By Jim Moore, CHP; Smart Training LLC
2013 was a watershed year with respect to regulatory requirements for dental practices:
- The Omnibus Rule stepped HIPAA toward broader enforcement. (The Omnibus Final Rule strengthens and re-affirms HIPAA Privacy, HIPAA Security, and HITECH Breach Notification requirements.)
- House Bill 300 imposed amended training mandates.
- OSHA adopted the Globally Harmonized System of Classification and Labelling of Chemicals (GHS)—an internationally agreed upon system created by the United Nations.
- OSHA required GHS training for most offices by December 1.
Most compliance consultants consigned their crystal balls to the dustbin years ago; compliance pathways are no longer predictable. The compliance landmark events of 2013, however, paint a rather telling picture of OSHA and U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) compliance expectations for the next 24 to 36 months.
There’s no way to know whether the OCR will expand, extend or renew the $9.2 million HIPAA-compliance audit contract with KPMG—one of the nation’s “big four” auditors. However, it’s fair to assume that some entity will step into the breach and perform that function during 2014. Non-compliance on the part of hospitals and other large-practice targets is too obvious, and the anticipated civil-money-penalty revenue stream is too large to ignore.
KPMG’s efforts effectively paved the way for a widespread “steamroller” approach to compliance audits. The company developed an accountancy-driven approach to assessing HIPAA compliance. As a result, KPMG’s findings from 150 HIPAA-compliance audits were especially revealing: more than 30% of the practices audited claimed to be “unaware” of HIPAA and HITECH Act requirements.
According to the OCR, audited covered entities (which, according to HIPAA rules, include dentists who transmit any information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard) typically displayed:
- Consistent lack of application of sufficient resources
- Incomplete implementation of processes and specifications
- “Complete disregard” for patient privacy issues
We can say with some degree of certainty that patient-privacy regulation will not go away. If anything, privacy requirements and associated regulatory burdens will continue to increase. The inescapable consequence: HIPAA audits will continue and become far more widespread. If KPMG-style HIPAA audits continue through 2014 and beyond, willful disregard of patient privacy issues may see some practices fined out of existence.
Business Associate and Business Associate Agreements
Perhaps as important are the Business Associates (BA) “ticking time bombs” uncovered by KPMG. In essence, auditors identified Business Associates as the Achilles’ heel of patient-privacy security. To date, few dental practices have given the issue adequate attention. Thanks to the Omnibus Rule, Business Associate Agreements (BAA) are now required. In short, any vendor with access to a practice’s Protected Health Information (PHI) should enter into a BAA; doing so pledges the vendor to train its employees to safeguard PHI in the same manner required of the dental practice.
I deal with this subject on a daily basis. Many vendors are understandably anxious to avoid the training requirements and other legal entanglements presented by a BAA. Some vendors claim that since they’re also covered entities, they’re exempt from the BAA requirement altogether. Nothing could be further from the truth. If a business associate sustains the theft of an unencrypted laptop containing patient PHI, for example, the business associate is at risk for the disclosure. If a BAA does not exist between the vendor and dental practice, then both are on the hook. Interestingly, this dual responsibility is effectively created by the lack of a BAA.
Assuming most dental practices have fulfilled their statutory obligations with respect to training employees and safeguarding patient health information, we can point to the business associate issue as a real and present danger. Unfortunately, much of the BAA scrutiny must be performed by a practice manager or by the dentist; most staff members lack the requisite experience to determine which business associates pose a genuine liability for the practice.
Of the practices audited by KPMG, 89% demonstrated substantive HIPAA and HITECH patient-data security problems. KPMG audits pointed time and again to the need for a risk analysis or assessment. Indeed, KPMG’s national HIPAA services leader Michael Ebert said that the lack of risk assessment was consistently “the biggest weakness” auditors found. A detailed HIPAA risk assessment and deficiency remediation process emerges as an effective “get out of jail free” card for many dental practices. A risk analysis—and the associated effort required to remediate any vulnerabilities found—is increasingly seen as evidence of a “good faith effort,” and may do much to dissuade auditors from levying substantial fines or taking other enforcement action.
While patient privacy issues are vexing enough, occupational safety and health challenges will likely take center stage during 2014 and 2015. As the GHS continues to gain traction across the country, OSHA will be working to ensure that employees exposed to hazardous chemicals receive proper GHS training.
Based on our consulting experience, hazard communication has never been a particularly easy compliance requirement for dental practices to meet. The OSHA Hazard Communication standard—also referred to as the “employee right-to-know” standard—requires:
- Office-specific lists of hazardous chemicals used or stored
- A copy of the manufacturer’s Material Safety Data Sheet (MSDS) or Safety Data Sheet (SDS) for each chemical
- Employee training on the Globally Harmonized System
GHS requires that new safety data sheets replace the MSDSs that dental offices have maintained for so many years. The timing of manufacturer development and distribution of SDSs, however, may cause compliance delays that are beyond a dentist’s or administrator’s control.
Emergency Readiness and Safety Guards
Additionally, we’re fairly certain that OSHA will continue its preoccupation with emergency exits and exit route identification. Complying with OSHA’s emergency exit specifications—for example, having unblocked emergency exits equipped with working, lighted signage—could be problematic, especially in rural settings or in dated buildings. Other specifications, such as conducting fire drills and developing and maintaining an emergency action plan, are relatively easy to comply with.
Another continuing OSHA issue is that of machine guarding. Any sort of grinder or abrasive wheel machine—like the machines commonly found in dental office labs—must incorporate a safety guard that’s in place and functional. Unfortunately, because of the unremitting pace of laboratory work, the temptation to remove guards is strong. But an OSHA inspector needs only to walk into a lab area while the guard is off the machine for that practice to be liable for a fine. The only way to avoid this unpleasant scenario is to keep the guard in place on the machine.
Required Written Safety Programs
OSHA’s new Regional Emphasis Programs aim to identify and cure specific deficiencies on a region-by-region basis. While the exact targets of local emphasis programs are difficult to predict, we have no doubt that written safety programs will continue to be an area of focus.
Written safety programs must be site-specific; in other words, they must be crafted especially for the individual practice. Merely buying one from a vendor and putting it into a binder is not sufficient. The content must be altered to fit the specific demands of the unique practice setting. Additionally, the content must be updated annually.
Most dental offices require these written programs:
- Emergency Action Plan
- Electrical Safety
- Bloodborne Pathogens Standard
- Hazard Communication
In facilities equipped with x-ray equipment, an Ionizing Radiation written program is required as well.
The Emergency Action Plan written program includes details about exit signage and evacuation plans. OSHA has long required that a diagram of evacuation routes be posted in a conspicuous location within the office. The written program merely translates this diagram into wording office workers can reference.
OSHA’s electrical safety standards address requirements to safeguard employees from electrical hazards—specifically electrical equipment and wiring in (or in close proximity to) hazardous locations. Our experience has shown that many practices ignore the need for this written program altogether.
The written Bloodborne Pathogens exposure control plan must also be updated annually, and typically covers the use of universal precautions, as well as office-specific engineering and work practice controls. Recent events in other states have shown that this information is still relevant; important safeguards are still lacking in too many dental practices.
The requirements for these written programs will likely remain unchanged for the next several years. Meanwhile, many dental offices will continue to operate without them. This is likely the sort of violation that OSHA will focus on with increasing frequency. Whether the time spent to create the required written programs outweighs the potential fines involved is a decision for dentists and practice stakeholders to make.
For 2014 and 2015 in particular, dental office regulatory requirements and the associated burden of compliance will only increase. The signposts presented during 2013 are powerful indicators of the direction those requirements are taking. The real challenge of compliance—particularly from the standpoint of Texas dentists—is to use 2014 to get ahead of the regulatory curve. If anything, this year will likely be seen as the eye of the storm—the whirlwind of compliance requirements is sure to gain speed again in years to come, and this brief lull should be a time for preparation.
Jim Moore is a bestselling author and certified HIPAA professional. He develops OSHA and HIPAA-compliant training for Smart Training LLC, a TDA Perks Program partner. Texas-based Smart Training worked with TDA Perks to provide an online training module for HB-300 compliance. Smart Training also offers its Learning Management System (LMS) and Regulatory Compliance Services to the Texas dental industry, and offers exclusive discounts to TDA members. For more information about Smart Training, please call: 469-342-8300.
1. According to HealthIT.gov, the “HITECH Act seeks to improve American health care delivery and patient care through an unprecedented investment in Health IT (HIT).” It was enacted as part of the American Recovery and Reinvestment Act of 2009, made important changes to HIPAA, and imposes much steeper penalties for HIPAA violations. The HITECH Act also requires the federal government to take a more rigorous approach to enforcement.
2. U.S. Department of Health and Human Services, Office for Civil Rights: HIPAA Privacy, Security and Breach Notification Audits, Verne Rinker JD, May 21, 2013.
3. According to the U.S. Department of Health & Human Services, “a ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
4. 45 CFR § 160.103, Definition 3: A Covered Entity can be a Business Associate of another Covered Entity.
5. HealthCare Business and Technology, May 7, 2013
6. AISHealth, KPMG Official Describes Early Audit Results, May 10, 2012.