? Do you offer a discounted price for follow-up assessments?
I don’t believe the question about HIPAA’s cost is as difficult to determine as you seem to be making it. Considering the simplicity of the most basic math functions, don’t you find it suspicious that nobody in the industry has yet estimated the staff hours necessary to adequately fulfill published HIPAA requirements? And why does it seem so impolite for providers like me to inquire about labor costs concerning HIPAA/HITECH?
I think you and I are both aware that the obscure, half-baked HIPAA Rule is so fragile that stakeholders fear the predictable backlash when its cost is revealed to Americans. Nobody in the nation wants to be held accountable for the worst mistake in medical history since blood-letting.
D. Kellus Pruitt DDS
The HIPAA Compliance Spectrum
There is a spectrum, from DIYs to consultants, on this topic. But, your best bet might just be a hybrid of the two using an electronic HIPAA white paper as a guide, with compliance checklists, for only $99.
And, check out our other practice management tools, too!
https://medicalexecutivepost.com/office-checklists-on-cd-rom/
Hope Rachel Hetico RN MHA CMP™
http://www.CertifiedMedicalPlanner.org
[Managing Editor]
Phil Magistro finally backtracks
http://www.linkedin.com/groupItem?view=&gid=3993178&type=member&item=110778337&commentID=78826569&report%2Esuccess=8ULbKyXO6NDvmoK7o030UNOYGZKrvdhBhypZ_w8EpQrrQI-BBjkmxwkEOwBjLE28YyDIxcyEO7_TA_giuRN#commentID_78826569
Darrell, I think you’re making far more out of this than is necessary. Much of being HIPAA compliant just equates to good business practices. Providers just need the proper education and help in determining the best practices to employ. Some need more of this help than others. That help could come from a variety of sources and could be free or have a cost. The key is for the provider to then take the appropriate actions to establish good business processes.
My reply:
“Darrell, I think you’re making far more out of this than is necessary.”
* Less than a month ago a cardiac clinic in Arizona was fined $100,000 for HIPAA violations.
* Three days ago, Quanda King warned, “the price for HIPAA compliance is a fraction of the penalties for non-compliance.”
* Only yesterday, even though neither you nor Quanda have a clue what HIPAA compliance costs, you claimed that HIPAA is so complicated that providers need to hire HIPAA consultants to prevent $100,000 fines for violations (no matter how much it costs).
And today, you tell me it’s no big deal.
Darrell K. Pruitt DDS
Darrell and Phil,
This topic is now closed.
Hope Rachel Hetico RN MHA CMP™
[Managing Editor]
HIPAA criticised by Consumers Union
“Healthcare Patient Data Laws Outdated: Consumers Union” by Nicole Lewis was posted today on InformationWeek. Like it or not, that’s another I told you so, sports fans.
http://www.informationweek.com/news/healthcare/security-privacy/240002799
Are there any outdated HIPAA stakeholders who still jealously cling to the fantasy that creating document trails for meaningless patient signatures on Notices of Privacy Practices makes sense?
Lewis writes: “Laws covering privacy and security of health data haven’t kept pace with changes in health IT, report from Consumers Union and Center for Democracy and Technology says.”
The embarrassing, unpopular truth about regulatory waste of healthcare dollars on senseless HIPAA busywork can no longer be kept hidden even with well-meaning censorship. And the NoPP is low-hanging fruit.
D. Kellus Pruitt DDS
Interest in HIPAA Waste
Dave Lieber of Watchdog Nation shows interest in the wasteful NoPP
http://www.watchdognation.com/
Today, Fort Worth’s investigative journalist Dave Lieber retweeted the link to my June 21 Linkedin article that features my email to him.
http://www.linkedin.com/groups/I-notified-Dave-Lieber-Watchdog-3993178.S.126837735?view=&gid=3993178&type=member&item=126837735
In the email, I point out that pursuing patients’ meaningless signatures on Notice of Privacy Practices (NoPP) forms – just to avoid HIPAA fines – is the epitome of bureaucratic waste.
Now that it looks like I successfully attracted the Fort Worth Star-Telegram reporter’s attention, do you think the adventure intrigues him enough to help me blow the whistle on undeniable federal waste a little sooner than if I go it alone?
Let’s have some transparency, HHS. It’s time.
D. Kellus Pruitt DDS
Darrell
Enough already with the HIPAA stuff. You are against it – we get it!
Mary
This topic thread is now closed!
The Editors
HIPAA and dentistry
[Reliable answers about HIPAA and dentistry – at last]
You may have heard a rumor that dentists are “mandated” to purchase and use electronic dental records. As a matter of fact, you might have read the rumor in the ADA News, followed months later by the ADA’s denial of the rumor. Such conflicting information about a mandate has co-existed in the leaderless dental industry for almost a decade. Bottom line: Regardless of what the ADA, EDR vendors and other stakeholders tell dentists, there is no mandate – not even for dentists whose practices are more than 30% Medicaid.
A few days ago, I asked well-known experts on the HIPAA 411 Linkedin group about the Rule. Our unprecedented discussion even spilled over into other questions, including what determines if a dentist is a HIPAA covered entity. As far as I can tell, many of the answers I uncovered have never before been revealed to dentists:
According to the official definition from 45 CFR 160.103, a covered entity includes:
– A health plan.
– A health care clearinghouse.
– A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Another expert offered:
a) Sending facsimiles doesn’t count as electronic communications for purposes of making a health care provider a HIPAA Covered Entity. There are a number of reasons for this, but one of the biggest is that the data being communicated via facsimile never actually exists as discrete data elements.
b) Patient registration and patient scheduling electronic transactions are not among the list of HIPAA transactions presently spelled-out starting with Subpart K in 45 CFR 162. Thus sending or receiving them does not make a health care provider a HIPAA Covered Entity.
c) A health care provider who only receives electronic remittance transactions, but never transmits any transactions is not a HIPAA Covered Entity.
d) The electronic transactions that most often cause a health care provider to become a HIPAA Covered Entity are:
– requesting eligibility or benefits information from a health plan
– submitting a claim or encounter report to a health plan.
“Generally speaking, if a health care provider initiates — i.e., transmits — any of these types of transactions via a computer, that health care provider is very likely either using the ASC X12 transactions itself or via a business associate / health care clearinghouse, or using Direct Data Entry. Either way, that health care provider is now transmitting a transaction spelled-out in Subpart K or Subpart L in 45 CFR 162, and is, therefore, a HIPAA Covered Entity.”
e) Once a health care provider becomes a HIPAA Covered Entity, all of the HIPAA regulations — transactions, code sets, identifiers, security, privacy, enforcement, etc. — apply to that health care provider.
Another offered this:
“Also, pursuant to Section 3 of the ASCA, PL107-105 (2002), many providers are required to submit Medicare claims electronically making them covered entities. In this case, though, dentists were specifically excluded from this requirement. Per CMS guidance (Related Change Request (CR) #: 3440, reissued January 27, 2005), dentists and small providers are specifically excluded from electronic submission requirements related to Medicare claims. There may be states with additional requirements that would push more into the covered entity category or even force adoption of HIT but that would be state by state. It is not a national requirement today.”
I wish to thank the members of the HIPAA 411 LinkedIn group for their generous help. I would also suggest to ADA leaders that when they sell membership information about an EDR mandate that contradicts itself not once, but three times, they harm the organization’s credibility for years. You leaders need to get your act together quickly because the ADA is on the verge of becoming increasingly irrelevant at a time when our patients need strong representation the most.
D. Kellus Pruitt DDS
HIPAA omnibus rule
[How many breaches of dental patients’ identities go unreported?]
As I again attract unwanted attention to yet another taboo topic in dentistry that even the most trusted dental leaders would prefer to keep hidden, I hold no illusion that my investigation will make me any more popular with my colleagues than I am already – especially with those who have neglected to notify patients of one or more breaches when they know they should have.
In 2010, the Identity Theft Resource Center recorded 662 breaches – 3 times the Department of Health and Human Services’ reported 214 breaches for the same period.
http://www.microbilt.com/news/credit-risk-management/most-data-breaches-go-unreported.aspx
In another ITRC report that was released in July 2012, it was revealed that 63.4 percent of the 213 breaches reported to HHS during the first 6 months of 2012 didn’t even include information on how the breaches happened. In addition, for 46% of breaches, the number of records potentially affected wasn’t disclosed.
http://www.informationweek.com/security/vulnerabilities/id-thefts-go-unreported-despite-notifica/225702822
The failure of the interim HIPAA rule to protect patients’ welfare hasn’t gone unnoticed. This week, upon releasing the HIPAA omnibus final rule, HHS announced: “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”
http://www.govinfosecurity.com/hipaa-omnibus-impact-on-breach-notices-a-5436
Starting March 26, all breaches are assumed to be reportable unless proven otherwise. Dentists deserve timely warning.
The revised breach notification guidance described in the final rule, which removes the notoriously subjective harm standard, makes disregarding breaches much more risky. It’s only fair that dentists be informed of the change, and it could be months before the ADA gets around to announcing the change. Although on January 21, the ADA News did announce that Delta Dental has a new CEO.
http://www.ada.org/news/8154.aspx
When performing a post-breach risk assessment to determine if PHI has been compromised – making notification of affected patients necessary – four objective factors are listed that providers must consider:
– The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
– The unauthorized person who used the protected health information or to whom the disclosure was made;
– Whether the protected health information was actually acquired or viewed;
– The extent to which the risk to the protected health information has been mitigated.
Yesterday, I posted the following poll question on 5 dental industry Facebook and 14 LinkedIn groups with a potential total audience of 77,448 readers: What percentage of reportable breaches of dental patients’ electronic Protected Health Information (ePHI) do you think are properly reported? A day later, there have been only a half-dozen or so responses and most estimate that less than 10% are properly reported. The fact that the poll was virtually ignored by up to 77,000 readers reveals more than the few responses.
Clearly, if this dentist doesn’t say something, nobody will. Hate me if you have to and censor me if you can. But deep down, you know transparency with our patients is as Hippocratic as informed consent.
Popularity is irrelevant. Ethics is what matters.
Darrell
Audits of HIPAA-covered entities resume in six months
If I don’t warn you, Doc, who will?
“Audits find organizations unaware of new data, privacy rules,” by Joe Carlson, was posted this week on ModernHealthcare.com.
http://www.modernhealthcare.com/article/20130423/NEWS/304239958/audits-find-organizations-unaware-of-new-data-privacy-rules
On Tuesday, OCR Senior Adviser Linda Sanches addressed healthcare lawyers and compliance officials during the Health Care Compliance Association’s annual Compliance Institute, suggesting that HIPAA-covered providers – including dentists – probably don’t know what they don’t know.
“Sanches said the findings show that many healthcare companies could benefit from re-reading the rules and regulations in the Health Information Technology for Economic and Clinical Health, or HITECH, Act that widen HIPAA privacy and data-security protections on patients’ protected health information.” Carlson continues: “Not only did many providers report being unaware of all the data security and privacy rules they’re supposed to follow, but many seemed not to have policies in place to comply with the rules. [Sanches] said it seemed clear that some of the policies were written by consultants after the organizations were targeted for audits. ‘There were intentional misrepresentations. We were not happy about that,’ she said.”
Will stricter enforcement of HIPAA raise or lower the cost of dentalcare? De-identify electronic dental records now.
D. Kellus Pruitt DDS
cc: American Dental Association via Sharecare.com
http://www.sharecare.com/group/american-dental-association
Hints of sudden interest in HIPAA
Let me share with you hints of sudden interest in HIPAA in the dental community, and a possible reason why.
An article I wrote titled “‘The ADA Practical Guide to HIPAA Compliance’ A Book Review – Dark, Dark Reading,” was picked up by the Medical Executive-Post on December 7, 2010. It is my blunt critique of the how-to manual which I purchased from the American Dental Association for $260.
Within the last day or so, it surfaced from deep in the archives to become one of the ME-P’s top ten most popular posts (7th and rising). Every time a long-forgotten article pops up, it arguably reveals a spike of interest in a topic. For this reason, the ME-P’s popularity scale is like being granted a limited, real-time peek at topics significant portions of the dental industry find interesting… it’s a poor man’s algorithm for mining big data from a secretive niche. To appreciate the significance of the evidence, note that there are thousands of featured articles competing for attention from half a million ME-P readers – most of whom don’t give a hoot about dentistry.
Every time this happens it intrigues me: What underlies the spike in interest and who is hitting the link to a 3-year-old article about HIPAA? Could the unprovoked increase reflect HIT stakeholders’ interests rather than dentists’? If so, who would that be? The US Department of HHS? The ADA? I suspect the surprise interest is more likely to be coming from the ADA, but then, I’m forever an optimist.
But why? Here is what I suspect:
On September 22, the stricter HIPAA Omnibus Act went into effect making it more difficult for HIPAA covered entities to legally avoid notifying patients of data breaches. Consequently, far more Americans, including dental patients, are expected to be notified of breaches. For those who promoted HIPAA in dentistry, the results are likely to lead to embarrassment.
“These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.” – Office for Civil Rights, US Dept. of HHS.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Thursday was 60 days.
D. Kellus Pruitt DDS