Is your dental practice completely HIPAA compliant?

January 5, 2015

As many of you are aware, patient privacy and data security has taken center stage over the past two decades. It started with HIPAA in 1996, then the HITECH Act in 2009 and the “final” HIPAA law, the Omnibus Rules, that were enacted in March 2013 with a September 2013 deadline. For many practices, the rules and regulations are a paradigm shift in how you need to practice.

As many of you are aware, patient privacy and data security has taken center stage over the past two decades. It started with HIPAA in 1996, then the HITECH Act in 2009 and the “final” HIPAA law, the Omnibus Rules, that were enacted in March 2013 with a September 2013 deadline. For many practices, the rules and regulations are a paradigm shift in how you need to practice.

While many practices have taken some of the steps necessary to become compliant, such as having written policies and procedures, I have yet to find a dental practice that is even close to being totally compliant (not that 100 percent compliance is even possible). The reason is many practices are unaware of many of the newer rules that must be followed. The purpose of this article is to identify five things I see pretty much every day dental offices are doing that would not meet the HIPAA regulations.

Not encrypting patient data

There are some people out there who, unfortunately, don’t understand the need for encryption. HIPAA has defined encryption as an “addressable” concern, meaning, if it’s reasonable and appropriate, you must do it. If it’s not reasonable, then you must either present an alternative or document why you don’t think it’s reasonable. This is NOT a get-out-of-jail-free card! The problem is encrypting your data is both reasonable and appropriate. You can buy servers with self-encrypting drives. Operating systems like Windows Server 2008/2012 or Windows 8 have Bitlocker encryption built into the software. There are free programs like TrueCrypt that can accomplish the same things. While I suggest hiring an IT professional to help you, the costs to encrypt all your data are minimal compared to the fines and loss of patients for breach notification.

Not backing up patient data regularly

While none of us would argue the need for backing up data and having a good disaster recovery plan in place, few people realize there are numerous HIPAA regulations that specifically address this. The backup must be encrypted, you must be able to restore any lost data, it must be offsite and you must test it on a regular basis. This means the typical dental office that backs up unencrypted hard drives that aren’t removed from the office on a regular basis and aren’t verified are at a very high risk of a breach. Breaches are devastating for a practice, as you need to notify all patients in writing, notify the local media and have your practice listed on the Health and Human Services website, where you’d join the 1,100+ practices as of this writing who are also on that site.

A local image of your server on an encrypted device, combined with online backup (also encrypted), is your best defense against all of this. Many of our clients use our DataProtect service so they don’t have to handle this on their own.

Related reading: A new, free way to be HIPAA compliant

Sending sensitive patient information through email

HIPAA refers to any data that is sent over email or the Internet as “data in motion.” The basic rules say if you send electronic protected health information (ePHI) over the Internet, you must take steps to ensure the data is protected and secure. The problem with most email systems is they are anything but secure!

Most email systems, like Gmail, Yahoo and even Outlook, are not encrypted, which is something HIPAA highly recommends. The other problem is when you send an email to another office, it doesn’t go directly to that person; it gets sent to multiple servers, called hops, before reaching the final destination. And, in most cases, those servers are not secure.

You really have two options. If you are sending ePHI, then you really need to encrypt your outbound emails. There are many services that offer this; they cost around $5 to $10 per user per month, are easy to set up and will work with your existing email address. Our HIPAACheck email system works well and can handle file attachments up to 2 GB in size. The other option is to de-identify the email. For example, you can send a digital X-ray image, but it can’t contain any patient information: No names, no initials, no chart ID, no DOB, no full face photo-nothing that would allow another person to identify who that X-ray image belongs to.

Continue to the next page to read more...

Using Dropbox to share and store patient data

Dropbox is great! You can put any file into it and it will immediately be available on all of your devices, such as your home computer, iPad or smartphone. It’s very convenient and easy to use. What it’s not, unfortunately, is HIPAA-compliant. There have been numerous outages and data breaches of Dropbox over the years. While it may be OK for personal files, it’s definitely not a viable option for any documents that contain ePHI.

Related reading: HIPAA compliance and digital photography with personal mobile devices

Not restricting access to patient information

While HIPAA involves some technical and physical safeguards, the administrative safeguards make up more than 50 percent of the rules. You need to make sure only specific people can access patient information. You need to log which employees have access, when they accessed it, what they did with that data, etc. Many of these are part of the privacy rule, which includes non-electronic data. Don’t leave charts laying around unattended. Don’t throw old charts in the trash. Secure the charts at night. Be careful what labels and markings you put on the outside of charts. The list goes on and on.

Practices that are interested in becoming more HIPAA-compliant should consider working with a HIPAA professional that can assist them. While 100-percent compliance isn’t realistic, the HIPAA auditors are looking for VDE: visibly demonstrable evidence. In other words, making a good effort and having proof of that effort can go a long way toward mitigating what could potentially be well more than $1.5 million in fines.

If you are concerned about your HIPAA compliance and want to schedule a free risk assessment, please feel free to call us at 866-204-3398.

Related reading: How one practice stays HIPAA compliant [VIDEO]

About the author

Dr. Lorne Lavine, founder and president of Dental Technology Consultants, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish DTC, a company that focuses on the specialized technological needs of the dental community. Dr. Lavine has vast experience with dental technology systems. He is a CompTia Certified A+ Computer Repair Technician, CompTia Network+-certified and will soon be a Microsoft Certified Systems Administrator. As a consultant and integrator, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks and digital radiography systems. He also writes for many well known industry publications and lectures across the country. He was the regular technology columnist for Dental Economics Magazine, and his articles have appeared in Dentistry Today, Dental Economics, Dental Equipment and Materials, Dental Practice Report, New Dentist, Dental Angle Online and DentalTown magazine, where he is a moderator of 10 of their computer and software forums. He has lectured to the Yankee Dental Congress, American Academy of Periodontology, American Academy of Endodontics, the DentalTown Extravaganza and numerous state dental society and study club lectures. In addition, he is a member of the Speaking and Consulting Network. He is also the former technology consultant for the Indian Health Service.