Is your website a HIPAA violation?

June 7, 2018

5 questions to ask yourself to avoid an HHS lawsuit.

Since the Health Insurance Portability and Accountability Act (HIPAA) became law in 2003, dental offices have struggled to comply with the vast regulations and requirements set forth by the legislation. Back then, many dentists didn’t have a website, nor did they understand the power of the internet to increase efficiencies in their practices.

Today, there are over one billion websites on the internet, and HIPAA compliance now extends to the electronic transfer of protected health information (ePHI) over the web and to how that data is hosted and stored.

According to the US Department of Health and Human Services (HHS), the lack of administrative safeguards for ePHI is currently the fourth-most investigated type of non-compliance since the law’s inception. It’s fair to assume these types of violations will continue to be reported and draw the attention of HHS.


There are many technical specifications related to HIPAA compliance, and we will cover that in a moment. For now, ask yourself the following:

Questions

  • Do patients contact me through my website regarding their symptoms?

  • Do patients contact me through my website with post-op questions?

  • Do I have online forms that patients can complete (like new patient forms or health history forms) or do I want to add that to my website?

  • Do I have patient data on a laptop that leaves my office?

  • Are staff members emailing patients regarding their dental health or treatment without using encryption?

If you answered “yes” to any one of these questions, then you need a HIPAA-compliant website.

So, how do you ensure your website is HIPAA compliant? For smaller entities like an independent dental office, you are required to take reasonable steps to ensure the protection of your patients’ ePHI. Some of these requirements are simple to implement in your practice right away.

Determining your level of compliance

Seven major points should be evaluated to determine if your website is HIPAA compliant. They consist of the following:

1. Access Control: Team members should have unique logins and passwords when accessing your website. Administrative access should not be given to team members who do not need complete access to every function. As a basic rule, limit access as much as possible while still allowing the team member to perform his or her basic duties within your practice.


If your team does not access your website but instead has a third party maintaining and making updates, you must have a current HIPAA Business Associates Agreement with that company. We’ll go into more detail on agreements shortly.


2. Audit Control: Most websites have a reporting mechanism that can audit users’ activity. It’s necessary to track activity in case of a security violation. It should be noted that the HIPAA Security Rule does not specify what type of data needs to be collected by the audit mechanism or how often audit reports need to be reviewed. Confirm with your web developer that such audit controls exist - they most likely do.
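The access-control and audit-control points above, as an added example (not the article's own code or any particular website platform's): a small least-privilege permission table for a practice website, where every allow/deny decision is written to an audit log, plus a review helper that surfaces accounts with repeated denied attempts. The roles, permissions and user logins are constructed for illustration.

```javascript
// Added example: role-based, least-privilege checks for a practice website's
// admin area, with every decision recorded in an audit log.
// Role names, permissions and users are constructed for illustration.
const PERMISSIONS = {
  admin:      new Set(['forms:read', 'forms:export', 'users:manage', 'site:edit']),
  front_desk: new Set(['forms:read']),
  hygienist:  new Set(['forms:read']),
  marketing:  new Set(['site:edit']),
};

const auditLog = []; // in production: an append-only store, not an in-memory array

// Decide whether a named user (a unique login, never a shared account) may
// perform an action. Every allow/deny decision is recorded: who, what, when.
function authorize(user, action, now = new Date()) {
  const allowed = PERMISSIONS[user.role]?.has(action) ?? false;
  auditLog.push({
    ts: now.toISOString(),
    user: user.login,
    role: user.role,
    action,
    result: allowed ? 'ALLOW' : 'DENY',
  });
  return allowed;
}

// Audit review helper: logins with at least `threshold` denied attempts,
// the kind of pattern to look for when investigating a security violation.
function repeatedDenials(log, threshold = 3) {
  const counts = {};
  for (const e of log) if (e.result === 'DENY') counts[e.user] = (counts[e.user] || 0) + 1;
  return Object.keys(counts).filter((u) => counts[u] >= threshold).sort();
}

function demo() {
  auditLog.length = 0;
  const desk = { login: 'j.smith', role: 'front_desk' }; // constructed users
  const admin = { login: 'dr.lee', role: 'admin' };
  authorize(desk, 'forms:read');     // allowed: needed for front-desk duties
  authorize(desk, 'forms:export');   // denied: not part of the role
  authorize(desk, 'users:manage');   // denied
  authorize(desk, 'site:edit');      // denied
  authorize(admin, 'forms:export');  // allowed
  return { denied: repeatedDenials(auditLog), entries: auditLog.length };
}
```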


3. Integrity: If data stored on your website is not properly encrypted, it can be modified or destroyed, unintentionally or otherwise. Humans are not the only ones responsible for a breach of data integrity. Electronic errors or failures can cause data to change or even be deleted. Your web developer has many options to encrypt your data, from hard-coding encryption methods to installing a plugin that encrypts data and decrypts only when a user is logged in.

In May 2018, the European Union’s new data protection law, the General Data Protection Regulation (GDPR), took effect. Because of this new law, it’s highly likely more plugins will be developed to assist in maintaining a high level of encryption and integrity.

4. Transmission Security: In addition to data integrity in your website’s database, the transfer of ePHI needs to be encrypted as well. The first step is to purchase and install a TLS (commonly called SSL) certificate and migrate your website from HTTP to HTTPS. HTTPS encrypts the connection between the visitor’s browser and your web server.

It’s also important that you are accessing your website data over a secure network. Your team should never access your website from any open network, like internet connections that do not require a password.

If you are emailing patients’ ePHI, then a secure email system should be used. Many reputable companies provide this service for a reasonable price, and they are easy for both your team and your patients to use.

5. Backup: If you are storing ePHI on your website, you must be sure a backup of your database is frequently taken and can be recovered in case of an emergency or unintentional deletion. Most hosting companies already provide this service. Restoring a backup may incur a charge, but it’s usually a nominal fee worth paying. Check with your provider to confirm how often website backups are taken and how they are being stored. HIPAA compliance standards also apply to your backed-up data, so it needs to be secure.

6. Disposal: After you’ve confirmed the frequency of your data backups, you need to determine how they are disposed of when no longer needed. Your hosting company will likely not keep your backups indefinitely, so find out what happens to the discarded data. Also, when an old server needs to be retired, its hard drive will need to be securely wiped. The hosting provider should use software that performs several passes of random writes over the disk so that the data cannot be recovered.


7. Business Associates Agreement: If any vendor working with your practice has access to your patients’ ePHI, you must have a signed Business Associates Agreement. Vendors include, but are not limited to, your website designer, the IT company maintaining your in-office server and equipment, electronic claims vendors, marketing companies, consultants, accountants, appointment reminder software companies and your practice management software provider. Last year, a health care provider settled a lawsuit with HHS for $31K for not having the appropriate Business Associates Agreements in place. You can find free templates for HIPAA Business Associates Agreements online.

Ensuring your website is HIPAA compliant may seem like an overwhelming task, but there are simple tools at your disposal and processes you can implement that demonstrate reasonable steps have been taken to protect your patients’ ePHI. With the increase in HHS compliance reviews, it’s well worth your time and money to protect your practice from potential violations.