HIPAA Scare Tactics

Someone called my practice and said I have to fill out their checklist for HIPAA each year. Is this true or is it HIPAA scare tactics?

Not Really. You do have to perform a “Risk Analysis” (RA) checklist of all the ways you store, input and transmit protected health information (PHI). This must be done initially and then anytime you change your systems. Yearly is recommended as change is a constant, but it is not required. Any risks identified are then addressed and your solutions documented in a Corrective Action Plan (CAP). You should update your CAP as you make the changes and review it at least yearly.

Any company that says you have to use their checklist is misrepresenting the Risk Analysis. There is no form or format required. There are certain elements that are required to be addressed with both managerial and IT personnel. You can address these with a good consulting firm or you can research it yourself at hhs.gov

  • Neither HHS nor OSHA is going to call you and tell you that you have to do something unless you are in the middle of an investigation you already know about. If someone calls you and says they are with HHS or OSHA, call your local branch and verify the contact.
  • A reputable company does not use scare tactics or any words that say you must deal with them.
  • Contact your dental association and/or the Better Business Bureau.