EZ 2000 Manual - HIPAA

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law to protect Protected Health Information (PHI). 
- The HIPAA Privacy Rule regulates the use and disclosure of all PHI. 
- The HIPAA Security Rule establishes detailed standards to protect the integrity, confidentiality, and availability of electronic PHI (ePHI). 

The responsibility for HIPAA compliance falls to each dental office. If you take standard precautions to protect patient data, then you should be HIPAA compliant in that area.

EZ2000 Plus Dental is entirely HIPAA compliant, and all privacy concerns are addressed. EZ2000 Plus Dental uses CDT codes exclusively, it uses the ADA claim form, and electronic claims are sent to the clearinghouse in a HIPAA compliant format. We are also easily on target to meet any possible future security requirement.

Business Associate Agreement
If you will be sending PHI to EZ2000 Plus Dental for any reason, please be sure to sign and date the EZ2000 Plus Dental HIPAA agreement and make a copy. Keep one for your records, and return one to us for our records.  We do not sign alternate versions of Business Associate Agreements from customers or other third parties, as there is no need.  We do not have time to have a lawyer review each of the many versions that come through. The one we have signed and posted will work just fine.  Please let us know if there is an issue with the document that we should address.

If an outside person or entity performs a service on behalf of the practice, and it involves PHI, you should enter into a Business Associate Agreement with that person or entity. If you need more information, or examples of the forms that patients and business associates must sign, you can request information from the American Dental Association at www.ada.org.

Security Risk Analysis
As part of the Security Rule, dental practices must conduct a security risk analysis, document it, and develop safeguards to protect ePHI.  We strongly recommend purchasing a HIPAA Compliance Kit from the ADA, or from some other company, for about $300.  These kits have sample security risk analysis reports for small dentist offices that might be helpful.

To ensure your computer systems are HIPAA compliant:

  1. Follow Networking Guidelines.
  2. Use Virus Protection.
  3. Set up Security profiles in EZ 2000 Plus Dental for all users (user groups, user names, passwords).
  4. Encrypt your data.
  5. BACK UP your data.

How EZ2000 Plus Dental Data is Protected
Data in storage:  EZ2000 Plus Dental data is stored in the database (usually MySQL) and in the A to Z folders.  It is each practice's responsibility to take steps to protect this data. See Encryption.

Data in transit:  EZ2000 Plus Dental does not move patient data off of your network in any automated fashion. There are some optional features of EZ2000 Plus Dental that involve sending patient data to, or from, your EZ2000 Plus Dental database. To see how this data is protected, see Encryption of Data in Transit.

Track Authorized Use of EZ2000 Plus Dental:  To track who logs in/out of EZ2000 Plus Dental, use the Windows audit feature.  Set up Windows so that each user is required to log in separately, then use the Security Log to view valid and invalid login attempts. To view the Windows audit log, right-click My Computer and choose Manage, expand Event Viewer, expand Windows Logs, then left-click the Security log.
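The same Security log review can be done from PowerShell, which is easier to repeat and to keep as documentation. The script below is an added example, not part of EZ2000 Plus Dental or its manual; it assumes an elevated prompt, that logon auditing is enabled in Windows, and a 7-day look-back window chosen for illustration.

```powershell
# Added example: summarize Windows logon activity from the Security log.
# Run from an elevated PowerShell prompt (reading the Security log needs administrator rights).
# Assumes logon auditing is enabled in the local audit policy.

$days = 7   # look-back window (assumed value, adjust to your review schedule)

# Event IDs: 4624 successful logon, 4625 failed logon, 4634 logoff, 4647 user-initiated logoff
$actions = @{ 4624 = 'Logon'; 4625 = 'FailedLogon'; 4634 = 'Logoff'; 4647 = 'Logoff' }

# Logon types that represent a person at the keyboard or in a remote desktop session
$humanTypes = @{ '2' = 'Interactive'; '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

# Built-in desktop accounts that log on interactively but are not staff
$systemDomains = 'Window Manager', 'Font Driver Host'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4647
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read named fields from the event XML instead of relying on property positions
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $type = [string]$data['LogonType']
    # 4647 carries no LogonType, so keep it; otherwise skip service and network logons
    if ($e.Id -ne 4647 -and -not $humanTypes.ContainsKey($type)) { continue }
    if ($systemDomains -contains $data['TargetDomainName']) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = $actions[$e.Id]
        User   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Type   = $humanTypes[$type]
        Source = $data['IpAddress']
    }
}

# Chronological trail of who logged on and off
$rows | Sort-Object Time | Format-Table -AutoSize

# Failed logon attempts per account, most frequent first
$rows | Where-Object Action -eq 'FailedLogon' | Group-Object User |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The output covers Windows logons only, which is what the Security log records, so it is meaningful only when each user has a separate Windows account as described above.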

Other Resources

 

  Ez2000 Plus Dental Software 800-273-5033