To encrypt or not to encrypt… It’s not really a question!

September 2, 2015
Dr. Lorne Lavine

Dr. Lorne Lavine, founder and president of The Digital Dentist, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish TDD, a company that focuses on the specialized technological and HIPAA needs of the dental community. He can be reached at drlavine@thedigitaldentists.com or 866-204-3398.

Welcome to another article in our series on helping dental practices become HIPAA compliant. This month, we’ll focus on the need for encryption; but first, we need to back up a bit and talk about HIPAA rules.

As many people know, there are two types of rules: required and addressable. Unfortunately, there is a lot of confusion about these. Required is the easy one: Any rule that is required means you must do it, no ifs, ands or buts. It’s not negotiable. Addressable, though, is a bit less cut and dry.

The wording is this: The US Department of Health and Human Services says “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you believe that an addressable specification is not reasonable or appropriate, you must document your decision.

It’s important to understand that addressable does not mean optional! This part is key: If it’s reasonable, you must do it. Who gets to decide if it’s reasonable? Well, you … until the day the HIPAA auditor shows up and then they do.

How does all of this relate to encryption? Well, encryption is an addressable specification, so by law it is not strictly required. But that doesn’t mean you shouldn’t do it. There are two reasons why I always recommend encryption:

1. As we discussed in the previous issue, the Breach Notification Rule requires you to notify all patients in writing as well as the local media if you suffer a breach of your data. If the data is encrypted though, it’s not considered a breach and as such, you do not need to notify your patients or the local news.

2. The second reason relates back to this issue of reasonable and appropriate. My question is, how will you win the argument that it’s not reasonable and appropriate if you are ever audited? Many versions of Windows, such as Server 2008 or Server 2012, Windows 7 Ultimate, Windows 8 Pro, etc., contain a free encryption program called BitLocker. There are also free encryption programs like VeraCrypt that will encrypt folders or an entire drive. If you’re not comfortable setting these programs up yourself, most IT companies can easily do it for around the cost of five to six hours of support.

The bottom line is that encryption is really something every office should be doing. It protects the security and privacy of the data, and it will protect the practice from embarrassing public notifications that always lead to a loss of patients and income. Talk to your IT people or contact me to discuss how to encrypt your data safely and with minimal cost.

About the author

Dr. Lorne Lavine, founder and president of Dental Technology Consultants, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish DTC, a company that focuses on the specialized technological needs of the dental community. Dr. Lavine has vast experience with dental technology systems. He is a CompTIA Certified A+ Computer Repair Technician, CompTIA Network+-certified and will soon be a Microsoft Certified Systems Administrator. As a consultant and integrator, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks and digital radiography systems. He also writes for many well-known industry publications and lectures across the country. He was the regular technology columnist for Dental Economics Magazine, and his articles have appeared in Dentistry Today, Dental Economics, Dental Equipment and Materials, Dental Practice Report, New Dentist, Dental Angle Online and DentalTown magazine, where he is a moderator of 10 of their computer and software forums. He has lectured to the Yankee Dental Congress, American Academy of Periodontology, American Academy of Endodontics, the DentalTown Extravaganza and numerous state dental society and study club meetings. In addition, he is a member of the Speaking and Consulting Network. He is also the former technology consultant for the Indian Health Service.