Sunday, April 22, 2012

7th Anniversary of HIPAA Security Rule . . . are you compliant?

It has been 7 years since the HIPAA Security Rule became effective on April 21, 2005. With the explosion of electronic health records and the implementation of electronic services, this is a need-to-know topic for all dental practices. I hope this post will help you know where to find information and resources to help your office comply with this not-so-new rule. The Security Rule applies only to electronic PHI (Protected Health Information) and requires that dental practices that store health information maintain its confidentiality, integrity, and accessibility.

· Confidentiality means the information is available or disclosed only to people or entities authorized to receive it.
· Integrity means the patient's PHI has not been altered or destroyed without proper authorization.
· Accessibility means that the patient information is retrievable under any circumstance.

One major goal of the HIPAA Security Rule is to allow your dental practice the freedom to implement new technology, improve the quality of patient care, and help make your systems more efficient while still maintaining the security and privacy of your patients' health information. The Security Rule is designed to be flexible and customizable (depending on the size of your practice) so you can implement policies, procedures, and technologies that fit your office structure. There is no right or wrong way to do things; you just need to have a plan in place and have it documented.

Below, I will walk you through a summary of the requirements of the Security Rule and give you some resources and links to help you in your journey to compliance.
  1. Administrative Safeguards
    1. Your office must perform a Risk Analysis and maintain Risk Management on an ongoing basis.
    2. Visitor Access – how does your office protect computers from inappropriate access?
    3. Access Control of your team members
    4. Team members should only have access to information that they need to perform their functions at work.
    5. When a team member leaves, what is the protocol to terminate his or her access?
    6. How does your office restrict conversations containing PHI?
    7. Where is PHI posted in the office and how is it limited to visitors?
    8. To whom, and how, does your office disclose PHI to other entities such as other offices, insurance companies, etc.?
    9. Have a Contingency Plan in place to ensure that electronic-based information is available in a timely manner.
      1. Data Backup Plan – document the office backup routine.
      2. Testing Restoration – how often do you do a practice recovery?
      3. Disaster Recovery Plan – what happens if your data is lost?
  2. Physical Safeguards
    1. Device and Media Controls
      1. How does your office dispose of computers or other devices to prevent disclosure of PHI?
      2. If you re-use media, how do you ensure the PHI has been removed and is unrecoverable?
      3. If you remove storage devices that contain PHI from the office, how do you make sure the PHI is safe?
    2. Computer Workstation Use and Security
      1. Are your computers password protected?
      2. Where are the computers containing PHI located and how are they secured?
    3. Records Processing
      1. How does your office receive PHI from other dental offices or entities and how do you ensure it stays secure?
      2. If your office sends PHI out of the office, what is the format and how do you ensure you are protecting it?
      3. What is your records retention policy?
  3. Technical Safeguards
    1. Security Configuration
      1. Do all the computer workstations have a virus protection program installed to detect and ward off potential threats to data?
      2. Is there a firewall in place to protect your patients' data?
      3. Does someone in the office make sure all the workstations are up to date with all software updates?
    2. Identification and Authentication
      1. Does each member of your team have a unique password to validate the user of the system?
      2. Are your computers set to automatically log off when they are not in use?
  4. Organizational Requirements
    • Business Associate Contracts
    • Training for all team members on an ongoing basis
    • Documentation of all policies and procedures and all team training
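The Technical Safeguards questions above can be checked on each workstation rather than only answered on paper. The script below is an added example; it is not part of the original post and not a Dentrix tool. Run from an elevated Windows PowerShell 5.1 prompt on a Windows 10 or later workstation that holds electronic PHI, it reports on the five items listed: virus protection (queried from Microsoft Defender), the firewall profiles, the age of the most recent Windows update, enabled local accounts that have no password or look like a shared login, and the screen-saver lock that enforces automatic logoff. The 30-day patch and 15-minute idle thresholds and the list of "shared-looking" account names are assumptions for illustration; replace them with the values your own written policy states.

```powershell
# Added example, not from the original post or from Dentrix: a read-only check of the
# Technical Safeguards questions for one Windows workstation. Run it from an elevated
# Windows PowerShell 5.1 prompt on each workstation that holds electronic PHI.
# The thresholds below are assumptions for illustration; use the values your own
# written policy states.
$MaxDaysSincePatch = 30     # assumption: updates older than this count as a finding
$MaxIdleMinutes    = 15     # assumption: screen lock must engage within this many minutes
$findings = @()

# 1. Virus protection: query Microsoft Defender. A third-party product needs its own check.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time antivirus protection is turned off" }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old" }
} catch {
    $findings += "Could not query Microsoft Defender; confirm the installed antivirus product manually"
}

# 2. Firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($fw in Get-NetFirewallProfile) {
    if ("$($fw.Enabled)" -ne 'True') { $findings += "Windows Firewall is disabled for the $($fw.Name) profile" }
}

# 3. Software updates: date of the most recently installed update.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No installed Windows updates were found"
} elseif ((New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days -gt $MaxDaysSincePatch) {
    $findings += "Last update $($lastPatch.HotFixID) was installed on $($lastPatch.InstalledOn.ToShortDateString())"
}

# 4. Unique logins: enabled local accounts with no password requirement, and generic
#    names that suggest several team members share one login (the name list is an assumption).
foreach ($user in Get-LocalUser) {
    if (-not $user.Enabled) { continue }
    if (-not $user.PasswordRequired) { $findings += "Local account '$($user.Name)' does not require a password" }
    if ($user.Name -match '^(frontdesk|reception|office|shared|user)$') {
        $findings += "Local account '$($user.Name)' looks like a shared login; each team member needs a unique one"
    }
}

# 5. Automatic logoff: the screen saver should lock the session after a short idle time.
#    These values live under HKCU, so they describe the user running this script.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeoutSeconds = [int]$desk.ScreenSaveTimeOut
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings += "Screen saver lock is not enabled for this user"
} elseif ($timeoutSeconds -gt ($MaxIdleMinutes * 60)) {
    $findings += "Screen lock timeout is $([math]::Round($timeoutSeconds / 60)) minutes (policy says $MaxIdleMinutes)"
}

# Report. File the output with the risk analysis for this workstation.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): all technical safeguard checks passed"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    foreach ($f in $findings) { Write-Output "  - $f" }
}
```

The screen-saver values are read from the current user's registry hive, so the automatic-logoff check reflects whoever runs the script; run it under each team member's login, or set the lock through Group Policy so it applies to everyone. Keeping the dated output with your risk analysis gives you the written evidence the Rule asks for.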


Now that you have reviewed a brief summary of the HIPAA Security Rule, let me give you some solid resources to help your office with more detailed documentation so you can complete the process in your office.

CLICK HERE if your office needs HIPAA training or Risk Analysis.

If you CLICK HERE, you will find a great resource for breaking down each section into more detail. Even though it is a government document, it is very user-friendly and readable. Also, you can check out a website called Dental Practice Compliance that will actually take you through the process and guarantee your office is compliant. Also, check out the NIST (National Institute of Standards and Technology) and its HIPAA Security Rule Toolkit. It is an interactive tool that you download to your computer that will help your practice better understand the requirements of the Security Rule and implement those requirements in your office.

Good luck, and don't hesitate ... it has been a requirement since April 21, 2005.

Sunday, April 8, 2012

Redefine and Improve your Reports

If you know how Billing Types are used in your Dentrix software, please raise your hand. Okay, I see a few hands out there, but not many. Billing types are typically defined at the initial training session during the practice setup; however, I would like all of you to re-evaluate your billing types and see if they are working effectively for you.

First of all, what is a Billing Type? A Billing Type is used to define a group of patient accounts for billing purposes, filtering of reports, and categorizing patient accounts. Most offices I encounter have either left the Billing Types as the Dentrix default or maybe added one or two, but never truly understood how they could help the practice. I believe this simple little tool can reshape and improve your accounting and reporting at your office.

What are some examples of how Billing Types are used?
· Orthodontics – If your office is treating patients with orthodontics, billing the dental insurance, and setting up payment plans, I would highly recommend using a separate billing type for these accounts. Why? These accounts are usually set up on a monthly payment plan and do not get billing statements like the general population. Also, ortho insurance benefits have a lifetime maximum and you don’t want the ortho payments to subtract from the general dental insurance benefits (remember, for this to work properly you would also have a separate ortho account set up).
· Medicaid, DSHS, or many other government-assisted plans – These patients typically do not receive billing statements, so having a separate billing type will allow you to withhold these accounts from your regular statement runs. Also, if the doctor wanted a report of what he or she has produced in Medicaid, he or she would be able to filter the report to show this information.
· Sent to Collections – This is one of the Dentrix defaults, but I just brought it up to remind all of you to use it.
· Sent to Department of Revenue – I don’t know about your state but, in the state of Washington, if you have a credit balance on a patient’s account and you cannot locate that patient to send him or her the refund check, you must send the money to the Department of Revenue’s unclaimed property department. Therefore, it would be a good idea to create a new billing type for these accounts so you can keep track of how much was sent. If you want more information about this, search the internet for Department of Revenue Unclaimed Property for your state.

Where in Dentrix are billing types used?
· Billing Statements – You can filter down a statement run to a certain group of patient accounts.
· Reports – Most of the reports in Dentrix can be filtered to include or exclude certain billing types.
· Family File – This is where you can change the billing type for the family.
· Payment Agreement – This is another place you can change the family billing type.

How do you edit your existing billing types?
Go to the Office Manager > Maintenance > Practice Setup > Definitions, and it is the first one in the list. Remember, if you are going to edit your billing types and you have been on Dentrix for a while, any family account already assigned to a billing type you are editing will be changed to the new type, so be careful. I recommend keeping it simple. You don’t want so many that you are constantly changing them.

Once you grasp the concept of how Billing Types can help you define the patients in your practice, you will find them to be a very simple yet powerful tool in your front office.

Monday, April 2, 2012

HIPAA 5010 . . . How it Affects Your Practice

Last Friday, I was teaching my first Insight Seminar for the 2012 season and, to my surprise, very few attendees knew what HIPAA 5010 was or what they needed to do to be compliant. With this new discovery of how little people know about how HIPAA 5010 will affect their dental practice, I thought this would be good information to share on my blog.

What is HIPAA 5010 anyway?
· HIPAA 5010 is a new set of standards from our government that affects the way certain electronic transactions are transmitted. Most of these changes will not be noticeable to you, but there are a couple of things you need to do in your Dentrix software to become compliant.

When is the effective date?
· The original effective date for compliance was January 1, 2012, but that was pushed to March 31, 2012. As of today, you need to be in compliance with HIPAA 5010 or you will see delays or rejections in your insurance claims. UPDATE: The Centers for Medicare and Medicaid Services has extended the non-enforcement period for the HIPAA 5010 transaction sets another 90 days, through June 30, 2012.

What do I need to do in my Dentrix software to be compliant?
1. You need to update your provider files to include a 9-digit ZIP code (the five digits of the ZIP code, a hyphen, and four more digits that determine a more precise location than the ZIP code alone; if needed, you can go to http://www.usps.com/ to look this up). To include the revised ZIP code, go to the Office Manager > Maintenance > Practice Setup > Practice Resource Setup, select the provider and click Edit. Then update the ZIP code to the correct 9-digit number.
2. The Rendering Doctor field can no longer be a P.O. Box. You must have the physical location address in this field. If your office receives insurance payments at a P.O. Box, you will need to create a provider to use for this purpose only. If your office sends electronic claims, you will want to set this new provider as the Pay-to-Provider in the Practice Defaults. If your office sends paper claims, you will want to set this new provider as the Billing Provider in the Practice Defaults. To get to the Practice Defaults, go to the Office Manager > Maintenance > Practice Setup > Practice Defaults and set this new provider in the proper section. Do not use this new provider ID for any posting.
3. All dental practices must be using correct NPI numbers on electronic claims. Insurance companies will no longer accept Legacy IDs such as Medicaid IDs or BCBS IDs. In addition to using the NPI number exclusively for electronic claims, you must be using the correct NPI number in the correct fields. For more information on NPI numbers, CLICK HERE to read my October 2011 blog post on NPI numbers.
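If you have more than a handful of providers, it is easy to miss one record when working through the three steps above. The script below is an added example; it is not part of the original post and not part of Dentrix. It takes a list of provider records and flags any ZIP that is not in the 9-digit ZIP+4 form, any address that is a P.O. Box, and any NPI whose check digit does not work out. The two records are constructed sample data, and the property names (Id, Name, Npi, Address, Zip) are assumptions rather than Dentrix field names; in practice you would build the same objects from your exported provider list. The NPI test applies the published CMS rule: an NPI is 10 digits, and the Luhn formula computed over the constant prefix 80840 followed by the NPI must come out to a multiple of 10.

```powershell
# Added example, not from the original post or from Dentrix: checks a list of provider
# records against the three HIPAA 5010 changes (ZIP+4, no P.O. Box as the rendering
# address, valid NPI). Property names (Id, Name, Npi, Address, Zip) are assumptions,
# not Dentrix field names; the two records are constructed sample data.

function Test-Npi {
    param([string]$Npi)
    # CMS rule: an NPI is 10 digits, and the Luhn formula over the constant prefix
    # 80840 followed by the NPI must produce a multiple of 10.
    if ($Npi -notmatch '^\d{10}$') { return $false }
    $digits = ('80840' + $Npi).ToCharArray() | ForEach-Object { [int][string]$_ }
    $sum = 0
    for ($i = $digits.Count - 1; $i -ge 0; $i--) {
        $d = $digits[$i]
        # Luhn: counting from the right (position 0 = check digit), double every
        # digit in an odd position and fold results above 9 back to one digit.
        if ((($digits.Count - 1 - $i) % 2) -eq 1) {
            $d = $d * 2
            if ($d -gt 9) { $d = $d - 9 }
        }
        $sum += $d
    }
    return (($sum % 10) -eq 0)
}

function Test-Provider5010 {
    param($Provider)
    $problems = @()
    if ($Provider.Zip -notmatch '^\d{5}-\d{4}$') {
        $problems += "ZIP '$($Provider.Zip)' is not a 9-digit ZIP+4 (for example 98101-1234)"
    }
    if ($Provider.Address -match '^\s*(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b') {
        $problems += "address '$($Provider.Address)' is a P.O. Box; the rendering provider needs a physical location"
    }
    if (-not (Test-Npi $Provider.Npi)) {
        $problems += "NPI '$($Provider.Npi)' is not a valid 10-digit NPI (check digit failed)"
    }
    return ,$problems
}

# Constructed sample records: the first is clean, the second trips all three checks.
$providers = @(
    [pscustomobject]@{ Id = 'DDS1'; Name = 'Dr. A. Sample'; Npi = '1234567893'; Address = '123 Main St'; Zip = '98101-1234' },
    [pscustomobject]@{ Id = 'DDS2'; Name = 'Dr. B. Sample'; Npi = '1234567894'; Address = 'P.O. Box 42'; Zip = '98101' }
)

foreach ($p in $providers) {
    $problems = Test-Provider5010 $p
    if ($problems.Count -eq 0) {
        Write-Output "$($p.Id) $($p.Name): ready for 5010"
    } else {
        Write-Output "$($p.Id) $($p.Name): $($problems.Count) problem(s)"
        foreach ($msg in $problems) { Write-Output "  - $msg" }
    }
}
```

The check-digit test only tells you that an NPI is well formed, not that it belongs to the provider on the record; a transposed digit will usually fail it, but a wrong-but-valid NPI pasted from another provider will pass, so step 3's "correct NPI in the correct field" still needs a human comparison against the NPPES listing.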
How can I get more information?
· You can CLICK HERE to go to the Dentrix website for detailed instructions on what you need to do in your Dentrix software. If you want more information on the details of the new HIPAA 5010 code set standards, CLICK HERE to be directed to the CMS website.

Please stay tuned for more information on HIPAA 5010 on the Dentrix website and my blog.