
HIPAA / HITECH COMPLIANCE

At Menlo Technical Consulting, LLC (herein referred to as Menlo Technical), we continually invest in procedures and technology to support your every effort in upholding HIPAA’s privacy and security rules. Our IT services are designed specifically for healthcare providers and, as a result, have built-in support for all the data security and regulatory compliance requirements that apply to a modern dental practice.

HIPAA and HITECH

There are two separate sets of regulations that govern the sharing of patient data: HIPAA (the Health Insurance Portability and Accountability Act of 1996), which establishes your practice as a “Covered Entity” and regulates how you use and disclose protected health information (PHI); and the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), which complements HIPAA and controls with whom you can share this information. Parties with whom you share such information are identified as “Business Associates,” and must comply with HIPAA Privacy and Security rules to the same degree as any covered entity. In this framework, Menlo Technical Consulting, LLC acts as your Business Associate, and your office is the Covered Entity.

HIPAA and Marketing

The 2013 amendments to the HIPAA rules under the HITECH Act state that a covered entity is required to obtain prior authorization from the patient to “market” to them, which is defined as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” [Title 45 of the Code of Federal Regulations, section 164.501].

However, HIPAA offers exemptions for communications about services you render or offer as their healthcare provider, as well as “healthcare operations” communications around treatment plans, alternatives to treatment, new services and care coordination. The only instance when such messages could be considered “marketing,” and would thus require permission from the recipient, would be if a Covered Entity or their Business Associate received third-party “financial remuneration” to send these messages. This isn’t common in a typical dental office – and Menlo Technical as a business associate never accepts any form of third-party remuneration for content within the system.

Compliance and Patient Communications

Email: Health care providers are permitted to communicate with their patients electronically (including email), as long as reasonable precautions and safeguards are taken to limit unintentional disclosure [45 C.F.R. § 164.530(c)]. Because Menlo Technical utilizes patient contact information directly from your practice management software, it is your responsibility, not the business associate’s, to ensure that you have each patient’s correct information on file.
Phone Calls and Voice Mail Messages: A Covered Entity or a Business Associate may leave a message on an answering machine, so long as a reasonable precaution is taken to limit the amount of information disclosed in such a non-personal interaction [45 C.F.R § 164.510(b)(3)]. Menlo Technical phone calls (and voice mail messages) do not contain any treatment-specific information and hence comply with this requirement.
Postcards and Letters: Business Associates are allowed to mail correspondence to a Covered Entity’s specified mailing addresses even if it contains PHI. As an additional measure of security, Menlo Technical uses security envelopes for any correspondence containing health-related or payment-related information. Again, as with email addresses, your office needs to take the necessary precautions to ensure that HIPAA compliance is maintained. This includes the necessary regular office training lessons for the entire staff.

Physical and Technical Compliance

Data extracted from your practice management software to build data sets for other third-party Business Associates will be sent over an encrypted Internet connection. In addition, Menlo Technical will help ensure that the connection is prepared for the most secure available HIPAA-, HITECH- and PCI-compliant hosting facility, where all data operations are performed. Regular HIPAA audits should be scheduled, and HIPAA compliance experts on staff should be designated, to help ensure your data is closely managed and compliant. Your own access to the system is safeguarded using SSL and 128-bit encryption so you can safely log in from your office, home or mobile device.

TCPA and Consent

Telephone Consumer Protection Act (TCPA) rules are designed to protect consumers from telemarketing messages, and apply to text messaging, residential phone lines, and wireless lines. Treatment plan notifications, appointment confirmations and other types of messaging sent on your behalf via Menlo Technical are deemed by the FCC to be “health care messaging” or “informational messaging,” and both have been exempted from the 2013 modification to the Act (known as the “new rules”).

In exempting this type of messaging, the FCC stated there is efficient and thorough oversight in HIPAA so as to “already safeguard consumer privacy” and that it did not “need to subject these calls to its consent, identification, opt-out, and abandoned call rules” (77 FR 34240).