Top 4 Things You Must Do to Become HIPAA Compliant

Top 4 Things You Must do to Become HIPAA Compliant. Image credit: © ZimmyTWS - stock.adobe.com

As dental offices digitize more and more of their patient data, it’s critical that they do everything in their power to protect and secure that data. The Health Insurance Portability and Accountability Act (HIPAA) law is based on the premise that patients entrust us with their most personal information, with the expectation that we will do our best to prevent it from falling into the wrong hands.

Here are the top 4 things you can do right now to ensure your practice is HIPAA compliant.

Patch Management

Many of you likely have been told by your information technology (IT) department that you should replace any computers running Windows Server 2012. The reason for this is that Microsoft ended support for this operating system on October 10, 2023, which means there will be no more security patches.¹ An unpatched operating system is a huge risk. Offices need to either upgrade or replace their systems as soon as possible. You still have many software programs besides Windows that you use; these too must be patched. Many IT companies offer what is often called managed services, which is a fancy way of saying automated software that does the heavy lifting.

Encryption

It makes sense for all offices to encrypt their data. Any data breach would not need to be reported if you can establish that the data were encrypted before the breach occurred. The good news is that Windows Server versions from 2012 or later, in addition to Windows 10, have a free, built-in encryption module called BitLocker so you don’t have to buy a separate program to encrypt your data.

Backup and Disaster Recovery

Although backing up your data is obviously critical, even in the absence of HIPAA rules, there are multiple laws that relate to the backup, such as having it off-site, testing and verifying it on a regular basis, and ensuring that it is encrypted.

I’m a huge fan of cloud backup. It allows you to get your data off-site without any human intervention, and you can easily monitor those backups. The problem is that if you had to restore from that backup, it could take days depending on the size of the backup and your internet speed. I always suggest a local backup as well. I recommend a disk image; it’s basically an exact replica of the entire server that you can store on a local device. If your main server goes down, you fire up that copy of the server and you’re up and running in a matter of minutes.

Risk Assessment and Management Plan

If a new patient arrives at your office, you don’t just start to treat them (well, at least, I hope not!). You do your diagnosis first: x-rays, restorative charting, perio probing, etc. Then, based on your findings, you create a treatment plan. HIPAA is the same way. How will you know if your practice isn’t meeting HIPAA requirements unless you actually look? And, contrary to what some vendors might tell you, a quick online questionnaire is not a proper risk assessment. It must include a full evaluation of your IT systems, your existing policies and procedures, a site survey, vulnerability testing, and more. If done properly, it should then generate a plan of action so that you can keep on track to address the deficiencies that are found during the risk assessment.

Starting with these 4 items will put you well on the path to HIPAA compliance.

Reference

1. Windows Server 2012 and 2012 R2 reaching end of support. Microsoft.com. May 5, 2023. Accessed October, 17, 2023. https://learn.microsoft.com/en-us/lifecycle/announcements/windows-server-2012-r2-end-of-support