Imaging in a HIPAA world

December 28, 2015
Dr. Lorne Lavine

Dr. Lorne Lavine, founder and president of The Digital Dentist, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish TDD, a company that focuses on the specialized technological and HIPAA needs of the dental community. He can be reached at drlavine@thedigitaldentists.com or 866-204-3398.

The majority of dental offices now use some sort of image management system.


Whether it’s digital X-rays, intraoral cameras or digital cameras, dentists accumulate images on their computer systems.

As many practices know, there are now many new rules and regulations regarding the protection and privacy of patient information. Images stored electronically are electronic protected health information (ePHI) and fall under the HIPAA Security Rule like any other patient record. Unlike practice management data, however, image files are significantly larger and need to be handled differently. In this article, we will look at the storage of images, data backup and disaster recovery, and how to share these images with other practitioners.


Image storage

The biggest threat dentists face when it comes to patient images is an unauthorized person gaining access to them. That is a breach of unsecured PHI, and the Breach Notification Rule is clear about what happens next: the practice must notify every affected patient in writing and report the breach to the Department of Health and Human Services. If 500 or more patients are affected, it must also notify prominent local media, and HHS lists the incident on its public breach portal, affectionately known as the Wall of Shame. There is, however, one “get-out-of-jail-free card,” and that is encryption.

If the images are encrypted in a way that meets the HHS guidance, and the encryption key was not lost along with the data, a lost or stolen drive is not a reportable breach. Because most offices hold far more ePHI than just images, I would almost always recommend encrypting the entire hard drive of the server rather than individual folders. Windows Server 2008 and Server 2012 include BitLocker, a free full-disk encryption feature that you turn on from Server Manager. Two caveats: BitLocker protects data at rest, meaning a drive or server that walks out the door, not a running server that an intruder reaches over the network while the volume is unlocked; and you must keep the recovery key somewhere other than the server itself, or a failed motherboard can lock you out of your own patient records.
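Turning on BitLocker for the server's system and data volumes, as an added example that is not from the article or from Dr. Lavine's practice. It assumes Windows Server 2012 (Server 2008 uses the manage-bde command-line tool instead), an enabled TPM, an elevated PowerShell prompt, and that the operating system lives on C: and the images on D:. Saving the recovery password to Active Directory also assumes the server is domain-joined and the domain's BitLocker policy permits it.

```powershell
# Added example, not from the article. Drive letters, the TPM and the
# Active Directory backup are assumptions described in the lead-in.

# 1. BitLocker is an optional feature on Windows Server; install it (reboots).
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

# 2. After the reboot: encrypt the OS volume, sealed to the TPM so it unlocks
#    on a normal boot. AES-256 is the strongest option on Server 2012.
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest

# 3. Add a numeric recovery password, so a TPM failure or a hardware change
#    does not lock the practice out of its own patient data.
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# 4. Escrow that recovery password somewhere that is NOT the server: here in
#    Active Directory (requires the matching Group Policy). Record the printed
#    value as well and keep it in a safe, never on the server's own disk.
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId
$rp.RecoveryPassword

# 5. The data volume holding the images is encrypted too and set to unlock
#    automatically once the OS volume is unlocked.
Enable-BitLocker -MountPoint "D:" -EncryptionMethod Aes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"

# 6. The check a risk analysis wants: every fixed volume should report
#    ProtectionStatus 'On' and VolumeStatus 'FullyEncrypted'.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

Run the final Get-BitLockerVolume check again after any hardware service; a volume that shows ProtectionStatus 'Off' (for example after a suspended update) is exactly the state in which a lost drive becomes a reportable breach.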


Disaster recovery

While backing up your data is obviously critical and has been for decades, HIPAA makes it a requirement. The Security Rule calls for a data backup plan that creates “retrievable exact copies” of ePHI (in practice, this means a copy kept offsite), and under the HHS guidance a lost or stolen backup avoids breach notification only if the data on it is “unusable, unreadable, or indecipherable to unauthorized individuals,” which you accomplish with the same encryption mentioned above. While I am a huge fan of online backup, for offices that handle images a two-pronged approach is needed, as downloading multiple gigabytes of data from an online data center could take days or even weeks.

What I recommend is taking an “image” of the server to a local device: an exact snapshot of the entire server, including settings, programs, etc. This image can be updated as often as every 15 minutes. If the server goes down, you boot the image as a virtual machine and can be up and running within minutes. And if the entire office burns down, you restore from the online backup. Keep in mind that many of the better online services charge based on the amount of data you store, and do a test restore from both copies periodically; a backup you have never restored is not a disaster recovery plan.


Sharing information

While there are some very good online portals for sharing images, the reality is most dentists prefer to use email when communicating with other offices. The HHS guidance has clear criteria for what it calls “data in motion,” and email certainly qualifies as data in motion.

For the most part, if you send images to another office, you should use an encrypted email system to meet HIPAA regulations. Yes, you could in theory send just, say, a single bitewing radiograph with no identifying information and then call the recipient to tell them which patient that X-ray belongs to, but that is not really practical. Encrypted email systems can be found for less than $50/month, are very easy to use, and protect both the sender and recipient. Make sure the vendor will sign a business associate agreement, because a service that handles your patient images on your behalf is a business associate under HIPAA.

While image management has made HIPAA compliance more challenging, there are many established systems available that allow dental practices to meet these rules and regulations.
