Following these eight steps can help ensure your dental practice is HIPAA compliant.
Over the course of the past year, I’ve explored many of the rules and regulations that HIPAA requires of dental offices. I would encourage readers of this column to go back and review those articles, as each one goes into more detail of the various regulations that are legally required.
However, when I work with dental practices directly, one of the first things I’m asked is to help them develop a “treatment plan” of what they need to do right away to get started on the path towards compliance.
While each practice is unique, in my experience, there are eight steps that I believe every practice will likely need to take to become complaint:
Formal risk assessment
Many practices have not done a formal risk assessment nor do they have a HIPAA management plan in place. This is a game stopper if a HIPAA auditor ever shows up, as the risk assessment and management plan are required by law and they are the first things they will ask to see. If you don’t have them, it will go downhill quickly from there! Not having a risk assessment is like creating a treatment plan for a patient without taking X-rays, charting or perio probing; you have to diagnose first before you can treatment plan. The same goes for HIPAA.
What I would recommend is a formal risk assessment. A proper risk assessment should include most of the following: risk analysis, HIPAA management plan, evidence of HIPAA compliance, an external network vulnerability scan, an on-site survey, a disk encryption report, file Scan report, user identification worksheet, computer identification worksheet, network share identification worksheet and HIPAA supporting worksheets.
HIPAA also requires you do what’s called patch management. You are required to make sure your software is current and up to date, with all security holes patched. The software we use, called Netwatch, does this. It also does non-HIPAA but still needed services like alerting us to network problems, cleaning out the temporary Internet files, etc.
While most antivirus software is likely alright for most types of malware, it doesn’t do a great job against the ransomware viruses, the ones that lock your data and demand a ransom be paid. The Office of Civil Rights recently announced that a ransomware infection is considered a breach, you’d have to notify all your patients, the local media and be listed on the HHS Wall of Shame. Your best defense is software designed to prevent ransomware infections.
Backup and disaster recovery plan
Many offices don’t have a proper backup and disaster recovery plan. HIPAA requires it to be offsite but you need a fast way to restore if your server goes down. HIPAA also requires that the backup be encrypted, that you verify the backup and that you test the backup. What I would recommend instead is a local “image” of the server that is an exact copy of the server, and online backup. Downtime would be measured in minutes, not days.
HIPAA training and documentation
HIPAA requires that not only do you complete HIPAA training for your staff, you also must document it. There are many online companies that offer the training and they provide a certificate of completion.
If you are sending patient information over email, you really need to consider an encrypted email service. These are not costly.
Speaking of encryption, any computer that contains electronic protected health information must be encrypted.
Up-to-date operating systems
Finally, evaluate your hardware, for many offices, they are running unsupported operating systems or just have old systems that need replacement.
While no dental practice can get 100-percent compliant, if you have handled all of these eight steps, you’ll be well on your way to a more secure and HIPAA-compliant office!