I’ve read accounts of child prodigies. You know, the kid who sits down to a piano for the very first time and plays Beethoven’s 5th Symphony flawlessly, and maybe I’m just envious, but I don’t buy it! When it comes to learning something new, the vast majority of us - I dare say, all of us - need a guide to help us along. We need a teacher or coach to show us the ropes. HIPAA is no different. Your practice needs a HIPAA coach who will have three key objectives:

1. Guide the development of appropriate privacy and security rules
2. Foster a culture of continual improvement
3. Ensure all employees are held accountable to the published practice standards by applying fair, consistent, and appropriate sanctions

Let’s look at each of these goals a little closer:

First, HIPAA wants to make sure that you are adequately addressing the HIPAA standards and that you are communicating this with your workforce. So, your practice is required to have a HIPAA rule book that clearly communicates the privacy and security standards for the office (the rules) and what the penalties for breaking the rules are (these penalties are also known as sanctions). Sanctions are a HIPAA requirement. They provide the accountability mechanism necessary to implement a HIPAA continual improvement program.

Second, fostering a culture of continual improvement is a goal because, let's face it, mistakes will happen. As a HIPAA coach, it is important to make sure the workforce understands the goal is to just get better at privacy and security each day.

And third, let’s say you have a staff meeting with your workforce and you play a short video demonstrating the correct way to shoot free throws. Following the morning huddle, you ask your team to go outside and take fifty shots each. Do you expect every person to sink every shot they take? Of course not. The same is true with HIPAA. Everybody is going to miss some shots. But, when it comes to the privacy and security of your patients, these “missed shots” do need to be documented and the appropriate sanctions need to be applied each time. This is the third goal: applying consistent and appropriate sanctions. Don’t think of this as punishment as much as it is about tracking progress. 

If HHS audits your practice and asks to see your “missed shots” report for the past year and you respond with, "We didn’t have any?" Well, to them, that sounds just as crazy as our free throw example. It’s a huge red flag that HIPAA is either not being implemented correctly within the practice, or that your workforce is not being held accountable to it.

Documented sanctions are a way to provide evidence of both continual, consistent employee coaching and the progress your practice is making. Once you have implemented the HIPAA privacy and security standards in your practice, it is fair to assume that people will fall short of these expectations from time to time. Remember, progress is a fair and reasonable expectation for the workforce - perfection is not. Don’t be afraid of the sanctions process. It’s a necessary piece in the process of getting better.

If you haven’t made HIPAA a priority yet, start today. Join our online HIPAA community for dentists at bitesizehipaa.com. Explore and learn for 60 days on us! Please, watch every training course (we call them bites) and explore the tools we’ve created to help ease HIPAA implementation and compliance. There is no risk. Give us a little bit of your time and we'll teach you about the HIPAA law, why it exists, and how - if done right - you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.