The data protection checklist

January 9, 2020

Safeguarding your patients protected health information is essential to your HIPAA compliance. We share the systems and steps that should be in place to keep data properly secured.

Every dental practice is responsible for protecting its patients’ protected health information (PHI) as detailed by the Health Insurance Portability and Accountability Act (HIPAA). However, not every dental practice complies with the HIPAA laws.

Often this lack of compliance is not intentional but is instead caused by a practice’s lack of understanding of the data protection requirements. John Flucke, DDS, Technology Editor for Dental Products Report, says the lack of compliance sometimes has other reasons as well: some practices resent the added expense and hassle that HIPAA compliance adds to a practice’s bottom line.

Dentists and other covered entities should not be “penny-wise and pound-foolish” about data protection management and HIPAA compliance, Dr. Flucke advises. From an accounting standpoint, it’s something all practices must do.

“Expenditures to protect data are another form of insurance; they prevent disaster like fire insurance does,” Dr. Flucke says. 

Data protection checklists are a useful tool to help you identify where you have HIPAA compliance issues in your current data management system. Marc Haskelson, President and CEO of Compliancy Group, a company that provides HIPAA software with coaching to automate HIPAA compliance, says a checklist is a simple way for a dental practice to gauge where it currently stands with respect to the HIPAA requirements.

“Checklists are not designed to make people compliant or secure. They're designed to help you understand how far off base you are as a starting point,” Haskelson explains. 

There are many checklists available to practices for the data management issues raised by the HIPAA laws. Perhaps the first checklist you should examine for data management comes from the Department of Health and Human Services (HHS), which oversees the HIPAA requirements. HHS published the Seven Fundamental Elements of an Effective Compliance Program. These seven fundamentals were given to help covered entities become compliant and include:

  • Having and implementing written policies and procedures, as well as standards of conduct regarding patients’ protected health information (PHI)

  • Appointing a compliance officer and committee on-site to oversee the data management at the practice

  • Engaging in regular training and continuing education on the topic

  • Communicating on the subject regularly

  • Monitoring and auditing your data management system internally

  • Having disciplinary guidelines in place for violations that are enforced on site

  • Fixing vulnerabilities quickly once identified


Haskelson has 14 years’ experience in HIPAA compliance, and Compliancy Group works with all kinds of clients, not just dental practices. None of their clients have ever failed an audit. They designed the Compliancy Group checklist to clear up common misunderstandings people have regarding HIPAA. 

Compliancy Group developed the questions on its HIPAA Compliance Checklist because many organizations think they are HIPAA compliant when they are not. Haskelson says these misunderstandings contribute to the high failure rate in the US for audits by the Office for Civil Rights (OCR), the enforcing body for HHS.

Most of what Compliancy Group chose to include is tied to what federal law requires. Protecting your data is also protecting your business, he notes.

“When it comes to security, you are protecting the assets of your firm,” Haskelson says, adding that your reputation is one part of those assets. “So, you should be using a checklist to evaluate where you are today, as well as your risk profile.”

There are 18 specific identifiers that HIPAA requires you to protect, Haskelson says, the obvious ones being name, phone number, email address, and financial information. However, your computer and your home have addresses that are equally identifying, he adds. In the end, criminals want your data because they are trying to get access to your finances, and they will use any of these identifiers in any combination to do it.

Every covered entity is required by HIPAA to complete an audit every year, and these audits identify where you have gaps. Haskelson also says it is essential to treat security reviews and related checklists as a way to improve the practice and the patient experience rather than as a way to avoid getting caught (and fined or worse) by the OCR.

“Using these results as a guideline, we help an organization to set up their policies and procedures. Those policies and procedures make your staff happy,” Haskelson says. “When your people are happy, and they know what they are supposed to do, they tend to serve your patients better.”

Haskelson also cautions practices that using a checklist only provides guidelines on HIPAA compliance. You should not assume that answering yes to every item in a self-evaluation checklist means you are compliant. These checklists are intended to be educational, he says.

“We think it has become way more complicated than it was meant to be, and it really should be simple,” Haskelson says of HIPAA compliance. “The other reason for the checklist is it takes what is several hundred pages of very complex language and brings it down to something straightforward.”

The HIPAA Journal, a publication that covers HIPAA news, also published a self-evaluation HIPAA Compliance Checklist for dental practices and other covered entities. Like Compliancy Group, it uses the HHS guidelines to help a practice establish its baseline for becoming HIPAA compliant.

For example, the first question identifies the six annual audits and assessments required by the HIPAA laws, which include:

  • Security Risk Assessment

  • Privacy Assessment

  • HITECH Subtitle D Audit

  • Security Standards Audit

  • Asset and Device Audit

  • Physical Site Audit

The subsequent questions then address the findings of these audits and what has been done to remediate any vulnerabilities that were found. For example, the second question asks whether you have the documentation for the past six years available in case of an OCR audit of your practice. Like the other checklists available, the HIPAA Journal also emphasizes that completing the checklist does not guarantee HIPAA compliance and recommends that you get professional help.

Dr. Flucke has his own version of a checklist for dental practices that want to ensure they are HIPAA compliant. It includes the following:

  • Have at least two providers. Managed service providers (MSPs) are a significant target for hackers, and when an MSP suffers a breach, all of its clients do, too. Dr. Flucke employs several experts to ensure his private practice in Lee’s Summit, Mo., is protected and HIPAA compliant, including DDS Rescue. Having more than one provider ensures you will still have access to your data if one of the data companies is breached, he says.

  • Do a physical backup. In addition to the cloud backup, Dr. Flucke does two manual backups on a hard drive that he takes home with him. If something should happen to his cloud backup, he has the physical backups to fall back on.

  • Choose a reputable IT company to help you. However, Dr. Flucke says not to “put all of your eggs in one basket.” He recommends at least a two-pronged approach.

  • Invest in a proper hardware firewall. Dr. Flucke uses the ASPIDA firewall product, a high-end firewall that stands guard between the practice and the Internet.

  • Install up-to-date anti-virus software. He uses Emsisoft, a New Zealand company that specializes in keeping Windows computers free from malicious software. Whichever you choose, Dr. Flucke says it is essential to configure the anti-virus to update continuously and scan machines every day, both to maintain the best protection and to minimize the damage if something does get into your system.

  • Make time for staff training. The weakest link in your data security is an untrained staff who do not know any better and fall prey to criminal schemes, he says.

Dr. Flucke says sometimes dentists don’t want to hear about these steps, especially the extra physical backup, because it is a hassle. However, he thinks all of these are crucial with the level of threat facing dental practices today. 

“The last thing you want to hear is your accounting and patient records are gone,” Dr. Flucke says.