Securing your patients’ protected health information is essential. We cover who should be on your team and which outside partners are necessary to manage your practice’s data.
Data management and protection are required of dental practices by federal law. The Health Insurance Portability and Accountability Act (HIPAA) defines a clinician’s responsibility for maintaining patients’ protected health information (PHI). HIPAA requires practices to have specific safeguards in place that defend against cyberattacks and data breaches compromising patients’ privacy, or the practice can face thousands of dollars in federal fines.
However, protecting data is also crucial for a practice’s success. John Flucke, DDS, Technology Editor for Dental Products Report, says that setting up your data team is vital for any dentist. He describes data as the “life-blood” of your practice.
“Several years ago, I was at a dental meeting talking with someone, and I asked him what software he was running in his practice. He waved me off, saying that was the staff’s job,” Dr. Flucke says. “I told him, ‘That’s your money.’”
We spoke to some experts in the industry on HIPAA compliance and data management to discover how to set up a data team for your practice that protects PHI and your practice’s bottom line. Here’s what they had to say.
Who should be on the team?
All of our experts agree that an internal team member should own and champion your HIPAA compliance and data management for the practice. Demetrios Andritsogiannis, founder and CEO of Aspida, a compliance technology solutions company that specializes in Secure Solutions for HIPAA, says it is the priority for your data team.
“Appointing a person to lead the charge for the team is crucial to your successful compliance efforts,” Andritsogiannis says.
“You need a centralized person that’s in charge and is who you go to with questions about HIPAA and data protection,” Steve White, vice president of sales and marketing for DDS Rescue, agrees.
However, the experts say that having a designated lead does not mean the doctor has no responsibility for data management and HIPAA compliance in the practice. As White points out, the doctor owns that data.
“They are responsible for it legally, morally, and ethically,” White says.
The dentist should have an active role in the data team, says Dr. Flucke. Understanding what is going on with IT, data protection and management, and the HIPAA compliance effort protects the dentist not only against hackers but also against embezzlement, theft, and other cybercrimes.
“If you don’t stay on top of it, you are at the mercy of the person who is,” Dr. Flucke says.
A practice should have a security officer who is separate from the dentist, so there is a go-to person while the dentist is treating patients, White emphasizes. This setup improves productivity and the patient experience.
“A lot of questions come up, from staff members and patients. To pull the doctor away from chairside every single time there’s a question about HIPAA or something needs to be handled is foolish,” White says.
Furthermore, Andritsogiannis says that having a person in charge does not give the rest of the team a pass on responsibility. Data management is everyone’s responsibility.
“Everyone's involved on the team,” Andritsogiannis says. “That includes the doctors, the owners, the staff or any member that is part of that covered entity in any form or fashion. They all should be trained and informed about all the compliance rules and processes to follow.”
Another crucial part of the data team is the outside partner, which is usually the IT provider. White says having someone that is an expert in data management and the potential threats to it is essential to your compliance efforts.
“You need a trusted IT provider, onsite,” White says. “You can’t get this done without it.”
Also, data management and HIPAA compliance are not tasks a single person can tackle on their own, Andritsogiannis says, and he encourages practices to find a third-party auditor to assess the practice’s vulnerabilities at least once a year. Self-audits often don’t find the potential liabilities because internal team members are too familiar with the setup and don’t see the problems, he says.
“It's best to get a second set of eyes to give you an audit or an assessment from a different perspective,” Andritsogiannis says. “Auditing yourself isn't always the best option. Making smart business decisions on which partners to bring in is very important.”
A dental practice should have separate cybersecurity and recovery business associates so that each serves as a check on the other, White agrees. It’s difficult for the same person who maintains the network (i.e., the IT provider) to also be in charge of auditing it. This setup has other inherent dangers as well, he says.
“It’s not good business sense to have one person in charge of managing the server and managing the backup. That’s all the keys to the kingdom in one set of hands, and we’ve seen that be a problem,” White explains.
A dental practice and their IT provider had a “falling out” and the IT provider changed the login capabilities to the server and didn’t share it with the dentist, White recalls. However, the same IT provider also had the backups, so the dentist was locked out of their system. DDS Rescue began recommending separating the two systems after that situation.
“What’s the doctor going to do? It’s locked up, and the backup is locked up with it. You’re stuck. You’re going to need to do whatever the IT provider wants to get access to data on a server that you own,” White says. “Originally, that's why we came up with separating the two things.”
Insurance against a cyberattack is another reason to use separate providers for data management and backup. Hackers have targeted managed services providers (MSPs) to gain access to the data of all of an MSP’s clients. The criminals use malicious software called ransomware, which encrypts data; to decrypt it, the victim pays a sum for the decryption key. When your backup vendor is different from your MSP, there is a significant chance you can still reach your data even if one of the two vendors is compromised.
DDS Rescue does not hold logins to its customers’ servers, White says. Customers have to let DDS Rescue in every time it needs to access that data, which adds another layer of protection on top of the multiple layers already in place to protect clients’ data.
“By dividing the two of them, you increase the ability to have checks and balances and keep your security completely up-to-date,” White says. “And you don’t let those keys sit in one set of hands.”
HIPAA requires practices to ensure that outside partners are also taking every possible step to protect patients’ PHI. Laura Miller, Compliance Manager for Aspida, defines the different relationships involved in your data team.
Any outside partner who has access to PHI is a Business Associate and is subject to the same federal requirements as the practice. Under the HIPAA requirements outlined in the Omnibus Rule released in 2013, practices must have a Business Associate Agreement (BAA) with each such partner. That responsibility and relationship also trickle down to anyone your outside partners employ to work on your behalf.
“You want to have a contract in place with every Business Associate that you have with access to your PHI to ensure that they are safeguarding that information and that they are also accepting responsibility in the event of a breach or mishandling on their part,” Miller explains.
“And there needs to be a subcontractor clause that says if one of your hired subcontractors fails to protect this information, then they are liable,” Andritsogiannis adds.
Ultimately, anyone who is a covered entity is the last one liable, Andritsogiannis says. Everyone that an outside partner brings into the equation could potentially be a threat and needs their own liability agreement.
“If you don't have an agreement with the subcontractor and they're not accepting liability, then you're accountable because you were the one that brought them in via the Business Associate. You’ve left a big hole of liability.”
Who should not be on the data team?
It’s crucial to know who should not be on the data management team, because limiting access reduces threats to the practice, Dr. Flucke says. For example, he used to give everyone in the office an email account. He learned, however, that one of the most significant threats to a dental practice’s data security is someone who does not know any better clicking on the wrong thing. Now he keeps email access at the office to a minimum: the front office staffer, the office manager, and Dr. Flucke himself.
“In the early days, everyone had the email,” Dr. Flucke says. “Now, it’s only those that have mission-critical email-related tasks at the practice.”
When hiring IT professionals, whether on staff or as outside partners, Dr. Flucke recommends making sure the position is stable. Job-hoppers leave practices open to vulnerability at worst and inconvenience at best.
“When they leave, you are going to be in the soup,” Dr. Flucke says.
Practices should also avoid outside partners that do not engage in regular training with your staff, Dr. Flucke recommends. The external partner should provide your internal officer with tools to recognize a problem and a rundown of what to do in an emergency. Then, if there is a meltdown, the practice’s internal security officer has a standard operating procedure to follow.
“A good dental assistant can triage the patient to the point that the doctor can just come in and do his or her thing,” Dr. Flucke says. “You need to have the same type of situation with data team personnel.”