I recently attended the annual Dentrix Train the Trainer conference and, during the banquet, I sat next to the HIPAA compliance manager for Henry Schein, John Mertz. My commitment to you, my readers, is to try and give you new and relevant content, so while I was chatting with John I asked him, “Can I interview you for my blog?” and he accepted.
Q: John, being the compliance officer for Henry Schein, what are the top two HIPAA issues offices are asking you about?
Great question Dayna, and thank you for this opportunity.
The top two questions I get are: 1) What kind of paperwork do I need between Henry Schein and our practice to be HIPAA-compliant? 2) Is the email I submit from my office HIPAA-compliant when sending directly from Dentrix?
Q: How do you respond to their concerns? Do you refer them back to their own legal team or do you have resources you can pass along?
It depends on what the concern is. To maintain HIPAA compliance, it is very important to have a Business Associate Agreement between the practice and Henry Schein on hand. To make the process much easier for our customers (and Henry Schein), we have a BAA available that can be downloaded from our website, where it can be printed out (for their records) and submitted online. One aspect of utilizing this BAA is that it will cover our customers for anything they utilize from Henry Schein (practice management software, eServices, eClaims, TechCentral, training, support, etc.), avoiding the need to have multiple agreements on file. Last year, Congress passed what is called the Final Omnibus Rule of 2013. Anytime there are significant changes made to HIPAA regulations, it is necessary to update the Business Associate Agreement. Our BAA has been updated to reflect the changes made to HIPAA, and we strongly encourage our customers to contact Henry Schein if they have not yet renewed that agreement since the Omnibus Rule went into effect. If anyone is unsure whether or not their BAA is current, they are encouraged to contact Henry Schein Customer Support.
In regards to email, if you are transmitting any PHI (Protected Health Information) data, the short answer to that is “No, your email is not HIPAA compliant.” Our practice management software does not encrypt email. There are several methods that can be utilized to protect email and patient data. We encourage our customers to consult with their IT staff, or whoever set up their network, regarding email encryption. If there is no one available, Henry Schein has a department dedicated to hardware and network configuration (Tech Central) that would be able to assist with that as well.
Disclaimer: the following websites are listed as information only. I intend no endorsement of their content and imply no affiliation with the organizations that provide their content, nor do I make any representation or warranties about the information on those sites, which I do not control in any way.
- U.S. Department for Health and Human Services: http://www.hhs.gov
- U.S. Department for Health and Human Services; Centers for Medicare and Medical Services: http://www.cms.hhs.gov/
- U.S. Department for Health and Human Services; Office for Civil Rights: http://www.hhs.gov/ocr
- U.S. Department for Health and Human Services; Office of Assistant Secretary for Planning and Evaluation: http://www.aspe.hhs.gov
- Council of Inspectors General on Integrity and Efficiency: http://www.ignet.gov
- Electronic Code of Federal Regulations: http://www.ecfr.gov
- U.S. Department for Health and Human Services; Health Information Technology for the Future of Health Care: http://healthit.hhs.org
- Health Information Technology Standards Panel: www.hitsp.org
- National Institute for Standards and Technology; Information Technology Library: http://www.csrc.nist.gov
Q: What is your answer for email? How can the office be HIPAA compliant with email?
This is certainly a common question. I would refer to the answer I have given above to address this inquiry.
Note from Dayna: Corresponding with your patients via email is one of the most common questions I receive from offices. As John stated above, sending email the usual way is not HIPAA-compliant. For some HIPAA-compliant options for your practice, CLICK HERE to be directed to the resources page on my website. CLICK HERE if your office needs HIPAA training or a Risk Analysis.