Dental Website HIPAA Mistakes You Can Easily Dodge
Dental websites have a crucial role to play, as they provide your patients with access to important information and resources, as well as allowing them to communicate with your practice. However, with the handling of sensitive information such as protected health information (PHI), it’s vital that your website is HIPAA compliant.
In this article, we will be covering some of the common HIPAA violations that dental websites can make and how to avoid them.
1. Not Having a Notice of Privacy Practices Readily Available
A HIPAA compliant dental website will include a notice of privacy practices, which gives your patients notice of their legal rights and explains the covered entity's duties regarding the use and disclosure of protected health information (PHI).
To comply with this regulation, a dental practice should have a clear and conspicuous Notice of Privacy Practices (NPP) that is readily available to patients. This notice should be provided to patients at the time of their first visit and should be available on the practice’s website one click away. The one-click policy means the NPP cannot be hidden deep in your website. It should be linked from your home page, footer, or header so it is easy to find.
The notice should include information on the types of PHI that will be collected and used, the purposes for which PHI will be used, and the persons or entities to whom PHI may be disclosed. It should also include an effective date, contact information for the privacy officer at your practice, and the OCR contact information and dispute process.
Additionally, the practice should obtain written acknowledgement of receipt of the notice from the patient and retain it in the patient’s medical record. It’s also important to update the notice as needed, and provide patients with a new copy of the notice when there is a material change.
It is recommended to have your Notice of Privacy Practices audited to ensure that it is compliant with current HIPAA regulations.
2. Not Properly Securing ePHI With an Encrypted Website
Having an SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol Secure) on a dental website is required for HIPAA compliance because it ensures that all data transmitted between the website and the user’s device is encrypted. This includes ePHI such as patient names, addresses, social security numbers, medical history, and treatment information.
When a website uses SSL/HTTPS, it creates a secure connection between the website and the user’s browser, which encrypts data transmitted between them. This means that even if someone intercepts the data, they will not be able to read it. This is important because it prevents unauthorized access to ePHI.
Covered entities are required to implement technical safeguards to ensure the confidentiality, integrity and availability of ePHI. Implementing SSL/HTTPS on a website is one such technical safeguard, and it meets the requirements set by HIPAA.
A quick way to check whether your website is SSL/HTTPS encrypted is to look at the URL bar while on your website and see whether it shows a lock icon. If the lock is locked like in the image above, then you have an encrypted site. If it’s unlocked, or if you don’t see a lock, you don’t have an encrypted site.
3. Non-Compliant Contact Us and Request Appointment Forms
It’s technically possible to have SSL (Secure Sockets Layer) on a dental website while the contact forms are not encrypted. An SSL certificate encrypts the communication between the website and the user’s browser. It will encrypt the login page, the pages that show a patient’s information, and other sensitive pages that contain ePHI while that data travels between the browser and the server.
But SSL alone is not enough, because ePHI must be encrypted both at rest and in transit. Contact forms collect ePHI and transmit the data to a server. Contact forms must use an end-to-end encryption process. This ensures that the information is encrypted from the point of origin, i.e. the patient’s device, until it reaches its final destination, i.e. the practice’s server.
To comply with this regulation, dental practices should verify that their contact and request-an-appointment forms are end-to-end encrypted.
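As an added example (not code from the original article), the following Python audit turns the checks in sections 2 and 3 into something a practice or its web vendor can run against the HTML of any page: it flags a page not served over HTTPS, forms whose action submits over plain HTTP or via mailto:, and forms that post to a different host, which hands the ePHI to a third party and therefore also needs a BAA (section 4). It assumes the page HTML has already been fetched; the hostnames in the sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> tag on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return a list of findings for forms that could send ePHI insecurely.

    page_url is the URL the page was fetched from; html is its body.
    """
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append(f"page itself is served over {page.scheme}, not https")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urlsplit(urljoin(page_url, action)) if action else page
        if target.scheme == "mailto":
            # Browser-side mail submission leaves the practice with no control
            # over how the message is transported or stored.
            findings.append(f"form submits via mailto to {target.path} (unencrypted email)")
        elif target.scheme != "https":
            findings.append(f"form posts to {target.geturl()} over {target.scheme}")
        elif target.netloc != page.netloc:
            # A third-party form processor receives the ePHI: a BAA is needed.
            findings.append(f"form posts to third party {target.netloc} (BAA required)")
    return findings


if __name__ == "__main__":
    # Constructed sample page: one insecure form, one same-site HTTPS form,
    # one third-party form processor, and one mailto form.
    SAMPLE = ('<form action="http://forms.example.net/submit"></form>'
              '<form action="/appointment" method="post"></form>'
              '<form action="https://crm.example.org/lead"></form>'
              '<form action="mailto:frontdesk@dentist.example.com"></form>')
    for finding in audit_forms("https://dentist.example.com/contact", SAMPLE):
        print(finding)
```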
4. Not Having Business Associate Agreements in Place with Third-Party Vendors
HIPAA regulations regarding the use of third-party vendors that handle ePHI are outlined in the Business Associate Agreement (BAA) provision of the HIPAA Privacy and Security Rules. According to these regulations, covered entities must have a written BAA in place with any vendor or contractor that creates, receives, maintains, or transmits PHI on their behalf.
To comply with this regulation, a dental practice should take the following steps:
- Identify all third-party vendors that will be handling ePHI: This includes vendors that provide services such as data storage, billing, and marketing.
- Obtain a written BAA from each vendor: This agreement should clearly outline the vendor’s responsibilities for protecting ePHI and should be updated as needed.
- Regularly review BAAs: This includes regularly reviewing and updating BAAs to ensure that they are current and effective in protecting ePHI.
- Monitor the vendors’ compliance: This includes regularly monitoring the vendors to ensure that they are complying with the terms of the BAA and with HIPAA regulations.
- Terminate relationships with non-compliant vendors: This includes taking steps to terminate the relationship with vendors who are not in compliance with the BAA or HIPAA regulations.
It is recommended to have a HIPAA compliance attorney review the BAAs to ensure that they are compliant with the current regulations.
It’s important to note that BAAs are not only required for vendors but also for any other third party that has access to ePHI, such as contractors or even temporary employees.
5. Using ePHI On Your Website Without Patient Consent
HIPAA regulations regarding the use and disclosure of ePHI on a dental practice website are outlined in the Privacy Rule. According to these regulations, covered entities must obtain written authorization from patients before using their ePHI on a website.
To comply with this regulation, a dental practice should take the following steps:
- Obtain written authorization from patients: This should include a description of the ePHI to be disclosed, the reason for the disclosure, the name of the person or entity to whom the PHI will be disclosed, and an expiration date for the authorization.
- Limit the disclosure of PHI to the minimum necessary: This includes only sharing the minimum amount of ePHI necessary to accomplish the intended purpose.
- Implement procedures for verifying patient identity: This includes confirming the identity of the person requesting ePHI prior to disclosing it.
- Maintain records of disclosures: This includes keeping a log of all disclosures of ePHI, including the date, the ePHI disclosed, the person or entity to whom the ePHI was disclosed, and the reason for the disclosure.
- Train employees on HIPAA regulations: This includes educating employees on the regulations related to the use and disclosure of ePHI, as well as their responsibilities for protecting ePHI.
Protect yourself by using a patient authorization form. You can download a free patient authorization form here. It is also important to regularly review and update policies and procedures to ensure that they are current and effective in protecting ePHI.
Conclusion: Dental Website HIPAA Mistakes
HIPAA compliance for dentists may sound complicated, but these updates are actually simple fixes. By understanding the common HIPAA dental mistakes you can make and taking the necessary steps to ensure compliance with HIPAA regulations, you can protect patients’ sensitive information and avoid costly penalties.
Implementing a notice of privacy practices, properly securing patient data, obtaining patient consent before disclosing PHI, implementing physical and technical safeguards, and having BAAs in place with third-party vendors are all necessary steps to ensure that your website is HIPAA compliant.
Remember that the regulations are in place to protect the patients’ rights to privacy and security of their information. By implementing these measures, you can not only comply with the regulations but also provide a better service to your patients.
About the Author: Adrian Lefler is one of the founding members of My Social Practice. He’s a dental marketing expert and currently works in the marketing and business development department. Adrian is passionate about helping dental practices grow through online dental marketing strategies. He lives in Draper, Utah with his lovely spouse, four snarky kids, one dumb dog, one amazing dog, and Epicurus his philosopher fish.