Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may.
Colington Consulting

Dental Offices May be Targeted for HIPAA Audits

9/30/2014 10:38:49 AM

A little over a year ago, the former Director of the Office for Civil Rights (OCR), Leon Rodriguez, referred to covered entities that did not realize they have business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriguez stressed that it was the responsibility of both the covered entity and the business associate to understand that this relationship exists.

Regarding ramped-up HIPAA compliance, Rodriguez indicated future audits will be narrower in scope and include more organizations than ever before. Covered entities and their business associates also will be audited under the new permanent program, and audits will focus on vulnerabilities that could change year to year as new issues arise.

With Rodriguez’s departure to Homeland Security in June, the task of continuing the drumbeat message of ramped-up HIPAA enforcement seems to have fallen to Linda Sanches.

Sanches, who serves as OCR’s Senior Health Information Privacy Advisor, also has the role of chief compliance enforcer.  As the overseer for the HIPAA security and breach notifications audit program, it appears Sanches may know a thing or two about the direction OCR wants to take with future audits.   Sanches recently spoke at the Health Information and Management Systems Society (HIMSS) Privacy and Security Forum.   However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry seems to know already, that these audits are coming.

Much like Rodriguez did in the past, Sanches spoke more in generalities than specifics. She indicated OCR was looking at a broader view of the entire healthcare industry as possible criteria for selection of who would be targeted for an audit. Using the National Provider Identifier (NPI) database is a method being considered to select entities like hospitals, practices and dental providers for audits.

Large and small providers with random geographic locations will be part of the selection formula. Dental providers were specifically mentioned, which is a concern because, in my experience, smaller practices have struggled to meet their compliance requirements because they do not completely understand the regulations.

As a former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, I interpret Sanches’ government speak to mean very simply this: any covered entity or business associate, including dental practices, may be the subject of a random audit. Now, as a HIPAA consultant on the other side of the enforcement table, and as someone assisting healthcare clients and business associates with compliance requirements, I continually advise them to be prepared and to maintain current policies and best practices when it comes to required security safeguards.

What Sanches told those at the HIMSS Forum is similar to advice I give to all clients — make sure you have an up-to-date HIPAA Risk Assessment and Risk Management Plan.  The HIPAA Risk Assessment is going to be the first document OCR asks for during an audit or compliance review.  Make sure you have a robust sanction policy and process.  This is an issue I previously addressed in my blog article titled “HIPAA Security Compliance: What is Your Sanction Policy?” 

Being compliant is the best way to sleep at night and not be concerned if you are subject to a random audit.  The longer OCR keeps kicking the can down the road when it comes to enforcement and audits, the more time it gives you to review, update and be prepared if the notification comes that you were selected for a compliance review. 

Author: Jay Hodes is the President of Colington Consulting.  His company provides assistance with HIPAA compliance by conducting risk assessments, writing practice specific risk management plans, security awareness training, and developing privacy policy and procedures manuals.  


©1999-2019 Dentaltown, L.L.C., a division of Farran Media, L.L.C. · All Rights Reserved