How to ensure your email is HIPAA compliant

Each month, Dr. Lou Shuman consults with a dental technology specialist to discuss the latest developments in digital encryption, data security, social media trends, SEO strategies, website optimization, online reputation management, marketing and more. 

This month, in part two of a two-part series, Dr. Shuman continues his conversation with Robert McDermott, president and CEO of iCoreConnect, on the topic of HIPAA compliance and electronic protected health information (ePHI). This column provides greater depth on the required safeguards for HIPAA-compliant management of ePHI, as well as the relative security of cloud-based systems for the dental office.

Would you review all five required technical safeguards for HIPAA-compliant management of ePHI?

Last month, we talked about the transmission security safeguard which involves encryption. The current HIPAA encryption requirement is 256-bit. The best technology out there right now is 2048-bit encryption. 

A second technical safeguard is integrity. You must have a secure backup that keeps the original version of the document unaltered for at least six years.

Access control is a third technical safeguard that comes down to making sure only those with legitimate need and permission can access patient data. Automatic logoff after a certain period of inactivity satisfies access control.

Authentication is a fourth technical safeguard that means the sender must know that the email recipient is who they claim to be. You also must be able to verify that the recipient is the only person that received the communication. That’s why something like Gmail or Yahoo is not a good venue to send protected health information. I can easily create an email account called DrBob@gmail.com, and you have no way of authenticating that I am actually Dr. Bob.

Audit control is the final technical safeguard. Proper ePHI audit control means you’re able to provide audit journals from doctor to doctor and from doctor to patient. Basically, your system must “follow that email around” and be able to provide a detailed audit of where it came from, who it went to and who opened it. 

Let’s shift lanes for just a second and talk about cloud computing. Many dental office systems are migrating to the Cloud including practice management systems. Is the Cloud secure?  Should people be worried that they’re going to lose all that confidential patient data in the Cloud?  

A common misconception about the Cloud is that practice data is just floating around out there on the internet. It’s just the opposite. Cloud-based simply means removing the computer server, which holds all of your patient data, from your office and storing it in a highly secure data center.

In most practices, the server is either in the doctor’s office or underneath the receptionist’s desk. I always ask, “Do you think your server is more secure underneath your desk or safer in an armed, guarded, 24-hour surveillance data center?”  It’s almost impossible to break into one of these data centers, whereas someone can easily break into your practice and steal the server. 

Remember, your local server has a hard drive, which means every piece of private information is, literally, in that box at your office. Once a thief has your server, they can get everything on your hard drive, especially if it’s not encrypted. I recently saw a report that 98 percent of the servers in medical and dental offices are not encrypted. 

When something is cloud-based, the information does not live in your office, so when you log off of your computer or laptop, the information is stored on the remote servers at another location. This protects you and your patients.

Step out of being an ePHI/HIPAA-compliance expert and into the shoes of the average dentist or practice manager. As you are investigating email systems that will keep you HIPAA compliant, what things should you be looking for? What would you be asking?  

The easiest place to start is the five, simple technical safeguards. I would ask what level of encryption the solution employs; while 256-bit is the requirement, a higher encryption rating is exponentially harder to hack.

Ask if the proposed solution uses MicroTokenization. This operates much like the chip on your credit card. Every single transaction is isolated with its own unique username and password. Even if there was a successful hack, it would be contained to exactly one transaction, or in this case, one email.

Next, ask if the solution uses the DIRECT protocol, the federal government’s method for authentication. Seeing as how these are the folks handing out the fines, it makes good sense to adopt their protocol. DIRECT verifies the people on the other end are who they say they are.

Finally, beyond all the technical requirements I would insist on a solution that doesn’t change your workflow very much and is very easy to use. As a businessman, I want anything I implement in my practice to be a benefit, not a burden. I want to increase productivity, efficiency, customer retention, and satisfaction. And that means ease-of-use for the dental team and patients. Ask a potential provider to clearly demonstrate these benefits.