OR WAIT 15 SECS
Dr. Lorne Lavine, founder and president of The Digital Dentist, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish TDD, a company that focuses on the specialized technological and HIPAA needs of the dental community. He can be reached at firstname.lastname@example.org or 866-204-3398.
It’s impossible for any health care provider to be 100 percent HIPAA compliant but you still need to make a good faith effort. Here are the top five things you can do right now.
As dental offices put more and more of their patient data into a digital format, it’s critical that they do everything in their power to protect and secure that data. HIPAA laws are based on this premise-that patients entrust us with their most personal information, with the expectation that we will do our best to prevent that info from falling into the wrong hands.
It’s impossible for any health care provider to be 100 percent HIPAA compliant because there are literally hundreds of pages of rules and regulations. However, you still need to make a good faith effort to be as up to date as you can. Here are the top five things you can do right now.
1. Risk Assessment and Management Plan
If a new patient shows up to your office, you don’t just start to treat them. You do your diagnosis first-X-rays, restorative charting, periodontal probing, etc. Then, based on your findings, you create a treatment plan before beginning treatment. HIPAA is the same way.
How can you know where your practice isn’t meeting HIPAA requirements unless you look? Proper risk assessment must include a full evaluation of your IT systems, your existing policies and procedures, a site survey, vulnerability testing, the list goes on and on. If done properly, it should then generate a plan of action so you can keep on track to address the deficiencies that are found during the risk assessment.
2. Backup and Disaster Recovery
While backup is obviously critical even in the absence of HIPAA rules, there are multiple laws that relate to the backup, such as an offsite location, testing and verifying on a regular basis, and using encryption.
I’m a huge fan of cloud backup-it allows you to get the data offsite without any human intervention and you can easily monitor those backups. The problem is if you had to restore from that backup, it could take days depending on the size of your backup and internet speed. So, I always suggest a local backup as well. I recommend a disk image, it’s basically an exact replica of the entire server that you can store on a local device. That way, if your main server goes down, you fire up that copy of the server and you’re up and running in a matter of minutes.
Continue reading on the next page...
3. Anti-malware and Firewalls
It’s important that you do what you can to keep the bad people out and the important data in (that’s what a firewall does). But you should also have protection in place in case some malware does make it through. While having decent antivirus software is important, protection against ransomware is far more critical. Ransomware locks your files and requires you to pay a ransom- which can be many thousands of dollars-to get the unlock key. Adding insult to injury, Health and Human Services has determined that if you are hit with ransomware, you have suffered a Breach and must notify all patients in writing as well as the local news media.
4. Patch Management
Many of you have likely been told by your IT people that you must replace any computers running Server 2008 or Windows 7. This is because Microsoft is ending support for these operating systems. An unpatched operating system is a huge risk, so offices need to either upgrade or replace their systems as soon as possible. You still have many software programs besides Windows that you use, which must also be patched. Many IT companies offer what is often called “managed services”, which is just a fancy way of saying automated software that does the heavy lifting for us.
While encryption is an “addressable” HIPAA item, it still makes sense for all offices to encrypt their data. Any breach of your data would not need to be reported if you can establish that the data was encrypted before the breach occurred. The good news is any Windows Server version from 2012 or newer, and Windows 10, all have a free, built-in encryption module called Bitlocker, so you don’t have to go out and buy a separate program.
It’s critical to protect your patients as well as your practice. Any office that does these five steps will be well on its way to becoming more HIPAA compliant.